Amplitude

Authentication & Authorization

Credentials

• Amplitude connects via basic authentication with the project's credentials API Key and API Secret (see the DataGrail help docs).

• Optionally, Amplitude integration can be connected with additional org-level API credentials to use Data Access Subject Request API (see the DataGrail help docs).

• Publicly exposing your API credentials can allow unauthorized access to the Amplitude API endpoints, and your Amplitude data by a third party. DataGrail stores your API credentials encrypted and protected.

Permissions

• Amplitude admin privileges are required to manage API credentials (see the DataGrail Help Docs).

• To request an org-level API key, submit a ticket to the support team at support.amplitude.com (see the DataGrail Help Docs).

Endpoints Utilized

DataGrail uses the following endpoint to validate that credentials are good based on a successful response:

• GET https://amplitude.com/api/2/annotations

DataGrail does not use this endpoint for any other purpose nor uses any of the data returned.

Version

Amplitude integration currently supports version 2.

Limits

• DataGrail supports requests throttling to stay within 70-80% of specified service rate limits.

• DataGrail processes API responses with HTTP 429 status to interrupt requests, waiting and retrying (using an exponential backoff strategy).

Access

DataGrail will take different actions depending on the connection mode.

Connection with project level credentials

For an access request, DataGrail will take the following actions:

• Search for a user whose User ID or Amplitude ID matches related identifiers provided in the request.

• Get a user summary and their most recent 1000 events plus all of the events from their most recent session for each detected user record (with pagination and batch processing).

• For all objects found, DataGrail will return all available fields. You can edit which objects and fields you want to provide to the Data Subject via our Portal Requests.

Endpoints Utilized

• GET https://amplitude.com/api/2/usersearch

• GET https://amplitude.com/api/2/useractivity

Connection with organization level credentials

For an access request, DataGrail will take the following actions:

• Create data request

• Regularly poll the data request job to get its status.

• Download a returned output file (S3 link) when the job is completed.

• For all objects found, DataGrail will return all available fields. You can edit which objects and fields you want to provide to the Data Subject via our Portal Requests.

Endpoints Utilized

• POST https://amplitude.com/api/2/dsar/requests

• GET https://amplitude.com/api/2/dsar/requests/requestID

• GET DATA_S3_LINK

Deletion

For a deletion request, DataGrail will take the following actions:

• Request a user be scheduled for deletion with User ID or Amplitude ID matches related identifiers provided in the request.

• List deletion jobs scheduled in a time range and check requested job status. The request will repeat until the job is completed.

• Search for deleted users to verify deletion.

Endpoints Utilized

• POST https://amplitude.com/api/2/deletions/users

• GET https://amplitude.com/api/2/deletions/users

• GET https://amplitude.com/api/2/usersearch