Amplifa – AI sales platform for industrial B2B

Trust Center · DE · Düsseldorf · Frankfurt

Data protection and security – Made in Germany.

A 100% German vendor, governed by German law, hosted in Frankfurt am Main. Built to pass any enterprise vendor onboarding – from DAX corporation to mid-market engineering firm.

Hosting and data storage in Germany (Frankfurt am Main). Third-country transfers exclusively under EU Standard Contractual Clauses (Art. 46 GDPR).

  • Made in Germany. Engineering & operations in Düsseldorf
  • GDPR-compliant. DPA, TOMs & subprocessor list
  • Hosted in Germany. AWS eu-central-1, Frankfurt am Main
  • AES-256 & TLS 1.3. Encryption at rest & in transit
  • Vendor-onboarding ready for DAX & Mittelstand
  • DPA, TOMs & TIA available within 24 h
  • Auditable per § 9 of our DPA
  • NIS-2 supply-chain ready

Compliance at a glance

Everything your privacy and procurement team reviews.

  • Data processing under Art. 28 GDPR. Ready-to-sign DPA
  • Technical & organizational measures. Art. 32 GDPR
  • Data-breach notification. Within 24 hours to the controller
  • Record of processing activities. Art. 30 GDPR
  • No special categories (Art. 9). Business B2B contact data only
  • Privacy by Design & by Default. Privacy-friendly defaults
  • Annual penetration tests. Independent third parties, monthly scans
  • Employee training. Privacy & InfoSec, mandatory yearly
  • ISO 27001 / SOC 2 Type II / BSI C5. Roadmap – in preparation
  • Incident-response process. Aligned with NIS-2

Made in Germany

Fully German. Fully enterprise-ready.

No US subsidiary construct, no offshore development, no data flows outside the EU. amplifa is a German company with a German contracting party – built for the requirements of German procurement, privacy and security departments.

  • HQ & engineering in Düsseldorf. amplifa GmbH, Luisenstraße 9, 40215 Düsseldorf. Registered with the commercial register at Düsseldorf local court. Product and engineering team 100% in Germany.
  • Hosting exclusively in Frankfurt. AWS region eu-central-1, hoster certified per BSI C5 and ISO 27001. Geo-redundant backups in two availability zones – no data storage outside the EU.
  • German law, jurisdiction Düsseldorf. T&Cs per BGB/HGB, German contracting party, exclusive jurisdiction Düsseldorf. No US or offshore contract constructs.
  • Dedicated EU customer success. Named contacts in Düsseldorf for Sales, Customer Success, Security and Privacy. Full English communication, no offshore hotlines.
  • Compliance stack DE & EU. GDPR, BDSG, UWG, NIS-2 Readiness Statement, EU AI Act conformity declaration, BSI C5:2020 self-assessment, Transfer Impact Assessment (Schrems II).
  • Taxes & invoicing in DE. Invoices with German VAT (VAT ID pending registration), HGB-compliant bookkeeping, payment by SEPA direct debit or bank transfer.

amplifa GmbH · Luisenstraße 9 · 40215 Düsseldorf · Germany. Contracting party for all commercial relationships. All subprocessors with US ties are safeguarded by EU Standard Contractual Clauses, zero-data-retention and a documented Transfer Impact Assessment (Schrems II).

Subprocessors

Transparent. Complete. Current.

Complete list of all subprocessors per Art. 28 (2) GDPR – broken down by infrastructure, AI inference, sales tooling and tracking. Third-country transfers exclusively under EU Standard Contractual Clauses 2021/914 with a documented Transfer Impact Assessment (Schrems II, AMP-TC-017).

A. Infrastructure, platform & collaboration

Core infrastructure for operations, hosting and internal collaboration.

B. LLM & AI inference

Exclusively enterprise/commercial APIs with contractual zero-data-retention and exclusion of model training (see AMP-TC-015).

C. Sales, data enrichment & outreach

Legitimate interest in conjunction with § 7 UWG, whitelist criteria, opt-out mechanics and suppression list (see DPA § 8b).

D. Analytics, tracking & reach (consent-based only)

Activated exclusively after consent via the cookie banner (Art. 6 (1) lit. a GDPR in conjunction with § 25 TDDDG, Consent Mode v2).

Changes to this list are communicated to controllers at least 30 days in advance (Art. 28 (4) GDPR). Full TIA assessment and certificates per provider on request (AMP-TC-003, AMP-TC-017).

Security highlights

Confidentiality. Integrity. Availability.

Confidentiality

  • AES-256 encryption of all data at rest
  • Mandatory multi-factor authentication (TOTP/WebAuthn) for all employees
  • Role-based access (RBAC), least-privilege, quarterly access reviews
  • Logical tenant separation via row-level security

Integrity

  • TLS 1.3 for all data transmission
  • SPF, DKIM and DMARC fully configured
  • Tamper-protected audit logs (append-only, 12 months)
  • Four-eyes principle for production data changes

Availability

  • 99.9% monthly average availability (SLA)
  • RPO ≤ 15 minutes, RTO ≤ 4 hours
  • Geo-redundant, encrypted backups in two availability zones (Frankfurt)
  • No backups outside the EU
  • Semi-annual restore tests

Incident Response

Clear reporting paths when it matters.

Report a security incident

Vulnerabilities, suspected cases and responsible-disclosure reports are accepted any time at:

Reporting channels & deadlines

  • Notification to the supervisory authority within 72 hours (Art. 33 GDPR)
  • Notification of affected controllers within 24 hours
  • Documented incident lifecycle with severity classification P1 – P4

FAQ

For procurement & data protection officers.

Where is our data hosted?

In Frankfurt am Main, AWS region eu-central-1. The data center used is certified per ISO 27001 and BSI C5.

Will amplifa sign a DPA with us?

Yes. We provide a ready-to-sign Data Processing Agreement under Art. 28 GDPR including TOMs (Art. 32) and a complete subprocessor list.

Does data leave the EU?

Hosting and data storage take place in Germany (Frankfurt am Main). Individual subprocessors with US ties are integrated exclusively under the EU Standard Contractual Clauses (Art. 46 GDPR).

How fast are we notified of an incident?

Affected controllers are notified within 24 hours of becoming aware. Notifications to the competent supervisory authority are made within the statutory 72-hour deadline (Art. 33 GDPR).

What data does amplifa process?

Exclusively business B2B contact data (name, business email, role, company). No special categories of personal data under Art. 9 GDPR.

Can we audit amplifa?

Yes. Evidence and on-site audits are possible per § 9 of our DPA after reasonable advance notice.

What happens to our data after the contract ends?

Return or verifiable deletion at the controller's choice per § 11 of our DPA. A deletion confirmation is issued.
