Please note that this page is for informational purposes only and Datadog customers are responsible for making their own independent assessment of the information presented below. All of Datadog’s obligations and liabilities to our customers are outlined in our agreements, and this page does not form part of, or modify, any agreement between Datadog and our customers. We may update or change this page from time to time. When we do so, we will update the “Current as of” date above.
In July 2020, the Court of Justice of the European Union issued its long-awaited decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”), holding that (1) the EU-U.S. Privacy Shield program could no longer be used for data transfers to the United States, and (2) the transfer mechanisms identified in the GDPR—including the European Commission-issued Standard Contractual Clauses (SCCs)—could only be used where the laws and practices in the data importer’s country do not impinge on the protections provided by the transfer mechanism.
To address the concerns raised in the Schrems II decision, in October 2022, U.S. President Biden signed Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities, which requires certain changes to the way U.S. intelligence agencies collect data under its collection authorities. In furtherance of Executive Order (EO) 14086, the Department of Commerce created the EU-U.S. Data Privacy Framework (DPF)—a framework to allow for international data transfers to the U.S.—for which the European Commission adopted an adequacy decision on July 10, 2023.
Datadog has certified to, and is an active member of, the DPF. That said, we continue to believe that being transparent about our data-transfer practices is important to our customers, so we will continue to maintain this Transfer Impact Assessment so that our customers are confident in their ability to use our Services no matter where they are located.
The most important terms you should know as you review this Assessment are the following:
- “Customer Data” means the data from our Customers’ Environments that are submitted to the Services or that are otherwise uploaded to the Services.
- “Customer Personal Data” means Customer Data that consists of personal data (e.g., Logs events that include things like an individual’s full name or an IP address).
- “Data Processing Addendum” and “DPA” mean the contract we sign with customers that governs how we process personal data; our current form DPA is here.
- “EEA” means the European Economic Area.
- “GDPR” means Europe’s General Data Protection Regulation.
- “Personal data” means data related to an identified or identifiable natural person (e.g., a full name, an IP address, or a photograph of someone).
- “Services” means the hosted products we provide to our customers.
- “Standard Contractual Clauses” and “SCCs” mean the European Commission-approved contracts used to safeguard personal data when transferred out of the EEA.
- “Subprocessor” means a vendor that processes Customer Personal Data on Datadog’s behalf.
Datadog’s Services include a number of SaaS-based products that can be used to collect, view, manage, and analyze a wide array of data relating to your computing infrastructure and software applications. These include, among other things, our Log Management product, which lets customers search, filter, and analyze their logs; and our Infrastructure Monitoring product, which gives customers visibility of the performance of their IT assets.
Because we offer a number of distinct products within the Services and our customers use these products in unique ways, many different kinds of data may be sent to Datadog for processing. As a result, it’s possible that you may configure and use our Services in a way that results in the collection of personal data, including personal data that is governed by data protection laws like the GDPR.
Transfers of Your Personal Data
Even though we believe that the risk of the U.S. government collecting Customer Personal Data is low, we take the privacy and security of your personal data seriously. To ensure that we meet state of the art practices for privacy and security, we have implemented the following technical, contractual, and organizational measures to protect your personal data.
We know that the global privacy landscape is in constant flux, and that new risks are routinely uncovered. Accordingly, we do not view this as a static Assessment—instead, we are committed to continuously analyzing our policies and practices to ensure that we can process Customer Personal Data in a way that complies with all applicable privacy and data protection laws. We’re always willing to work with you if you have specific concerns not covered in the Assessment above. You can reach out to Datadog’s privacy team at firstname.lastname@example.org.