Datadog’s Data Transfer Impact Assessment | Datadog
Back to Datadog Legal

Datadog’s Data Transfer Impact Assessment

Current as of
Datadog’s Data Transfer Impact Assessment

Please note that this page is for informational purposes only and Datadog customers are responsible for making their own independent assessment of the information presented below. All of Datadog’s obligations and liabilities to our customers are outlined in our agreements, and this page does not form part of, or modify, any agreement between Datadog and our customers. We may update or change this page from time to time. When we do so, we will update the “Current as of” date above.

  1. Overview

    In July 2020, the Court of Justice of the European Union issued a decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”), holding that (1) the U.S.-EU Privacy Shield program could no longer be used for data transfers to the United States, and (2) the transfer mechanisms identified in the GDPR — including the European Commission-issued Standard Contractual Clauses (“SCCs”) — could only be used where the laws and practices in the data importer’s country do not impinge on the protections provided by the transfer mechanism.

    As a result of the decision, organizations are required to carry out assessments of the laws and practices in the countries they transfer data to. And if you use Datadog as a vendor, that means assessing transfers to Datadog in the U.S. We put together this Data Transfer Impact Assessment to provide you with all the information you need to perform a transfer assessment of Datadog.

  2. Definitions

    The most important terms you should know as you review this Assessment are the following:

    • “Customer Data” means the data sent from your IT environment to Datadog for processing by the Services (e.g., Logs events).
    • “Customer Personal Data” means Customer Data that consists of personal data (e.g., Logs events that include things like an individual’s full name or an IP address).
    • “Data Processing Addendum” and “DPA” mean the contract we sign with customers that governs how we process Personal Data; our current form DPA is available here.
    • “EEA” means the European Economic Area.
    • “GDPR” means Europe’s General Data Protection Regulation.
    • “Personal Data” means data related to an identified or identifiable natural person (e.g., a full name, an IP address, or a photograph of someone).
    • “Services” means the hosted products we provide to our customers.
    • “Standard Contractual Clauses” and “SCCs” mean the European Commission-approved contracts used to safeguard Personal Data when transferred out of the EEA.
    • “Subprocessor” means a vendor that processes Customer Personal Data on Datadog’s behalf.

  3. Datadog’s Services

    Datadog’s Services include a number of SaaS-based products that can be used to collect, view, manage, and analyze a wide array of data relating to your computing infrastructure and software applications. These include, among other things, our Log Management product, which lets customers search, filter, and analyze their logs; and our Infrastructure Monitoring product, which gives customers visibility of the performance of their IT assets.

    Because we offer a number of distinct products within the Services and our customers use these products in unique ways, many different kinds of data may be sent to Datadog for processing. As a result, it’s possible that you may configure and use our Services in a way that results in the collection of Personal Data, including Personal Data that is governed by data protection laws like the GDPR.

  4. Transfers of Your Personal Data

    1. Transfer Mechanisms in General

      The GDPR prohibits the transfer of Personal Data outside of the EEA unless the transfer is made using an approved transfer mechanism: (1) the transfer is made to a country that the European Commission has determined provides an adequate level of data protection; (2) the transfer is subject to appropriate safeguards; or (3) the transfer is made in accordance with specific derogations.

      First, an organization may transfer Personal Data out of the EEA when the transfer is to a country that the European Commission has determined provides an adequate level of data protection. The European Commission maintains a list of the countries that have been deemed adequate. While the U.S. used to be on the list (scoped to the organizations who were part of the Privacy Shield program), that decision was revoked as a result of the Schrems II decision.

      Second, an organization may transfer Personal Data out of the EEA when the transfer is subject to appropriate safeguards under Article 46 of the GDPR. There are a few specific mechanisms that provide appropriate safeguards, the most popular of which is the European Commission-approved Standard Contractual Clauses — a form contract signed by the data exporter and the data importer.

      Third, an organization may transfer Personal Data out of the EEA in specific (and limited) cases, including where the data subject (whose Personal Data will be transferred) has explicitly consented to the transfer. More information about these derogations is available in Article 49 of the GDPR.

    2. Transfers to Datadog

      When you create a Datadog account, you choose where your Customer Data is hosted. As of the date of this Assessment, you may choose between multiple hosting options in the U.S. and the EU. When you select a hosting region, we commit not to host your Customer Data anywhere else.

      In order to ensure that all transfers of Personal Data to Datadog are made under a GDPR-compliant transfer mechanism, we will sign a Data Processing Addendum with you that incorporates the European Commission-approved Standard Contractual Clauses.

      If you haven’t yet signed a DPA with us and believe that you need one, you can request a copy from your customer success manager or sales representative, as outlined in the link above.

    3. Datadog’s Onward Transfers

      In order to provide our best-in-class Services, including 24/7 support, we may disclose your Customer Data to certain of our affiliates and trusted vendors (our Subprocessors). These onward transfers are only made as necessary to deliver our Services as outlined in our agreements with you.

      A full list of our current Subprocessors is maintained on our Subprocessors List. In our Subprocessors List, we identify for each Subprocessor the specific service that they provide to us, such as infrastructure provision by our cloud services providers or support ticketing systems, and each Subprocessor’s location.

      Before we engage a new Subprocessor, we subject it to a rigorous vendor-review and -onboarding process to ensure that we can safely provide it with the Customer Personal Data we receive from our customers. This includes reviewing each vendor’s security and privacy practices to ensure that they meet our strict requirements, as well as requiring them to sign a DPA with us that (1) provides protections for Customer Personal Data at least as protective as those in our DPA with you, and (2) includes the SCCs for any onward transfers of Customer Personal Data. After we vet a new Subprocessor and feel confident that Customer Personal Data will be fully protected when shared with the Subprocessor, we send a notice to each of our customers who has signed a DPA so that it has an opportunity to review the new Subprocessor. You can subscribe to our notifications of new Subprocessors by completing the form on our Subprocessors List.

    4. Analysis of the Transfer Mechanisms

      Once your transfer mechanism has been determined, you need to assess your transfers under the guidelines provided by the Court of Justice of the European Union and the European Data Protection Board. According to the European Data Protection Board, you must assess whether “there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.” To assist you with this assessment, we’ve provided information below related to the laws and practices in the U.S., with an emphasis on those that were of concern to the Schrems II court.

      • FISA 702

        Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”) permits a specific U.S. court to authorize the federal government to issue orders to certain types of companies in the U.S. These orders usually require companies to disclose the communications they have of certain individuals located outside of the U.S. Under FISA, these orders may only be issued to “electronic communication service providers,” which includes providers of “electronic communication service[s]” and providers of “remote computing service[s].”

        We have analyzed the scope of FISA 702, and we do not believe that we are subject to government orders for communications under the statute. Specifically, based on the Services that we provide to our customers, it is our opinion that we do not constitute a provider of “electronic communication service[s],” a provider of “remote computing service[s],” or an entity that would otherwise be considered an “electronic communication service provider” that is subject to orders under FISA 702. As a result, we don’t believe that we would ever be in scope to receive an order under FISA 702.

      • Executive Order 12333

        Executive Order (“EO”) 12333 applies to U.S. government intelligence activities, and outlines how different U.S. intelligence agencies are responsible for certain intelligence and counterintelligence operations, including how they can collect the communications of non-U.S. individuals. According to the U.S. government, any disclosure requirement directed at companies under EO 12333 must be “authorized by statute and must be targeted at specific persons or identifiers.” Moreover, “bulk collection is expressly prohibited.”

        We do not believe that EO 12333 introduces a substantial risk to our customers with respect to their use of the Services. As a general matter, the kinds of data that our customers send to us as part of their use of the Services would not constitute the types of communications that are relevant for the U.S. government during intelligence and counterintelligence operations — compare, for example, the content of an individual’s emails with the logged events of when the individual logged into her email service provider’s website (this being the type of data that could be sent to Datadog); while intelligence agencies might be interested in collecting the former, it is unlikely that they would collect the latter under EO 12333. Moreover, because we encrypt data when in transit across public networks, we believe we are at little risk of having any customer Personal Data in the clear intercepted under EO 12333.

      • Government Access Requests in General

        Taken together, we think it is highly unlikely that any of the features of U.S. law that the Schrems II court was worried about would apply to Datadog’s processing of your Personal Data as part of our provision of the Services.

        Moreover, if we ever were to receive any kind of request from a governmental body requesting the Personal Data you have submitted to our Services, to the extent permitted by applicable laws, we would (1) attempt to fight or quash the request by raising nonfrivolous objections; (2) provide you with reasonable notice of the request so that you have the opportunity to seek a protective order or other appropriate remedy; (3) attempt to redirect the governmental body to request the information from you directly; and (4) if ultimately required to disclose your Personal Data to the government, limit the disclosure to the minimum amount of data legally necessary to comply with the request.

  5. Supplementary Measures

    Even though we believe that we are technically out of scope of the laws and practices in the U.S. that caused the Schrems II court to question data transfers to the U.S., we take the privacy and security of your Personal Data seriously. In order to ensure that we meet state of the art practices for privacy and security, we have implemented the following technical, contractual, and organizational measures in order to protect your Personal Data.

    1. Technical Measures

      We have implemented the following technical measures to safeguard all Personal Data you transfer to us.

      • Hosting locations. You can choose between multiple hosting locations for your Personal Data. Today, you can choose between having your data hosted in the U.S. or the EU. While your data may leave your hosting region in some cases (for example, if you open a support request and one of our support engineers needs to access your data in order to help you), we ensure that your data – including backups – is never stored in a separate region.

      • Encryption. All Personal Data you send to us is encrypted in transit using Transport Layer Security (TLS) with HTTP Strict Transport Security (HSTS) by default, and can be configured by our customers to use TLS 1.2 where supported. Moreover, all Personal Data, including data stored in backups, is encrypted at rest with FIPS 140-2-compliant encryption standards, as well as FIPS 140-2-approved cryptographic devices for the generation, storage, and revocation of encryption keys.

      • Data retention. We rely on the principle of storage minimization to ensure that your Personal Data is not retained for longer than is necessary for your purposes. For more information on our default retention periods, please refer to our Data Collection, Resolution, and Retention page.

    2. Contractual Measures

      We have implemented the following contractual measures to safeguard all Personal Data you transfer to us.

      • DPAs. We sign DPAs, which include the SCCs as a transfer mechanism, with every customer who needs one, and every Subprocessor to whom we may transfer your Customer Personal Data. Our DPAs with Subprocessors provide at least the same level of data protection as our DPA with you does, and they always include the SCCs as a transfer mechanism.

    3. Organizational Measures

      We have implemented the following organizational measures to safeguard all Personal Data you transfer to us.

      • Subprocessor onboarding. Prior to onboarding a new Subprocessor, we conduct a comprehensive vendor assessment, which includes a review of the Subprocessor’s security and privacy practices. Moreover, we require annual audit documentation from our Subprocessors to demonstrate compliance with the security terms of its data processing agreement.

      • Government requests. As outlined above, we have not received any disclosure requests from the U.S. government, including requests for access under FISA 702, in connection with Customer Personal Data. Should we ever receive such a request, we will review the legality of government access requests and challenge such requests where they are considered to be unlawful.

      • Incident response and business continuity planning. We have a robust vulnerability management program in place to stay ahead of security incidents. We use many tools and tactics to discover security vulnerabilities, including a private bug bounty program, infrastructure scans, internal security testing, and annual third-party pen tests. We also have a detailed incident response plan and dedicated incident response team that guides our investigation and mitigation of any identified or potential breach. Moreover, we have a thorough business continuity plan designed so that our teams work diligently to recover operations in a timely manner, if needed.

      • Dedicated privacy team. We have a dedicated Legal Privacy team that specializes in privacy and data-protection issues. They stay up to date on all privacy regulations and requirements that apply to us, ensuring that your regulatory requirements with respect to Datadog are always met.

      • Recurring audits. We conduct a series of annual audits, including ISO 27001 and SOC 2 Type 2 audits, to ensure compliance with our technical and organizational measures, and we make our relevant audit reports available to you.

      • Confidentiality obligations. All of our employees are required to sign confidentiality agreements, where local law allows. In addition, all of our Subprocessors who handle Customer Personal Data are required to adhere to confidentiality terms.

      • Access controls. We enforce strict access controls to ensure that the only people who have access to Customer Personal Data are those that absolutely need it to perform their job functions. To further ensure that this is the case, we log all access to Customer Data.

      • Employee training. We provide privacy and security training to all of our employees when they join the company, and yearly thereafter. As a result, our employees are always kept up to date on security and privacy best practices.

      • Privacy by design. In order to ensure that all of our Services are built with privacy in mind, we make sure that data protection reviews and considerations are explicitly included in the product design life cycle. This has led to the inclusion of a number of customer-facing privacy features in our products (including Logs, APM, and RUM), as well as a stronger, privacy-focused culture on our product and engineering teams.

  6. Reevaluation

    We know that the global privacy landscape is in constant flux, and that new risks are routinely uncovered. Accordingly, we do not view this as a static Assessment — instead, we are committed to continuously analyzing our policies and practices in order to ensure that we can process Customer Personal Data in a way that complies with all applicable privacy and data protection laws. We’re always willing to work with you if you have specific concerns not covered in the Assessment above. You can reach out to Datadog’s privacy team, at privacy@datadoghq.com.