Please note that this page is for informational purposes only and Datadog customers are responsible for making their own independent assessment of the information presented below. All of Datadog’s obligations and liabilities to our customers are outlined in our agreements, and this page does not form part of, or modify, any agreement between Datadog and our customers. We may update or change this page from time to time. When we do so, we will update the “Current as of” date above.
Overview
In July 2020, the Court of Justice of the European Union issued a decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”), holding that (1) the U.S.-EU Privacy Shield program could no longer be used for data transfers to the United States, and (2) the transfer mechanisms identified in the GDPR — including the European Commission-issued Standard Contractual Clauses (“SCCs”) — could only be used where the laws and practices in the data importer’s country do not impinge on the protections provided by the transfer mechanism.
As a result of the decision, organizations are required to carry out assessments of the laws and practices in the countries they transfer data to. And if you use Datadog as a vendor, that means assessing transfers to Datadog in the U.S. We put together this Data Transfer Impact Assessment to provide you with all the information you need to perform a transfer assessment of Datadog.
Definitions
The most important terms you should know as you review this Assessment are the following:
- “Customer Data” means the data sent from your IT environment to Datadog for processing by the Services (e.g., Logs events).
- “Customer Personal Data” means Customer Data that consists of personal data (e.g., Logs events that include things like an individual’s full name or an IP address).
- “Data Processing Addendum” and “DPA” mean the contract we sign with customers that governs how we process Personal Data; our current form DPA is available here.
- “EEA” means the European Economic Area.
- “GDPR” means Europe’s General Data Protection Regulation.
- “Personal Data” means data related to an identified or identifiable natural person (e.g., a full name, an IP address, or a photograph of someone).
- “Services” means the hosted products we provide to our customers.
- “Standard Contractual Clauses” and “SCCs” mean the European Commission-approved contracts used to safeguard Personal Data when transferred out of the EEA.
- “Subprocessor” means a vendor that processes Customer Personal Data on Datadog’s behalf.
Datadog’s Services
Datadog’s Services include a number of SaaS-based products that can be used to collect, view, manage, and analyze a wide array of data relating to your computing infrastructure and software applications. These include, among other things, our Log Management product, which lets customers search, filter, and analyze their logs; and our Infrastructure Monitoring product, which gives customers visibility of the performance of their IT assets.
Because we offer a number of distinct products within the Services and our customers use these products in unique ways, many different kinds of data may be sent to Datadog for processing. As a result, it’s possible that you may configure and use our Services in a way that results in the collection of Personal Data, including Personal Data that is governed by data protection laws like the GDPR.
Transfers of Your Personal Data
Supplementary Measures
Even though we believe that we are technically out of scope of the laws and practices in the U.S. that caused the Schrems II court to question data transfers to the U.S., we take the privacy and security of your Personal Data seriously. To ensure that we meet state-of-the-art practices for privacy and security, we have implemented the following technical, contractual, and organizational measures to protect your Personal Data.
Reevaluation
We know that the global privacy landscape is in constant flux, and that new risks are routinely uncovered. Accordingly, we do not view this as a static Assessment; instead, we are committed to continuously analyzing our policies and practices in order to ensure that we can process Customer Personal Data in a way that complies with all applicable privacy and data protection laws. We’re always willing to work with you if you have specific concerns not covered in the Assessment above. You can reach out to Datadog’s privacy team at privacy@datadoghq.com.