This is a reference copy of the Datadog EEA Data Processing Addendum, which may be required for some Datadog customers. For a full copy of Datadog’s EEA Data Processing Addendum, including its attached schedules and the Standard Contractual Clauses effective 9/27/2021, please click here.
If you’re ready to sign the Datadog EEA DPA, please reach out to your Datadog CSM or sales representative. If you’re not sure who your CSM or sales representative is, please contact firstname.lastname@example.org.
This DPA supplements the Master Agreement and unless indicated otherwise, applies exclusively to Datadog’s provision of access to the Services under the Master Agreement and Order(s) agreed to between Customer and Datadog. If and to the extent Datadog Processes Customer Personal Data on behalf of a Participating Affiliate, Customer is entering into this DPA on behalf of itself and such Participating Affiliate to the extent required under applicable EU Data Protection Law. For purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include any relevant Participating Affiliate. Each Party will comply with all Applicable Laws with respect to its performance under this DPA, including the GDPR.
Customer Personal Data. The Parties acknowledge and agree that Customer is the Controller and Datadog is the Processor with respect to the Processing of Customer Personal Data, and that this DPA and the Master Agreement constitute Customer’s documented instructions regarding Datadog’s Processing of Customer Personal Data. An overview of the categories of Data Subjects, types of Customer Personal Data being Processed and the nature and purpose of the Processing is provided in Annex 1 to Schedule B. Notwithstanding the foregoing, Datadog will inform Customer promptly if it becomes aware that Customer’s instructions may violate applicable EU Data Protection Law.
Account Data. The Parties acknowledge and agree that Customer and Datadog are independent Controllers with respect to the Processing of Account Data, and each Party will comply with its obligations as a Controller and agrees to provide reasonable assistance as is necessary: (a) to each other to enable each Party to comply with any Data Subject access requests and to respond to any other queries or complaints from Data Subjects in accordance with the EU Data Protection Law; and (b) to each other to facilitate the handling of any Personal Data Breach as required under EU Data Protection Law.
Customer Responsibilities and Restrictions
Without limiting its responsibilities under the Master Agreement, Customer is solely responsible for ensuring that no special categories of Personal Data (GDPR Article 9) or Personal Data relating to criminal convictions and offenses (GDPR Article 10) are submitted for Processing by the Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly, enable any person or entity other than Authorized Users to access and use the Services or use (or permit others to use) the Services other than as described in the applicable Order, Documentation, AUP, Master Agreement and this DPA, or for any unlawful purpose.
Unless earlier terminated as provided herein, the term of this DPA will continue through the expiration or earlier termination of the last applicable Order to be in effect.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Datadog shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk (including those outlined in Annex II of Schedule A for Account Data, and those outlined in Annex II or Schedule B for Customer Personal Data (together, “Security Measures”). In assessing the appropriate level of security, Datadog shall take into account the risks that are presented by Processing Customer Personal Data including, in particular, the risks presented by a Customer Personal Data Breach (as defined in Section 9). Datadog may make such changes to the Security Measures as Datadog deems necessary or appropriate from time to time, including without limitation to comply with Applicable Law, but no such changes will reduce the overall level of protection for Customer Personal Data. Datadog will take appropriate steps to ensure compliance with the Security Measures by its employees, agents, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreed to appropriate obligations of confidentiality.
Customer authorizes Datadog’s use of Datadog’s Affiliates as Subprocessors and both Datadog’s and its Affiliates’ use of third-party Subprocessors in connection with the provision of Services. As a condition to permitting a Subprocessor to Process Customer Personal Data, Datadog or a Datadog Affiliate will enter into a written agreement with the Subprocessor containing data protection obligations no less protective than those in this DPA with respect to Customer Personal Data. Datadog will restrict its Subprocessors’ access to only what is necessary to maintain the Services or to provide the Services to Customer and Authorized Users. Subject to this Section 6, Datadog reserves the right to engage and substitute Subprocessors as it deems appropriate, but shall: (a) remain responsible to Customer for the provision of the Services and (b) be liable for the actions and omissions of its Subprocessors undertaken in connection with Datadog’s performance of this DPA to the same extent Datadog would be liable if performing the Services directly.
Datadog’s current Subprocessors are listed in the Subprocessor List. Upon execution of this DPA, Datadog will subscribe Customer’s email address listed on the signature page of this DPA to notifications of Datadog’s use of new Subprocessors (“Change Notices”). Datadog will send a Change Notice before a new Subprocessor Processes any Customer Personal Data. Customer may object to any new Subprocessor on reasonable grounds relating to the protection of the Customer Personal Data, in which case Datadog shall have the right to satisfy the objection through one of the following:
- (a) Datadog will cancel its plans to use the Subprocessor with regard to Customer Personal Data or will offer an alternative to provide the Services without such Subprocessor;
- (b) Datadog will take the corrective steps requested by Customer in its Objection Notice (which remove Customer’s objection) and proceed to use the Subprocessor with regard to Customer Personal Data; or
- (c) Datadog may cease to provide, or Customer may agree not to use (temporarily or permanently), the particular aspect of the Services that would involve the use of such Subprocessor with regard to Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope.
All objections under Section 6.2 must be submitted by email to Datadog at email@example.com within 14 days of the Change Notice (each, an “Objection Notice”). If none of the options outlined in Clause (a), (b) or (c) of Section 6.2 are reasonably available and Customer’s objection has not been resolved to the Parties’ mutual satisfaction within 30 days of Datadog’s receipt of the Objection Notice, either Party may terminate the affected Order and Datadog will refund to Customer a pro rata share of any unused amounts prepaid by Customer under the applicable Order for the Services on the basis of the remaining portion of the current terms of the Order.
If the Customer does not provide a timely Objection Notice with respect to a new Subprocessor, Customer will be deemed to have authorized Datadog to use of the Subprocessor and to have waived its right to object. Datadog may use a new or replacement Subprocessor while the objection procedures under this Section 6 are in process.
Data Subject Rights
If Datadog receives a request from a Data Subject in relation to Customer Personal Data then, to the extent legally permissible, Datadog will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Customer hereby agrees that Datadog may confirm to a Data Subject that his or her requests relates to Customer. To the extent Customer is unable through its use of the Services to address a particular Data Subject request, Datadog will, upon Customer’s request and taking into account the nature of Customer Personal Data Processed, provide reasonable assistance in addressing the Data Subject request (provided Datadog is legally permitted to do so and that the Data Subject request was made in accordance with EU Data Protection Law). To the extent permitted by Applicable Law, Customer shall be responsible for any costs arising from Datadog’s provision of such assistance.
Deletion Upon Expiration
Commencing 30 days after the effective date of termination of the Master Agreement, Datadog will initiate a process upon Customer’s written request that deletes Customer Personal Data retained in production within 90 days and in backups within 180 days. Any Customer Personal Data archived in backups will be isolated and protected from any further Processing, except as otherwise required by Applicable Law. Notwithstanding the foregoing, to the extent Datadog is required by Applicable Law to retain some or all Customer Personal Data, Datadog will not be obligated to delete the retained Customer Personal Data, but this DPA will continue to apply to the retained Customer Personal Data. Customer acknowledges that it is responsible for exporting any Customer Data that Customer wants to retain prior to expiration of the referenced 30-day period pursuant to the Master Agreement.
Customer Personal Data Breach Management
Datadog will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach with respect to Customer Personal Data transmitted, stored or otherwise Processed by Datadog or its Subprocessors (a “Customer Personal Data Breach”). Such notice may be provided (1) by posting a notice in the Services; (2) by sending an email to the email address from which a Change Notice subscription request was made; (3) by sending an email to the email address for Customer listed on the signature page to this DPA; and/or (4) pursuant to the notice provisions of the Master Agreement. Customer shall ensure that its contact information is current and accurate at all times during the terms of this DPA. Datadog will promptly take all actions relating to its Security Measures (and those of its Subprocessors) that it deems necessary and advisable to identify and remediate the cause of a Customer Personal Data Breach. In addition, Datadog will promptly provide Customer with: (i) reasonable cooperation and assistance with regard to the Customer Personal Data Breach, (ii) reasonable information in Datadog’s possession concerning the Customer Personal Data Breach insofar as it affects Customer, including remediation efforts and any notification to Supervisory Authorities and, (iii) to the extent known: (a) the possible cause of the Customer Personal Data Breach; (b) the categories of Customer Personal Data involved; and (c) the possible consequences to Data Subjects. Datadog’s notification of or response to a Customer Personal Data Breach under this Section will not constitute an acknowledgment of fault or liability with respect to the Customer Personal Data Breach, and the obligations herein shall not apply to Personal Data Breaches that are caused by Customer, Authorized Users or providers of Customer Components. If Customer decides to notify a Supervisory Authority, Data Subjects or the public of a Customer Personal Data Breach, Customer will provide Datadog with advance copies of the proposed notices and, subject to Applicable Law (including any mandated deadlines under EU Data Protection Law), allow Datadog an opportunity to provide any clarifications or corrections to those notices. Subject to Applicable Law, Datadog will not reference Customer in any public filings, notices or press releases associated with the Customer Personal Data Breach without Customer’s prior consent.
Compliance and Reviews
As of the date of this DPA, Datadog participates in the Cloud Security Alliance STAR self-assessment program and has completed the associated Consensus Assessments Initiative Questionnaire (CAIQ), currently available at https://cloudsecurityalliance.org/star/registry/datadog/. Subject to the confidentiality obligations of the Master Agreement, Datadog will additionally make available to Customer upon request such other attestations, certifications, reports or extracts thereof from external auditors or organizations as Datadog may possess from time to time to assist Customer in assessing Datadog’s compliance with the terms of this DPA.
Where required by EU Data Protection Law, Datadog will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to conduct an audit of Datadog’s procedures relevant to the protection of Customer Personal Data to verify Datadog’s compliance with its obligations under this DPA. In such case:
- (a) Customer shall: (i) provide Datadog at least 30 days’ prior written notice of any proposed audit; (ii) undertake an audit no more than once in any 12-month period, except where required by a competent Supervisory Authority or where an audit is required due to a Customer Personal Data Breach; and (iii) conduct any audit in a manner designed to minimize disruption of Datadog’s normal business operations. To that end and before the commencement of any such audit, Customer and Datadog shall mutually agree upon the audit’s participants, schedule and scope, which shall in no event permit Customer or its third-party auditor to access the Services’ hosting sites, underlying systems or infrastructure.
- (b) Customer shall reimburse Datadog for its time expended in connection with an audit at Datadog’s then-current professional service rates, which shall be made available to Customer upon request and shall be reasonable taking into account the time and effort required by Datadog.
- (c) Representatives of Customer performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the Master Agreement, may be required to execute an enhanced mutually agreeable nondisclosure agreement and shall abide by Datadog’s security policies while on Datadog’s premises. Upon completion of an audit, Customer agrees to promptly furnish to Datadog any written audit report or, if no written report is prepared, to promptly notify Datadog of any non-compliance discovered during the course of the audit.
Impact Assessment and Additional Information
Datadog will provide Customer with reasonable cooperation, information and assistance as needed to fulfill Customer’s obligation under EU Data Protection Law, including as needed to carry out a data protection impact assessment related to Customer’s use of the Services (in each case to the extent Customer does not otherwise have access to the relevant information, and such information is in Datadog’s control). Without limiting the foregoing, Datadog shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section to the extent required by EU Data Protection Law.
The Standard Contractual Clauses – Controller to Controller (Schedule A) and the Standard Contractual Clauses – Controller to Processor (Schedule B) will apply, respectively, to Account Data and Customer Personal Data when transferred outside of the EEA to any country not recognized by the European Commission as providing an adequate level of data protection. Subject to Applicable Law, the Parties agree that the audits described in Clause 8.9 of Schedule B shall be carried out as set forth in Section 10 above, and that Datadog’s use of subprocessors under Clause 9 of Schedule B shall be carried out as set forth in Section 6 above.
Limitation of Liability
Each Party’s (and each of its Affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the Standard Contractual Clauses, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Master Agreement.
Terms such as “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Personal Data Breach”, and “Supervisory Authority” that are defined in Article 4 of the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC (“GDPR”) shall have the meanings assigned to them in such Article.
Other capitalized terms not otherwise defined in this DPA shall have the respective meanings assigned to them in this Section.
- “Account Data” means information about Customer that Customer provides to Datadog in connection with the creation or administration of its Datadog accounts, such as first and last name, user name and email address of an Authorized User or Customer’s billing contact. Customer shall ensure that all Account Data is current and accurate at all times during the term of the applicable Order.
- “Adequacy” means where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection.
- “Affiliate” means, unless otherwise defined in the Master Agreement, a business entity that directly or indirectly controls, is controlled by or is under common control with, such Party; “control” means the direct or indirect ownership of more than 50% of the voting securities of a business entity.
- “Applicable Laws” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this DPA, including applicable EU Data Protection Law.
- “AUP” means Datadog’s standard Acceptable Use Policy, currently available at https://www.datadoghq.com/legal/acceptable-use/.
- “Authorized User” means an individual employee, agent or contractor of Customer or a Participating Affiliate for whom subscriptions to Services have been purchased pursuant to the terms of the Master Agreement and applicable Order, and who have been supplied user credentials for the Services by Customer or the Participating Affiliate (or by Datadog at Customer’s or a Participating Affiliate’s request).
- “Customer Component” means each individual component of Customer’s Environment.
- “Customer Credentials” means access passwords, keys, tokens or other credentials used by Customer in connection with the Services.
- “Customer Data” means data from Customer’s Environment that are submitted for Processing by the Services. Through Customer’s configuration and use of the Services, Customer has control over the types and amounts of Customer Data.
- “Customer’s Environment” means, exclusive of Services, the systems, platforms, services, software, devices, sites and/or networks that Customer uses in its own internal business operations.
- “Customer Personal Data” means Customer Data comprising Personal Data of Data Subjects located in the EEA.
- “Documentation” means Datadog’s standard user documentation for the Services, currently available at https://docs.datadoghq.com/.
- “EEA” means the European Economic Area, which constitutes the member states of the European Union (“EU”) and Norway, Iceland and Liechtenstein, as well as for purposes of this DPA, the United Kingdom.
- “EU Data Protection Law” means the GDPR, and shall include the data protection or privacy laws of the United Kingdom in place after its withdrawal from the EU.
- “Order” means a separate order for Services pursuant to the Master Agreement: (a) completed and submitted by Customer online at the Datadog site and accepted by Datadog or (b) executed by Datadog and Customer.
- “Participating Affiliate” means an Affiliate of Customer that: (a) has not entered into an Order or other separate agreement directly with Datadog and (b) Customer has authorized to access and use the Services under an existing Order between Datadog and Customer.
- “Party” means each of Datadog and Customer.
- “Services” means the hosted services to which Customer subscribes through, or otherwise uses following, an Order that are made available by Datadog online via the applicable login page (currently https://app.datadoghq.com/) and other web pages designated by Datadog. Subject to the terms of an Order, the Services will support Customer’s collection, monitoring, management and analysis of Customer Data. For purposes of this DPA, the term Services does not include alpha, beta or other pre-commercial releases of a Datadog product or service (or feature of functionality of a Service).
- “Standard Contractual Clauses” means the agreements executed by and between Datadog and Customer and attached to this DPA as Schedule A and Schedule B pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
- “Subprocessor” means any Processor engaged by Datadog or a Datadog Affiliate to Process Customer Personal Data on Datadog’s or its Affiliate’s behalf in the course of providing the Services.
- “Subprocessor List” means the list of Subprocessors available at https://www.datadoghq.com/subprocessors/.
This DPA, including the attached Standard Contractual Clauses, may be executed in counterparts, each of which shall be deemed an original, but all of which together shall be deemed to be one and the same agreement. Delivery of an executed counterpart of a signature page to this DPA by fax or by email of a scanned copy, or execution and delivery through an electronic signature service (such as DocuSign), shall be effective as delivery of an original executed counterpart of this DPA.