This is a reference copy of the Datadog’s Data Processing Addendum (DPA), which may be required for some Datadog customers. To sign the DPA, please reach out to your Datadog CSM or sales representative. If you’re not sure who your CSM or sales representative is, please contact firstname.lastname@example.org.
This DPA applies exclusively to Datadog’s Processing of Personal Data in providing the Services under the Agreement to Customer and its Participating Affiliates. If Datadog Processes Personal Data on behalf of a Participating Affiliate, Customer is entering into this DPA on behalf of itself and such Participating Affiliate to the extent required under Applicable Laws. For purposes of this DPA, “Customer” includes relevant Participating Affiliates. Each Party must comply with all Data Protection Laws applicable to its performance under this DPA.
Roles of the Parties
Customer Personal Data. The Parties agree that Datadog is a Processor with respect to the Processing of Customer Personal Data. Customer instructs Datadog to Process Customer Personal Data to provide the Services as documented in the Agreement, Orders, and this DPA (“Documented Instructions”). Datadog agrees to Process Customer Personal Data only in accordance with the Documented Instructions and Data Protection Laws. The categories of Data Subjects, Customer Personal Data being Processed, and the nature and purpose of the Processing are provided in Schedule A to this DPA. Datadog will promptly inform Customer if it becomes aware that the Documented Instructions violate Data Protection Laws.
Account Data. The Parties agree that Customer and Datadog are independent Controllers with respect to the Processing of Account Data, and each Party will comply with its obligations as a Controller and agrees to provide reasonable assistance to the other Party when required by Data Protection Laws.
Customer Responsibilities and Restrictions
Without limiting its responsibilities under the Agreement, Customer is responsible for ensuring that no special categories of Personal Data (under GDPR Article 9), Personal Data relating to criminal convictions and offenses (under GDPR Article 10), or similarly sensitive Personal Data (defined in Data Protection Laws) are submitted to Datadog for Processing. Further, no provision of this DPA includes the right to, and Customer may not, directly or indirectly, enable any person or entity other than Authorized Users to access or use the Services, or use (or permit others to use) the Services other than as described in the applicable Order, Documentation, AUP, Agreement, and this DPA, or for any unlawful purpose.
Unless terminated as provided below, this DPA continues in force until the termination of the Agreement.
Security and Confidentiality
In order to ensure an appropriate level of security with respect to Datadog’s Processing of Customer Personal Data and Account Data, and taking into account the state of the art; the costs of implementation; the nature, scope, context, and purposes of Processing; and the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Datadog will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those outlined in Schedule B to this DPA (the “Security Measures”). Customer acknowledges that Datadog may make changes to the Security Measures as Datadog deems necessary or appropriate, including to comply with Data Protection Laws, but that no such changes will reduce the overall level of protection for Customer Personal Data or Account Data. Datadog will take appropriate steps to ensure compliance with the Security Measures by its employees, agents, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreed to appropriate confidentiality obligations.
Authorization. Customer generally authorizes Datadog to engage Subprocessors in accordance with this Section 6, and approves Datadog’s use of the Subprocessors listed in the Subprocessors List.
Subprocessor Requirements. Datadog will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this DPA. Datadog will be liable for the actions and omissions of its Subprocessors undertaken in connection with Datadog’s performance under this DPA to the same extent Datadog would be liable if performing the Services directly.
Changes to the Subprocessors List. At least 30 days before Datadog appoints a new Subprocessor, it will update the Subprocessors List. Datadog will provide Customer with a mechanism to receive a notification of the update (a “Change Notice”), which today is available through the Subprocessors List. Customer may object to the new Subprocessor on reasonable grounds relating to the protection of Customer Personal Data by sending an email to email@example.com within 15 days of a Change Notice (an “Objection Notice”), in which case Datadog may satisfy the objection through one of the following:
- (a) Datadog will cancel its plans to use the Subprocessor to Process Customer Personal Data or will offer an alternative to provide the Services without the Subprocessor;
- (b) Datadog will take the corrective steps requested by Customer in its Objection Notice and proceed to use the Subprocessor regarding Customer Personal Data; or
- (c) Datadog will cease to provide, or Customer may agree not to use (temporarily or permanently), the aspect of the Services that would involve the Subprocessor Processing Customer Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope.
If none of the options outlined above are reasonably available and Customer’s objection has not been resolved to the Parties’ mutual satisfaction within 15 days of Datadog’s receipt of the Objection Notice, either Party may terminate the affected Order and Datadog will refund to Customer a pro rata share of any unused amounts prepaid by Customer under the applicable Order for the Services on the basis of the remaining portion of the current terms of the Order. If the Customer does not provide a timely Objection Notice with respect to a new Subprocessor, Customer will be deemed to have authorized Datadog’s use of the Subprocessor and to have waived its right to object.
Data Subject Requests
If Datadog receives a request from a Data Subject that relates to Customer Personal Data and identifies Customer (a “Data Subject Request”), Datadog will (a) advise the Data Subject to submit the Data Subject Request to Customer, and (b) promptly notify Customer of the Data Subject Request. Where required by Data Protection Laws, to the extent Customer is unable through its use of the Services to address a particular Data Subject Request, Datadog will, upon Customer’s request and taking into account the nature of Customer Personal Data Processed, provide reasonable assistance to Customer in fulfilling the Data Subject Request. To the extent permitted by Applicable Law, Customer will be responsible for any costs arising from Datadog’s assistance.
Deletion Upon Expiration
Commencing 30 days after the effective date of termination of the Agreement, Datadog will initiate a process upon Customer’s written request that deletes Customer Personal Data retained in production within 90 days and in backups within 180 days. Any Customer Personal Data archived in backups will be isolated and protected from any further Processing, except as otherwise required by Applicable Laws. Notwithstanding the foregoing, to the extent Datadog is required by Applicable Laws to retain some or all Customer Personal Data, Datadog will not be obligated to delete the retained Customer Personal Data, but this DPA will continue to apply to the retained Customer Personal Data. Customer acknowledges that it is responsible for exporting any Customer Data that Customer wants to retain prior to expiration of the referenced 30-day period pursuant to the Agreement.
Personal Data Breaches
Breach Notification. Datadog will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach (1) by sending an email to the email address for Customer listed on the signature page of this DPA; or (2) pursuant to the notice provisions of the Agreement. Customer is responsible for ensuring that its contact information is current and accurate at all times during the terms of this DPA. Datadog’s notification to Customer will describe (a) the nature of the Personal Data Breach, including, if known, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the measures Datadog has taken, or plans to take, to respond to and mitigate the Personal Data Breach; (c) any measures Datadog recommends that Customer take to address the Personal Data Breach; and (d) information related to Datadog’s point of contact with respect to the Personal Data Breach. If Datadog cannot provide all the information above in the initial notification, Datadog will provide the information to Customer as soon as it is available.
Breach Response. Datadog will promptly take all actions relating to its Security Measures that it deems necessary and advisable to identify and remediate the cause of a Personal Data Breach.
General. Datadog’s notification of or response to a Personal Data Breach will not constitute an acknowledgment of fault or liability with respect to the Personal Data Breach. The obligations in this Section 9 do not apply to Personal Data Breaches that are caused by Customer, Authorized Users, or providers of Customer Components. Except as may otherwise be required by Applicable Law (including any mandated deadlines under Data Protection Laws), if Customer decides to notify a Supervisory Authority, Data Subjects, or the public of a Personal Data Breach, Customer will make reasonable efforts to provide Datadog with advance copies of the notice(s) and allow Datadog an opportunity to provide any clarifications or corrections to them.
Datadog’s Audit Reports. To help Customer assess Datadog’s compliance with the terms of this DPA, on Customer’s request, and subject to the confidentiality provisions of the Agreement, Datadog will make available to Customer copies of, or extracts from, Datadog’s audit reports related to the security of the Services, including, for example, its ISO 27001 certification, SOC 2 Type 2 report, and Consensus Assessments Initiative Questionnaire (CAIQ).
Customer’s Audit Rights. Datadog will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to verify Datadog’s compliance with the terms of this DPA if such an audit is required by Data Protection Laws and Datadog’s compliance cannot be demonstrated by means that are less burdensome on Datadog (including under Section 10.1). Customer may only perform an audit under this section as follows:
- (a) Customer must provide Datadog at least 30 days’ prior written notice of a proposed audit unless otherwise required by a competent supervisory authority or Data Protection Laws;
- (b) Customer may not perform more than one audit in any 12-month period, except where required by a competent supervisory authority;
- (c) Customer and Datadog must mutually agree on the audit’s participants, schedule, scope, and methodology of the audit in advance, in order to minimize the disruption to Datadog’s normal business operations;
- (d) Customer must reimburse Datadog for its time expended in connection with an audit at Datadog’s reasonable professional service rates, which will be made available to Customer on request;
- (e) Customer must ensure that its representatives performing an audit protect the confidentiality of all information obtained through the audit in accordance with the Agreement, execute an enhanced mutually agreeable nondisclosure agreement if requested by Datadog, and abide by Datadog’s security policies while on Datadog’s premises; and
- (f) Customer must promptly disclose to Datadog any written audit report created, and any findings of noncompliance discovered, as a result of the audit.
Impact Assessments and Prior Consultation
Taking into account the nature of the Processing and the information available to Datadog, Datadog will, when required by Data Protection Laws, assist Customer with its obligations related to data protection impact assessments (where related to the Services, and only to the extent that Customer does not otherwise have access to the relevant information) and prior consultation with supervisory authorities, including by providing the information outlined in Section 10.1 above.
To protect transfers of Personal Data out of the EEA, Switzerland, and the UK, the Parties agree to enter into the SCCs and the UK Transfer Addendum as described below.
Transfers from the EEA. Where a Restricted Transfer is made from the EEA, the SCCs are incorporated into this DPA and apply to the transfer as follows:
- (a) with respect to Restricted Transfers from Customer to Datadog, Module One applies where both Customer and Datadog are Controllers, Module Two applies where Customer is a Controller and Datadog is a Processor, and Module Three applies where both Customer and Datadog are Processors;
- (b) in Clause 7, the optional docking clause does not apply;
- (c) in Clause 9(a) of Modules Two and Three, Option 2 applies, and the period for prior notice of subprocessor changes is set forth in Section 6 of this DPA;
- (d) in Clause 11(a), the optional language does not apply;
- (e) in Clause 17, Option 1 applies with the governing law being that of Ireland;
- (f) in Clause 18(b), disputes will be resolved before the courts in Dublin, Ireland;
- (g) Annex I of the SCCs is completed with the information in Schedule A to this DPA;
- (h) Annex II of the SCCs is completed with the information in Schedule B to this DPA; and (i) Annex III of the SCCs is completed with the information in the Subprocessors List.
Transfers from Switzerland. Where a Restricted Transfer is made from Switzerland, the SCCs are incorporated into this DPA and apply to the transfer as modified in Section 12.1, except that:
- (a) in Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner if the Restricted Transfer is governed by the Swiss Federal Act on Data Protection;
- (b) references to “Member State” in the SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland; and
- (c) references to the “General Data Protection Regulation,” “Regulation 2016/679,” and “GDPR” in the SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).
Transfers from the UK. Where a Restricted Transfer is made from the UK, the UK Transfer Addendum is incorporated into this DPA and applies to the transfer. The UK Transfer Addendum is completed with the information in Section 12.1, the Subprocessors List, and Schedules A and B to this DPA; and both “Importer” and “Exporter” are selected in Table 4.
Specific application of the SCCs. The following terms apply to the SCCs:
- (a) Customer may exercise its audit rights under the SCCs as set out in Section 10 above.
- (b) Datadog may appoint Subprocessors under the SCCs as set out in Section 6 above.
- (c) With respect to Restricted Transfers made to Datadog, Datadog may neither participate in, nor permit any Subprocessor to participate in, any further Restricted Transfer unless the further Restricted Transfer is made in full compliance with Data Protection Laws and in accordance with applicable SCCs or an alternative legally compliant transfer mechanism adopted by the importer.
- (d) If any provision of this Section 12 is inconsistent with any terms in the SCCs, the SCCs will prevail.
Limitation of Liability
Each Party’s (and each of its Affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.
This DPA, including the SCCs, may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement. Delivery of an executed counterpart of a signature page of this DPA by fax or by email of a scanned copy, or execution and delivery through an electronic signature service, is deemed effective as delivery of an original executed counterpart of this DPA.
In the event of a conflict or inconsistency between the Agreement, this DPA, and the SCCs, the terms of the following documents will prevail (in order of precedence): the SCCs; then this DPA; and then the Agreement.
Capitalized terms not otherwise defined in this DPA or the Agreement have the meanings assigned to them below.
- “Account Data” means information about Customer that Customer provides to Datadog in connection with the creation or administration of its Datadog accounts, such as first and last name, username, and email address of an Authorized User or Customer’s billing contact.
- “Controller” means the entity that determines the purposes and means of Processing Personal Data.
- “Customer Data” means data from Customer’s Environment that are submitted for Processing by the Services. Through Customer’s configuration and use of the Services, Customer has control over the types and amounts of Customer Data.
- “Customer Personal Data” means Customer Data comprising Personal Data.
- “Data Protection Laws” means data protection or privacy laws and regulations directly applicable to a Party’s Processing of Personal Data under the Agreement, including European Data Protection Laws.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “EEA” means the European Economic Area.
- “European Data Protection Laws” means the GDPR; the UK GDPR; and any national data protection laws, implementing regulations, or binding decisions made under the GDPR or the UK GDPR.
- “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Personal Data Breach” means a breach of Datadog’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- “Process” and “Processing” mean any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means the entity that Processes Personal Data on behalf of a Controller.
- “Restricted Transfer” means (i) where the GDPR applies, a transfer of Customer Personal Data or Account Data from the EEA to a country outside of the EEA that is not subject to an adequacy determination by the European Commission; (ii) where the Swiss Federal Act on Data Protection applies, a transfer of Customer Personal Data or Account Data from Switzerland to a country that is not subject to an adequacy determination by the Swiss Federal Data Protection and Information Commissioner; and (iii) where the UK GDPR applies, a transfer of Customer Personal Data or Account Data from the UK to a country that is not the subject of adequacy regulations under section 17A of the United Kingdom Data Protection Act of 2018.
- “SCCs” means the standard contractual clauses for international transfers annexed to the European Commission’s commission implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable.
- “Subprocessor” means any Processor engaged by Datadog or a Datadog Affiliate to Process Customer Personal Data on Datadog’s or its Affiliate’s behalf while providing the Services.
- “Subprocessors List” means the list of Subprocessors available at https://www.datadoghq.com/subprocessors/.
- “UK” means the United Kingdom.
- “UK GDPR” means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
- “UK Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner’s Office on March 21, 2022.