Datadog EEA Data Processing Addendum
This is the Datadog EEA Data Processing Addendum, which may be required for some Datadog customers. For a full copy, including the attached schedules, please click here. If you’re ready to sign the Datadog EEA DPA, please reach out to your Datadog CSM or sales representative. If you’re not sure who your CSM or sales representative is, please contact email@example.com.
Scope. This DPA is not intended to remove or lessen Customer’s obligations with respect to Personal Data under the Master Agreement. However, Datadog has agreed to enter into this DPA based on Customer’s belief that Customer Data may include Personal Data. Accordingly, this DPA supplements the Master Agreement and applies exclusively to Datadog’s Processing of Customer Personal Data in providing Services under the Master Agreement and Order(s) to Customer and Participating Affiliates. If and to the extent Datadog Processes Customer Personal Data on behalf of a Participating Affiliate, Customer is entering into this DPA on behalf of itself and such Participating Affiliate to the extent required under applicable EU Data Protection Law. For purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include any relevant Participating Affiliate.
Processing of Customer Personal Data.
An overview of the categories of Data Subjects, types of Customer Personal Data being Processed and the nature and purpose of the Processing is provided in Appendix 1 to Schedule B (Standard Contractual Clauses). The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data under EU Data Protection Law and this DPA, subject to Section 13, Customer is the Controller and Datadog is the Processor. Each Party will comply with its respective obligations under EU Data Protection Law with respect to the Processing of Customer Personal Data.
By entering into this DPA, Customer instructs Datadog to Process Customer Personal Data: (a) to provide the Services in accordance with the features and functionality of the Services and the Documentation; (b) to enable Authorized User-initiated actions on and through the Services; (c) as set forth in the Master Agreement and applicable Order(s); and (d) as further documented by written instructions given by Customer. Notwithstanding the foregoing, Datadog will inform Customer promptly if it becomes aware that Customer’s instructions may violate applicable EU Data Protection Law.
Customer Responsibilities and Restrictions. Without limiting its responsibilities under the Master Agreement, Customer is solely responsible for: (a) Account Data, Customer Data and Customer Credentials (including activities conducted with Customer Credentials), subject to Datadog’s Processing obligations under the Master Agreement and this DPA; (b) providing any notices required by EU Data Protection Law to, and receiving any required consents and authorizations required by EU Data Protection Law from, persons whose Personal Data may be included in Account Data, Customer Data or Customer Credentials; and (c) ensuring no special categories of Personal Data (GDPR Article 9) or Personal Data relating to criminal convictions and offenses (GDPR Article 10) are submitted for Processing by the Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly, enable any person or entity other than Authorized Users to access and use the Services or use (or permit others to use) the Services other than as described in the applicable Order, Documentation, AUP, Master Agreement and this DPA, or for any unlawful purpose.
Duration. Unless earlier terminated as provided herein, the term of this DPA will continue through the expiration or earlier termination of the last applicable Order to be in effect.
Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Datadog shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk (including those outlined in Schedule A, “Security Measures”). In assessing the appropriate level of security, Datadog shall take into account the risks that are presented by Processing Customer Personal Data including, in particular, the risks presented by a Customer Personal Data Breach (as defined in Section 9). Datadog may make such changes to the Security Measures as Datadog deems necessary or appropriate from time to time, including without limitation to comply with Applicable Law, but no such changes will reduce the overall level of protection for Customer Personal Data. Datadog will take appropriate steps to ensure compliance with the Security Measures by its employees, agents, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreed to appropriate obligations of confidentiality.
Customer authorizes Datadog’s use of Datadog’s Affiliates as Subprocessors and both Datadog’s and its Affiliates’ use of third-party Subprocessors in connection with the provision of Services. As a condition to permitting a Subprocessor to Process Customer Personal Data, Datadog or a Datadog Affiliate will enter into a written agreement with the Subprocessor containing data protection obligations no less protective than those in this DPA with respect to Customer Personal Data. Datadog will restrict its Subprocessors’ access to only what is necessary to maintain the Services or to provide the Services to Customer and Authorized Users. Subject to this Section 6, Datadog reserves the right to engage and substitute Subprocessors as it deems appropriate, but shall: (a) remain responsible to Customer for the provision of the Services and (b) be liable for the actions and omissions of its Subprocessors undertaken in connection with Datadog’s performance of this DPA to the same extent Datadog would be liable if performing the Services directly.
Datadog’s current Subprocessors are listed in the Subprocessor List. Upon execution of this DPA, Datadog will subscribe Customer’s email address listed on the signature page of this DPA to notifications of Datadog’s use of new Subprocessors ("Change Notices"). Datadog will send a Change Notice before a new Subprocessor Processes any Customer Personal Data. Customer may object to any new Subprocessor on reasonable grounds relating to the protection of the Customer Personal Data, in which case Datadog shall have the right to satisfy the objection through one of the following:
a. Datadog will cancel its plans to use the Subprocessor with regard to Customer Personal Data or will offer an alternative to provide the Services without such Subprocessor;
b. Datadog will take the corrective steps requested by Customer in its Objection Notice (which remove Customer’s objection) and proceed to use the Subprocessor with regard to Customer Personal Data; or
c. Datadog may cease to provide, or Customer may agree not to use (temporarily or permanently), the particular aspect of the Services that would involve the use of such Subprocessor with regard to Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope.
All objections under Section 6.2 must be submitted by email to Datadog at firstname.lastname@example.org within 14 days of the Change Notice (each, an “Objection Notice”). If none of the options outlined in Clause (a), (b) or (c) of Section 6.2 are reasonably available and Customer’s objection has not been resolved to the Parties’ mutual satisfaction within 30 days of Datadog’s receipt of the Objection Notice, either Party may terminate the affected Order and Datadog will refund to Customer a pro rata share of any unused amounts prepaid by Customer under the applicable Order for the Services on the basis of the remaining portion of the current terms of the Order.
If the Customer does not provide a timely Objection Notice with respect to a new Subprocessor, Customer will be deemed to have authorized Datadog to use the Subprocessor and to have waived its right to object. Datadog may use a new or replacement Subprocessor while the objection procedures under this Section 6 are in process.
For clarity, providers of Customer Components shall not be deemed Subprocessors for any purpose under this DPA.
Data Subject Rights. If Datadog receives a request from a Data Subject in relation to Customer Personal Data then, to the extent legally permissible, Datadog will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Customer hereby agrees that Datadog may confirm to a Data Subject that his or her request relates to Customer. To the extent Customer is unable through its use of the Services to address a particular Data Subject request, Datadog will, upon Customer’s request and taking into account the nature of Customer Personal Data Processed, provide reasonable assistance in addressing the Data Subject request (provided Datadog is legally permitted to do so and that the Data Subject request was made in accordance with EU Data Protection Law). To the extent permitted by Applicable Law, Customer shall be responsible for any costs arising from Datadog’s provision of such assistance.
Deletion Upon Expiration. Commencing 30 days after the effective date of termination of the Master Agreement, Datadog will initiate a process upon Customer’s written request that deletes Customer Personal Data retained in production within 90 days and in backups within 180 days. Any Customer Personal Data archived in backups will be isolated and protected from any further Processing, except as otherwise required by Applicable Law. Notwithstanding the foregoing, to the extent Datadog is required by Applicable Law to retain some or all Customer Personal Data, Datadog will not be obligated to delete the retained Customer Personal Data, but this DPA will continue to apply to the retained Customer Personal Data. Customer acknowledges that it is responsible for exporting any Customer Data that Customer wants to retain prior to expiration of the referenced 30-day period pursuant to the Master Agreement.
Customer Personal Data Breach Management. Datadog will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach with respect to Customer Personal Data transmitted, stored or otherwise Processed by Datadog or its Subprocessors (a “Customer Personal Data Breach”). Such notice may be provided (1) by posting a notice in the Services; (2) by sending an email to the email address from which a Change Notice subscription request was made; (3) by sending an email to the email address for Customer listed on the signature page to this DPA; and/or (4) pursuant to the notice provisions of the Master Agreement. Customer shall ensure that its contact information is current and accurate at all times during the terms of this DPA. Datadog will promptly take all actions relating to its Security Measures (and those of its Subprocessors) that it deems necessary and advisable to identify and remediate the cause of a Customer Personal Data Breach. In addition, Datadog will promptly provide Customer with: (i) reasonable cooperation and assistance with regard to the Customer Personal Data Breach, (ii) reasonable information in Datadog’s possession concerning the Customer Personal Data Breach insofar as it affects Customer, including remediation efforts and any notification to Supervisory Authorities and, (iii) to the extent known: (a) the possible cause of the Customer Personal Data Breach; (b) the categories of Customer Personal Data involved; and (c) the possible consequences to Data Subjects. Datadog’s notification of or response to a Customer Personal Data Breach under this Section will not constitute an acknowledgment of fault or liability with respect to the Customer Personal Data Breach, and the obligations herein shall not apply to Personal Data Breaches that are caused by Customer, Authorized Users or providers of Customer Components.
If Customer decides to notify a Supervisory Authority, Data Subjects or the public of a Customer Personal Data Breach, Customer will provide Datadog with advance copies of the proposed notices and, subject to Applicable Law (including any mandated deadlines under EU Data Protection Law), allow Datadog an opportunity to provide any clarifications or corrections to those notices. Subject to Applicable Law, Datadog will not reference Customer in any public filings, notices or press releases associated with the Customer Personal Data Breach without Customer’s prior consent.
Compliance and Reviews.
As of the date of this DPA, Datadog participates in the Cloud Security Alliance STAR self-assessment program and has completed the associated Consensus Assessments Initiative Questionnaire (CAIQ), currently available at https://cloudsecurityalliance.org/star/registry/datadog/. Subject to the confidentiality obligations of the Master Agreement, Datadog will additionally make available to Customer upon request such other attestations, certifications, reports or extracts thereof from external auditors or organizations as Datadog may possess from time to time to assist Customer in assessing Datadog’s compliance with the terms of this DPA.
Where required by EU Data Protection Law, Datadog will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to conduct an audit of Datadog’s procedures relevant to the protection of Customer Personal Data to verify Datadog’s compliance with its obligations under this DPA. In such case:
a. Customer shall: (i) provide Datadog at least 30 days’ prior written notice of any proposed audit; (ii) undertake an audit no more than once in any 12-month period, except where required by a competent Supervisory Authority or where an audit is required due to a Customer Personal Data Breach; and (iii) conduct any audit in a manner designed to minimize disruption of Datadog’s normal business operations. To that end and before the commencement of any such audit, Customer and Datadog shall mutually agree upon the audit’s participants, schedule and scope, which shall in no event permit Customer or its third-party auditor to access the Services’ hosting sites, underlying systems or infrastructure.
b. Customer shall reimburse Datadog for its time expended in connection with an audit at Datadog’s then-current professional service rates, which shall be made available to Customer upon request and shall be reasonable taking into account the time and effort required by Datadog.
c. Representatives of Customer performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the Master Agreement, may be required to execute an enhanced mutually agreeable nondisclosure agreement and shall abide by Datadog’s security policies while on Datadog’s premises. Upon completion of an audit, Customer agrees to promptly furnish to Datadog any written audit report or, if no written report is prepared, to promptly notify Datadog of any non-compliance discovered during the course of the audit.
Impact Assessment and Additional Information. Datadog will provide Customer with reasonable cooperation, information and assistance as needed to fulfill Customer’s obligation under EU Data Protection Law, including as needed to carry out a data protection impact assessment related to Customer’s use of the Services (in each case to the extent Customer does not otherwise have access to the relevant information, and such information is in Datadog’s control). Without limiting the foregoing, Datadog shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section to the extent required by EU Data Protection Law.
Transfer Mechanisms. Subject to the terms and conditions of the Master Agreement and EU Data Protection Law, Datadog currently makes available the Standard Contractual Clauses as a transfer mechanism. The Standard Contractual Clauses apply to any transfer of Customer Personal Data under this DPA from the EEA to a country which is not deemed to have Adequacy (to the extent such transfers are subject to EU Data Protection Law). The Standard Contractual Clauses and the terms of this Section 12 apply to the legal entity that executed the Standard Contractual Clauses as “data exporter” and its Participating Affiliates, all of which shall be deemed “data exporters.” Subject to Applicable Law, the Parties agree that the audits described in Clause 5(f) and 12(2) of the Standard Contractual Clauses shall be carried out as set out in, and subject to the requirements of Section 10 of this DPA. In addition, pursuant to Clause 5(h), 5(j) and 11(1) of the Standard Contractual Clauses, Customer acknowledges that Datadog may engage Subprocessors as described in Section 6 of this DPA.
Processing as Controller. The Parties believe Datadog’s role is as a Processor with respect to Customer Personal Data. In relation to the Processing of Account Data, and to the extent (if any) that Datadog may be considered a Controller in relation to certain Processing of Customer Personal Data, each Party will comply with its obligations as a Controller and agrees to provide reasonable assistance as is necessary: (a) to each other to enable each Party to comply with any Data Subject access requests and to respond to any other queries or complaints from Data Subjects in accordance with the EU Data Protection Law; and (b) to each other to facilitate the handling of any Personal Data Breach as required under EU Data Protection Law.
Limitation of Liability. Each Party’s (and each of its Affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the Standard Contractual Clauses, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Master Agreement.
Terms such as “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Personal Data Breach”, and “Supervisory Authority” that are defined in Article 4 of the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC ("GDPR") shall have the meanings assigned to them in such Article.
Other capitalized terms not otherwise defined in this DPA shall have the respective meanings assigned to them in this Section.
“Account Data” means information about Customer that Customer provides to Datadog in connection with the creation or administration of its Datadog accounts, such as first and last name, user name and email address of an Authorized User or Customer’s billing contact. Customer shall ensure that all Account Data is current and accurate at all times during the term of the applicable Order.
“Adequacy” means where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection.
“Affiliate” means, unless otherwise defined in the Master Agreement, a business entity that directly or indirectly controls, is controlled by or is under common control with, such Party; “control” means the direct or indirect ownership of more than 50% of the voting securities of a business entity.
“Applicable Laws” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this DPA, including applicable EU Data Protection Law.
“AUP” means Datadog’s standard Acceptable Use Policy, currently available at https://www.datadoghq.com/legal/acceptable-use/.
“Authorized User” means an individual employee, agent or contractor of Customer or a Participating Affiliate for whom subscriptions to Services have been purchased pursuant to the terms of the Master Agreement and applicable Order, and who have been supplied user credentials for the Services by Customer or the Participating Affiliate (or by Datadog at Customer’s or a Participating Affiliate’s request).
“Customer Component” means each individual component of Customer’s Environment.
“Customer Credentials” means access passwords, keys, tokens or other credentials used by Customer in connection with the Services.
“Customer Data” means data from Customer’s Environment that are submitted for Processing by the Services. Through Customer’s configuration and use of the Services, Customer has control over the types and amounts of Customer Data.
“Customer’s Environment” means, exclusive of Services, the systems, platforms, services, software, devices, sites and/or networks that Customer uses in its own internal business operations.
“Customer Personal Data” means Customer Data comprising Personal Data of Data Subjects located in the EEA.
“Documentation” means Datadog’s standard user documentation for the Services, currently available at https://docs.datadoghq.com/.
“EEA” means the European Economic Area, which constitutes the member states of the European Union ("EU") and Norway, Iceland and Liechtenstein, as well as for purposes of this DPA, the United Kingdom.
“EU Data Protection Law” means the GDPR, and shall include the data protection or privacy laws of the United Kingdom in place after its withdrawal from the EU.
“Order” means a separate order for Services pursuant to the Master Agreement: (a) completed and submitted by Customer online at the Datadog site and accepted by Datadog or (b) executed by Datadog and Customer.
“Participating Affiliate” means an Affiliate of Customer that: (a) has not entered into an Order or other separate agreement directly with Datadog and (b) Customer has authorized to access and use the Services under an existing Order between Datadog and Customer.
“Party” means each of Datadog and Customer.
“Services” means the hosted services to which Customer subscribes through, or otherwise uses following, an Order that are made available by Datadog online via the applicable login page (currently https://app.datadoghq.com/) and other web pages designated by Datadog. Subject to the terms of an Order, the Services will support Customer’s collection, monitoring, management and analysis of Customer Data. For purposes of this DPA, the term Services does not include alpha, beta or other pre-commercial releases of a Datadog product or service (or feature or functionality of a Service).
“Standard Contractual Clauses” means the agreement executed by and between Datadog and Customer and attached to this DPA as Schedule B pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Subprocessor” means any Processor engaged by Datadog or a Datadog Affiliate to Process Customer Personal Data on Datadog’s or its Affiliate’s behalf in the course of providing the Services.
“Subprocessor List” means the list of Subprocessors available at https://www.datadoghq.com/subprocessors/.
Counterparts. This DPA, including the attached Standard Contractual Clauses, may be executed in counterparts, each of which shall be deemed an original, but all of which together shall be deemed to be one and the same agreement. Delivery of an executed counterpart of a signature page to this DPA by fax or by email of a scanned copy, or execution and delivery through an electronic signature service (such as DocuSign), shall be effective as delivery of an original executed counterpart of this DPA.