Overview of the PDPL
As data protection becomes increasingly important, many countries worldwide are enacting or updating data protection regulations. To that end, Indonesia enacted the Personal Data Protection Law (Law of the Republic of Indonesia Number 27 Year 2022) (PDPL) on October 17, 2022 to clarify Indonesia’s privacy framework (available in Indonesian here). The PDPL is applicable to entities: (a) residing within Indonesia; and (b) outside Indonesia if their actions have legal consequences in Indonesia or for Indonesian data subjects abroad. It will go into effect two years from promulgation, in October 2024.
The PDPL provides requirements for data controllers and data processors, which have similar definitions as the GDPR: a data controller is an entity that determines the reasons and exercises control over the processing of personal data, and a data processor is an entity that processes data on the instructions of a data controller.
The PDPL also largely mirrors the GDPR as to its requirements, providing for data subject rights, a requirement to conduct data protection impact assessments, various requirements placed on data controllers transferring data outside of Indonesia, implementing technical and organizational measures to protect data, and the appointment of a Data Protection Officer for certain processing activities.
To assist our customers in meeting their obligations under the PDPL, Datadog has implemented security and privacy programs, outlined in more detail below.
Data Security at Datadog
Datadog takes the security of your data seriously. We manage security in a hybrid model, with a layered approach that reflects our Software-as-a-Service (SaaS) framework, and have created a shared responsibility model that outlines the controls we’ve inherited from our cloud service providers (CSPs) and the security responsibility Datadog has to our customers.
Datadog implements and maintains technical and organizational security measures under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27701, and SOC 2; and documents security controls on the Cloud Security Alliance’s (CSA) Security, Trust & Assurance Registry (STAR). All of these artifacts are available for download from Security Portal. Datadog also maintains a FedRAMP Moderate Impact (ATO) for products in our US1-FED environment and FedRAMP Low-Impact Authority to Operate (ATO) for the Infrastructure Metrics product in the US1 site. These security measures are designed to prevent unauthorized access to, or disclosure of, customer content.
Datadog provides you with services and tools to securely store your data. Access to Customer Data is strictly logged and monitored. Data at rest is encrypted with AES 256. All data transmitted between Datadog and Datadog users across public networks is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the Datadog application is inaccessible.
Furthermore, Datadog grants access to assets and sensitive information strictly on a need-to- know basis based on an individual’s role. Access is controlled based on the principle of least privilege, meaning users have only the level of access required to perform their job functions. Additionally, we enforce multi-factor authentication, which includes strong passwords and a secondary factor.
We monitor and log access to all production environments for security purposes. Additionally, access is audited and baselined to meet our security and compliance requirements. Datadog monitors critical infrastructure for security-related events by using a custom implementation of open source and commercial technologies. Activity data such as API calls and operating system- level calls are logged to a central point, where the information is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or prompting additional authentication requirements.
For more information about our security practices, please review our existing data security resources.
Data Privacy at Datadog
As a data processor for our customers, we understand that trust is paramount. That’s why we’ve implemented a data privacy program that meets the requirements of the world’s most demanding privacy and data protection laws.
When acting as a data processor, Datadog only processes Customer Data—the data you provide to Datadog—in accordance with your documented instructions, and we do not access, use, or share your data except as explicitly permitted under our agreements with our customers or as permitted or required under applicable law.
Moreover, to ensure that we meet our requirements as a data processor, we have implemented internal processes to complete data protection impact assessments (DPIAs) when required, perform transfer impact assessments (TIAs) for international data transfers, fulfill requests from data subjects who exercise their rights under privacy laws (including requests to access or delete personal data), and maintain a dedicated data privacy team.
For more information about our privacy program, please review the resources on our Security Portal, our Privacy at Datadog page, our Data Processing Addendum, and our Transfer Impact Assessment.
When you create a Datadog account, you can choose where your data is hosted—as of the date of this white paper, that includes hosting options in the United States, Germany, and Japan. If we receive a law enforcement request, we will challenge law enforcement requests for Customer Data from governmental bodies where the requests conflict with law, are overbroad, or where we otherwise have appropriate grounds to do so.
Datadog does not have visibility into or knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to the PDPL, customers are ultimately responsible for their own compliance with the PDPL and related regulations. The contents on this page supplement the privacy and security information that you can find on our Security Portal.
Please note that this document is for informational purposes only, and Datadog customers are responsible for making their own independent assessment of the information presented above. All of Datadog’s obligations and liabilities to our customers are outlined in our agreements, and this document does not form part of, or modify, any agreement between Datadog and our customers.