Privacy at Datadog | Datadog

Privacy at Datadog

Datadog takes great pride in our respect for customer and employee privacy and has a team dedicated to ensuring that the company meets its global privacy requirements and protects the privacy of individuals, customers, applicants, and employees.

Our Core Privacy Tenets

Transparency

We believe that our customer’s trust in us is best solidified by utmost transparency. From our data handling practices to our policies and procedures, Datadog knows the strongest customer relationships are built upon honesty and visibility. We are equally committed to the privacy of our employees, and promote transparency about how employee data is managed.

Privacy as a Feature

Datadog doesn’t just think of customer privacy once something goes wrong. Privacy is embedded into our products, with direct impact into how features are engineered and implemented.

Global Compliance

At Datadog we know our customers do business all over the world. Our Privacy Team is trained on data protection laws and regulations spanning the globe. We translate those requirements into measurable controls in order to ensure compliance.

Data Handling

Methods of collection

You manage the quantity and types of data that is sent to Datadog through your use and configuration of the Datadog Agent, APIs, and integrations. These APIs, agents, and integrations may be made available by Datadog or your component providers, or they may be built by your own teams. Those made available by Datadog are primarily open source and subject to one of several open source licenses. As open source tools, their code can be independently vetted by you for copyright, errors, and malicious code.

Types of data

Datadog provides you with a single pane of glass to enable effective analysis of the operations of your infrastructure and applications. In addition to the basic business information provided to use our services, such as name and email address, Datadog will collect data needed to provide the product we offer. For customers sharing more sensitive information, including personal data, additional contractual obligations may be required to meet regulatory requirements. We provide Service-Specific and Other Supplemental Terms, a data processing addendum (DPA), or a Business Associate Agreement (BAA), depending on the type of data that will be shared.

Exclusion of data

Datadog provides instructions, tools, and recommendations to enable you to scrub, obfuscate, filter, and otherwise reduce the inclusion of, and access to, any unnecessary private or personal data that may be contained in the data you choose to share with Datadog. For more information on these tools and recommendations please review our docs.

Location of data

Your team selects the country where your data will be hosted from a pre-specified list of locations when setting up the account. Datadog will not change your data’s hosting location. Data may be accessed by your personnel and Datadog’s personnel outside of your host country as part of our follow-the-sun support model.

Security of data

Privacy, security, and confidentiality are part of the design of the Datadog platform and each service we offer. Datadog provides privacy and security training for all its employees. You can visit our security page for an overview of our security posture and discussion of our SOC 2 Type 2 audit, ISO 27001 certification, and participation in the Cloud Security Alliance. Datadog has created a self-service portal that customers and prospects can use to review the documents that support its privacy, security, and compliance programs. Please reach out to your Datadog representative who can assist you with gaining access to this portal for detailed documentation relevant to the security of Datadog’s platform, including copies of our independent third-party audit certificates, BC/DR plans, and more.

Privacy by Region

EMEA

General Data Protection Regulation (GDPR)

In July 2020, the Court of Justice of the European Union issued a decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”), in which it held, among other things, that (1) the U.S.’s Privacy Shield program could no longer be used for data transfers to the U.S., and (2) the transfer mechanisms identified in the GDPR — including the European Commission-issued Standard Contractual Clauses (“SCCs”) — could only be used where the laws and practices in the data importer’s country do not impinge on the protections provided by the transfer tool.

Transfer Impact Assessment

In July 2020, the Court of Justice of the European Union issued a decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”), in which it held, among other things, that (1) the U.S.’s Privacy Shield program could no longer be used for data transfers to the U.S., and (2) the transfer mechanisms identified in the GDPR — including the European Commission-issued Standard Contractual Clauses (“SCCs”) — could only be used where the laws and practices in the data importer’s country do not impinge on the protections provided by the transfer tool. As a result of the decision, organizations are required to carry out assessments of the laws and practices in the countries they transfer data to. And if you use Datadog as a vendor, that means assessing transfers to Datadog in the United States. On this page, we have added a summary of data transfers at Datadog. Additionally, we put together an Assessment to provide you with the information needed for you to perform your own transfer assessment.

International Data Transfers

Datadog is based in the United States and operates globally. As a result, your personal data may be transferred to, and processed in, any country where we operate or where our service providers operate, including the United States. We protect your personal data in accordance with our Privacy Policy no matter where it is transferred or processed. If you are located in the EEA, UK, or Switzerland, and your personal data is transferred to a country that has not been recognized as providing an adequate level of data protection by the relevant data protection authorities, the transfer will only be made when protected under the European Commission’s approved standard contractual clauses, amended as needed to satisfy country-specific requirements. To learn more about our international data transfers, please see our EEA Data Transfers FAQs. In order to ensure that all transfers of personal data to Datadog are made under a GDPR-compliant transfer mechanism, we will sign a Data Processing Addendum (“DPA”) with you that includes a section on international data transfers and that incorporates the European Commission-approved Standard Contractual Clauses (“SCCs”) or the UK’s International Data Transfer Addendum, as required. For more information about transfers of personal data to Datadog, please refer to Schedule A of our DPA. If you haven’t yet signed a DPA with us and believe that you need one, you can request a copy from your customer success manager or sales representative, as outlined in the link above.

Datadog’s Subprocessors

In order to provide our Services, including 24/7 support, we may disclose your data to certain of our trusted vendors (subprocessors). These onward transfers are only made in specific cases — for example, we may need to share your personal data with the cloud services provider you selected to host your data, or with one of our global affiliates in order to provide you with technical support after the close of business local time. At least 30 days before we engage a new subprocessor, we will add it to our Subprocessors List. You can subscribe to receive notifications of these updates by completing the form at the bottom of our Subprocessors List. Before we engage a new subprocessor, we subject it to a rigorous vendor-onboarding process in order to ensure that we can safely provide it with the personal data we receive from our customers. This includes reviewing each vendor’s security and privacy practices to ensure that they meet our strict requirements, as well as requiring them to sign a DPA with us that (1) provides protections for personal data at least as protective as those in our DPA with you, and (2) includes the SCCs for any onward transfers of personal data.

United States

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

The CCPA is a landmark state law that established certain privacy rights and more control over the personal data for California consumers. Most notably, the CCPA includes an individual’s right to know, right to delete, right top opt-out, and right to non-discrimination. The CPRA expanded the CCPA to further privacy protections and expand the rights of California consumers in relation to their personal data. For more information about how the CCPA applies to Datadog, please navigate here.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a US federal law that establishes national standards for protecting certain health data, Protected Health Information (PHI). For our HIPAA-regulated customers, Datadog may act as a business associate, and will sign a Business Associate Agreement (BAA) in order to protect any PHI transferred. Datadog’s HIPAA program extends to all of our HIPAA-Eligible Services.

Key Definitions

Personal Data

Data that can be used, either directly or indirectly, to identify an individual. An example of Personal Data that Datadog may process is account email addresses to authenticate and use the Datadog services.

Customer Data

Data from our customer’s environments that are sent to Datadog. In GDPR terms, we are a Processor of this data, but the customer remains the Controller. The customer has control over the types and amount of this data we receive.

Account Data

Data about the customer that the customer provides to Datadog when creating accounts. This includes fields like first and last names as well as email addresses for logins or billings. It is easiest to think about this as data from the employees of our customers.

Usage Data

Any data related to our customer’s configuration and use of Datadog products.

Processing

Under the GDPR, Processing refers to any operation an organization takes that involves personal data. Examples include, recording, structuring, combination, alteration, and more.

Data Processing Agreement (DPA)

Under the GDPR, any data processing activities by a third party require a DPA to outline stipulations like the purpose for processing this data, data subject rights, data breach procedures, and more. Read Datadog’s DPA here.

Business Associate Agreement (BAA)

A BAA is a contract that HIPAA-covered entities are required to enter into with any third parties that may process protected health information. Navigate here to view which services are HIPAA-enabled.

Standard Contractual Clauses (SCCs)

SCCs are clauses added to our DPAs to ensure there are adequate data protection safeguards in place for any data sent from the EU to third party countries that are not a part of the Union.

Services

In our DPA, Services refers to the product to which a customer subscribes (accessible via https://app.datadoghq.com/ and other web pages). The Services is the technology collecting and processing Customer Data. In our DPA, Services does not include alpha, beta, and other pre-commercial releases of Datadog products.

Subprocessors

Click here to learn more about our subprocessors.