Product security is of paramount importance at Datadog. Datadog uses a software development lifecycle in line with general Agile principles. When security effort is applied throughout the Agile release cycle, security oriented software defects are able to be discovered and addressed more rapidly than in longer release cycle development methodologies. Software patches are released as part of our continuous integration process. Patches that can impact end users will be applied as soon as possible but may necessitate end user notification and scheduling a service window.
Datadog performs continuous integration. In this way we are able to respond rapidly to both functional and security issues. Well defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and the development methodologies that have driven Datadog adoption. In this way, Datadog is able to achieve extremely short mean time to resolution for security vulnerabilities and functional issues alike. Datadog is continuously improving our DevOps practice in an iterative fashion.
The Datadog production infrastructure is hosted in Amazon Web Services (AWS). Physical and environmental security related controls for Datadog production servers, which includes buildings, locks or keys used on doors, are managed by AWS. “Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.”1
Datadog recognizes the diminishing utility of perimeter in relationship to modern network security. Once a perimeter is breached, services that rely on network perimeter security guarantees quickly fall. As such, Datadog leverages internal services that require transport level security for network access and individually authenticate users, commonly by way of a central identity provider and leveraging two factor authentication wherever possible.
All Datadog personnel undergo an annual security awareness training that weaves security into technical and non-technical roles; all employees are encouraged to participate in helping secure our customer data and company assets. Security training materials are developed for individual roles to ensure employees are equipped to handle the specific security oriented challenges of their roles.
Customers can send data to the Datadog service by using a locally installed agent or through our HTTP API. While use of Datadog does not strictly require use of the Datadog agent, the vast majority of users will leverage the agent.
The Datadog Agent is open source and you can view the source code on GitHub for Agent v5 and Agent v6. Agent v6 is the latest major version of the Datadog Agent and is a complete rewrite of the core Agent in Golang, which allows Datadog to take advantage of concurrency: there is now a single process where Agent v5 used to run its forwarder, collector, DogStatsD and supervisor as 4 separate processes.
Agent v6 comes bundled with a Graphical User Interface (GUI) by default, which launches in your default web browser. The GUI will only be launched if the user launching it has the correct user permissions, including the ability to open the agent’s configuration file. The GUI can only be accessed from the local network interface (localhost/127.0.0.1). Finally, the user’s cookies must be enabled, as the GUI generates and saves a token used for authenticating all communications with the GUI server. The GUI can also be disabled altogether if needed.
End users may log in to Datadog using an Identity Provider, leveraging Datadog’s support for the Security Assertion Markup Language (SAML) or via the “Sign-in with Google” OpenID service. These services will authenticate an individual’s identity and may provide the option to share certain personally identifying information with Datadog, such as your name and email address to pre-populate our sign up form. Datadog’s SAML support allow organizations to control authentication to Datadog and enforce specific password policies, account recovery strategies and multi-factor authentication technologies.
All requests to the Datadog API must be authenticated. Requests that write data require at least reporting access as well as an API key. Requests that read data require full user access as well as an application key. These keys act as bearer tokens allowing access to Datadog service functionality.
Data submitted to the Datadog service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Datadog production service environment, except in limited circumstances such as in support of a customer request.
All data transmitted between Datadog and Datadog users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted the Datadog application is inaccessible.
Customer Data currently resides in the United States of America and primarily in the state of Virginia. Datadog utilizes encryption at various points to protect Customer Data and Datadog secrets, including encryption at rest (e.g. AES-256), asymmetric encryption (e.g. PGP) for system backups, KMS-based protections for the protection of secrets (passwords, access tokens, API keys, etc.) and GPG encryption.
Access to Customer Data is limited to functions with a business requirement to do so. Datadog has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Datadog enforces the principles of least privilege and need-to-know for access to Customer Data, and access to those environments is monitored and logged for security purposes. Datadog has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.
Datadog monitors critical infrastructure for security related events by using a custom implementation of open source and commercial technologies. Activity data such as API calls and operating system level calls are logged to a central point where the information is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or triggering additional authentication requirements.
Datadog has certified its compliance with the EU-U.S. Privacy Shield Framework and is a STAR Registrant for the Cloud Security Alliance (CSA). Datadog also pursues key independent third-party validations of its security, processes, and services, including completion of the SOC 2 Type II audit.
Datadog’s solution is compliant with all data protection laws and regulations applicable to the services we provide.
Datadog will comply with the General Data Protection Regulation (GDPR) when it becomes enforceable on May 25, 2018. Datadog is actively working to enhance products, processes, and procedures to meet obligations as a data processor.
GDPR standardizes EU regulations and expands the rights of EU residents (Data Subjects) pertaining to personal data while expanding the definition of what constitutes personal data. GDPR provides Data Subjects with increased rights to control and delete their personal data, and it broadly prohibits the processing of special categories of personal data. Any organization or entity that processes the personal data of Data Subjects needs to understand GDPR in order to achieve compliance.
For more information on GDPR, please visit https://www.datadoghq.com/gdpr/.
We have modified our products, processes, and procedures to meet our obligations as a data processor (Processor). If a customer believes that it has included personal data in the information processed by Datadog, Datadog will assist the customer in meeting its obligations in accordance with the requirements of GDPR and the terms of our Data Processing Agreement. Such a customer would be considered the data controller (Controller) and Datadog, the Processor or Sub-Processor.
Datadog is implementing an online portal to intake, review, and process customer requests arising from Data Subject Access Requests (DSAR) they receive. As a result of a DSAR, customers might request that Datadog securely delete or return the Data Subject’s personal data. Due to their sensitivity, such requests will be handled by Datadog on a case-by-case basis.
If you believe you’ve discovered a bug in Datadog’s security, please get in touch at email@example.com and we will get back to you within 24 hours, and usually earlier. Our PGP key is available for download in case you need to encrypt communications with us. We request that you not publicly disclose the issue until we have had a chance to address it.