Please note that this page is for informational purposes only and Datadog customers are responsible for making their own independent assessment of the information presented below. All of Datadog’s obligations and liabilities to our customers are outlined in our agreements, and this page does not form part of, or modify, any agreement between Datadog and our customers. We may update or change this page from time to time. When we do so, we will update the “Current as of” date above.

1. Overview

   In July 2020, the Court of Justice of the European Union issued its long-awaited decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”), holding that (1) the EU-U.S. Privacy Shield program could no longer be used for data transfers to the United States, and (2) the transfer mechanisms identified in the GDPR—including the European Commission-issued Standard Contractual Clauses (SCCs)—could only be used where the laws and practices in the data importer’s country do not impinge on the protections provided by the transfer mechanism.

   To address the concerns raised in the Schrems II decision, in October 2022, U.S. President Biden signed Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities, which requires certain changes to the way U.S. intelligence agencies collect data under its collection authorities. In furtherance of Executive Order (EO) 14086, the Department of Commerce created the EU-U.S. Data Privacy Framework (DPF)—a framework to allow for international data transfers to the U.S.—for which the European Commission adopted an adequacy decision on July 10, 2023.

   Datadog has certified to, and is an active member of, the DPF. That said, we continue to believe that being transparent about our data-transfer practices is important to our customers, so we will continue to maintain this Transfer Impact Assessment so that our customers are confident in their ability to use our Services no matter where they are located.

2. Definitions

   The most important terms you should know as you review this Assessment are the following:

   • “Customer Data” means the data from our Customers’ Environments that are submitted to the Services or that are otherwise uploaded to the Services.
   • “Customer Personal Data” means Customer Data that consists of personal data (e.g., Logs events that include things like an individual’s full name or an IP address).
   • “Data Processing Addendum” and “DPA” mean the contract we sign with customers that governs how we process personal data; our current form DPA is here.
   • “EEA” means the European Economic Area.
   • “GDPR” means Europe’s General Data Protection Regulation.
   • “Personal data” means data related to an identified or identifiable natural person (e.g., a full name, an IP address, or a photograph of someone).
   • “Services” means the hosted products we provide to our customers.
   • “Standard Contractual Clauses” and “SCCs” mean the European Commission-approved contracts used to safeguard personal data when transferred out of the EEA.
   • “Subprocessor” means a vendor that processes Customer Personal Data on Datadog’s behalf.

3. Datadog’s Services

   Datadog’s Services include a number of SaaS-based products that can be used to collect, view, manage, and analyze a wide array of data relating to your computing infrastructure and software applications. These include, among other things, our Log Management product, which lets customers search, filter, and analyze their logs; and our Infrastructure Monitoring product, which gives customers visibility of the performance of their IT assets.

   Because we offer a number of distinct products within the Services and our customers use these products in unique ways, many different kinds of data may be sent to Datadog for processing. As a result, it’s possible that you may configure and use our Services in a way that results in the collection of personal data, including personal data that is governed by data protection laws like the GDPR.

4. Transfers of Your Personal Data

   1. Transfer Mechanisms Under the GDPR

      The GDPR prohibits the transfer of personal data outside of the EEA unless the transfer is made using an approved transfer mechanism: (1) the transfer is made to a country that the European Commission has determined provides an adequate level of data protection; (2) the transfer is subject to appropriate safeguards; or (3) the transfer is made in accordance with specific derogations. (While this Assessment focuses on the EU, the transfer frameworks in the UK and Switzerland are substantially the same.)

      • First, an organization may transfer personal data out of the EEA when the transfer is to a country that the European Commission has determined provides an adequate level of data protection. The European Commission maintains a list of the countries that have been deemed adequate, which as of July 2023, includes the U.S. (scoped to organizations that participate in the DPF).

      • Second, an organization may transfer personal data out of the EEA when the transfer is subject to appropriate safeguards under Article 46 of the GDPR. There are a few specific mechanisms that provide appropriate safeguards, the most popular of which is the SCCs, a form contract signed by the data exporter and the data importer.

      • Third, an organization may transfer personal data out of the EEA in specific (and limited) cases, including where the data subject (whose personal data will be transferred) has explicitly consented to the transfer. More information about these derogations is available in Article 49 of the GDPR. (After the UK withdrew from the European Union in 2020, it enacted its own version of the GDPR that essentially mirrors the relevant parts of the EU GDPR.)

   2. Transfers to Datadog

      As noted in section 1 above, Datadog is certified to the EU-U.S. Data Privacy Framework (DPF). In addition to certification, and in order to safeguard the personal data transferred to us, we continue to incorporate a Data Processing Addendum (DPA) into our contracts with our customers that incorporates both (1) the European Commission-approved SCCs and (2) the UK-approved International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers.

      • As a result, transfers of Customer Personal Data to Datadog are protected in multiple ways: under our certification to the DPF, through the obligations in the SCCs that we include in our DPA, and per the supplementary measures we have implemented to protect Customer Personal Data (outlined in section 5 below).

   3. Datadog’s Onward Transfers

      To provide our best-in-class Services, including 24/7 technical support, we may disclose your Customer Personal Data to certain of our affiliates and trusted vendors (our Subprocessors). These onward transfers are only made in accordance with our agreements with you.

      • Information about our Subprocessors is available on our Subprocessors List. There, we identify each of our Subprocessors along with the specific services that they provide to us and their locations. Before we engage a new Subprocessor, we subject it to rigorous review and onboarding processes to ensure that we can safely provide it with the Customer Personal Data we receive from our customers. This includes reviewing each vendor’s security and privacy practices to ensure that they meet our strict requirements, as well as requiring them to sign a DPA with us that (1) provides protections for Customer Personal Data at least as protective as those in our DPA with you, and (2) includes GDPR-compliant transfer mechanisms for any onward transfers of Customer Personal Data. After we vet a new Subprocessor and feel confident that Customer Personal Data will be fully protected when shared with the Subprocessor, we send a notice to each of our customers who has subscribed to receive a notification so that it has an opportunity to review the new Subprocessor. You can subscribe to our notifications of new Subprocessors by completing the form on our Subprocessors List.

   4. Relevant U.S. Collection Authorities

      The Schrems II court primarily focused on two U.S. legal frameworks related to the collection of personal data: Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order (EO) 12333. Here, we briefly summarize those two frameworks and their impact on Datadog.

      • FISA 702 permits a specialized U.S. court to authorize the federal government to issue orders to U.S. companies to disclose data about specific non-U.S. persons reasonably believed to be outside the U.S. Under FISA 702, these orders may only be issued to “electronic communication service providers.” We have analyzed the scope of FISA 702 and do not believe that we are subject to government orders for communications under the statute.

      • EO 12333 outlines how U.S. intelligence agencies can collect the communications of non-U.S. persons reasonably believed to be outside of the U.S. Importantly, EO 12333 does not include any authorization to compel private companies to disclose personal data to the U.S. government. We do not believe that EO 12333 introduces a substantial risk to our customers with respect to the Services because (1) the kinds of data that our customers send to us through the Services would not constitute the types of communications that are relevant for the U.S. government during intelligence operations, and (2) we encrypt all Customer Personal Data in transit across public networks. As a result, we believe we are at little risk of having any Customer Personal Data in the clear intercepted under EO 12333 operations.

   5. Executive Order 14086 and the EU-U.S. Data Privacy Framework

      In October 2022, the Biden administration issued Executive Order (EO) 14086 to address the concerns raised in Schrems II. EO 14086 outlines several changes to how the U.S. government can collect personal data under FISA 702 and EO 12333. In light of these changes, the U.S. Department of Commerce developed the EU-U.S. Data Privacy Framework (DPF) to facilitate international data transfers in compliance with EU law, which organizations can self-certify to.

      • Based on the changes identified in EU 14086, the European Commission adopted an adequacy decision for the DPF, concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the Union to certified organisations in the United States.” As a result, Datadog’s customers benefit from these changes now that Datadog has certified to the DPF.

   6. Government Access Requests in General

      Taken together, we believe that there is little risk that the U.S. government would collect the Customer Personal Data of our customers.

      • That said, if we ever were to receive any kind of request from a governmental body requesting the personal data you have submitted to our Services, to the extent permitted by applicable laws, we would (1) attempt to fight or quash the request by raising nonfrivolous objections; (2) provide you with reasonable notice of the request so that you have the opportunity to seek a protective order or other appropriate remedy; (3) attempt to redirect the governmental body to request the information from you directly; and (4) if ultimately required to disclose your personal data to the government, limit the disclosure to the minimum amount of data legally necessary to comply with the request.

5. Supplementary Measures

   Even though we believe that the risk of the U.S. government collecting Customer Personal Data is low, we take the privacy and security of your personal data seriously. To ensure that we meet state of the art practices for privacy and security, we have implemented the following technical, contractual, and organizational measures to protect your personal data.

   1. Technical Measures

      We have implemented the following technical measures to safeguard all personal data you transfer to us.

      • Hosting locations. You can choose between multiple hosting locations for your Customer Personal Data, which today includes hosting locations in the U.S., the EU, and Japan. While your data may leave your hosting region in some cases (for example, if you open a support request and one of our support engineers needs to access your data to support you), we ensure that your data is never stored in a separate region.

      • Encryption. All Customer Personal Data you send to us is encrypted in transit using Transport Layer Security (TLS) with HTTP Strict Transport Security (HSTS) by default, and can be configured by our customers to use TLS 1.2 where supported. Moreover, all Customer Personal Data is encrypted at rest with FIPS 140-2-compliant encryption standards, as well as FIPS 140-2-approved cryptographic devices for the generation, storage, and revocation of encryption keys.

      • Data retention. We rely on the principle of storage minimization to ensure that your Customer Personal Data is not retained for longer than is necessary for your purposes. For more information on our default retention periods, please refer to our Data Collection, Resolution, and Retention page.

   2. Contractual Measures

      We have implemented the following contractual measures to safeguard all Customer Personal Data you transfer to us.

      • DPAs. In addition to our certification to the DPF, we sign DPAs, which include the SCCs as a transfer mechanism, with every customer who needs one, and every Subprocessor to whom we may transfer your Customer Personal Data. Our DPAs with Subprocessors provide at least the same level of data protection as our DPA with you does, and they always include the SCCs as a transfer mechanism.

   3. Organizational Measures

      We have implemented the following organizational measures to safeguard all Customer Personal Data transferred to us.

      • Subprocessor onboarding. Prior to onboarding a new Subprocessor, we conduct a comprehensive vendor assessment, which includes a review of the Subprocessor’s security and privacy practices. Moreover, we require annual audit documentation from our Subprocessors to demonstrate compliance with the security terms of its data processing agreement.

      • Government requests. As outlined above, we have not received any disclosure requests from the U.S. government, including requests for access under FISA 702, in connection with Customer Personal Data. Should we ever receive such a request, we will review the legality of government access requests and challenge such requests where they are unlawful.

      • Incident response and business continuity planning. We have a robust vulnerability management program in place to stay ahead of security incidents. We use many tools and tactics to discover security vulnerabilities, including a private bug bounty program, infrastructure scans, internal security testing, and annual third-party pen tests. We also have a detailed incident response plan and dedicated incident response team that guides our investigation and mitigation of any identified or potential breach. Moreover, we have a thorough business continuity plan designed so that our teams work diligently to recover operations in a timely manner, if needed.

      • Dedicated privacy team. We have a dedicated Legal Privacy team that specializes in privacy and data-protection issues. They stay up to date on all privacy regulations and requirements that apply to us, ensuring that your regulatory requirements with respect to Datadog are always met.

      • Recurring audits. We conduct a series of annual audits, including ISO 27001 and SOC 2 Type 2 audits, to ensure compliance with our technical and organizational measures, and we make our relevant audit reports available to you.

      • Confidentiality obligations. All of our employees are required to sign confidentiality agreements, where local law allows. In addition, all of our Subprocessors who handle Customer Personal Data are required to adhere to confidentiality terms.

      • Access controls. We enforce strict access controls to ensure that the only people who have access to Customer Personal Data are those that absolutely need it to perform their job functions. To further ensure that this is the case, we log all access to Customer Data.

      • Employee training. We provide privacy and security training to all of our employees when they join the company, and yearly thereafter. As a result, our employees are always kept up to date on security and privacy best practices.

      • Privacy by design. To ensure that all of our Services are built with privacy in mind, we make sure that data protection reviews and considerations are explicitly included in the product design life cycle. This has led to the inclusion of a number of customer-facing privacy features in our products (including Logs, APM, and RUM), as well as a stronger, privacy-focused culture on our product and engineering teams.

6. Reevaluation

   We know that the global privacy landscape is in constant flux, and that new risks are routinely uncovered. Accordingly, we do not view this as a static Assessment—instead, we are committed to continuously analyzing our policies and practices to ensure that we can process Customer Personal Data in a way that complies with all applicable privacy and data protection laws. We’re always willing to work with you if you have specific concerns not covered in the Assessment above. You can reach out to Datadog’s privacy team at privacy@datadoghq.com.