Datadog GDPR Compliance & DPA Guide for German Companies

Yes, Datadog is GDPR compliant. Datadog signs a Data Processing Agreement (DPA) under GDPR Article 28, offers EU-region data storage with Frankfurt as the primary location (AWS eu-central-1), and has Standard Contractual Clauses (SCCs) in place for international transfers. Datadog holds ISO 27001, SOC 2 Type II, and CSA STAR certifications. For German companies, the critical compliance tasks are: using the EU platform (app.datadoghq.eu), signing the DPA, and auditing what personal data your applications send to Datadog before enabling AI features such as Bits AI and Watchdog.

Is Datadog GDPR Compliant?

Yes. Datadog provides the following GDPR compliance infrastructure for customers:

  • Data Processing Agreement (DPA): Available in Datadog’s account settings under Organization Settings → Legal Documents, covering all GDPR Article 28 processor obligations.
  • EU data residency: Customers on app.datadoghq.eu have data processed and stored within the European Union.
  • Standard Contractual Clauses (SCCs): In place for transfers involving processing outside the EU/EEA.
  • Sub-processor list: Published and updated in the Datadog Trust Center; change notifications included.
  • Certifications: ISO 27001, SOC 2 Type II, CSA STAR Level 1.

The compliance question is not whether Datadog is GDPR compliant — it is. The operative question is whether your Datadog configuration meets GDPR requirements: specifically, what personal data your applications transmit to Datadog, and whether that processing is documented in your Records of Processing Activities (RoPA).

What Data Does Datadog Process?

Datadog is an observability platform. The data it processes depends on how you instrument your systems. Understanding the data categories is essential before deploying in a GDPR context.

Agent Data, Logs, Metrics, and APM Traces

  • Application logs: Frequently contain IP addresses, user IDs, email addresses, session identifiers, and query parameters — all of which qualify as personal data under GDPR.
  • APM traces: Distributed tracing captures URL paths, HTTP headers, and query strings that may include personal identifiers.
  • Metrics: Typically aggregated and less likely to contain personal data, but custom metrics can be tagged with user attributes.
  • Real User Monitoring (RUM): Collects browser session data, which typically includes IP addresses and behavioral data.

Infrastructure Data

  • Hostnames and IP addresses: Server and container metadata transmitted by the Datadog Agent.
  • Custom tags: Organizations often tag infrastructure with environment, team, or project metadata. Avoid tagging with personal identifiers.
  • Container and orchestration metadata: Kubernetes pod names, Docker labels. These are generally not personal data, but should be reviewed in regulated contexts.

Before enabling AI features that query across this data, audit your log pipeline and apply masking or scrubbing rules. Datadog’s Sensitive Data Scanner identifies and masks patterns — email addresses, credit card numbers, custom regex — before data is indexed.
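A pre-shipping audit of the kind described above, as an added example (not Datadog's code and not a Sensitive Data Scanner configuration): it scans log lines for the personal-data categories listed in this section, masks them, and counts what it found so the result can feed your RoPA entry. The regexes, the key names in `SENSITIVE_KEY`, and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed, illustrative detectors (not Datadog's Sensitive Data Scanner rules).
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# key=value fields, query strings included, whose value names a user or session.
SENSITIVE_KEY = re.compile(r'(?i)\b(user_id|session|sid|token)=([^&\s"]+)')

def luhn_ok(candidate):
    """Luhn checksum, so order numbers are not reported as card numbers."""
    digits = [int(c) for c in reversed(candidate) if c.isdigit()]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def mask_line(line, found):
    """Mask personal data in one log line; tally each category in `found`."""
    def redact(label, keep_key=False, validate=None):
        def repl(m):
            if validate and not validate(m.group(0)):
                return m.group(0)  # failed validation: leave untouched
            found[label] += 1
            key = m.group(1) + "=" if keep_key else ""
            return f"{key}[REDACTED:{label}]"
        return repl
    line = SENSITIVE_KEY.sub(redact("identifier", keep_key=True), line)
    line = EMAIL.sub(redact("email"), line)
    line = CARD.sub(redact("card", validate=luhn_ok), line)
    return IPV4.sub(redact("ip"), line)

def audit(lines):
    """Return (masked_lines, per-category counts) for a batch of log lines."""
    found = Counter()
    return [mask_line(line, found) for line in lines], found

# Constructed sample lines (not real data).
SAMPLE = [
    '2024-05-01T12:00:03Z 203.0.113.7 "GET /account?user_id=8841&lang=de" 200',
    "2024-05-01T12:00:04Z login ok email=anna@example.com sid=9f2c4e7a1b3d5f60",
    "2024-05-01T12:00:05Z payment card=4111 1111 1111 1111 order=1234567890123",
]

if __name__ == "__main__":
    masked, counts = audit(SAMPLE)
    print(*masked, dict(counts), sep="\n")
```

Running it against a sample of production logs before onboarding shows which categories actually reach the pipeline; the 13-digit order number in the last line is left intact because it fails the Luhn check.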

Datadog’s Data Processing Agreement (DPA)

Where to Sign Datadog’s DPA

Datadog’s DPA is available directly in your account:

  1. Log in to your Datadog account.
  2. Navigate to Organization Settings → Legal Documents.
  3. Accept the Data Processing Addendum — no custom negotiation required for standard deployments.

For enterprise accounts, the DPA may be embedded in the Master Service Agreement. Review whether your contract already incorporates it, and retain a signed copy as part of your vendor compliance documentation.

GDPR Article 28 Checklist for Datadog

| Requirement | Datadog Coverage |
| --- | --- |
| Processing only on documented instructions | Covered in standard DPA |
| Confidentiality for authorized persons | Included |
| Technical and organizational security measures | ISO 27001, SOC 2 Type II |
| Sub-processor management with prior notice | Published list; change notification included |
| Support for data subject rights | Deletion and export supported |
| Post-processing deletion or return of data | Covered |
| Audit cooperation | Available for enterprise accounts |

Standard Contractual Clauses (SCCs)

If your organization uses the US platform (app.datadoghq.com) or if Datadog’s sub-processors transfer data outside the EU/EEA, Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914 must be in place. Datadog’s standard DPA incorporates SCCs. Confirm with your account team which AWS regions and sub-processors are active for your account, and document the transfer mechanism in your RoPA.

Datadog Data Residency: EU and Germany

Datadog EU Region — Frankfurt / AWS eu-central-1

Datadog operates a dedicated European platform at app.datadoghq.eu. Data is processed and stored within the European Union. The primary EU infrastructure runs on AWS eu-central-1 (Frankfurt).

Key points for German companies:

  • EU platform is required for EU residency. If your organization uses app.datadoghq.com (the US platform), data is processed in the United States — SCCs must be confirmed and documented.
  • Frankfurt as primary region. For companies with strict data localisation requirements — financial services, healthcare, regulated industries — confirm with your Datadog account team that your data is confined to eu-central-1.
  • Sub-processors in the EU. Datadog’s EU-region sub-processors are published in the Trust Center. Review these during vendor onboarding.

Data Residency Add-On

For organizations with heightened data sovereignty requirements, Datadog offers a Data Residency add-on that contractually limits processing to a specified region. This is relevant for companies subject to sector-specific obligations beyond standard GDPR, such as financial services regulations or KRITIS requirements under German law. Request this option through your account team before signing the final contract.

GDPR Roles: Controller vs. Processor

Understanding the role allocation is required for your RoPA entry and DPA.

Your company is the data controller. You determine the purposes and means of processing — what data is sent to Datadog, for what operational purpose, and under which legal basis.

Datadog is the data processor. Datadog processes personal data on your instructions, as defined in the DPA. Datadog’s sub-processors (cloud infrastructure providers) are further processors acting under Datadog’s instructions.

This means the legal basis for processing monitoring data — typically legitimate interests under GDPR Article 6(1)(f) for operational stability, or a contractual necessity basis where monitoring supports service delivery — is your responsibility to establish and document, not Datadog’s.

Key Certifications: SOC 2, ISO 27001, CSA STAR

Datadog’s security certifications support Article 28 compliance by evidencing technical and organizational measures (TOMs):

  • ISO/IEC 27001: International standard for information security management systems. Relevant for vendor risk assessments.
  • SOC 2 Type II: Independent audit of security, availability, and confidentiality controls over a period of time (stronger than Type I). Request the report under NDA for your vendor assessment documentation.
  • CSA STAR Level 1: Cloud Security Alliance self-assessment against the Cloud Controls Matrix (CCM). Available publicly in the CSA STAR registry.

These certifications satisfy the Article 28(3)(c) requirement for TOMs without requiring you to conduct your own audit for standard deployments.

Most infrastructure monitoring under Datadog falls under legitimate interests (GDPR Article 6(1)(f)):

  • Purpose: Operational stability, security monitoring, performance optimisation.
  • Necessity: Monitoring is necessary to detect incidents, ensure uptime, and protect systems.
  • Balancing test: The processing is proportionate; impact on individuals is minimal when personal data is incidental to operational metrics.

When monitoring extends to employee activity — access logs, developer activity, or performance metrics linked to individuals — the legal basis shifts. In Germany, § 26 BDSG governs employee data processing. A works council co-determination requirement under § 87(1)(6) BetrVG applies when Datadog is used to monitor employee behaviour. Obtain works council approval or conclude a works agreement (Betriebsvereinbarung) before deploying monitoring that captures employee-linked activity.

For high-risk processing, consider whether a Data Protection Impact Assessment (DPIA) under GDPR Article 35 is required. Standard DevOps monitoring typically does not require a DPIA; systematic employee behaviour monitoring typically does.

Checklist: Using Datadog Compliantly in Germany

  1. Use the EU platform — confirm your organization is on app.datadoghq.eu.
  2. Sign the DPA — via Organization Settings → Legal Documents; retain a copy.
  3. Audit personal data in your pipeline — logs, APM traces, RUM sessions.
  4. Configure data masking — Sensitive Data Scanner and APM obfuscation rules.
  5. Update your RoPA — add Datadog as processor with purpose, data categories, and retention.
  6. Works council check — assess § 87(1)(6) BetrVG applicability if employee activity is visible.
  7. Confirm EU region — verify AWS eu-central-1 is active if Frankfurt-only is required.

How Compound Law Helps

German companies deploying Datadog frequently need legal support with:

  • DPA review — checking Datadog’s standard DPA against your processing context and data flows
  • RoPA entry — documenting Datadog as a processor in your Article 30 records
  • DPIA — when Datadog processes significant personal data or employee-linked activity at scale
  • Works council coordination — § 87(1)(6) BetrVG analysis and Betriebsvereinbarung drafting
  • Vendor risk assessment — review of certifications and sub-processor list

For related compliance guides, see our AWS Bedrock GDPR guide, Azure OpenAI GDPR & DPA guide, Claude Enterprise DPA guide, and GDPR compliance hub.

Frequently Asked Questions

Does Datadog have a GDPR DPA?

Yes. Datadog provides a standard Data Processing Addendum (DPA) under GDPR Article 28. It is available in your Datadog account under Organization Settings → Legal Documents and can be accepted without custom negotiation. Enterprise customers may have the DPA incorporated in their Master Service Agreement.

Where does Datadog store data by default?

By default, Datadog stores data on its US platform (app.datadoghq.com) using AWS infrastructure in the United States. To store data in the EU, your organization must use the EU platform at app.datadoghq.eu, which uses AWS eu-central-1 (Frankfurt) as the primary region. These are separate platforms — migrating between them requires creating a new Datadog organization.

Can I restrict data to EU data centres?

Yes. Using app.datadoghq.eu restricts processing to EU infrastructure. Datadog’s Data Residency add-on provides contractual guarantees for region-specific storage. Confirm the exact AWS regions active for your account with your Datadog account team, particularly if your compliance obligations require Frankfurt-only data storage.

What personal data does Datadog collect?

Datadog does not independently collect personal data — it processes whatever your applications transmit to it. Common personal data categories found in Datadog instances include: IP addresses (GDPR Recital 30), user IDs and email addresses in application logs, session identifiers in access logs, and URL paths or query parameters captured by APM. Apply Datadog’s Sensitive Data Scanner and APM obfuscation rules to reduce personal data exposure in your instance.
