When enterprise customers send data to Datadog's monitoring platform, Datadog acts as a data processor on their behalf, and the privacy policy covering that data is the Data Processing Addendum in the customer's contract, not this public policy.
This analysis describes what Datadog's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that personal data transmitted within enterprise customers' monitoring payloads is governed by a separate contractual document, meaning individuals whose data appears in those payloads must look to the enterprise customer, not to Datadog's public privacy policy, for rights fulfillment.
If personal data about employees, end users, or third parties appears in monitoring data that an organization sends to Datadog, those individuals' data rights are governed by the enterprise contract and DPA, not by the publicly available privacy policy; this may limit the practical ability of those individuals to directly exercise access or deletion rights against Datadog.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
When you visit a website built on Squarespace, Squarespace acts as a service provider or data processor, meaning that we process your information on behalf of the website owner. In this case, the website owner is responsible for the information they collect through their website and you should conta...
Monitoring
Datadog has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"When we provide services to our customers, we may process personal data on behalf of our customers. Our customers are generally the controllers of the data they submit to our services and we are the data processor. The processing of such data is governed by the applicable terms between Datadog and the customer, including our Data Processing Addendum. This Privacy Policy does not apply to the personal data we process on behalf of our customers in their capacity as data controllers.— Excerpt from Datadog's Datadog Privacy Policy
REGULATORY LANDSCAPE: The controller/processor distinction directly engages GDPR Articles 4, 24, 28, and 29, which establish obligations for both controllers and processors and require a written data processing agreement. The UK GDPR contains equivalent requirements. CCPA similarly distinguishes between businesses and service providers, affecting the categorization of data sharing and applicable obligations. EU data protection authorities and the UK ICO are primary enforcement bodies. GOVERNANCE EXPOSURE: High. Enterprise customers that transmit personal data in monitoring payloads bear primary controller obligations and must ensure their DPA with Datadog adequately covers the scope of processing, subprocessor engagement, data subject rights fulfillment, and international transfer mechanisms. Failure to execute a compliant DPA may result in GDPR Article 28 violations. JURISDICTION FLAGS: EU and UK customers face the highest exposure given GDPR and UK GDPR Article 28 requirements for written processor agreements. California businesses should assess whether Datadog qualifies as a service provider under CCPA and whether the service provider contract terms are sufficient to prevent the data sharing from being classified as a sale. Healthcare organizations must separately assess whether monitoring payloads may contain PHI and whether a Business Associate Agreement is required. CONTRACT AND VENDOR IMPLICATIONS: This provision creates a direct due diligence trigger: legal and procurement teams must confirm a current, jurisdiction-appropriate DPA is in place before transmitting personal data to Datadog. The DPA should be reviewed for subprocessor disclosure and objection rights, data retention and deletion timelines, and audit rights. The policy's statement that the DPA governs processor-role processing means the public privacy policy cannot be relied upon for contractual compliance purposes. COMPLIANCE CONSIDERATIONS: Organizations should map which personal data categories may appear in monitoring payloads (employee identifiers, end-user session data, log data containing email addresses or IP addresses) and ensure the DPA scope covers those categories. Data subject request workflows must account for the controller/processor split so that requests received by the enterprise customer can be forwarded to Datadog within applicable timeframes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that personal data transmitted within enterprise customers' monitoring payloads is governed by a separate contractual document, meaning individuals whose data appears in those payloads must look to the enterprise customer, not to Datadog's public privacy policy, for rights fulfillment.
If personal data about employees, end users, or third parties appears in monitoring data that an organization sends to Datadog, those individuals' data rights are governed by the enterprise contract and DPA, not by the publicly available privacy policy; this may limit the practical ability of those individuals to directly exercise access or deletion rights against Datadog.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Datadog.