Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Datadog is a cloud-based observability platform providing infrastructure monitoring, APM (Application Performance Monitoring), log management, security monitoring, and Real User Monitoring (RUM). For GDPR, the key distinctions are: server-side monitoring (infrastructure metrics, APM traces) can rely on legitimate interest, while RUM and session replay capture browser-side user behaviour requiring more careful assessment. An EU region (Frankfurt) is available for organisations with EU data residency requirements.
Datadog is a cloud-based observability and security platform providing infrastructure monitoring (server metrics, container health), Application Performance Monitoring (APM, distributed tracing), log management, Real User Monitoring (RUM), security monitoring (CSPM, SIEM), synthetic testing, and dashboarding. It is widely used by engineering teams to understand the performance and reliability of applications and infrastructure. Datadog collects a wide variety of telemetry data, some of which may contain personal data.
Infrastructure metrics, APM traces, and server-side logs are generally operations data with low personal data content. Legitimate interest supports this monitoring as an operational necessity. However, logs often contain IP addresses and user identifiers. Configure log scrubbing to remove or hash PII from log entries. Set minimum log retention periods consistent with operational needs.
Datadog RUM captures browser-side user behaviour: page URLs visited, user interactions, JavaScript errors, performance metrics, and (with session replay) a visual recording of user sessions. RUM constitutes processing of end-user personal data. Session replay specifically records individual user sessions and requires consent under CNIL and ePrivacy guidelines. Configure RUM with strict masking and obtain consent before enabling session replay.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Datadog''s EU region (AWS eu-central-1, Frankfurt) stores all telemetry data within the EU. Select the EU region when creating your Datadog account if EU data residency is required. US-region accounts require SCCs for EU personal data in logs and traces.
Sign the Datadog DPA. Select EU region if required. Configure log scrubbing to remove PII. Set minimum retention for all data types. For RUM: enable strict privacy mode, mask all input fields, and consent-gate session replay. Disclose Datadog as a monitoring processor in your privacy policy distinguishing operational monitoring from end-user monitoring.
Websites using Datadog must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Datadog deployments using RUM session replay and log management where personal data may appear in logs. The combination of user behaviour monitoring, log analysis, and APM tracing across large user bases warrants documented risk assessment.
Sample consent text
This application uses Datadog for performance monitoring and error tracking. Datadog may collect technical information about your browser and interactions to help us maintain application performance. This is conducted under legitimate interest for operational purposes.
Third-party domains contacted
datadoghq.comdatadoghq.eubrowser-intake-datadoghq.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _dd_s | session | Session | Datadog RUM session cookie grouping browser events and performance metrics within a single user session |
Datadog collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Legitimate interest (Art. 6(1)(f)) for infrastructure monitoring, APM, and log management as operational necessities. For RUM and session replay involving end-user data, careful assessment is needed — session replay specifically requires consent.
Yes. Datadog's EU region (AWS eu-central-1, Frankfurt) is available for all paying customers. Select the EU site (datadoghq.eu) when creating your Datadog account. This stores all telemetry data within the EU and eliminates SCCs for primary data flows.
Datadog RUM (basic page views and errors) may rely on legitimate interest as operational performance monitoring. Datadog RUM session replay specifically records individual user sessions and requires consent. Configure session replay to be consent-gated or disabled by default.
Use Datadog's log scrubbing configuration (Log Management, Configuration, Log Pipeline) to add scrubbing rules for common PII patterns: emails, credit cards, phone numbers, IP addresses. Test rules before enabling in production. Also configure APM trace scrubbing to remove PII from distributed traces.
Datadog RUM sets _dd_s (session tracking cookie) for grouping browser events into sessions. This requires consent under the ePrivacy Directive when used for RUM monitoring of end users. Infrastructure monitoring (no browser cookies) does not set end-user cookies.
Yes. Sign the Datadog Data Processing Addendum available from Datadog's security and compliance page. For EU-region accounts, verify the DPA covers your specific region configuration.
Set minimum retention periods for all data types in Datadog. Infrastructure metrics: 15 months (Datadog default). Log management: configure index retention to the minimum needed (1-3 days for debug logs, longer for audit logs). APM traces: 15 days default. RUM session replays: configure for minimum needed.
Yes, when configured with the EU region (datadoghq.eu). The EU region stores all telemetry data within the EU and eliminates SCCs. Datadog holds ISO27001 and SOC2 Type II certifications and provides a comprehensive DPA.