Trust Center

Datadog has identified a campaign where trial accounts were abused to send spam and phishing emails in breach of our Terms of Service. The accounts responsible have been terminated, and we have implemented controls to block monitor notifications from being sent to recipients outside the sending organization. We will continue to detect and respond to further attempts and are actively refining our controls to prevent unauthorized activity.

No Datadog customer data was exposed and no action is needed on your end.

If you received one of these emails, please disregard and delete it. Do not interact with any links it contains. If you clicked a link or took any action, we recommend reporting it to your organization's IT or security team.

We're pleased to announce that Datadog for Government has achieved FedRAMP High certification, the U.S. federal government's most rigorous authorization for cloud service providers handling sensitive, unclassified data.

For details on what this means for your organization and our ongoing commitment to trust and accountability, please see our press release and blog post.

We are aware of the recently disclosed Linux kernel local privilege escalation vulnerability, CVE-2026-31431, nicknamed "CopyFail," for which a working public exploit was published on April 30, 2026. Upon disclosure, Datadog's security team immediately launched an investigation to assess our exposure across our products and infrastructure.

From our investigation, we have identified no impact to Datadog's services or customer data. Datadog has multiple defense in depth measures in place to guard against this class of vulnerability, including hardened execution environments for untrusted workloads.
No action is required from customers at this time.

If you have any questions or concerns, please reach out via your Customer Success Manager, Account Executive, or through Support channels.

Datadog Security

We're pleased to announce that our Datadog, Cloudcraft, and Eppo SOC 2 Type II reports are available on our Trust Center.

GitHub recently disclosed a bug active between September 11, 2025 and January 5, 2026, where webhook secrets were inadvertently included in an X-Github-Encoded-Secret HTTP header on webhook deliveries. Webhook deliveries were encrypted in transit via TLS, and the header was only accessible to the receiving endpoint. GitHub fixed the issue on January 26, 2026 and notified affected webhook owners directly.

Upon learning of this issue, Datadog immediately launched an investigation and rotated webhook secrets for all internal Datadog-owned webhooks. We have no evidence that any webhook secrets have been misused.

Your Datadog account is not at risk. Datadog validates webhook requests using a Datadog API key rather than the webhook secret, meaning an exposed secret cannot be used to impersonate GitHub or send forged webhook traffic to your Datadog org. If you use Datadog's GitHub Marketplace App integration, Datadog has already rotated the webhook secret and no action is required on your end. If you use a custom GitHub app configuration, you can rotate the webhook secret as a precaution in GitHub without impacting your integration.

For additional details on the distinction between the Marketplace and custom apps, please see here.

If you have any questions or concerns, please reach out via your Customer Success Manager, Account Executive, or through Support channels.