Trust Center

As some patches for the curl vulnerabilities (CVE-2023-38545 & CVE-2023-38546) have recently been released, Datadog is actively investigating and working on patching code identified as vulnerable. Patching will be performed in adherence with our Vulnerability Management process. Our process and remediation timelines are outlined in our whitepaper Vulnerability Management at Datadog, which is available via our Trust Portal.

In late August 2023, a zero-day vulnerability was discovered that exploits the standard HTTP/2 protocol, known as the HTTP/2 Rapid Reset Vulnerability (CVE-2023-44487).

Datadog has conducted an internal investigation and can confirm that we do not have any Datadog-owned, internet-facing resources that are vulnerable to CVE-2023-44487 (running vulnerable HTTP/2).

Datadog’s Cloud Service Providers (CSPs) have implemented mitigations to address this issue, which can be found below:

• AWS
• GCP
• Azure

We are thrilled to announce that Datadog has completed its self-certification with the EU-U.S. Data Privacy Framework, including UK Extension and Swiss-U.S. Framework (together, the “DPF”). Our participant profile can be viewed on the DPF public website here.

The DPF is designed to provide protections for personal data transferred from the European Union to the United States that are comparable to those provided under EU law, and it formed the basis of the European Commission’s July 10 adequacy decision for the United States. You can read more about the background of the DPF on the Department of Commerce’s website here.

Datadog’s participation in the DPF demonstrates Datadog’s commitment to protecting the privacy of its customers and partners. As a member of the DPF, our customers now have another GDPR-compliant way to transfer personal data to us (in addition to the European Commission-approved Standard Contractual Clauses that we will continue to include in our customer DPAs). For more information about how we think about data transfers, please review our Transfer Impact Assessment.

You can now configure up to two email addresses to receive security-related notifications specific to your Datadog account. These notifications may include alerts for Datadog keys you accidentally expose on the internet, critical changes to your organization settings or other messages from Datadog relating to the security of your Datadog account.

To add or update a Security Contact, simply sign in to your Datadog account as an Administrator, navigate to Organization Settings and select "Security Contacts" under Preferences. As a best practice, we recommend using an email alias or a distribution list for your Security Contact(s), for example, security@yourdomain[.]com (rather than an email address for an individual).

Want more information? Please reach out to your Datadog Representative and they will be happy to assist you with any inquiries you may have.

On June 15, 2023, Progress published a public advisory regarding a vulnerability with its MOVEit Transfer product “that could lead to escalated privileges and potential unauthorized access to the environment.”

Datadog promptly conducted an internal investigation and determined that we do not use, and therefore are not vulnerable to the vulnerability affecting MOVEit Transfer.

We're pleased to announce that we recently completed our ISO 27001, ISO 27701 and SOC 2 audits! As such, our updated ISO certificates and SOC 2 report are now available.

On January 4th 2023, CircleCI published a public advisory stating that all users should rotate “any and all” credentials stored in CircleCI due a breach at their company.

What we are doing: Datadog is promptly rotating its secrets stored in CircleCI and investigating the potential unauthorized access or use of these secrets. No impact has been identified at this time.

What you should do: If you store Datadog API and APP keys in CircleCI, we highly recommend you follow the guidance posted in the aforementioned advisory and rotate them immediately. As a proactive measure to keep your account safe, Datadog Security will notify you directly if we observe suspicious API activity from your account.