Trust Center


Welcome to Datadog's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.


Trust Center Updates

Datadog's Response to the OpenSSH Vulnerability

Vulnerabilities

In response to the recently discovered Remote Unauthenticated Code Execution (RCE) vulnerability (CVE-2024-6387) in OpenSSH’s server (sshd), Datadog conducted an internal investigation and has patched all impacted systems. Additionally, our environment is not publicly accessible via SSH. As such, we consider the vulnerability fully mitigated within the Datadog environment.

To check whether your systems are vulnerable, and for guidance on how to remediate any affected systems, please refer to Datadog’s recent Security Labs blog post: RegreSSHion vulnerability CVE-2024-6387: Overview, detection, and remediation.


Datadog's Response to Attacks Against Snowflake Customers

Vulnerabilities

In May 2024, Mandiant notified Snowflake of unauthorized access to certain customer accounts. It was determined that this access did not stem from a breach of Snowflake’s enterprise environment, but rather compromised customer credentials.

We deployed our internal Detection and Response teams to search for signs of impact, and after a thorough investigation, it was determined that there was no impact to Datadog.

As an added precaution, we have successfully rotated or deleted keys for Snowflake service accounts.


Datadog's Response to Sisense Breach

Vulnerabilities

We're aware of Sisense's breach disclosure. We're not a customer of their platform, so we have no direct impact. However, like most companies, we're still in the process of reaching out to all of our critical third parties to identify any potential exposure from them. So far, we have not discovered any.


Datadog's Response to liblzma backdoor vulnerability CVE-2024-3094

Vulnerabilities

On March 29, 2024, we became aware of a backdoor vulnerability in liblzma [CVE-2024-3094] and promptly investigated all of our environments against this new threat. After thorough investigation, we found no vulnerable versions anywhere in our environment.

Additional resources:

Global announcement - OSS Security Notification:
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://access.redhat.com/security/cve/CVE-2024-3094

Link to CSM Security Center notification:
https://app.datadoghq.com/security/csm?panels=security-center%7Cscp-singleton%7CsecurityCardId%3A27&sort=&timestamp=1711753804867&live=true

Link to CSM Vulnerabilities explorer:
https://app.datadoghq.com/security/csm/vm?query=status%3AOpen%20cve%3ACVE-2024-3094%20&group=vulnerability


Datadog's Response to Leaky Vessels Vulnerability

Vulnerabilities

Datadog is actively investigating the presence of one of the “Leaky Vessels” vulnerabilities (CVE-2024-21626) and working on patching our container environments identified as vulnerable. Datadog has controls in place that mitigate the risk from this vulnerability, including allowing only Datadog vetted container images to run in our environment; blocking container images from third-party (external) registries from being deployed directly onto our nodes; and enforcing strict access controls across Datadog resources. As such, we do not believe there is a substantial security risk to our customers due to this potential vulnerability in our environment.

We intend to patch our container environments in adherence with our Vulnerability Management process. Our process and remediation timelines are outlined in our Vulnerability Management at Datadog white paper, which is available via our Trust Portal.


2023 Penetration Test

Compliance

We're pleased to announce that a summary of Datadog's 2023 penetration test (as performed by Bishop Fox) is available on our security portal. This summary is accompanied by a Letter of Assessment. Please review the updated summary and Letter of Assessment at your convenience.


Datadog's Response to curl Vulnerabilities

Vulnerabilities

As some patches for the curl vulnerabilities (CVE-2023-38545 & CVE-2023-38546) have recently been released, Datadog is actively investigating and working on patching code identified as vulnerable. Patching will be performed in adherence with our Vulnerability Management process. Our process and remediation timelines are outlined in our whitepaper Vulnerability Management at Datadog, which is available via our Trust Portal.


Datadog's Response to the HTTP/2 Rapid Reset Vulnerability

Vulnerabilities

In late August 2023, a zero-day vulnerability was discovered that exploits the standard HTTP/2 protocol, known as the HTTP/2 Rapid Reset Vulnerability (CVE-2023-44487).

Datadog has conducted an internal investigation and can confirm that we do not have any Datadog-owned, internet-facing resources that are vulnerable to CVE-2023-44487 (running vulnerable HTTP/2).

Datadog’s Cloud Service Providers (CSPs) have implemented mitigations to address this issue, which can be found below:


Datadog Certified Against the EU-US Data Privacy Framework

Compliance

We are thrilled to announce that Datadog has completed its self-certification with the EU-U.S. Data Privacy Framework, including UK Extension and Swiss-U.S. Framework (together, the “DPF”). Our participant profile can be viewed on the DPF public website here.

The DPF is designed to provide protections for personal data transferred from the European Union to the United States that are comparable to those provided under EU law, and it formed the basis of the European Commission’s July 10 adequacy decision for the United States. You can read more about the background of the DPF on the Department of Commerce’s website here.

Datadog’s participation in the DPF demonstrates Datadog’s commitment to protecting the privacy of its customers and partners. As a member of the DPF, our customers now have another GDPR-compliant way to transfer personal data to us (in addition to the European Commission-approved Standard Contractual Clauses that we will continue to include in our customer DPAs). For more information about how we think about data transfers, please review our Transfer Impact Assessment.


Add Security Contacts to Your Datadog Account for Timely Notifications

General

You can now configure up to two email addresses to receive security-related notifications specific to your Datadog account. These notifications may include alerts for Datadog keys you accidentally expose on the internet, critical changes to your organization settings or other messages from Datadog relating to the security of your Datadog account.

To add or update a Security Contact, simply sign in to your Datadog account as an Administrator, navigate to Organization Settings and select "Security Contacts" under Preferences. As a best practice, we recommend using an email alias or a distribution list for your Security Contact(s), for example, security@yourdomain[.]com (rather than an email address for an individual).

Want more information? Please reach out to your Datadog Representative and they will be happy to assist you with any inquiries you may have.


Datadog's Response to MOVEit Transfer

Incidents

On June 15, 2023, Progress published a public advisory regarding a vulnerability with its MOVEit Transfer product “that could lead to escalated privileges and potential unauthorized access to the environment.”

Datadog promptly conducted an internal investigation and determined that we do not use MOVEit Transfer and are therefore not vulnerable to the vulnerability affecting it.


SOC 2 and ISO Updates

Compliance

We're pleased to announce that we recently completed our ISO 27001, ISO 27701 and SOC 2 audits! As such, our updated ISO certificates and SOC 2 report are now available.


Datadog's Response to CircleCI

Incidents

On January 4th, 2023, CircleCI published a public advisory stating that all users should rotate “any and all” credentials stored in CircleCI due to a breach at their company.

What we are doing: Datadog is promptly rotating its secrets stored in CircleCI and investigating the potential unauthorized access or use of these secrets. No impact has been identified at this time.

What you should do: If you store Datadog API and APP keys in CircleCI, we highly recommend you follow the guidance posted in the aforementioned advisory and rotate them immediately. As a proactive measure to keep your account safe, Datadog Security will notify you directly if we observe suspicious API activity from your account.
