Datadog EU Alternative 2026: NYSE-Listed Delaware C-Corp, CLOUD Act Exposure for APM/Logs/Metrics, GDPR Monitoring Data Risk
Post #1 in the sota.io EU Monitoring Tools Series
Datadog was co-founded in 2010 by two French engineers, Olivier Pomel and Alexis Lê-Quôc, both originally from Paris. The company grew out of the problem they faced managing infrastructure at a US startup. That French origin story has become something of an irony: Datadog, Inc. is today a Delaware C-Corp listed on the New York Stock Exchange under the ticker DDOG, with headquarters at 620 8th Avenue, New York, NY 10018. For European engineering teams evaluating observability platforms, that corporate structure matters far more than the founders' passports.
This post analyses Datadog's legal exposure under the CLOUD Act, the specific GDPR risks of centralising monitoring data in a US-controlled platform, and the EU-native and self-hosted alternatives available for teams that need data sovereignty alongside observability.
Datadog's Corporate Structure
Datadog, Inc. is incorporated in Delaware. The Delaware General Corporation Law (DGCL) makes Delaware the corporate jurisdiction of choice for US public companies — and it also places Datadog squarely within the reach of the US Stored Communications Act (SCA) and the CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. § 2703).
| Attribute | Value |
|---|---|
| Legal Entity | Datadog, Inc. |
| Incorporation | Delaware C-Corp |
| Stock Exchange | NYSE: DDOG |
| Global HQ | New York, NY, USA |
| EU Office | Paris, France (Datadog S.A.S.) |
| Founders | Olivier Pomel, Alexis Lê-Quôc (French citizens) |
| Revenue (FY2024) | ~$2.68B |
| Investors | Index Ventures, ICONIQ, OpenAI (via partnership) |
The French subsidiary, Datadog S.A.S., operates as a sales and engineering office. It is not the data controller for customer monitoring data. All SaaS contracts are executed with Datadog, Inc. in New York. The EU subsidiary does not change the data controller's jurisdiction or CLOUD Act exposure.
What Datadog Collects: The GDPR Data Inventory Problem
Before assessing legal risk, it is necessary to understand what Datadog actually ingests. This is where monitoring platforms differ fundamentally from communication tools like Slack or Zoom: observability platforms collect data about systems processing personal data, which means they often collect personal data themselves — embedded in logs, traces, and metrics.
Metrics
Datadog collects time-series metrics from every instrumented system. While aggregate metrics (CPU %, request rate) typically do not contain personal data, custom metrics and tagged metrics frequently do:
- User-tagged metrics: request duration tagged with `user_id`, `tenant_id`, `customer_plan`
- Business metrics: checkout_value, subscription_count per customer segment
- Per-session performance metrics in Real User Monitoring (RUM)
Under GDPR, any data that can identify a natural person — even indirectly through linkability with other datasets — is personal data. User-tagged metrics often cross this threshold.
Logs
Log ingestion is the highest-risk data category in Datadog. Application logs routinely contain:
- Authentication events: usernames, email addresses, IP addresses, failed login attempts
- API requests: full request paths including user identifiers, query parameters, session tokens
- Error stack traces: file paths, variable values, database queries that may include personal data
- Payment processing logs: references to order IDs, amounts, customer identifiers
- Email system logs: recipient addresses, message IDs
GDPR Article 5(1)(c) requires data minimisation. In practice, most organisations ingesting raw application logs into Datadog are ingesting personal data. Datadog's Sensitive Data Scanner can redact patterns, but configuration must be explicit and comprehensive — the default is to ingest everything.
APM / Distributed Traces
Application Performance Monitoring (APM) and distributed tracing capture request flows across services. A single distributed trace may contain:
- HTTP headers (including `Authorization`, `Cookie`, `X-User-ID`)
- Database query spans (which may include WHERE clauses containing personal data)
- Service-to-service call metadata with user context propagated via trace headers
- Span tags set by application code (frequently including user IDs)
Datadog APM's automatic instrumentation captures all of this without requiring explicit configuration. For teams that have not audited their span tags, it is common to inadvertently send personal data to Datadog through the APM pipeline.
Real User Monitoring (RUM) / Browser Monitoring
Datadog RUM collects:
- Session identifiers (persistent across visits if session replay is enabled)
- User actions: clicks, scrolls, form interactions
- Session Replay: pixel-level recordings of user sessions that may capture form inputs, text entered in fields, and visible personal data on-screen
- Geographic location derived from IP address
- Device fingerprint data (browser, OS, screen resolution)
Session Replay is particularly sensitive under GDPR. EU data protection authorities have consistently found that session recordings constitute processing of personal data. Datadog's Session Replay includes masking options, but these require explicit implementation.
Infrastructure Topology
Datadog's infrastructure monitoring and Network Performance Monitoring (NPM) capture:
- Server hostnames and IP addresses (which may identify individuals in corporate IT environments)
- Process-level data (running processes, command-line arguments) — command-line args may include credentials or personal data
- Container names and Kubernetes labels (which frequently include service names referencing customer accounts)
- Network traffic flows between services
CLOUD Act Analysis: What US Law Enforcement Can Access
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) amended the SCA to allow US law enforcement agencies to compel US companies to provide data stored anywhere in the world, including EU data centres.
Key legal points for Datadog:
- Datadog, Inc. is a "provider of electronic communication service or remote computing service" under 18 U.S.C. § 2703. This classification is established by case law and applies to cloud SaaS platforms.
- A US law enforcement agency (FBI, DOJ, SEC, FTC, IRS) can serve Datadog with a warrant or subpoena requiring disclosure of customer data, including all metrics, logs, traces, and RUM data — regardless of where Datadog stores that data.
- Datadog cannot notify the affected EU customer if the order includes a non-disclosure provision (gag order). This is standard for law enforcement orders.
- The EU GDPR Art.48 conflict: GDPR Article 48 prohibits disclosing personal data to third-country authorities in response to requests that are not based on international agreements (like MLATs). This creates a legal conflict for Datadog: complying with a US CLOUD Act order may breach EU GDPR, and refusing it may breach US law.
- Standard Contractual Clauses (SCCs) do not solve this: EU Data Protection Authorities, including the EDPB, have confirmed that SCCs cannot protect against government access — they govern controller-processor relationships, not law enforcement access.
- The EU-US Data Privacy Framework (DPF) covers commercial data transfers but explicitly does not restrict US intelligence or law enforcement access. CLOUD Act orders fall outside the DPF's scope.
For European teams subject to GDPR, this creates a structural compliance problem with any Datadog deployment:
Datadog may be compelled to provide your monitoring data to US authorities under US law, in a manner that may violate GDPR, without the ability to notify you.
GDPR Risk by Data Category
| Data Category | GDPR Risk Level | Key Articles |
|---|---|---|
| Aggregate infrastructure metrics | Low | Art.5(1)(c) — if truly anonymous |
| User-tagged custom metrics | High | Art.6, Art.9 if health/financial data |
| Application logs (raw) | Critical | Art.5, Art.25 (privacy by design), Art.83(4) |
| APM traces with user context | High | Art.6, Art.13, Art.14 |
| Session Replay (RUM) | Critical | Art.9 (may capture special categories), DPA enforcement track record |
| Process-level data | Medium | Art.5(1)(c), IT environment-specific |
| Network topology | Low-Medium | Context-dependent |
Datadog's EU Data Residency Options
Datadog offers an EU region (AWS eu-west-1, Ireland) for data storage. Customers can configure their agents to send data to datadoghq.eu instead of datadoghq.com.
What the EU region covers:
- Metrics storage: EU ✅
- Log archive: EU ✅
- APM trace storage: EU ✅
- Some backend processing: EU ✅
What the EU region does NOT cover:
- CLOUD Act exposure: unchanged — Datadog, Inc. (Delaware) controls the EU region infrastructure. Legal jurisdiction is New York, not Ireland.
- Global control plane: authentication, billing, API management remain US-based
- AI features (Bits AI, LLM Observability): process data in US systems
- Incident intelligence and anomaly detection: US-based ML processing
The EU region is a data residency feature, not a data sovereignty solution. The legal controller remains Datadog, Inc. A CLOUD Act order served on Datadog, Inc. covers data in the EU region.
EU Alternatives: Decision Framework
The monitoring and observability space has matured significantly. European teams now have credible alternatives across the full stack: metrics, logs, tracing, and user monitoring.
Option A: Self-Hosted Open Source Stack (Maximum Control)
Prometheus + Grafana + Loki + Tempo + OpenTelemetry
The CNCF-standard observability stack can be deployed entirely within EU infrastructure under your own control.
| Component | Purpose | License |
|---|---|---|
| Prometheus | Metrics collection and storage | Apache 2.0 |
| Grafana | Dashboards and visualisation | AGPL 3.0 |
| Loki | Log aggregation | AGPL 3.0 |
| Tempo | Distributed tracing | AGPL 3.0 |
| OpenTelemetry Collector | Vendor-neutral telemetry pipeline | Apache 2.0 |
| Alertmanager | Alert routing and notification | Apache 2.0 |
GDPR position: You are the data controller and processor. No third-country transfers. Full control over retention, access, and deletion. Fully compliant when deployed on EU infrastructure.
Operational cost: High. Requires dedicated platform engineering to maintain at Datadog-equivalent scale. Suitable for teams with existing Kubernetes expertise.
sota.io relevance: sota.io deploys Prometheus and Grafana for internal monitoring. We can deploy the full CNCF stack in your sota.io environment, giving you Datadog-equivalent observability with zero third-country data transfer risk.
Option B: VictoriaMetrics (Open Source, EU Self-Hosted)
VictoriaMetrics is a high-performance time-series database and monitoring solution. It is compatible with the Prometheus ecosystem (PromQL, Prometheus remote_write) and significantly more resource-efficient at scale.
| Attribute | Value |
|---|---|
| License | Apache 2.0 (community), commercial (Enterprise) |
| Protocol Compatibility | Prometheus, Graphite, InfluxDB, OpenTSDB |
| Query Language | MetricsQL (PromQL superset) |
| EU Deployment | Self-hosted on your EU infrastructure |
| Data Controller | You |
VictoriaMetrics reduces infrastructure cost compared to vanilla Prometheus by 5-10x at large metric volumes. Grafana connects natively as a data source.
GDPR position: No third-country transfer when self-hosted in EU.
Option C: Better Stack — Czech Republic EU-Native SaaS
Better Stack (formerly Logtail) is a monitoring and log management platform operated by Better Stack, s.r.o., incorporated in the Czech Republic. The Czech Republic is an EU member state, subject to GDPR with supervision by the Czech Data Protection Authority (ÚOOÚ).
| Attribute | Value |
|---|---|
| Legal Entity | Better Stack, s.r.o. |
| Incorporation | Czech Republic (EU) |
| CLOUD Act Exposure | None — Czech entity, EU law applies |
| HQ | Prague, Czech Republic |
| Key Features | Logs, uptime monitoring, dashboards, incident management |
| Pricing | Starts free; paid from ~$24/month |
Better Stack covers log management, uptime monitoring, status pages, and basic dashboards. It does not offer full APM/distributed tracing — for traces, a self-hosted Jaeger or Tempo deployment is needed alongside Better Stack.
GDPR position: EU controller, EU processor, no CLOUD Act exposure. Strong choice for log centralisation with minimal operational overhead.
Option D: Elastic (Complex Jurisdictional Picture)
Elastic N.V. was founded in the Netherlands and remains incorporated as a Dutch Naamloze Vennootschap (N.V.), listed on NYSE (ESTC). This creates a more complex legal picture than straightforward US C-Corps.
| Attribute | Value |
|---|---|
| Legal Entity | Elastic N.V. |
| Incorporation | Netherlands (N.V.) |
| Stock Exchange | NYSE: ESTC |
| Global HQ | Mountain View, CA, USA |
| EU Office | Amsterdam, Netherlands |
| CLOUD Act Exposure | Partial — depends on which entity processes data |
The complexity: Elastic N.V. is Dutch, but its primary operational presence and contract execution entity is effectively US-based. Elastic Cloud (the SaaS) stores data in AWS/GCP regions including EU. Whether CLOUD Act applies depends on whether US subsidiaries (Elasticsearch, Inc.) process the data or the Dutch parent does.
For self-hosted Elasticsearch/Kibana, CLOUD Act does not apply — you control the deployment.
Recommendation: Use Elastic self-hosted (open-source Elasticsearch + Kibana) for EU data sovereignty. Avoid Elastic Cloud SaaS if CLOUD Act exposure is a concern, as the operational entity is ambiguous.
Option E: Coralogix (Israel — GDPR Adequacy Decision)
Coralogix is an observability platform headquartered in Tel Aviv, Israel.
| Attribute | Value |
|---|---|
| Legal Entity | Coralogix Ltd. |
| Incorporation | Israel |
| EU Data Centres | EU regions available |
| GDPR Status | Israel has a GDPR adequacy decision (Commission Decision 2011/61/EU, updated) |
Israel holds a European Commission adequacy decision under GDPR, meaning transfers to Israeli companies are lawful without SCCs — the EC has determined that Israeli data protection law provides equivalent protection.
CLOUD Act position: Israel is not bound by the US CLOUD Act. An Israeli company is not a "US person" and cannot be served with a CLOUD Act order for data it controls. US government access is not zero, since US intelligence agencies have cooperation agreements with Israeli intelligence, but this is a different threat model from direct CLOUD Act compulsion.
Coralogix features: logs, metrics, distributed tracing, security analytics. Pricing is consumption-based.
GDPR position: Adequate country, no SCCs required. No direct CLOUD Act exposure. Good middle-ground between US SaaS and full self-hosted.
Option F: Grafana Labs (Complex — Swedish Roots, US Incorporated)
Grafana Labs was founded in Sweden by Torkel Ödegaard but is incorporated as Grafana Labs, Inc. in Delaware. The SaaS product (Grafana Cloud) is operated by this US-incorporated company and is subject to the CLOUD Act.
Self-hosted Grafana (OSS or Enterprise) deployed on your EU infrastructure has no third-country transfer issue — you control it.
| Deployment Model | GDPR Position |
|---|---|
| Grafana Cloud (SaaS) | Subject to CLOUD Act — Grafana Labs, Inc. Delaware |
| Self-hosted Grafana OSS | No CLOUD Act — you are the controller |
| Self-hosted Grafana Enterprise | No CLOUD Act — you are the controller (license from Grafana Labs, data stays local) |
EU-Native Alternatives Comparison Table
| Alternative | Type | EU Entity | CLOUD Act | APM | Logs | Metrics | Best For |
|---|---|---|---|---|---|---|---|
| Prometheus + Grafana (self-hosted) | OSS stack | You | None | Via Tempo | Via Loki | ✅ | Full control, platform eng team |
| VictoriaMetrics (self-hosted) | OSS | You | None | Via Jaeger | Via Vector | ✅ | High-volume metrics, PromQL |
| Better Stack (SaaS) | SaaS | Czech Republic | None | Partial | ✅ | Basic | Log mgmt + uptime, minimal ops |
| Coralogix (SaaS) | SaaS | Israel (adequate) | None | ✅ | ✅ | ✅ | Full-stack, no self-hosting |
| Elastic (self-hosted) | OSS | You | None | Via APM Server | ✅ | Via Metricbeat | Enterprise search + observability |
| Grafana Cloud (SaaS) | SaaS | Delaware (US) | ⚠️ YES | Via Tempo | Via Loki | ✅ | Not recommended for EU sovereignty |
Data Minimisation Before Platform Migration
Regardless of which platform you choose, the highest-impact action for GDPR compliance in observability is data minimisation at the ingestion layer:
- Audit span tags in APM: Remove `user_id`, `email`, `customer_name` from span tags. Use opaque identifiers (UUIDs) that require a lookup to deanonymise.
- Implement structured logging with redaction: Log sanitisation at the application level (not at the collector) is more reliable. Libraries like `logfmt` or structured JSON logging make field-level redaction straightforward.
- Session Replay masking: If using any session recording tool, enable element masking for all form inputs. Default to masking, not unmasking.
- Retention policies: Define per-data-category retention. Logs rarely need >30 days for operational purposes. GDPR's storage limitation principle (Art.5(1)(e)) requires documented, time-bounded retention.
- OpenTelemetry as the abstraction layer: Instrumenting with OpenTelemetry (vendor-neutral) means you can switch the backend — from Datadog to a self-hosted stack — by changing collector configuration, not application code.
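One way to do the application-level, field-level redaction described in the list above, as an added example (not sota.io's or Datadog's code): a `logging` formatter that redacts denylisted fields and replaces user identifiers with a keyed HMAC pseudonym, used here in place of the UUID-plus-lookup scheme the text suggests. The field names, the key and the sample event are assumptions.

```python
import hashlib
import hmac
import json
import logging

# Assumed field names; adapt both sets to your own log schema.
DROP_FIELDS = {"email", "customer_name", "authorization", "cookie", "password"}
PSEUDONYMISE_FIELDS = {"user_id", "tenant_id", "x_user_id"}
# Constructed demo key. Load the real key from a secret store; whoever holds
# it can re-link pseudonyms, so pseudonymised values remain personal data.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def pseudonym(value):
    """Keyed hash: stable per identifier, not reversible without the key."""
    digest = hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256)
    return "u_" + digest.hexdigest()[:16]


def sanitise(obj):
    """Recursively redact or pseudonymise values by case-insensitive key name."""
    if isinstance(obj, dict):
        clean = {}
        for key, value in obj.items():
            name = str(key).lower().replace("-", "_")
            if name in DROP_FIELDS:
                clean[key] = "[REDACTED]"
            elif name in PSEUDONYMISE_FIELDS:
                clean[key] = pseudonym(value)
            else:
                clean[key] = sanitise(value)
        return clean
    if isinstance(obj, (list, tuple)):
        return [sanitise(item) for item in obj]
    return obj


class RedactingJsonFormatter(logging.Formatter):
    """One JSON object per record; fields arrive via extra={"fields": {...}}."""

    def format(self, record):
        payload = {
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),
            "fields": sanitise(getattr(record, "fields", {})),
        }
        return json.dumps(payload, sort_keys=True)


def render(message, fields):
    """Format a record the way a handler would, without doing any I/O."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, message, None, None)
    record.fields = fields
    return RedactingJsonFormatter().format(record)


if __name__ == "__main__":
    # Constructed sample event.
    print(render("checkout completed", {
        "user_id": 4211,
        "email": "alice@example.com",
        "order": {"id": "o-77", "customer_name": "Alice Example"},
        "http": {"headers": {"Authorization": "Bearer abc", "Accept": "*/*"}},
    }))
```

The formatter only sanitises the structured `fields`; personal data interpolated into the message string itself passes through, which is one more reason to log identifiers as fields rather than in free text.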
Migration Path: From Datadog to EU-Compliant Stack
A phased migration minimises operational risk:
Phase 1 — Data audit (2-4 weeks)
- Inventory all Datadog monitors, dashboards, and alert policies
- Tag all data types ingested: metrics, logs, APM, RUM, synthetics
- Identify personal data in logs (regex scan of last 30 days)
- Document retention requirements per data category
Phase 2 — Parallel deployment (4-8 weeks)
- Deploy Prometheus + Grafana stack in EU infrastructure
- Route OpenTelemetry collector output to both Datadog and self-hosted stack
- Validate metric parity and alert equivalence
- Migrate dashboards (Grafana can import Datadog dashboard JSON with tooling)
Phase 3 — Cutover (1-2 weeks)
- Disable Datadog agent data collection
- Maintain Datadog account for 30-day log retention window
- Terminate Datadog contract after final log export
Phase 4 — Data deletion (post-migration)
- Submit GDPR Art.17 deletion request to Datadog for all EU personal data
- Datadog DPA commitments require deletion within 30 days of contract termination
- Document deletion confirmation for GDPR accountability records (Art.5(2))
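The Phase 1 step "Identify personal data in logs (regex scan of last 30 days)" could start from a scanner like the following, added here as an illustration and not taken from sota.io or Datadog tooling. It assumes logs exported as JSON lines with a `service` key; the detector patterns and the sample lines are constructed.

```python
import json
import re
from collections import Counter

# Simple detectors for the log categories listed earlier on the page. They
# will produce some false positives: this is an inventory aid, not a redactor.
DETECTORS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{8,}", re.I),
    "user_id_param": re.compile(r'\b(?:user_id|userId|customer_id)=[^&\s"]+'),
    "session_cookie": re.compile(r"\b(?:session|sessionid|sid)=[A-Za-z0-9%._-]{8,}", re.I),
}

# Constructed sample export (documentation IP ranges, example.* domains).
SAMPLE = [
    '{"service": "auth", "message": "login failed for bob@example.com from 203.0.113.7"}',
    '{"service": "auth", "message": "login ok for carol@example.org from 198.51.100.23"}',
    '{"service": "api", "message": "GET /v1/orders?user_id=8812&page=2 200"}',
    '{"service": "api", "message": "rejected Authorization: Bearer eyJhbGciOi.constructed.token"}',
    '{"service": "billing", "message": "invoice batch finished in 412 ms"}',
    "not json at all",
]


def service_of(line):
    """Best-effort service name from a JSON log line; 'unparsed' otherwise."""
    try:
        doc = json.loads(line)
    except ValueError:
        return "unparsed"
    if isinstance(doc, dict):
        return str(doc.get("service", "unknown"))
    return "unparsed"


def scan(lines):
    """Count, per service, how many lines contain each category.

    The raw line is scanned so nested fields are covered. Only counts are
    kept: matched values are never stored, so the audit report does not
    become another copy of the personal data.
    """
    report = {}
    for line in lines:
        entry = report.setdefault(service_of(line), {"lines": 0, "hits": Counter()})
        entry["lines"] += 1
        for category, pattern in DETECTORS.items():
            if pattern.search(line):
                entry["hits"][category] += 1
    return report


def findings(report):
    """Flatten to (service, category, affected_lines, share) rows, worst first."""
    rows = [
        (service, category, count, round(count / entry["lines"], 2))
        for service, entry in report.items()
        for category, count in entry["hits"].items()
    ]
    return sorted(rows, key=lambda row: (-row[2], row[0], row[1]))


if __name__ == "__main__":
    for row in findings(scan(SAMPLE)):
        print(row)
```

The per-service shares show which applications to fix first at the source and which categories need a documented retention period.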
sota.io's Role in EU Observability
sota.io runs on worker infrastructure in the EU. We deploy Prometheus-compatible monitoring for all customer workloads and expose Grafana dashboards scoped to each project. All monitoring data stays within the EU; we do not use Datadog or any US-controlled monitoring SaaS for customer data.
If you need Datadog-grade observability — dashboards, alerting, APM traces, log search — on infrastructure where you control the data, sota.io can deploy and manage the full CNCF stack (Prometheus, Grafana, Loki, Tempo, OpenTelemetry Collector) as part of your deployment environment. You get the Datadog user experience with EU data sovereignty and no CLOUD Act exposure.
Summary: Datadog's GDPR Risk Profile
| Risk Factor | Assessment |
|---|---|
| Corporate jurisdiction | Delaware C-Corp, NYSE-listed |
| CLOUD Act exposure | Yes — all data including EU-region |
| Data types at risk | Metrics, logs, APM traces, RUM sessions, infra topology |
| EU data residency | Available but does not remove CLOUD Act exposure |
| SCCs effectiveness | Cannot protect against law enforcement access |
| DPF coverage | Does not cover CLOUD Act law enforcement requests |
| EU-native SaaS alternatives | Better Stack (CZ), Coralogix (IL — adequate) |
| Self-hosted alternatives | Prometheus/Grafana, VictoriaMetrics, Elastic, Signoz |
| sota.io option | EU-managed CNCF stack — no US controller |
Datadog is technically excellent. For European teams where GDPR compliance, NIS2 supply chain risk, or enterprise customer data sovereignty requirements apply, the CLOUD Act exposure is a structural problem that EU data residency options do not solve. The self-hosted CNCF stack or EU-controlled SaaS alternatives (Better Stack, Coralogix) provide equivalent observability capability without the jurisdictional risk.
This post is part of the sota.io EU Monitoring Tools Series. Next: New Relic — Broadcom acquisition adds private equity complexity to an already US-incorporated APM platform.
See also: EU DevOps CI/CD Comparison 2026 — same CLOUD Act analysis applied to build pipelines. GitHub Actions EU Alternative 2026 — Microsoft's CLOUD Act exposure in your CI/CD pipeline.