Observability as a GDPR Blind Spot: Why Monitoring Tools Are Your Biggest Data Privacy Risk in 2026
Your GDPR compliance review probably covered your database, your payment processor, and your email provider. It almost certainly did not cover your APM tool. That is the blind spot.
When your application sends a trace to Datadog, that trace can contain HTTP request paths, user identifiers embedded in URLs, SQL query text, exception messages with personal data, and session correlation IDs. When New Relic ingests your logs for error tracking, it stores log lines that may include names, email addresses, and IP addresses in plaintext. When Dynatrace profiles your application, it captures method-level execution data alongside request parameters.
All of this telemetry is processed by US-incorporated companies operating infrastructure under the CLOUD Act. Your monitoring tool — the one running silently in the background of every production request — may be your most significant unaddressed GDPR data processor.
What Observability Tools Actually Collect
Understanding the GDPR exposure requires understanding what modern APM and observability platforms actually ingest. The category spans three data types with distinct regulatory profiles.
Metrics are low-risk in isolation: request counts, error rates, latency percentiles, CPU and memory utilisation. This is aggregated, statistical data. A time-series of http.requests.total{service="checkout"} contains no personal data. Metrics are the least legally sensitive observability data type.
Traces are moderate-to-high risk. Distributed tracing captures the full execution path of a request across services. A trace span typically includes the HTTP method and path (which can contain user IDs, product IDs, or session tokens in REST APIs), service name, duration, and parent/child span relationships. Many teams instrument traces with custom attributes — user.id, order.id, customer.email — that are explicitly personal data under GDPR Article 4(1). Even without custom attributes, URL paths like /api/users/88291/profile constitute personal data because they identify a natural person.
Logs are high-risk by default. Application logs routinely contain exception stack traces with object dumps, SQL queries with WHERE clause values, request bodies logged for debugging, authentication failures including the attempted username, IP addresses, and user-agent strings. Log ingestion platforms like Datadog Log Management and New Relic NRDB ingest these as raw text and apply parsing after the fact. The personal data enters the system before any filtering.
Session replay and browser monitoring (Datadog RUM, New Relic Browser, Dynatrace Real User Monitoring) capture client-side JavaScript execution, click events, page navigation, and in some configurations user input — directly implicating GDPR Article 9 for special category data if forms collect health or financial information.
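The three data types above differ in how much personal data they carry, and the point in the article is that it enters the pipeline before any vendor-side parsing runs. The following audit script, written for this article rather than taken from any vendor's agent or the OpenTelemetry project, runs simple detection rules (attribute keys that name a data subject, e-mail and IPv4 patterns, numeric identifiers following /users/ and similar path segments) over a constructed metric list, two constructed span attribute maps and three constructed log lines, and reports what each data type would have shipped upstream. The attribute names follow OpenTelemetry semantic conventions where one exists; the rest are assumed for the example.

```python
"""Audit constructed telemetry samples for personal data before they leave the host.

Added example for this article; not code from Datadog, New Relic, Dynatrace or the
OpenTelemetry project. The metric names, span attributes and log lines are constructed.
"""
import re

# Attribute keys that identify a data subject directly (user.id, customer.email, ...).
PERSONAL_ATTRIBUTE_KEYS = {"user.id", "order.id", "customer.email", "enduser.id"}
# Value patterns: e-mail addresses, IPv4 addresses, numeric IDs in REST paths.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_PATH_RE = re.compile(r"/(users|customers|accounts)/\d+")


def audit_text(text, where):
    """Return (category, location) findings for one free-text value."""
    findings = []
    if EMAIL_RE.search(text):
        findings.append(("email", where))
    if IPV4_RE.search(text):
        findings.append(("ip_address", where))
    if USER_PATH_RE.search(text):
        findings.append(("user_id_in_path", where))
    return findings


def audit_attributes(attrs):
    """Audit one span's attribute map (dict of str -> str): keys and values."""
    findings = []
    for key, value in attrs.items():
        if key in PERSONAL_ATTRIBUTE_KEYS:
            findings.append(("attribute_key", key))
        findings.extend(audit_text(str(value), where=key))
    return findings


def audit_telemetry(metrics, spans, log_lines):
    """Group findings by the article's three data types."""
    report = {"metrics": [], "traces": [], "logs": []}
    for name in metrics:
        report["metrics"].extend(audit_text(name, where=name))
    for span in spans:
        report["traces"].extend(audit_attributes(span))
    for i, line in enumerate(log_lines):
        report["logs"].extend(audit_text(line, where=f"log[{i}]"))
    return report


# Constructed samples: a metric series, two spans, three log lines.
SAMPLE_METRICS = ['http.requests.total{service="checkout"}', "process.cpu.utilization"]
SAMPLE_SPANS = [
    {"http.method": "GET", "http.target": "/api/users/88291/profile", "service.name": "profile-api"},
    {"http.method": "POST", "http.target": "/api/orders", "user.id": "88291",
     "customer.email": "jane@example.org"},
]
SAMPLE_LOGS = [
    "WARN auth failed for user jane@example.org from 203.0.113.42",
    "DEBUG SELECT * FROM users WHERE email = 'jane@example.org'",
    "INFO cache warmed in 12ms",
]

if __name__ == "__main__":
    report = audit_telemetry(SAMPLE_METRICS, SAMPLE_SPANS, SAMPLE_LOGS)
    for kind, findings in report.items():
        print(f"{kind}: {len(findings)} finding(s)")
        for category, where in findings:
            print(f"  {category} in {where}")
```

Run against the samples, the metric series yields nothing, the spans yield four findings (a user ID in the request path, two personal attribute keys, and an e-mail value) and the logs yield three, which is the risk ordering the article describes. The rules are deliberately simple; a real audit of your own pipeline would extend the key set to whatever custom attributes your services add.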
Datadog: CLOUD Act Risk Analysis
Datadog, Inc. is incorporated in Delaware and headquartered in New York City. It is publicly listed on NASDAQ (ticker: DDOG). Founded in 2010, it has annual revenue exceeding $2.4B.
Corporate structure: Datadog operates wholly-owned subsidiaries in Ireland (Datadog Ireland Limited) and other EU countries for VAT and sales purposes. The EU legal entities do not control data processing decisions — these remain with the US parent. Your DPA with Datadog is executed with Datadog, Inc. (or its Irish entity), with subprocessing by US-domiciled infrastructure and engineering teams.
US jurisdiction:
- CLOUD Act: Datadog as a US electronic communication service provider can be compelled to disclose customer data to US federal law enforcement and intelligence agencies without requiring EU customer notification
- FISA Section 702: US government can acquire data held by Datadog from foreign persons for foreign intelligence purposes
- EU data centers: Datadog offers AWS EU (Frankfurt), GCP EU (Belgium), and Azure EU regions. However, geographic data residency does not remove US jurisdiction over the US-incorporated operator. The Schrems II decision (C-311/18) established this principle explicitly
GDPR exposure: Datadog's sub-processors include AWS, GCP, Azure, Snowflake, and Salesforce — all US-incorporated. Your GDPR Article 28 DPA with Datadog obligates them to process your data only on your instructions, but it cannot immunise your trace and log data from US intelligence collection under FISA 702.
Datadog GDPR Risk Score:
| Risk Factor | Assessment | Score |
|---|---|---|
| US corporation (CLOUD Act subject) | Delaware/NY domicile | 5/5 |
| Data sensitivity | Traces + logs often contain personal data | 5/5 |
| Log retention by default | 15-day default log index retention | 4/5 |
| Sub-processor US jurisdiction | AWS/GCP/Azure/Snowflake | 3/5 |
| Session replay / RUM capability | Client-side user interaction capture | 4/5 |
Total: 21/25 — Very High
New Relic: CLOUD Act Risk Analysis
New Relic, Inc. is incorporated in Delaware and headquartered in San Francisco. It was taken private by Francisco Partners and TPG in 2023 (NASDAQ delisting). Annual revenue is approximately $900M.
Corporate structure: New Relic's private equity ownership does not change its US legal status. Francisco Partners and TPG are both US-domiciled investment firms. The company operates New Relic GmbH (Germany) and New Relic Ltd (Ireland) for European commercial operations, but data processing control remains with the US parent.
Data collection specifics: New Relic One's NRDB (New Relic Database) ingests log lines, trace spans, metric data, and events into a columnar store retained for 13 months by default. New Relic's OpenTelemetry integration means that any application instrumented with OTel and pointed at New Relic endpoints sends the full span and log payload to US-controlled infrastructure.
New Relic GDPR Risk Score:
| Risk Factor | Assessment | Score |
|---|---|---|
| US corporation (CLOUD Act subject) | Delaware domicile | 5/5 |
| 13-month log retention default | Long exposure window | 4/5 |
| Private equity controlled | Less EU DPA accountability pressure | 3/5 |
| Full log ingestion including raw text | Personal data in logs | 4/5 |
| No EU-only data residency option | EU infra under US control | 4/5 |
Total: 20/25 — Very High
Dynatrace: CLOUD Act Risk Analysis
Dynatrace, Inc. is incorporated in Delaware and headquartered in Waltham, Massachusetts. It is publicly listed on NYSE (ticker: DT), with annual revenue of approximately $1.5B. Originally Austrian (Linz), Dynatrace was acquired by US private equity (Thoma Bravo) in 2014 and relisted as a US corporation.
The Austrian origin trap: Many EU teams assume Dynatrace retains EU legal status because it was founded in Austria. It does not. The operational entity is Dynatrace, Inc. (Delaware), and the Linz engineering office is a wholly-owned subsidiary. This is the same structure as other US technology companies with European engineering hubs — the European office creates no legal barrier to CLOUD Act compulsion directed at the US parent.
OneAgent data collection: Dynatrace's OneAgent runs as a kernel-level process on monitored hosts and captures process-level data, network connections, and service-to-service communication graphs. This creates a more invasive data collection profile than standard APM agents. The Davis AI engine processes this data to generate root cause analysis, requiring centralised access to your full infrastructure topology.
Dynatrace GDPR Risk Score:
| Risk Factor | Assessment | Score |
|---|---|---|
| US corporation (CLOUD Act subject) | Delaware domicile, NYSE listed | 5/5 |
| OneAgent kernel-level data collection | Infrastructure topology exposure | 4/5 |
| Austrian origin misconception | Creates false EU compliance confidence | 3/5 |
| Full-stack observability scope | Broader data surface than APM-only | 4/5 |
| Sub-processor US cloud infrastructure | AWS/Azure sub-processors | 3/5 |
Total: 19/25 — High
The GDPR Article 28 Problem with US Monitoring Tools
GDPR Article 28 requires that when a controller uses a processor, a Data Processing Agreement (DPA) must be in place. The DPA must specify the nature, purpose, and duration of processing; the type of personal data; the categories of data subjects; and the processor's obligations and rights.
All three platforms offer standard DPAs. The problem is not the absence of a DPA — it is what a DPA cannot accomplish.
A DPA cannot override US law. When Datadog's DPA states that it will process your data only on your instructions, that contractual commitment is subordinate to a US government order issued under the CLOUD Act or FISA. The EU-US Data Privacy Framework provides some procedural protections for transfers, but the EDPB has noted in Opinion 28/2024 that FISA 702 batch collection remains a concern that the DPF does not fully resolve.
A DPA cannot create EU jurisdiction. Standard Contractual Clauses (SCCs) under GDPR Article 46 are the approved transfer mechanism for US-based processors. SCCs require you to conduct a Transfer Impact Assessment (TIA) evaluating whether the legal framework of the destination country provides essentially equivalent protection to EU law. For US monitoring tools processing personal data in logs and traces, a TIA that honestly assesses FISA 702 and CLOUD Act risk will identify a residual risk that SCCs cannot cure.
The data minimisation obligation applies upstream. GDPR Article 5(1)(c) requires personal data to be adequate, relevant, and limited to what is necessary. If your monitoring configuration sends log lines containing user_email and full_name to a US APM platform, you may be in breach of data minimisation before the CLOUD Act question even arises. EU supervisory authorities have started issuing guidance on monitoring tool configuration — the German DSK published a position paper in 2023 on analytics and monitoring tools that applies Article 5 directly to telemetry configuration.
EU-Native Observability Alternatives
AppSignal (Netherlands) — Purpose-Built EU-Native APM
Company: AppSignal B.V., incorporated in the Netherlands (Rotterdam), founded 2013. Privately held, no US investors with controlling interest.
GDPR Jurisdiction: Dutch law (GDPR directly applicable). Netherlands data center infrastructure. No US parent entity, no CLOUD Act exposure.
Products: AppSignal for Ruby, Elixir, Node.js, Python, PHP, and Go — with OpenTelemetry support across all runtimes. Host monitoring, uptime monitoring, log management, and anomaly detection.
Data collection: AppSignal collects metrics, traces, and errors. Log management is available but configured separately, giving teams explicit control over what log data is sent. The platform is designed with GDPR defaults: data is stored in EU infrastructure, retention periods are configurable, and PII scrubbing is built into the agent.
AppSignal GDPR Risk Score:
| Risk Factor | Assessment | Score |
|---|---|---|
| EU corporation (no CLOUD Act) | Dutch B.V., no US parent | 0/5 |
| EU data centers only | Rotterdam-based infrastructure | 0/5 |
| Configurable PII scrubbing | Agent-level filtering | 1/5 |
| Transparent sub-processors | EU-only sub-processors listed | 1/5 |
| OpenTelemetry native | Standard protocol, no vendor lock-in | 0/5 |
Total: 2/25 — Minimal
AppSignal Momentum in 2026: AppSignal has seen strong adoption growth in EU markets as GDPR enforcement has intensified. The platform's pricing is competitive with Datadog for smaller teams (starting at €19/month for up to 3 hosts), and the OpenTelemetry compatibility means migration from Datadog or New Relic agents requires configuration changes, not code rewrites.
Best for: Startups, scaleups, and SMEs that want managed APM without CLOUD Act exposure. Strong for Rails, Phoenix, and Node.js stacks. Excellent fit for sota.io-hosted applications.
Sentry (EU Region) — Error Tracking with EU Data Residency
Company: Functional Software, Inc. (San Francisco, Delaware) — Sentry is US-incorporated, which creates CLOUD Act exposure. However, Sentry offers a dedicated EU data residency option (sentry.io configured with EU region) that processes and stores data exclusively in EU infrastructure.
GDPR Risk with EU Region: The US parent corporation retains theoretical CLOUD Act exposure. However, the EU region substantially reduces the practical risk because data is processed in EU infrastructure by EU-based operations staff. This is a partial mitigation — appropriate for teams with moderate risk tolerance.
Sentry Self-Hosted: The fully EU-sovereign option. Sentry's open-source server (getsentry/self-hosted) can be deployed on EU-sovereign infrastructure (Hetzner, OVHcloud, Exoscale) with zero data leaving your jurisdiction. Self-hosted Sentry provides all error tracking features including release tracking, performance monitoring, and alert routing.
Sentry GDPR Risk Score (EU Region):
| Risk Factor | Assessment | Score |
|---|---|---|
| US parent corporation | CLOUD Act theoretical exposure | 3/5 |
| EU data residency option | EU infrastructure processing | -2/5 offset |
| Data sovereignty | EU region provides substantial protection | 2/5 |
Effective Score: ~8/25 — Low-Moderate (EU Region configured)
Prometheus + Grafana (Self-Hosted) — Maximum EU Sovereignty
Architecture: Prometheus (CNCF project, open-source) for metrics collection and storage, Grafana (Grafana Labs — US company, but self-hostable) for dashboards and alerting, Loki for log aggregation, Tempo for distributed tracing. All components run entirely within your infrastructure.
GDPR Risk: 0/25 — No data leaves your infrastructure. No sub-processors. No CLOUD Act exposure. The EU sovereignty ceiling for observability.
Operational requirements: Self-hosted Prometheus+Grafana requires infrastructure management — storage sizing for metric retention, high availability setup for production use, and operational expertise. For EU-hosted deployments (Hetzner, Scaleway, OVHcloud), the total cost of ownership is competitive with managed APM for teams with DevOps capacity.
OpenTelemetry compatibility: Both Prometheus and Grafana's LGTM stack (Loki, Grafana, Tempo, Mimir) are fully OpenTelemetry compatible. Applications instrumented with OTel can send to a self-hosted collector endpoint without code changes — only the OTEL_EXPORTER_OTLP_ENDPOINT environment variable changes.
Comparison: GDPR Risk Matrix
| Platform | Jurisdiction | CLOUD Act | GDPR Risk | Best For |
|---|---|---|---|---|
| Datadog | US (Delaware) | Yes | 21/25 — Very High | Feature-rich APM, US-focused teams |
| New Relic | US (Delaware) | Yes | 20/25 — Very High | Full-stack observability, US teams |
| Dynatrace | US (Delaware) | Yes | 19/25 — High | Enterprise AIOps, auto-discovery |
| AppSignal | EU (NL) | No | 2/25 — Minimal | EU teams, Rails/Elixir/Node |
| Sentry (EU Region) | US parent / EU data | Partial | ~8/25 — Low-Moderate | Error tracking, EU residency |
| Prometheus+Grafana (self-hosted) | Your infrastructure | No | 0/25 — None | Maximum sovereignty |
GDPR Compliance Checklist for Your Monitoring Stack
Before your next APM contract renewal or monitoring architecture decision:
- Have you identified which monitoring tools receive personal data (user IDs in traces, email addresses in logs)?
- Does your ROPA (Record of Processing Activities) include your APM platform as a data processor?
- Have you executed a GDPR Article 28 DPA with your APM vendor? Does it cover all sub-processors?
- Have you conducted a Transfer Impact Assessment (TIA) for your US-based APM provider?
- Is your monitoring configuration scrubbing PII before sending telemetry upstream?
- Have you evaluated whether your log retention period is proportionate under GDPR Article 5(1)(e)?
- For NIS2-covered entities: does your ICT supply chain risk register include your APM platform?
- For DORA-covered financial entities: does your ICT third-party risk framework address monitoring tool jurisdiction?
Practical Migration Path: From Datadog to EU-Native Monitoring
Step 1 — OpenTelemetry instrumentation (Week 1-2)
If you are using Datadog's native agent, migrating to OpenTelemetry instrumentation first decouples your application code from the vendor. Install the appropriate OTel SDK, configure the OTLP exporter to point at a local OTel Collector, and validate trace propagation. Your Datadog agent can receive from the local collector during transition.
Step 2 — AppSignal or self-hosted LGTM stack evaluation (Week 2-4)
Sign up for AppSignal EU (free trial available) or deploy a minimal Prometheus+Grafana stack on EU infrastructure. Configure your OTel Collector to fan out to both your existing Datadog endpoint and the new destination. Run both in parallel to validate coverage.
Step 3 — PII audit of your telemetry (Week 2-3)
Before completing migration, audit what personal data your current telemetry sends. Use Datadog's log pipeline export or New Relic's query console to sample trace attributes and log lines. Configure OTel Collector attribute processors to redact or hash fields containing user identifiers. This step is required for GDPR compliance regardless of which monitoring tool you use.
Step 4 — Cutover and DPA update (Week 4-6)
Update your OTel Collector endpoint to point exclusively at your EU-native destination. Terminate your US APM subscription. Update your ROPA and DPA documentation to reflect the new processor. Notify your DPO.
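Steps 1 and 3 of the migration path come down to two things: the exporter endpoint is a single configuration value (the OTEL_EXPORTER_OTLP_ENDPOINT variable mentioned earlier), and identifiers must be hashed or removed before the span or log leaves your infrastructure. The script below is an added example for this article, written in plain Python so it runs without the Collector or any SDK installed; it models the hash and delete actions of the Collector's attributes processor plus a redaction pass over free text, and it is not the Collector's own code or any vendor's agent. The key lists, the localhost fallback (OTLP/HTTP's default port is 4318), the sample span and the salt are assumptions made for the example.

```python
"""Scrub span attributes and log bodies before export (added example).

Models the Collector-side work of Step 3 in plain Python: hash identifiers you still
need for correlation, delete identifiers you never need, and redact e-mail addresses,
IP addresses and path IDs from free text. Not the OpenTelemetry Collector's code.
"""
import hashlib
import hmac
import os
import re

# Fallback matches Step 1: export to a local Collector (OTLP/HTTP default port 4318).
LOCAL_COLLECTOR = "http://localhost:4318"


def exporter_endpoint(env=os.environ):
    """Resolve the OTLP endpoint; only this value changes at cutover."""
    return env.get("OTEL_EXPORTER_OTLP_ENDPOINT", LOCAL_COLLECTOR)


# Assumed policy: hash keeps linkability across spans, delete removes the field outright.
HASH_KEYS = {"user.id", "order.id", "enduser.id"}
DELETE_KEYS = {"customer.email", "http.request.header.authorization"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATH_ID_RE = re.compile(r"(/(?:users|customers|accounts)/)\d+")


def pseudonymise(value, salt):
    """Keyed SHA-256 truncated to 16 hex chars. Equal IDs still correlate, but the
    raw ID cannot be recovered without the salt, which stays inside your infrastructure."""
    return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_text(text):
    """Redact e-mails, IPv4 addresses and numeric IDs in REST paths."""
    text = EMAIL_RE.sub("[email]", text)
    text = IPV4_RE.sub("[ip]", text)
    text = PATH_ID_RE.sub(r"\1{id}", text)
    return text


def scrub_attributes(attrs, salt):
    """Apply delete, hash, then text redaction to one attribute map."""
    out = {}
    for key, value in attrs.items():
        if key in DELETE_KEYS:
            continue
        if key in HASH_KEYS:
            out[key] = pseudonymise(str(value), salt)
        else:
            out[key] = scrub_text(str(value))
    return out


def scrub_log(record, salt):
    """Scrub a log record shaped as {"body": str, "attributes": dict}."""
    return {
        "body": scrub_text(record["body"]),
        "attributes": scrub_attributes(record.get("attributes", {}), salt),
    }


if __name__ == "__main__":
    salt = b"constructed-salt-rotate-me"  # constructed; load from a secret store in practice
    span = {"http.method": "GET", "http.target": "/api/users/88291/profile",
            "user.id": "88291", "customer.email": "jane@example.org"}
    log = {"body": "WARN auth failed for jane@example.org from 203.0.113.42",
           "attributes": {"enduser.id": "88291"}}
    print("export to:", exporter_endpoint())
    print("span:", scrub_attributes(span, salt))
    print("log:", scrub_log(log, salt))
```

The hash step uses a keyed HMAC rather than a bare SHA-256 so that a recipient holding the exported data cannot recover low-entropy IDs by brute force; the salt never leaves your infrastructure, and rotating it breaks correlation with older data, which is usually acceptable once retention lapses. Deleting customer.email rather than hashing it follows the article's data minimisation point: if a field is never used for debugging, no transformed form of it needs to be exported either.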
Cost consideration: AppSignal starts at €19/month for up to 3 hosts with unlimited metrics and traces. At 10 hosts, you are at approximately €49/month — substantially below Datadog's list pricing for equivalent host monitoring. Self-hosted Prometheus+Grafana on Hetzner costs approximately €30-60/month in infrastructure for a production-grade three-node setup.
The Regulatory Trajectory
Observability tool data processing is moving up the DPA enforcement agenda. The German DSK's 2023 guidance on analytics and monitoring was a first signal. The French CNIL has published draft guidance on software development data protection that addresses APM tools explicitly. The EDPB's coordinated enforcement on data transfers — which resulted in major fines for Meta, TikTok, and others — is expected to expand to software-as-a-service tooling used in development and operations contexts.
NIS2 Article 21 supply chain security obligations apply to entities' ICT service providers, which includes monitoring infrastructure. For NIS2-covered organisations in energy, banking, healthcare, digital infrastructure, and managed services, the monitoring tool used for production observability is an ICT third-party risk that requires documented assessment.
The combination of GDPR enforcement momentum, NIS2 supply chain requirements, and DORA ICT third-party risk frameworks is creating a regulatory environment where "we use Datadog" is no longer a sufficient answer to a supervisory authority inquiry about production monitoring data flows.
Conclusion: Your Monitoring Tool Sees Everything — So Does the US Government
The architectural reality of modern APM is that your monitoring tool has more visibility into your production application than any other external service. It receives every request trace, every exception, every slow database query, and potentially every log line your application emits. If that monitoring tool is a US-incorporated company under the CLOUD Act, you have handed a comprehensive view of your application's data processing to a party subject to US government compulsion.
This is not a theoretical risk for EU businesses. It is a concrete GDPR Article 28 compliance gap, a GDPR Article 46 transfer mechanism question, and — for regulated sectors — an active supervisory authority concern.
AppSignal provides a fully EU-native, CLOUD Act-free alternative for managed APM. Self-hosted Prometheus, Loki, Grafana, and Tempo provide maximum sovereignty at the cost of operational overhead. Sentry's EU Region provides a middle ground for error tracking.
The monitoring blind spot is closeable. The question is whether your next infrastructure review will close it.
Deploy on sota.io — European cloud hosting with GDPR-compliant infrastructure in EU-sovereign data centers. Start free.