🏥 Datadog × HIPAA · 2026 Operator Read

Datadog will sign a BAA.
Here's how to actually get one.

The short answer: yes, Datadog signs BAAs, but only for Enterprise-tier accounts and only for explicitly-scoped services in supported regions. The longer answer is what trips teams up — request process, scope verification, region eligibility, and the cost step-up that nobody mentions until you're 80% through procurement.
⚡ TL;DR · 60-second read
Datadog signs a BAA for Enterprise-tier accounts. Request through your account manager (or sales@datadoghq.com if you don't have one yet).
Timeline: 1-3 weeks for legal review + account configuration.
Coverage is per-service — APM / Logs / Infrastructure / RUM / Synthetic on US1/US3/US5 regions are typically HIPAA-eligible; verify current scope at docs.datadoghq.com/account_management/compliance/.
The cost step-up is real — Enterprise tier + Sensitive Data Scanner + extended retention typically takes a $15K/year Pro account to $80-120K/year.
For early-stage healthcare startups, this is the moment to evaluate Datadog vs. Honeycomb / Grafana Cloud / Splunk on cost-per-HIPAA-scope.

How to actually request the BAA · 3-step process.

Most BAA delays come from going through the wrong channel. Here's the path that minimizes review cycles.

STEP 1

Identify the right contact (in priority order).

(a) Your existing Datadog account manager — fastest path. Email directly: "We need a BAA for HIPAA compliance. Our use case is [PHI-handling workload]. Please initiate the BAA process and confirm which services are eligible for our region."

(b) Datadog Sales if no account manager: sales@datadoghq.com. Same message + your current Datadog org name + contact info.

(c) In-app support as fallback — open a ticket, mention HIPAA + BAA explicitly so it gets routed to the compliance team, not L1.

STEP 2

Confirm the scope BEFORE signing.

Datadog will send you their standard BAA. Read the appendix listing HIPAA-eligible services. Verify the services you actually need (APM, Logs, Synthetic, RUM, etc.) are explicitly listed. If a service you depend on isn't in scope, raise it before signing — adding services post-signature requires another legal cycle.

Also confirm region eligibility. US1, US3, US5 typically support HIPAA. EU1 and AP1 generally do not. If you're already provisioned in a non-eligible region, plan for a region migration before HIPAA workloads start.

STEP 3

Wait for executed BAA + account flag confirmation.

The BAA isn't active just because you signed. Datadog needs to (1) countersign, (2) flag your account as HIPAA-enabled, and (3) confirm in writing that the scoped services are now ready for PHI. Don't send PHI before you have all three confirmations. Get the confirmation in email — your auditor will want it.

What's covered vs. what's not · verify against current docs.

A BAA does not mean "every Datadog feature can receive PHI." Coverage is service-by-service. This list is directional — Datadog updates eligibility quarterly, so always cross-reference the live docs.

Service / Feature · Typically HIPAA-Eligible · Notes
Infrastructure Monitoring · ✓ Yes · Core service. PHI minimization still required — don't put patient identifiers in host tags.
APM (Application Performance Monitoring) · ✓ Yes · Trace data can carry PHI in spans / attributes. Configure scrubbing at the agent level.
Logs · ✓ Yes · The biggest PHI risk surface. Use Sensitive Data Scanner. Set retention to match HIPAA requirements (typically 6 years for audit logs).
RUM (Real User Monitoring) · ✓ Yes · Frontend can capture PHI in URLs / form fields. Configure RUM to mask sensitive selectors.
Synthetic Monitoring · ✓ Yes · Test scripts shouldn't contain real patient data. Use synthetic test accounts only.
Sensitive Data Scanner · ✓ Yes (recommended) · Add-on for detecting/redacting PHI patterns automatically. Often required for audit-ready posture.
Beta / Preview features · ⚠ Verify · New services are often NOT yet in HIPAA scope. Check before enabling.
Third-party integrations · ⚠ Verify · Some integrations forward data outside Datadog's scope. Confirm each integration's HIPAA posture.
EU1 / AP1 regions · ✗ No (typically) · HIPAA eligibility is US-region-only as of 2026. Verify current region scope.
Free / Pro tier accounts · ✗ No · BAA requires Enterprise tier.
Disclosure: This is an independent operator read, not legal advice. HIPAA-eligible service scope changes — always verify against Datadog's current HIPAA documentation at docs.datadoghq.com/account_management/compliance/ and confirm with your Datadog account team before sending PHI.

The five anti-patterns that fail HIPAA audits.

Each one looks fine until the auditor pulls a sample. Worth a checklist before audit week.

Sending PHI to Datadog before the BAA is fully executed

Teams often start collecting logs and traces as part of normal engineering work, then discover the compliance gap during audit. By then, months of PHI have flowed through Datadog under no BAA — that's a violation regardless of whether you later sign one.

✓ Get the BAA executed BEFORE production data flows. If PHI handling is on the roadmap, start the BAA process first.

Assuming the BAA covers every Datadog feature

BAA scope is per-service. A signed BAA doesn't mean PHI can flow through every Datadog feature — only the explicitly-scoped ones in the BAA appendix.

✓ Verify per-service eligibility. Audit which features are HIPAA-enabled in your account vs. which contain PHI. Disable PHI flow to non-scoped services.

Sending unredacted PHI in logs

Even with a BAA, sending raw patient identifiers, SSNs, or PHI in plain log lines fails most HIPAA audits. The expectation is minimum-necessary: redact what you can.

✓ Enable Datadog Sensitive Data Scanner. Configure agent-level log scrubbing. Use structured logging with explicit PHI-classification fields.
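What "redact what you can" and "structured logging with explicit PHI-classification fields" look like in application code, as an added example that is not from the original page or from Datadog: a logging filter that scrubs common identifier formats before the line is written and stamps every event with a phi_classification attribute. The regex patterns and the sample line are constructed for illustration; the agent-level processing rules and Sensitive Data Scanner the page recommends are a second, independent layer, not replaced by this.

```python
import json
import logging
import re

# Constructed, illustrative identifier patterns. The same regexes would also be
# configured in the Datadog agent's log processing rules so scrubbing happens
# before data leaves the host; this block is the application-side layer.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


def redact(text):
    """Replace matched identifiers with a placeholder; return (clean_text, hit_types)."""
    hits = []
    for name, pattern in PHI_PATTERNS.items():
        if pattern.search(text):
            hits.append(name)
            text = pattern.sub("[redacted_%s]" % name, text)
    return text, sorted(hits)


class PhiScrubFilter(logging.Filter):
    """Scrub the rendered message and stamp phi_classification on the record."""
    def filter(self, record):
        clean, hits = redact(record.getMessage())
        record.msg, record.args = clean, ()
        record.phi_classification = "redacted" if hits else "none"
        record.phi_types = hits
        return True


class JsonFormatter(logging.Formatter):
    """One JSON object per line so the PHI fields become queryable log attributes."""
    def format(self, record):
        return json.dumps({
            "level": record.levelname,
            "message": record.getMessage(),
            "phi_classification": getattr(record, "phi_classification", "unknown"),
            "phi_types": getattr(record, "phi_types", []),
        })


def scrub_event(message):
    """Run one message through filter + formatter; return the emitted JSON as a dict."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, message, None, None)
    PhiScrubFilter().filter(record)
    return json.loads(JsonFormatter().format(record))


# Constructed sample: the kind of line that fails an audit when shipped raw.
UNSAFE_LINE = "Patient 123-45-6789 (MRN 00123456) contacted at jane@example.com"
```

Attach PhiScrubFilter and JsonFormatter to the handler that ships to the agent; events with phi_classification "redacted" are then a ready-made facet for auditing what would have leaked.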

Provisioned in EU1 / AP1 with PHI

HIPAA scope is region-specific. Sending US-jurisdiction PHI through a non-eligible region is a violation even with a signed BAA.

✓ Verify region eligibility BEFORE signing. If already in a non-eligible region, plan a US-region migration before PHI flows.

No written confirmation of HIPAA enablement

Auditors want to see (1) signed BAA, (2) Datadog's written confirmation that your account is HIPAA-flagged, (3) per-service scope appendix. Verbal confirmation from a sales rep doesn't survive an audit.

✓ Get all three in email. Save them in your compliance evidence locker (e.g., your Drata/Vanta/Secureframe portal). Re-verify annually.

Why this is an operator-translation problem.

Datadog's HIPAA documentation is technically correct and operationally opaque. The docs answer "what services are eligible" but don't answer "how do I actually get this done at my org with my budget on my timeline." That gap is where small healthcare-adjacent teams stall — not because the BAA is hard to get, but because the path isn't obvious.

The translation layer is the 3-step process: identify the right contact, confirm scope before signing, get all three confirmations in writing. None of that requires legal expertise — it requires knowing which questions to ask in which order. That's operator-translation, not law school.

Datadog will sign the BAA.
The blocker is the request path, not the policy.

Stuck on a Datadog HIPAA question?

If you're trying to figure out scope, region, or whether the Enterprise step-up is worth it for your stage — text the actual constraint and I'll send back which way I'd lean. Operator opinion, not legal advice. Always confirm specifics with Datadog + your compliance counsel.

Text PJ · 858-461-8054