How to Perform a Datadog User Access Review: Manual and Automated Approaches

May 27, 2026

Datadog access reviews come up in compliance contexts more often than many security teams expect. As an observability platform with broad visibility into infrastructure, logs, and application performance data, Datadog frequently contains sensitive operational information — and increasingly, it’s in scope for SOC 2, ISO 27001, and similar frameworks specifically because of that visibility. Here’s how to approach a Datadog access review, what the manual process looks like, and when automation makes the process more tractable.

Why Is Datadog Access Review a Compliance Concern?

Datadog sits in an unusual position relative to other enterprise SaaS applications: it’s observability infrastructure rather than a core business application, which means it tends to get added to compliance review scopes later than systems like HRIS, CRM, or ERP. But the access it provides — logs, metrics, traces, infrastructure data, incident records, security monitoring data — is genuinely sensitive.

A Datadog user with Admin or Standard role access can see infrastructure configuration, application performance data, security alerts, and potentially log data containing sensitive information depending on what’s being ingested.

For organizations under SOC 2 or ISO 27001, the question of who has access to what Datadog data, at what role level, and whether that access is still appropriate is a legitimate control question. Auditors who look at Datadog access are typically checking: whether access is proportionate to role (not everyone needs Admin), whether former employees or contractors still have active accounts, and whether the access has been reviewed within the required review cycle.

What Does the Manual Review Process Look Like?

Step 1: Export the Current User List

Datadog provides user management through the Organization Settings interface. Admins can see all users, their roles, their status (Active, Pending, Disabled), and their last login date.

The export path: Organization Settings → Users → Export to CSV. This produces a list of all users in your Datadog organization, their assigned roles, and their current status. For organizations with multiple Datadog organizations (separate orgs for production, staging, or different business units), the export needs to cover each org separately.

Step 2: Cross-Reference Against HR Data

The most important check in a Datadog access review is confirming that all active users are current employees or active contractors. Cross-reference the Datadog user list against your HRMS to identify:

- Former employees with active Datadog accounts. These should be flagged for immediate revocation.
- Users whose employment status has changed (role change, department change) who may have Datadog access that no longer fits their current responsibilities.
- Contractor accounts that may have been provisioned for a specific project and never deprovisioned.

Step 3: Review Role Assignments

Datadog has a tiered role model:

- Admin roles have full access including user management, billing, and configuration changes.
- Standard roles have access to monitors, dashboards, and data based on the permissions configured for that role.
- Read-Only roles have view-only access.

For compliance purposes, the review should examine whether Admin access is appropriately limited — only users who need to manage users, configure the organization, or handle billing should hold Admin roles. Standard users with broad monitor and dashboard access in sensitive environments should be confirmed as appropriate for their current responsibilities.
Step 4: Review API Key and Application Key Access

This is the most commonly missed element in manual Datadog access reviews. Datadog’s API keys and application keys provide programmatic access to the Datadog API — for log ingestion, metric collection, dashboard automation, and similar purposes. These are not user accounts, but they represent access to Datadog data and configuration that needs to be reviewed and governed.

Check which API keys and application keys exist, who owns them, what their scope is, when they were last used, and whether they’re still needed. Unused API keys that haven’t been accessed in 90 days or more are candidates for rotation or deletion.

Step 5: Document the Review Decisions

For each user, document the review decision: Retain (access is appropriate), Modify (role change needed), or Revoke (access should be removed). For the manual process, this documentation typically happens in a spreadsheet with the user list exported from Datadog, annotated with review decisions and reviewer attribution.

The limitation of the manual approach is evidence quality: a spreadsheet is modifiable, doesn’t automatically capture timestamps, and doesn’t provide enforced reviewer accountability. For a first-pass review or a low-complexity environment, this may be sufficient. For SOC 2 or ISO 27001 evidence that needs to survive auditor scrutiny, the manual approach typically needs to be supplemented with additional controls — at minimum, a version-controlled document with dated review records and reviewer sign-off.
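Steps 2 through 5 can be run as a script over the exports. The sketch below is an added example, not code from the original article or from Datadog: the CSV column names, the approved-admin list and the sample rows are constructed assumptions, so map them to the headers in your real Datadog and HR exports.

```python
import csv
import io
from datetime import date

# Constructed sample inputs; the column names are assumptions, not Datadog's.
USERS = """email,role,status
alice@example.com,Admin,Active
bob@example.com,Standard,Active
carol@example.com,Admin,Active
dave@example.com,Read-Only,Disabled
erin@example.com,Standard,Pending
"""
HR = """email,employment_status
alice@example.com,active
bob@example.com,terminated
carol@example.com,active
"""
KEYS = """key_name,owner,last_used
ci-metrics,alice@example.com,2026-05-20
old-dashboard-sync,bob@example.com,2026-01-10
never-used,carol@example.com,
"""
APPROVED_ADMINS = {"alice@example.com"}  # hypothetical list of justified admins

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_users(users_csv, hr_csv, approved_admins):
    """Steps 2, 3 and 5: one Retain/Modify/Revoke decision per live account."""
    employed = {r["email"].lower() for r in rows(hr_csv)
                if r["employment_status"] == "active"}
    decisions = []
    for u in rows(users_csv):
        email = u["email"].lower()
        if u["status"] == "Disabled":
            continue  # no live access left to review
        if email not in employed:
            decisions.append((email, "Revoke", "no active HR record"))
        elif u["role"] == "Admin" and email not in approved_admins:
            decisions.append((email, "Modify", "Admin role not justified"))
        else:
            decisions.append((email, "Retain", "access fits current role"))
    return decisions

def stale_keys(keys_csv, today, max_age_days=90):
    """Step 4: keys never used, or unused for max_age_days or more."""
    return [k["key_name"] for k in rows(keys_csv)
            if not k["last_used"]
            or (today - date.fromisoformat(k["last_used"])).days >= max_age_days]
```

Pending invitations are treated as live accounts here, so an invite sent to someone with no HR record is flagged for revocation alongside former employees.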

What Does the Automated Approach Look Like?

Automation addresses the three core limitations of the manual approach: staleness (the export is out of date by the time it’s reviewed), evidence quality (the spreadsheet doesn’t satisfy compliance requirements), and scalability (manual reviews are feasible for 50 users, difficult for 500).

Datadog has a reasonably complete API that exposes user management functions: listing users, their roles, their status, and their last activity. An automated review process uses this API to pull current user data rather than a point-in-time export.

The automation connects to the Datadog API, pulls the current user list with role assignments and last activity data, cross-references against HRMS data to flag former employees and role changes, and presents the results to reviewers in a structured workflow with enforced deadlines and decision attribution.

For organizations managing Datadog alongside other applications — Okta, GitHub, Salesforce, AWS — the value of automation increases significantly because a single governance platform can run a combined access review covering all applications simultaneously rather than requiring separate manual exports from each. The reviewer sees all of a user’s access across all reviewed applications in one interface, makes revocation decisions with a single interaction, and the resulting evidence package covers the full scope.

What Evidence Does a Compliant Datadog Access Review Need to Produce?

For SOC 2 Type II, the evidence package from a Datadog access review needs to show:

- That the review happened within the required interval.
- Who reviewed which user’s access, when, and what decision they made.
- What happened to access that was flagged for revocation — confirmation that the access was actually removed.
- A non-editable format that demonstrates the record wasn’t modified after the fact.

For ISO 27001, the requirements are similar with additional emphasis on documented process and reviewer objectivity — users shouldn’t be certifying their own access.

The manual approach can satisfy these requirements with sufficient care, but it requires additional process discipline: version-controlled records, dated approvals, confirmed remediation documentation, and a format that resists post-hoc modification. The automated approach produces these outputs as a byproduct of the review workflow — the system generates the timestamped report, records the reviewer attribution for each decision, confirms the execution of revocations, and produces the final evidence package in a format that auditors accept without supplemental controls.
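A hash-chained decision log is one way to give a manually produced record the properties listed above: reviewer attribution, timestamps, confirmed remediation, resistance to after-the-fact edits, and no self-certification. This is an added example, not from the original article or from Datadog; the record fields and function names are assumptions, and the sample decisions are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash value for the first entry

def _digest(record, prev_hash):
    # Canonical JSON so the same record always produces the same hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_decision(log, subject, reviewer, decision, decided_at, remediated_at=None):
    """Record one decision; reject self-certification and unknown decisions."""
    if subject.lower() == reviewer.lower():
        raise ValueError("reviewer cannot certify their own access")
    if decision not in ("Retain", "Modify", "Revoke"):
        raise ValueError("unknown decision: " + decision)
    record = {"subject": subject, "reviewer": reviewer, "decision": decision,
              "decided_at": decided_at, "remediated_at": remediated_at}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _digest(record, prev)})
    return log

def verify(log):
    """Index of the first altered or reordered entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry["record"], prev):
            return i
        prev = entry["hash"]
    return -1

def open_revocations(log):
    """Revoke decisions with no recorded removal: gaps in the evidence package."""
    return [e["record"]["subject"] for e in log
            if e["record"]["decision"] == "Revoke"
            and not e["record"]["remediated_at"]]

if __name__ == "__main__":  # constructed sample decisions
    log = []
    append_decision(log, "bob@example.com", "alice@example.com", "Revoke",
                    "2026-05-27T10:00:00Z")
    log[0]["record"]["decision"] = "Retain"  # simulated after-the-fact edit
    print(verify(log), open_revocations(log))
```

The chain only demonstrates integrity if the final hash is stored somewhere the reviewers cannot rewrite, such as a signed commit or the audit ticket, because anyone who can edit the whole file can also recompute every hash.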

When Does Manual Make Sense vs. Automated?

Manual reviews are appropriate when:

- Datadog is one of very few applications in your compliance scope.
- Your user population is small enough that a one-person review is tractable (under 50 users is typically manageable).
- Your compliance requirement is relatively light — a single annual review rather than quarterly certification.
- You’re running a first-pass review to establish a baseline before investing in automation.

Automated reviews are appropriate when:

- Datadog is one of many applications in a larger compliance program.
- Your user population is large enough that manual export and review is error-prone.
- You need quarterly review cycles and the manual overhead is unsustainable.
- Your compliance framework requires evidence quality that manual exports can’t reliably produce.
- You want the review for Datadog to be part of a unified access review covering all your applications rather than a separate exercise.