Data security controls
Overview of data security controls
Types of data collected
Dynatrace captures a ton of data, including host and application metrics, basic network metrics, real user metrics, mobile metrics, cloud infrastructure metrics, log metrics, and much more. As such data may contain private or sensitive user information, Dynatrace offers data masking features to assist you in complying with your data privacy and data protection obligations.
Dynatrace offers two different types of deployment models: SaaS and Managed.
In Dynatrace SaaS, data is stored in Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) data centers. You can choose from the regions listed below.
- US East (N. Virginia)
- US West (Oregon)
- Europe (Ireland)
- Asia Pacific (Sydney)
- Europe (London)1
- Europe (Frankfurt)1
- Canada (Central)1
- South America (São Paulo)1
- Asia Pacific (Singapore)1
Available on request. Talk to your Dynatrace sales contact.
Available on request. Talk to your Dynatrace sales contact.
In Dynatrace Managed, your monitoring data remains in your own data center.
Also see Data retention periods.
Dynatrace OneAgent collects all monitoring data within your monitored environment. Optionally, all data collected by OneAgent can be routed through a Dynatrace ActiveGate, which works as a proxy between Dynatrace OneAgent and the Dynatrace Cluster. In the absence of an ActiveGate, data collected by OneAgent is sent directly to the Dynatrace Cluster.
Dynatrace Managed clusters periodically exchange information, such as license and consumption data, with Dynatrace Mission Control.
Data segregation between customer environments
Dynatrace SaaS allocates one dedicated environment per customer account. Data is segregated logically and each environment gets its own individual domain.
Dynatrace Managed allocates one cluster per customer account.
Data encryption in transit
All data exchanged between OneAgent, ActiveGate, and Dynatrace Cluster is encrypted in transit. Data is serialized and deserialized using Google Protocol Buffers.
Dynatrace SaaS uses TLS 1.2 (SSL Labs Grade A+). In Dynatrace Managed, you can configure TLS versions as well as cipher suites, and you can use your own SSL certificates.
Data encryption at rest
AWS. Dynatrace SaaS on AWS uses Amazon Elastic File System (EFS) and Amazon Elastic Block Store (EBS) with AES-256 encryption. Dynatrace manages encryption keys using AWS Key Management Service (KMS).
Azure. Dynatrace SaaS on Azure uses Azure Storage with Microsoft-managed keys. Data in Azure Storage is encrypted and decrypted transparently using AES-256 encryption (FIPS 140-2 compliant).
GCP. Dynatrace SaaS on GCP uses persistent disks with keys managed by Google Cloud. Google Cloud encrypts all customer content stored at rest with 256-bit AES encryption and uses a FIPS 140-2 validated Level 1 encryption module (certificate 3318).
Dynatrace Managed customers must configure their own hard disk encryption and manage encryption keys on their own.
Integrity verification of Dynatrace components
Dynatrace components are signed using code signing certificates within the continuous delivery and integration (CI/CD) pipeline.
Code signing certificates are stored on hardware tokens with Extended Validation (EV) code signing certificates for Windows. Signature verification is performed automatically before an update or installation. When installing a component for the first time, signature verification must be conducted manually.
Business continuity and high-availability
Dynatrace SaaS uses a clustered architecture, multiple availability zones (data centers), and automatic fail-over mechanisms to ensure high availability (99.5% availability SLA).
In Dynatrace Managed, a high-availability setup can be achieved by setting up multiple cluster nodes. The Dynatrace Mission Control team monitors the service quality and hardware utilization of Dynatrace Managed clusters. It uses high-availability multi-node setup and sends alerts when additional hardware is required for monitoring the environment. For more details, download the Managed SLA.
Data backups and disaster recovery
AWS. Every 24 hours, Dynatrace SaaS on AWS performs data backups to a different AWS data center in the same geographic region. The maximum recovery point objective (RPO) for a full cluster is 24 hours. The recovery time objective (RTO) takes up to 24 hours, depending on the size of the cluster.
Azure. Every 24 hours, Dynatrace SaaS on Azure performs data backups to a different Azure subscription in the same Azure region. The maximum recovery point objective (RPO) for a full cluster is 24 hours. The recovery time objective (RTO) takes up to 24 hours, depending on the size of the cluster.
GCP. Every 24 hours, Dynatrace SaaS on GCP performs data backups to a different GCP project in the same GCP region. The maximum recovery point objective (RPO) for a full cluster is 24 hours. The recovery time objective (RTO) takes up to 24 hours, depending on the size of the cluster.
Dynatrace Managed offers a built-in backup mechanism that you must configure.
A dedicated Dynatrace self-monitoring cluster monitors availability, performance, and security of all SaaS clusters. If a problem is detected, the Dynatrace ACE (Autonomous Cloud Enablement) team, which operates on a 24/7 basis, is notified immediately. Operational status and incidents are always available at dynatrace.status.io.
Dynatrace Managed clusters send regular health checks to Dynatrace Mission Control. Optionally, Managed clusters can be monitored by the Dynatrace self-monitoring cluster.
Roll out of updates and hot fixes
Using a fully automated CI/CD pipeline, Dynatrace is able to roll out updates and hot fixes within a few hours. The Dynatrace architecture allows for zero-downtime upgrades of clusters.
In Dynatrace SaaS, new features are delivered every two weeks. Updates of Dynatrace ActiveGates and OneAgents can be performed automatically or manually.
In Dynatrace Managed, updates are delivered via Dynatrace Mission Control. New features are delivered every 4 weeks. Upgrades of the cluster, OneAgents, and ActiveGates can be performed automatically or manually.
Data access for Dynatrace support
Access to Dynatrace SaaS environments is role-based. Role changes require justification and approval by the Dynatrace ACE (Autonomous Cloud Enablement) team. Access is restricted to the Dynatrace corporate network and requires multi-factor authentication when accessed remotely. Every access and all changes are audit logged and fully accessible.
In Dynatrace Managed, you have complete control over the remote access to your cluster in case support is required. You can turn off remote access or configure it to require approval before access is granted. Dynatrace Support has access to Dynatrace Managed software (application-level) only, not to your underlying infrastructure or the system level.
Remote access is established by Dynatrace Mission Control, which is only accessible from within the Dynatrace corporate network. Remote access by Dynatrace Mission Control requires multi-factor authentication. Each access and any changes made are audit-logged and fully accessible.
Compliance, certifications, and audits
Dynatrace is SOC 2 Type II certified; you can view the SOC 3 report, but the full SOC 2 report is available only under NDA. Dynatrace can be used compliantly with GDPR (Europe), performs regular self-assessments (see Cloud Security Alliance CAIQ report), and conducts penetration tests with independent security firms.
Additionally, Dynatrace offers a FedRAMP authorized deployment option available in the FedRAMP marketplace and also benefits from Amazon's and Azure's secure, world-class data centers that are certified for ISO 27001, PCI-DSS Level 1, and SOC 1/SSAE-16.