Data security controls

Types of data collected

Dynatrace captures a ton of data, including host and application metrics, basic network metrics, real user metrics, mobile metrics, cloud infrastructure metrics, log metrics, and much more. As such data may contain private or sensitive user information, Dynatrace offers data masking features to assist you in complying with your data privacy and data protection obligations.

Data collection

Data storage

Dynatrace offers two different types of deployment models: SaaS and Managed.

In Dynatrace SaaS, data is stored in AWS data centers. You can choose between four different geographical regions:

  • US-East: Virginia
  • US-West: Oregon
  • EU-West: Ireland
  • APAC: Sydney

In Dynatrace Managed, your monitoring data remains in your own data center.

Data storage

Also see Data retention periods.

Dynatrace components

Dynatrace OneAgent collects all monitoring data within your monitored environment. Optionally, all data collected by OneAgent can be routed through a Dynatrace ActiveGate, which works as a proxy between Dynatrace OneAgent and the Dynatrace Cluster. In the absence of an ActiveGate, data collected by OneAgent is sent directly to the Dynatrace Cluster.

Dynatrace Managed clusters periodically exchange information, such as license and consumption data, with Dynatrace Mission Control.


Data segregation between customer environments

Dynatrace SaaS allocates one dedicated environment per customer account. Data is segregated logically and each environment gets its own individual domain.

Dynatrace Managed allocates one cluster per customer account.

Data segregation

Data encryption in transit

All data exchanged between Dynatrace OneAgent, ActiveGate, and Dynatrace Cluster is encrypted in transit. Data is serialized and deserialized using Google Protocol Buffers.

Dynatrace SaaS uses TLS 1.2 (SSL Labs Grade A+). In Dynatrace Managed, you can configure TLS versions as well as cipher suites, and you can use your own SSL certificates.

Data encryption in transit

Data encryption at rest

Dynatrace SaaS uses Amazon Elastic File System (EFS) and Amazon Elastic Block Store (EBS) with AES 256 encryption. Encryption keys are managed by Dynatrace using AWS Key Management Service (KMS).

Dynatrace Managed customers must configure their own hard disk encryption and manage encryption keys on their own.

Data encryption at rest

User authentication

In Dynatrace Saas, you can manage your users by setting up user groups and permissions and SAML.

In Dynatrace Managed, users are managed by configuring user groups, SAML, OpenID, and LDAP.

User authentication

Integrity verification of Dynatrace components

Dynatrace components are signed using code signing certificates within the continuous delivery and integration (CI/CD) pipeline.

Code signing certificates are stored on hardware tokens with Extended Validation (EV) code signing certificates for Windows. Signature verification is performed automatically before an update or installation. When installing a component for the first time, signature verification must be conducted manually.

Integrity verification

Business continuity and high-availability

Dynatrace SaaS uses a clustered architecture, multiple AWS availability zones (data centers), and automatic fail-over mechanisms to ensure high availability (99.5% availability SLA).

In Dynatrace Managed, a high-availability setup can be achieved by setting up multiple cluster nodes. The Dynatrace Mission Control team monitors the service quality and hardware utilization of Dynatrace Managed clusters. It uses high-availability multi-node setup and sends alerts when additional hardware is required for monitoring the environment. For more details, download the Managed SLA.

High availability

Data backups and disaster recovery

Every 24 hours Dynatrace SaaS performs data backups to a different AWS data center in the same geographical region. The maximum recovery point objective (RPO) for a full cluster is 24 hours. The recovery time objective (RTO) takes up to 24 hours depending on the size of the cluster.

Dynatrace Managed offers a built-in backup mechanism that you must configure.

Data backup

Infrastructure monitoring

A dedicated Dynatrace self-monitoring cluster monitors availability, performance, and security of all SaaS clusters. If a problem is detected, the Dynatrace ACE (Autonomous Cloud Enablement) team, which operates on a 24/7 basis, is notified immediately. Operational status and incidents are always available at

Dynatrace Managed clusters send regular health checks to Dynatrace Mission Control. Optionally, Managed clusters can be monitored by the Dynatrace self-monitoring cluster.

Infrastructure monitoring

Roll out of updates and hot fixes

Using a fully automated CI/CD pipeline, Dynatrace is able to roll out updates and hot fixes within a few hours. The Dynatrace architecture allows for zero-downtime upgrades of clusters.

In Dynatrace SaaS, new features are delivered every two weeks. Updates of Dynatrace ActiveGates and OneAgents can be performed automatically or manually.

In Dynatrace Managed, updates are delivered via Dynatrace Mission Control. New features are delivered every 4 weeks. Upgrades of the cluster, OneAgents, and ActiveGates can be performed automatically or manually.

Updates rollout

Data access for Dynatrace support

Access to Dynatrace SaaS environments is role-based. Role changes require justification and approval by the Dynatrace ACE (Autonomous Cloud Enablement) team. Access is restricted to the Dynatrace corporate network and requires multi-factor authentication when accessed remotely. Every access and all changes are audit logged and fully accessible.

In Dynatrace Managed, you have complete control over the remote access to your cluster in case support is required. You can turn off remote access or configure it to require approval before access is granted. Dynatrace support has access to Dynatrace Managed software (application-level) only, not to your underlying infrastructure or the system level.

Remote access is established by Dynatrace Mission Control, which is only accessible from within the Dynatrace corporate network. Remote access by Dynatrace Mission Control requires multi-factor authentication. Each access and any changes that are made are audit-logged and fully accessible.

Data access

Compliance, certifications, and audits

Dynatrace is SOC 2 Type II certified; you can view the SOC3 report, but the full SOC2 report is available only under NDA. It can be used compliantly with GDPR (Europe), performs regular self-assessments (see Cloud Security Alliance CAIQ report), and conducts penetration tests with independent security firms.

Additionally, Dynatrace offers a FedRAMP authorized deployment option available in the FedRAMP marketplace and also benefits from Amazon's secure, world-class data centers that are certified for ISO 27001, PCI-DSS Level 1, and SOC 1/SSAE-16.