Dynatrace can capture various types of infrastructure and application data, including host and application metrics, basic network metrics, real user metrics, mobile metrics, cloud infrastructure metrics, log metrics, and much more.
By default, Dynatrace doesn't collect personally identifiable information (PII). However, since Dynatrace can be configured to capture PII, we also provide you with robust data masking and data protection features. These features are designed to help you comply with your data privacy and data protection obligations.
Data is stored in Amazon Web Services (AWS), Microsoft Azure, or Google Cloud data centers. The available regions are listed below.
Available on request. Talk to your Dynatrace sales contact.
Available on request. Talk to your Dynatrace sales contact.
Available on request. Talk to your Dynatrace sales contact.
Also see Data retention periods.
Dynatrace OneAgent collects all monitoring data within your monitored environment. Optionally, all data collected by OneAgent can be routed through a Dynatrace ActiveGate, which works as a proxy between Dynatrace OneAgent and the Dynatrace Cluster. In the absence of an ActiveGate, data collected by OneAgent is sent directly to the Dynatrace Cluster.
Dynatrace SaaS uses a multi-tenant, high-availability architecture. Dynatrace allocates a dedicated tenant, a so-called Dynatrace environment, to each customer. Customers can also manage multiple environments within the Dynatrace account management system. Each environment gets its own individual domain.
With the latest Dynatrace, all Dynatrace platform data, including data from Grail, AppEngine, and AutomationEngine, is stored in a separate, dedicated storage space. Dynatrace SaaS environments hosted on AWS use dedicated AWS S3 buckets as storage space. Other data, such as Dynatrace Credential vault data or Dynatrace account data, is stored in databases using logical data separation.
Separate storage space is currently available only for Dynatrace SaaS on AWS. Support for Dynatrace SaaS on Azure and Google Cloud is planned.
All Dynatrace SaaS monitoring data is encrypted at rest using AES-256. With the latest Dynatrace, all Dynatrace platform data, including data from Grail, AppEngine, and AutomationEngine, is stored in a separate, dedicated storage space. Each storage space is encrypted with a unique encryption key, which is rotated every 365 days. Dynatrace manages the encryption keys.
Separate data storage and unique encryption keys are currently available only for Dynatrace SaaS on AWS. Support for Dynatrace SaaS on Azure and Google Cloud is planned.
All data exchanged between OneAgent, ActiveGate, and Dynatrace Cluster is encrypted in transit. Data is serialized and deserialized using Google Protocol Buffers.
Dynatrace SaaS supports TLS 1.2 and TLS 1.3 (SSL Labs Grade A+).
You can manage your users by setting up user groups and permissions and SAML.
Dynatrace components are signed using code signing certificates within the continuous delivery and integration (CI/CD) pipeline.
Code signing certificates are stored on hardware tokens with Extended Validation (EV) code signing certificates for Windows. Signature verification is performed automatically before an update or installation. When installing a component for the first time, signature verification must be conducted manually.
Dynatrace SaaS uses a clustered architecture, multiple availability zones (data centers), and automatic fail-over mechanisms to ensure high availability (99.5% availability SLA).
AWS: Every 24 hours, Dynatrace SaaS on AWS performs data backups to a different AWS account in the same AWS region. The backup includes the data captured for at least the last 30 days. The maximum recovery point objective (RPO) for a full cluster is 24 hours. The recovery time objective (RTO) takes up to 24 hours, depending on the size of the cluster.
Azure: Every 24 hours, Dynatrace SaaS on Azure performs data backups to a different Azure subscription in the same Azure region. The backup includes the data captured for at least the last 30 days. The maximum recovery point objective (RPO) for a full cluster is 24 hours. The recovery time objective (RTO) takes up to 24 hours, depending on the size of the cluster.
Google Cloud: Every 24 hours, Dynatrace SaaS on Google Cloud performs data backups to a different Google Cloud project in the same Google Cloud region. The backup includes the data captured for at least the last 30 days. The maximum recovery point objective (RPO) for a full cluster is 24 hours. The recovery time objective (RTO) takes up to 24 hours, depending on the size of the cluster.
A dedicated Dynatrace self-monitoring cluster monitors availability, performance, and security of all SaaS clusters. If a problem is detected, the Dynatrace ACE (Autonomous Cloud Enablement) team, which operates on a 24/7 basis, is notified immediately. Operational status and incidents are always available at dynatrace.status.io.
Using a fully automated CI/CD pipeline, Dynatrace is able to roll out updates and hot fixes within a few hours. The Dynatrace architecture allows for zero-downtime upgrades of clusters.
New features are delivered every two weeks. Updates of Dynatrace ActiveGates and OneAgents can be performed automatically or manually.
Dynatrace logs security-relevant events such as configuration changes and access to the environment. You can view these audit logs in Dynatrace or download them for further use via the GET audit log API call.
Access to Dynatrace SaaS environments is role-based. Role changes require justification and approval by the Dynatrace ACE (Autonomous Cloud Enablement) team. Access is restricted to the Dynatrace corporate network and requires multi-factor authentication when accessed remotely. Every access and all changes are audit logged and fully accessible.
Dynatrace can detect and prevent the leakage of Dynatrace secrets in source code repositories on GitHub. These secrets may include platform or API tokens that were inadvertently pushed to a source code repository. If a secret leak is detected, we will reach out to you and aid with remediation measures.
For details on reporting a security issue, see Report a security-related concern.
Dynatrace undergoes annual, independent third-party audits and conducts penetration tests and red team assessments with independent security firms.
Having achieved several global and local certifications and accreditations demonstrates that we adhere to the most recognized international standards for security management.
Dynatrace also benefits from secure Amazon, Azure, and Google data centers that are certified for ISO 27001, PCI-DSS Level 1, and SOC 1/SSAE-16.
For the full list of certifications, see Trust Center.