The below Security Policy applies only to customers with an existing New Relic agreement in place that explicitly references this Security Policy applying to the Service purchased in an Order. Capitalized terms not defined below shall take on the meaning set forth in such New Relic agreement.
New Relic Security Policy
1. Data Security
1.1. New Relic shall establish and maintain data security procedures and other safeguards designed to protect against the loss, theft or other unauthorized access or alteration of Customer Data in the possession or under the control of New Relic or to which New Relic has access, which are no less rigorous than accepted security standards in the industry.
1.2. New Relic shall maintain an information security policy that outlines a definition of information security and its overall objectives; a framework for setting control objectives and controls, including the structure of risk assessment and risk management; a brief explanation of the compliance requirements; and procedures for managing information security incidents.
2. Data Access
2.1. Access to Customer Data stored on New Relic’s systems shall not be granted to members of New Relic unless they have been uniquely identified and have sufficient credentials.
2.2. Access permissions shall be established in a manner that allows for the minimum access level(s) required for each employee.
2.3. Access to Customer Data shall be logged with sufficient information to determine the nature and scope of any inappropriate access.
3. Server Security
3.1. New Relic shall establish and follow reasonable server configuration guidelines and processes to prevent unauthorized access to Customer Data.
3.2. New Relic shall establish and follow reasonable configuration change management procedures for its servers containing Customer Data.
4. Network Security
4.1. New Relic network architecture shall be designed to limit site access and restrict the availability of information services that are considered to be vulnerable to attack.
4.2. New Relic shall utilize SSL certificates for all Internet activity. By default, Customer Data transmitted to and from the New Relic network shall be sent over an encrypted medium or in an encrypted format.
4.3. New Relic network shall use IDS technologies for network intrusion detection.
4.4. Access to New Relic systems containing Customer Data shall be restricted to authorized personnel.
5. Security Audits
5.1. New Relic shall conduct at least annually a SOC 2 or industry equivalent audit. New Relic shall provide to Customer audit results upon request, and shall explain and provide remediation plans to correct any problems to the extent reasonably possible.
6. Security and Incident Response
6.1. New Relic shall maintain an Information Security Incident Response plan, and make that plan available to Customer if requested.
6.2. In the event of an actual theft, loss, or unauthorized access of Customer Data by New Relic’s personnel and/or any unauthorized individual or entity, New Relic shall: (a) investigate such breach, (b) attempt to cure such breach, and (c) provide notification to Customer that describes such breach.
7. Disaster Recovery
7.1. New Relic shall have in effect a disaster recovery plan designed to respond to both a component failure of New Relic equipment within its data center and a catastrophic loss of service. This plan shall include documented policies and procedures to restore service in the event of either type of failure.
7.2. New Relic shall establish and follow backup and restore procedures for servers containing Customer Data.
8. Copies and Removal
8.1. In addition to any obligations of New Relic in the Agreement, upon expiration or termination of this Agreement for any reason: (a) New Relic shall, and shall cause its personnel to, cease and desist all access and use of any Customer Data, and (b) New Relic shall delete all copies of Customer Data within ninety (90) days.
9. Disclosure by Law
9.1. In the event New Relic is required by law, regulation, or legal process to disclose any Customer Data, New Relic shall (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.