New Relic takes your data privacy seriously. Our principles-based approach aims to go beyond the legal requirements for consent. We understand your concerns when you entrust us with your data, and we always strive to embrace your expectations and preferences.
This document provides links to detailed information about the privacy and security measures we take to protect you and your customers' data privacy. For additional information about policies, credentials, audits, and other resources, see our New Relic security website.
Compliance with legal requirements
New Relic strives to comply with all applicable laws as they take effect. This includes the European Union's General Data Protection Regulation (GDPR) and all relevant US State laws, such as the California Consumer Privacy Act (CCPA).
Our disk-based encryption provides additional security while your data is at rest (FIPS 140-2 compliant). In addition, we are authorized for Moderate Impact SaaS Services (FedRAMP Authorized Moderate) for accounts that meet specific criteria.
For details about New Relic's contractual and regulatory privacy-related commitments for services, see:
Privacy by design and by default
New Relic follows "privacy by design" principles as part of our overarching security program. For example, when New Relic agents capture a webpage or referrer URL, all query parameters are stripped by default.
Here are examples of how New Relic incorporates privacy considerations into our data and security practices.
- Personal data requests (GDPR, CCPA, etc.)
New Relic strives to comply with all applicable laws as they take effect. This includes the European Union's GDPR and ePrivacy Directive and all applicable privacy laws, such as the California Consumer Privacy Act (CCPA) in the USA. For information about New Relic's process when responding to requests to access or delete personal data, see New Relic personal data requests.
- Events and attributes
You can query events and attributes, as well as create charts and alert conditions about this data. For a complete list of all events and attributes tracked by New Relic agents, see the Event data dictionary.
Events and attributes example:
If you use the Infrastructure
commandLineattribute, by default New Relic strips options and arguments from the full command line to prevent accidental leakage of sensitive information.
- Masking (obfuscation)
When New Relic agents refer to data obfuscation, this means the data is masked and cannot be recovered. For example, queries about distributed traces and transaction traces are obfuscated by default. For more information, see the data security documentation.
Security controls within New Relic
New Relic ensures that strong security measures are in place both for the data we receive and for our employees.
- Technical security controls
New Relic uses a comprehensive set of technical controls to support general security needs as well as security for data we receive. For more information, see New Relic security: Protecting your data and content.
- Organizational security controls
New Relic maintains a number of internal policies and procedures to guide employees in privacy-related subjects such as data classification and handling, data retention, handling of personal data, fulfilling personal data requests, incident response, etc. All employees must complete the security and privacy training upon hiring and renew this training annually.
New Relic uses a role-based structure so that you have direct control over who can access or change your account settings. For more information, see Users and roles, Add-on roles, and additional documentation about account maintenance, subscriptions, billing, etc.
- Retention of customer data
New Relic stores different types of data for different periods of time. The retention period for a type of data varies depending on the product, the subscription level, and the feature. For more information, see Data retention and components as well as specific data retention details by product, including:
- New Relic account emails
By default, we communicate with you for a variety of purposes related to your status as New Relic subscribers. This includes product engagement, support, alert notifications, updates, billings, etc.
- Individual users can unsubscribe from certain communications.
- General email preferences are managed through the account user interface. For more information, see Account email settings.
- Email notifications from New Relic Alerts are managed by the Owner, Admins, or add-on managers for users in the selected account.
- Account changes (NrAuditEvent)
To view changes made to your account's users or to record configuration changes made in New Relic products, use New Relic Insights to query
NrAuditEventevents. To be notified about account changes, create NRQL conditions with New Relic Alerts. For more information about available
NrAuditEventattributes, see the Event data dictionary.
- Account usage (NrDailyUsage)
To view daily usage of New Relic products for your selected account for billing purposes, use New Relic Insights to query
NrDailyUsageevents. For more information about available
NrDailyUsageattributes, see the Event data dictionary.
Security for products and services
New Relic publishes security bulletins with detailed information about vulnerabilities, remediation strategies, and applicable updates for affected software.
The following summarizes how individual New Relic products and components ensure security, with links to additional details.
By default, New Relic Alerts does not record any personal data. In addition, it automatically sets default permissions for individual account users and access levels within account structures. For more information, see Rules and limits for New Relic Alerts.
APIs simply are interfaces for data exchange automation. APIs have no knowledge of the content being transferred.
New Relic requires authorized users to provide their API keys to monitor subscription usage, manage account user permissions, query data, and perform other automated tasks. For more information, see Introduction to New Relic APIs.
APM agents monitor applications' performance. By default, APM agents do not record any personal data. For more information, see the APM security documentation.
The Browser agent allows customers to monitor the performance of their websites. By default, Browser does not record any personal data other than the visitor's IP address, which is used to derive high-level geographical information, such as their country, state, and city. These IP addresses are not stored; they are simply used for the geography lookup and then discarded.
For more information, see:
New Relic Diagnostics inspects system information and New Relic product artifacts (logs, config files) that are relevant for performing diagnostic checks that assess New Relic product configuration and operability. By default, this data is not transmitted to New Relic.
You do have the option to upload this information to a support ticket over HTTPS. For more information, see the Diagnostics security documentation.
The Infrastructure agent allows customers to monitor the performance of components in your ecosystem, such as servers, platforms, operating systems, databases, etc. Infrastructure may record the
usernameof users connecting to Infrastructure resources. For more information, see the Infrastructure security documentation.
The Insights service reports on data recorded by other New Relic products and services. It doesn’t record data on its own. For more information, see the Insights documentation about default data from other New Relic products and services.
The Infrastructure integrations service allows customers to retrieve and load data into the New Relic database from a variety of sources, including:
- Cloud-based integrations
- On-host integrations in containerized environments, such as Kubernetes
- On-host integrations built by New Relic
- On-host integrations built by the open-source community
- On-host integrations built by you
Depending on the integration, different types of data may be recorded so that you can monitor the integrations in New Relic.
The Infrastructure integrations service is data agnostic; it has no knowledge of whether the imported data contains any personal information. For more information, see the documentation for the specific integration, including:
Due to the nature of New Relic Logs, you have direct control over what data is reported to New Relic. To ensure data privacy and to limit the types of information New Relic receives, no customer data is captured except what you supply in your API calls or log forwarder configuration. All data for the Logs service is then reported to New Relic over HTTPS.
The Logs service does mask number patterns that appear to be for items such as credit cards or Social Security numbers. For more information, see the Logs security documentation.
By default, Mobile collects two pieces of personal data:
- The IP address is used to derive high-level geographical data, and then is discarded.
- A device ID is generated by New Relic and is used for billing purposes.
For more information, see the Mobile security documentation.
- New Relic One
New Relic One is a connected, unified UI that gathers all the data you already monitor with New Relic in one place. It is not a product, but rather, it's a way to interact with all your New Relic data more easily. For more information, see the introduction and security documentation for New Relic One.
The New Relic Plugins service allows New Relic users, developers, technology vendors, or partners to publish publicly accessible plugins within the New Relic Plugins directory (Plugin Central). Anyone who has a New Relic account can install and use these plugins through their New Relic user interface.
For some plugins, New Relic, Inc. is the publisher, and will be clearly identified as the publisher in Plugin Central. For plugins in Plugin Central that are not created by New Relic, the plugin publisher must follow specific guidelines. For more information, see the Plugins security documentation.
The Synthetics service uses monitors distributed throughout data centers around the world. It captures what is essentially performance data of simulated traffic. By default, it does not capture any personal data. For more information, see the Introduction to New Relic Synthetics.
If you configure Synthetics to monitor areas of websites that are located behind a login page, take care to create a non-personal login dedicated to this purpose. This will reduce the risk of unintended personal data exposure. For example, to securely store sensitive information, such as passwords, API keys, and user names, you can use secured credentials for scripted browsers and API tests.
New Relic Synthetics monitoring also supports a variety of authentication mechanisms. Depending on the type of monitor you choose, this includes Basic, Digest, NTLM, and NTLMv2.