Data privacy with New Relic

New Relic takes your data privacy seriously. Our principles-based approach aims to go beyond the legal requirements for consent. We understand your concerns when you entrust us with your data, and we always strive to embrace your expectations and preferences.

This document provides links to detailed information about the privacy and security measures we take to protect your data privacy and your customers' data privacy. For additional information about policies, credentials, audits, and other resources, see our New Relic security website.

New Relic strives to comply with all applicable laws as they take effect. This includes the European Union's General Data Protection Regulation (GDPR) and all relevant US State laws, such as the California Consumer Protection Act.

For details about New Relic's contractual and regulatory privacy-related commitments for services, see:

Privacy by design and by default

New Relic follows "privacy by design" principles as part of our overarching security program. For example, when New Relic agents capture a webpage or referrer URL, all query parameters are stripped by default.

Here are examples of how New Relic incorporates privacy considerations into our data and security practices.

Personal data requests

For information about New Relic's process when responding to requests to access or delete personal data, see New Relic personal data requests.

Events and attributes

You can query events and attributes, as well as create charts and alert conditions about this data. For a complete list of all events and attributes tracked by New Relic agents, see the Event data dictionary.

Events and attributes example:

If you use the Infrastructure ProcessSample event's commandLine attribute, by default New Relic strips options and arguments from the full command line to prevent accidental leakage of sensitive information.

Masking (obfuscation)

Queries about transaction traces are obfuscated by default. For more information, see Security and transaction traces.

Security controls within New Relic

New Relic ensures that strong security measures are in place both for the data we receive and for our employees.

Technical security controls

New Relic uses a comprehensive set of technical controls to support general security needs as well as security for data we receive. For more information, see:

Organizational security controls

New Relic maintains a number of internal policies and procedures to guide employees in privacy-related subjects such as data classification and handling, data retention, handling of personal data, fulfilling personal data requests, incident response, etc. All employees must complete the security and privacy training upon hiring and renew this training annually.

Account security

New Relic uses a role-based structure so that you have direct control over who can access or change your account settings. For more information, see Users and roles, Add-on roles, and additional documentation about account maintenance, subscriptions, billing, etc.

Retention of customer data

New Relic stores different types of data for different periods of time. The retention period for a type of data varies depending on the product, the subscription level, and the feature. For more information, see Data retention and components as well as specific data retention details by product, including:

New Relic account emails

By default, we communicate with you for a variety of purposes related to your status as a New Relic subscriber. This includes product engagement, support, alert notifications, updates, billing, etc.

Account changes (NrAuditEvent)

To view changes made to your account's users or to record configuration changes made in New Relic products, use New Relic Insights to query NrAuditEvent events. To be notified about account changes, create NRQL conditions with New Relic Alerts. For more information about available NrAuditEvent attributes, see the Event data dictionary.

Account usage (NrDailyUsage)

To view daily usage of New Relic products for your selected account for billing purposes, use New Relic Insights to query NrDailyUsage events. For more information about available NrDailyUsage attributes, see the Event data dictionary.

Security for products and services

New Relic publishes security bulletins with detailed information about vulnerabilities, remediation strategies, and applicable updates for affected software.

To receive notifications for future advisories, use New Relic's security bulletins RSS feed, or watch the topics in New Relic's Security notifications community channel to receive email alerts.

The following summarizes how individual New Relic products and components ensure security, with links to additional details.

Alerts

By default, New Relic Alerts does not record any personal data. In addition, it automatically sets default permissions for individual account users and access levels within account structures. For more information, see Rules and limits for New Relic Alerts.

APIs

APIs are simply interfaces for automating data exchange. APIs have no knowledge of the content being transferred.

New Relic requires authorized users to provide their API keys to monitor subscription usage, manage account user permissions, query data, and perform other automated tasks. For more information, see Introduction to New Relic APIs.

APM

APM agents monitor applications' performance. By default, APM agents do not record any personal data. For more information, see the APM security documentation.

Browser

The Browser agent allows customers to monitor the performance of their websites. By default, Browser does not record any personal data other than the visitor's IP address, which is used to derive high-level geographical information, such as their country, state, and city. These IP addresses are not stored; they are simply used for the geography lookup and then discarded.

For more information, see:

Infrastructure

The Infrastructure agent allows customers to monitor the performance of components in their ecosystem, such as servers, platforms, operating systems, databases, etc. Infrastructure may record the userID and username of users connecting to Infrastructure resources. For more information, see the Infrastructure security documentation.

Insights

The Insights service reports on data recorded by other New Relic products and services. It doesn’t record data on its own. For more information, see the Insights documentation about default data from other New Relic products and services.

Integrations

The Infrastructure integrations service allows customers to retrieve and load data into the New Relic database from a variety of sources, including:

  • Cloud-based integrations
  • On-host integrations in containerized environments, such as Kubernetes
  • On-host integrations built by New Relic
  • On-host integrations built by the open-source community
  • On-host integrations built by you

Depending on the integration, different types of data may be recorded so that you can monitor the integrations in New Relic.

The Infrastructure integrations service is data agnostic; it has no knowledge of whether the imported data contains any personal information. For more information, see the documentation for the specific integration, including:

Logs

Due to the nature of New Relic Logs, you have direct control over what data is reported to New Relic. To ensure data privacy and to limit the types of information New Relic receives, no customer data is captured except what you supply in your API calls or log forwarder configuration. All data for the Logs service is then reported to New Relic over HTTPS.

The Logs service does mask number patterns that appear to be for items such as credit cards or Social Security numbers. For more information, see the Logs security documentation.

Mobile

By default, Mobile collects two pieces of personal data:

  • The IP address, which is used to derive high-level geographical data and is then discarded.
  • A device ID generated by New Relic, which is created for billing purposes.

For more information, see the Mobile security documentation.

New Relic One

New Relic One is a connected, unified UI that gathers all the data you already monitor with New Relic in one place. It is not a product but rather a way to interact with all your New Relic data more easily. For more information, see the introduction and security documentation for New Relic One.

Plugins

The New Relic Plugins service allows New Relic users, developers, technology vendors, or partners to publish publicly accessible plugins within the New Relic Plugins directory (Plugin Central). Anyone who has a New Relic account can install and use these plugins through their New Relic user interface.

For some plugins, New Relic, Inc. is the publisher, and will be clearly identified as the publisher in Plugin Central. For plugins in Plugin Central that are not created by New Relic, the plugin publisher must follow specific guidelines. For more information, see the Plugins security documentation.

Synthetics

The Synthetics service uses monitors distributed throughout data centers around the world. It captures what is essentially performance data of simulated traffic. By default, it does not capture any personal data. For more information, see the Introduction to New Relic Synthetics.

If you configure Synthetics to monitor areas of websites that are located behind a login page, take care to create a non-personal login dedicated to this purpose. This will reduce the risk of unintended personal data exposure. For example, to securely store sensitive information, such as passwords, API keys, and user names, you can use secured credentials for scripted browsers and API tests.

New Relic Synthetics monitoring also supports a variety of authentication mechanisms. Depending on the type of monitor you choose, this includes Basic, Digest, NTLM, and NTLMv2.

You can also control which of your users can access your monitors and private locations. For more information, see Synthetics permissions and user groups.
