New Relic takes your data privacy seriously. Our principles-based approach aims to go beyond the legal requirements for consent. We understand your concerns when you entrust us with your data, and we always strive to embrace your expectations and preferences.
This document provides links to detailed information about the privacy and security measures we take to protect you and your customers' data privacy. Our monitoring tools are data-agnostic; they don't require sensitive materials, and many of them don't require any personal data.
You are responsible for ensuring that your systems are appropriately set up and configured so that they don't send inappropriate personal data or sensitive materials to New Relic monitoring tools. For additional information about policies, credentials, audits, and other resources, see our New Relic security website.
Tip
New Relic includes the option of HIPAA-enabled accounts for customers meeting certain requirements. To learn more, see HIPAA readiness at New Relic.
Personal data transfer (Data Privacy Framework and SCC)
As of October 2023, the U.S. Department of Commerce has formally approved New Relic's certification under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK extension to the Data Privacy Framework.
The Data Privacy Framework replaces the Privacy Shield for data transfers to the U.S. The Privacy Shield was invalidated in the Schrems case. The Schrems case reaffirmed the validity of Standard Contractual Clauses (SCC) as an appropriate legal mechanism to transfer personal data outside of the European Union. Since then, New Relic has relied on the Standard Contractual Clauses as a mechanism to transfer personal data from the EU, Switzerland and the UK (the SCC were updated in 2021). You can find more information in EU-U.S. Data Privacy Framework (DPF) & International Data Transfers.
If you want to send personal data from the EU, Switzerland, and/or the UK, we offer an appropriate data processing addendum (DPA) that makes reference to the Data Privacy Framework and/or the SCC, as applicable. In the event that the Data Privacy Framework is invalidated, the SCC will automatically apply in order to ensure that there is a valid data transfer mechanism in place to govern the transfer of that data. For more information, consult our Data Processing Addendum FAQ, or download our pre-signed DPA.
Compliance with legal requirements
We always strive to comply with all applicable laws as they take effect. This includes the European Union's General Data Protection Regulation (GDPR) and all relevant US State laws, such as the California Consumer Privacy Act (CCPA).
If you have further questions, please contact your account team, or privacy@newrelic.com. Please note that we are unable to provide assistance to our customers with privacy questions via any third party platforms, including, e.g., any data privacy or data privacy compliance platforms. The only method by which we can provide assistance is as set out above.
Privacy by design and by default
New Relic follows "privacy by design" principles as part of our overarching security program. For example, when New Relic agents capture a webpage or referrer URL, all query parameters are stripped by default.
Here are examples of how we incorporate privacy considerations into our data and security practices.
New Relic strives to comply with all applicable laws as they take effect. This includes the European Union's GDPR and ePrivacy Directive and all applicable privacy laws, such as the California Consumer Privacy Act (CCPA) in the US. For more information about our process when responding to requests to access or delete personal data, see New Relic personal data requests.
You can query events and attributes, as well as create charts and alert conditions about this data. For a complete list of all events and attributes tracked by New Relic agents, see our data dictionary.
Dropping data gives you control over the data that you send to New Relic, including any personal data that you configured to be collected. By dropping specific events or attributes from events, you determine what data New Relic ultimately stores so that you can query, alert on, and analyze it. For more information, see Drop data using NerdGraph.
When our agents refer to data obfuscation, the agent actually removes the data before sending it to New Relic. The data cannot be recovered. For example, with APM queries, the Record SQL? value defaults to obfuscated. This strips the string literals and numeric sequences and then replaces them with the ? character.
You can mask sensitive information in HTTP or HTTPS requests. For example, queries about distributed traces and transaction traces are obfuscated by default, in which case they cannot be recovered. For more information, see the documentation for specific New Relic services, including:
We use a comprehensive set of technical controls to support general security needs as well as security for data we receive. For more information, see our documentation about data security, data encryption, and high-security mode for APM agents.
New Relic maintains a number of internal policies and procedures to guide employees in privacy-related subjects such as data classification and handling, data retention, handling of personal data, fulfilling personal data requests, incident response, etc. All employees must complete the security and privacy training upon hiring and renew this training annually.
Account security
Our role-based account structure gives you direct control over who can access or change your account settings. For more information, see Users and roles. New Relic periodically audits and deactivates accounts for terminated employees that a customer may have provisioned for support.
The New Relics platform gives you a single source of truth for all your operational data, empowering you to ask and answer any question in milliseconds. This platform stores different types of data for different periods of time. The Data retention page in our UI provides information on how long your data will be stored in the New Relic database (NRDB). For more information, see Manage data retention.
By default, we communicate with you for a variety of purposes related to your status as New Relic subscribers. This includes product engagement, support, alert notifications, updates, billings, etc.
Individual users can unsubscribe from certain communications. General email preferences are managed through the account user interface. For more information, see Account email settings.
New Relic customers should be vigilant of phishing attempts that target their employees. New Relic also makes available SAML, SSO, and SCIM provisioning, which is available here. Additionally, customers configured with SAML, SSO, and SCIM, are strongly encouraged to enable MFA.
To view changes made to your account's users or to record configuration changes, query NrAuditEvent events. To be notified about account changes, create NRQL alert conditions. For more about available NrAuditEvent attributes, see our data dictionary.
Audit New Relic user activity
New Relic collects user activity data when a user queries for data or makes configuration changes within an organization. You can query these events to address security-related concerns around user activity within your New Relic organization. Surfacing user activity information empowers security-sensitive customers to understand how members of their org access data in the New Relic platform.
You can surface user activity information with these events:
Records user activity when a user queries data within the account
You can surface user activity data by going to one.newrelic.com > All Capabilities, then working with two capabilities: Metrics & Events and Query your data. In general, you can use:
Metrics & Events for looking at broad, general trends
Query your data for answering specific, scoped questions with NRQL queries
To surface user activity information, go to one.newrelic.com > All Capabilities > Metrics & Events, then search for either NrAuditEvent or NrdbQuery from the Event type column. For example:
Go to one.newrelic.com > All Capabilities > Metrics & Events: Search NrAuditEvent or NrdbQuery from the Event type column, then click Dimensions to view attributes.
You can select Raw data to view event attributes as key-value pairs. Attribute keys like ID, description, or timestamp are organized in the table's horizontal row while their values are listed out in the table's columns. Keep in mind that these attributes are subject to data limits.
You can also use our Query your data tool to retrieve attributes and fields of interest. For example, take this example query:
FROM NrdbQuery SELECTuser, query, productCapability, source.name whereuser='demonewrelic@gmail.com'limit max since 1 week ago until 1day ago
Go to one.newrelic.com > All Capabilities > Query your data: Build a query to answer specific questions about user activity.
This query surfaces data from the NrdbQuery event but limits the data to:
These attributes: SELECT user, query, productCapability, source.name
A specific user: where user = 'demonewrelic@gmail.com'
With no set maximum number of results: limit max
Scoped to this time parameter: since 1 week ago until 1 day ago
This surfaces data about specific parameters rather than showing broad trends like in Metrics & Events.
We recommend reviewing How to query with NRQL to learn more about using NRQL syntax to surface the information you need.
Security for products and services
We publish security bulletins with detailed information about vulnerabilities, remediation strategies, and applicable updates for affected software.
To receive notifications for future advisories, use either of these options:
The following summarizes how individual New Relic products and components ensure security, with links to additional details.
By default, our alerting services do not record any personal data. In addition, they automatically set default permissions for individual account users and access levels within account structures. For more information, see our documentation about alerts, as well as our rules and limits for alerts.
APIs simply are interfaces for data exchange automation. APIs have no knowledge of the content being transferred.
We require authorized users to provide their API keys to monitor subscription usage, manage account user permissions, query data, and perform other automated tasks. For more information, see Introduction to New Relic APIs.
APM agents monitor your applications' performance. By default, APM agents do not record any personal data. For more information, see our APM security documentation.
Our agent allows you to monitor the performance of their websites. For more information, see:
The New Relic Diagnostics service inspects relevant system information and any other necessary information (such as logs and config files) to perform diagnostic checks that assess configuration and operability. By default, this data is not transmitted to New Relic.
You do have the option to upload this information to a support ticket over HTTPS. For more information, see the Diagnostics security documentation.
The Infrastructure agent allows you to monitor the performance of components in your ecosystem, such as servers, platforms, operating systems, databases, etc. Infrastructure may record the userID and username of users connecting to Infrastructure resources. For more information, see the security documentation for infrastructure monitoring.
Our integrations services allow you to retrieve and load data into the New Relic database from a variety of sources, including:
Cloud-based integrations
On-host integrations in containerized environments, such as Kubernetes
On-host integrations built by New Relic
On-host integrations built by the open-source community
On-host integrations built by you
Depending on the integration, different types of data may be recorded so that you can monitor the integrations in New Relic.
The integration services are data agnostic. They will have no knowledge of whether the imported data contains any personal information. For more information, see the documentation for the specific integration, including:
Due to the nature of our logs management service, you have direct control over what data is reported to New Relic. To ensure data privacy and to limit the types of information New Relic receives, no customer data is captured except what you supply in your API calls or log forwarder configuration. All data for the logs service is then reported to New Relic over HTTPS.
The logs service automatically masks number patterns that appear to be for items such as credit cards or Social Security numbers. You can also manage obfuscation rules and expressions to hash or mask your log data. For more information, see our obfuscation and Logs security documentation.
By default, our service collects two pieces of personal data:
The IP address is used to derive high-level geographical data, and then is discarded.
A device ID is generated by New Relic and is used for billing purposes.
Auto-telemetry with Pixie is New Relic's integration of Community Cloud for Pixie, a managed version of Pixie open source software. The data that Pixie collects is stored entirely within your Kubernetes cluster. This data does not persist outside of your environment, and it will never be stored by Community Cloud for Pixie. This means that your sensitive data remains within your environment and control. For example, you can:
Control who has access to your Pixie data.
Manage auto-update and two-way communication.
For more information, see our security documentation for auto-telemetry with Pixie data.
The synthetic monitoring service uses monitors distributed throughout data centers around the world. It captures what is essentially performance data of simulated traffic. By default, it does not capture any personal data. For more information, see the data privacy and security documentation for synthetic monitoring.
If you configure the synthetic service to monitor areas of websites that are located behind a login page, take care to create a non-personal login dedicated to this purpose. This will reduce the risk of unintended personal data exposure. For example, to securely store sensitive information, such as passwords, API keys, and user names, you can use secured credentials for scripted browsers and API tests.
The synthetic monitoring service also supports a variety of authentication mechanisms. Depending on the type of monitor you choose, this includes Basic, Digest, NTLM, and NTLMv2.
