Data privacy with New Relic

New Relic takes your data privacy seriously. Our principles-based approach aims to go beyond the legal requirements for consent. We understand your concerns when you entrust us with your data, and we always strive to embrace your expectations and preferences.

This document provides links to detailed information about the privacy and security measures we take to protect you and your customers' data privacy. Our monitoring tools are data-agnostic; they don't require sensitive materials, and many of them don't require any personal data.

You are responsible for ensuring that your systems are appropriately set up and configured so that they don't send inappropriate personal data or sensitive materials to New Relic monitoring tools. For additional information about policies, credentials, audits, and other resources, see our New Relic security website.

Personal data transfer (Privacy Shield and SCC)

The Court of Justice of the EU's Schrems II ruling (July 2020) invalidated Privacy Shield. However, it explicitly reaffirmed the validity of Standard Contractual Clauses (SCC) as an appropriate legal mechanism for transferring personal data outside the European Union. You can find more information in How the Demise of Privacy Shield Affects Your New Relic Account.

If you want to send personal data from the EU, we offer an appropriate data processing agreement (DPA) with SCC to govern the transfer of that data in accordance with the Schrems decision. For more information, consult our Data Processing Addendum FAQ, or download our pre-signed DPA (PDF|697 KB).

We always strive to comply with all applicable laws as they take effect. This includes the European Union's General Data Protection Regulation (GDPR) and all relevant US State laws, such as the California Consumer Privacy Act (CCPA).

Disk-based encryption (FIPS 140-2 compliant) protects your data at rest. In addition, we are authorized for Moderate Impact SaaS Services (FedRAMP Authorized Moderate) for accounts that meet specific criteria.

For privacy-related details about New Relic's contractual and regulatory commitments for services, see:

For more information about annual audits, see Regulatory audits for New Relic services.

Privacy by design and by default

New Relic follows "privacy by design" principles as part of our overarching security program. For example, when New Relic agents capture a webpage or referrer URL, all query parameters are stripped by default.

Here are examples of how we incorporate privacy considerations into our data and security practices.

Personal data requests (GDPR, CCPA, etc.)

New Relic strives to comply with all applicable laws as they take effect. This includes the European Union's GDPR and ePrivacy Directive and all applicable privacy laws, such as the California Consumer Privacy Act (CCPA) in the US. For more information about our process when responding to requests to access or delete personal data, see New Relic personal data requests.

Events and attributes

You can query events and attributes, as well as create charts and alert conditions about this data. For a complete list of all events and attributes tracked by New Relic agents, see our data dictionary.

Events and attributes example:

If you use the Infrastructure ProcessSample event's commandLine attribute, by default we strip options and arguments from the full command line to prevent accidental leakage of sensitive information.

Dropping data at ingest

Dropping data gives you control over the data that you send to New Relic, including any personal data that you configured to be collected. By dropping specific events or attributes from events, you determine what data New Relic ultimately stores so that you can query, alert on, and analyze it. For more information, see Drop data using NerdGraph.
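As an added example (not New Relic's own code), the following Python builds the NerdGraph `nrqlDropRulesCreate` mutation for one drop rule and checks the NRQL shape before submitting it, because a drop rule takes effect as soon as it is created and the dropped data is never stored. It assumes the documented mutation and response fields and the NerdGraph endpoint `https://api.newrelic.com/graphql` with a user API key in the `API-Key` header; the account ID, event type and attribute names in the sample rule are constructed.

```python
"""Build and submit a New Relic drop rule through NerdGraph.

Added example, not New Relic's own code. Assumes the documented
`nrqlDropRulesCreate` mutation and the NerdGraph endpoint below; the
account ID and the event/attribute names in the sample are constructed.
"""
import json
import re
import urllib.request

NERDGRAPH_URL = "https://api.newrelic.com/graphql"

# NRQL shapes each action accepts:
#   DROP_DATA        drops whole events:      SELECT * FROM <EventType> [WHERE ...]
#   DROP_ATTRIBUTES  drops named attributes:  SELECT attr1, attr2 FROM <EventType> [WHERE ...]
_IDENT = r"[\w.`]+"
_DROP_DATA_RE = re.compile(
    r"^\s*SELECT\s+\*\s+FROM\s+" + _IDENT + r"(\s+WHERE\s+\S.*)?\s*$", re.I | re.S)
_DROP_ATTRIBUTES_RE = re.compile(
    r"^\s*SELECT\s+" + _IDENT + r"(\s*,\s*" + _IDENT + r")*\s+FROM\s+" + _IDENT
    + r"(\s+WHERE\s+\S.*)?\s*$", re.I | re.S)


def validate_drop_rule(action: str, nrql: str) -> None:
    """Reject a rule whose NRQL does not fit its action.

    Dropped data is never stored, so a too-broad rule (for example DROP_DATA
    with no WHERE clause on a shared event type) silently discards everything
    that matches from the moment it is created.
    """
    if action == "DROP_DATA":
        if not _DROP_DATA_RE.match(nrql):
            raise ValueError("DROP_DATA needs 'SELECT * FROM <EventType> [WHERE ...]'")
    elif action == "DROP_ATTRIBUTES":
        if not _DROP_ATTRIBUTES_RE.match(nrql):
            raise ValueError("DROP_ATTRIBUTES needs 'SELECT attr, ... FROM <EventType> [WHERE ...]'")
    else:
        raise ValueError(f"unsupported action {action!r}")


def is_valid_drop_rule(action: str, nrql: str) -> bool:
    try:
        validate_drop_rule(action, nrql)
        return True
    except ValueError:
        return False


def build_drop_rule_mutation(account_id: int, action: str, nrql: str, description: str) -> dict:
    """Return the JSON body to POST to NerdGraph for one drop rule."""
    validate_drop_rule(action, nrql)
    # GraphQL string literals use JSON-style escaping, so json.dumps yields a
    # safe literal even when the NRQL contains quotes or backslashes.
    rule = (f"{{action: {action}, nrql: {json.dumps(nrql)}, "
            f"description: {json.dumps(description)}}}")
    query = (
        f"mutation {{ nrqlDropRulesCreate(accountId: {int(account_id)}, rules: [{rule}]) "
        "{ successes { id } "
        "failures { submitted { nrql } error { reason description } } } }"
    )
    return {"query": query}


def check_response(body: dict) -> list:
    """Return IDs of created rules; raise if NerdGraph reported any failure."""
    if body.get("errors"):                      # top-level GraphQL errors (bad key, schema)
        raise RuntimeError(body["errors"])
    result = body["data"]["nrqlDropRulesCreate"]
    if result.get("failures"):
        raise RuntimeError("; ".join(
            f"{f['submitted']['nrql']}: {f['error']['reason']} {f['error']['description']}"
            for f in result["failures"]))
    return [s["id"] for s in result.get("successes", [])]


def submit_drop_rule(payload: dict, api_key: str) -> dict:
    """POST the mutation; needs network access and a user API key."""
    req = urllib.request.Request(
        NERDGRAPH_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: strip two PII attributes from a custom event type.
    payload = build_drop_rule_mutation(
        1234567, "DROP_ATTRIBUTES",
        "SELECT userEmail, userName FROM CheckoutEvent WHERE appName = 'shop'",
        "Drop customer PII from checkout events")
    print(payload["query"])
    # print(check_response(submit_drop_rule(payload, api_key="NRAK-...")))
```

Run the validation against a copy of the NRQL in a dry run first: unlike a query, a drop rule cannot be tested against existing data, and there is no undo for what it discards after creation.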

When our agents refer to data obfuscation, the agent removes the sensitive values before the data leaves your system, so the original values never reach New Relic and cannot be recovered. For example, for SQL queries captured by APM, the Record SQL? setting defaults to obfuscated: the agent strips string literals and numeric sequences from the query and replaces each one with the ? character.
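The three privacy-by-default behaviours described on this page (query parameters stripped from captured page and referrer URLs, options and arguments stripped from the Infrastructure ProcessSample commandLine, and SQL literals replaced with ?) follow one pattern: scrub on the host, before transmission. The following Python is an added example that implements simplified versions of all three; it is not the agents' code, which handles more cases (SQL comments, dialect-specific quoting), and the inputs in the usage line are constructed.

```python
"""Privacy-by-default scrubbing of the kind New Relic agents apply.

Added example, not New Relic agent code: simplified versions of three
defaults (query parameters stripped from URLs, arguments stripped from a
command line, SQL literals replaced with '?'). Sample inputs are constructed.
"""
import re
import shlex
from urllib.parse import urlsplit, urlunsplit


def strip_query_params(url: str) -> str:
    """Keep scheme, host and path; drop the query string and fragment, which
    is where e-mail addresses, tokens and session IDs usually appear."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def strip_command_args(command_line: str) -> str:
    """Keep only the executable; flags such as --password=... never leave the host."""
    try:
        argv = shlex.split(command_line)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        argv = command_line.split()
    return argv[0] if argv else ""


# Literals to replace. Hex comes first because the decimal branch would leave
# 0x1F untouched (no word boundary between '0' and 'x'). Double-quoted text is
# an identifier in standard SQL but a string in MySQL; it is obfuscated here
# to err on the side of caution.
_SQL_LITERAL_RE = re.compile(
    r"""
      \b0[xX][0-9a-fA-F]+\b            # hex literal
    | '(?:[^'\\]|\\.|'')*'             # single-quoted string, \' and '' escapes
    | "(?:[^"\\]|\\.)*"                # double-quoted string
    | \b\d+(?:\.\d+)?\b                # integer or decimal
    """,
    re.X,
)


def obfuscate_sql(sql: str) -> str:
    """Replace every literal with '?'. This is irreversible: the values are
    never sent, but table and column names and the query shape remain."""
    return _SQL_LITERAL_RE.sub("?", sql)


if __name__ == "__main__":
    print(strip_query_params("https://shop.example/checkout?email=a%40b.com&token=abc#step2"))
    print(strip_command_args("/usr/bin/psql -U admin -h db.internal --password=hunter2 mydb"))
    print(obfuscate_sql("SELECT * FROM users WHERE email = 'alice@example.com' AND id = 42"))
```

The APM agents' record SQL setting has three values, off, raw and obfuscated; only raw sends the literals, which is why the page treats obfuscated as the safe default. Note what obfuscation does not hide: table and column names still describe your schema, so a query like the one above still reveals that a users table has an email column.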

You can also mask sensitive information in HTTP or HTTPS requests. For example, query data captured in distributed traces and transaction traces is obfuscated by default, and obfuscated values cannot be recovered. For more information, see the documentation for specific New Relic services, including:

Technical security controls

We use a comprehensive set of technical controls to support general security needs as well as security for data we receive. For more information, see our documentation about data security, data encryption, and high security mode for APM agents.

Organizational security controls

New Relic maintains internal policies and procedures that guide employees on privacy-related subjects such as data classification and handling, data retention, handling of personal data, fulfilling personal data requests, and incident response. All employees must complete security and privacy training when hired and renew it annually.

Account security

Our role-based account structure gives you direct control over who can access or change your account settings. For more information, see Users and roles.

Retention of your data

Our Telemetry Data Platform is the single source of truth for your operational data. It stores different types of data for different periods of time. The Data retention page in our UI shows how long your data will be stored in the New Relic database (NRDB). For more information, see Manage data retention.

New Relic account emails

By default, we communicate with you for a variety of purposes related to your status as a New Relic subscriber, including product engagement, support, alert notifications, updates, and billing.

  • Individual users can unsubscribe from certain communications. General email preferences are managed through the account user interface. For more information, see Account email settings.
  • Alert notification emails are managed through the alerting UI.

Account changes (NrAuditEvent)

To view changes made to your account's users or configuration, query NrAuditEvent events. To be notified about account changes, create NRQL alert conditions on those events. For more information about available NrAuditEvent attributes, see our data dictionary.
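As an added example (not New Relic's own code), the following Python triages a batch of NrAuditEvent records the way a detection engineer would before turning the logic into an NRQL alert condition: it flags sensitive action types, changes to users made by an API key rather than a person, and bursts of changes by one actor, and it emits the NRQL for the matching alert. The attribute names are from the NrAuditEvent data dictionary; the sample records, the actionIdentifier values and the actorType value `api_key` are constructed assumptions and should be checked against what your account actually emits.

```python
"""Triage NrAuditEvent records for sensitive account changes.

Added example, not New Relic's own code. Attribute names (actionIdentifier,
actorType, actorEmail, actorId, targetType, targetId, description, timestamp)
are from the NrAuditEvent data dictionary; the records, the actionIdentifier
values and the actorType value "api_key" are constructed for illustration.
"""
from collections import Counter

# Fetch real data with NRQL, for example:
#   SELECT actionIdentifier, actorType, actorEmail, actorId, targetType,
#          targetId, description FROM NrAuditEvent SINCE 1 day ago
# The records below are constructed to resemble such a result.
SAMPLE_EVENTS = [
    {"timestamp": 1700000000, "actionIdentifier": "user.create", "actorType": "user",
     "actorEmail": "admin@example.com", "actorId": "1", "targetType": "user",
     "targetId": "1001", "description": "created user bob@example.com"},
    {"timestamp": 1700000060, "actionIdentifier": "alert_condition.update", "actorType": "user",
     "actorEmail": "admin@example.com", "actorId": "1", "targetType": "alert_condition",
     "targetId": "77", "description": "raised threshold"},
    {"timestamp": 1700000120, "actionIdentifier": "user.role.update", "actorType": "api_key",
     "actorEmail": "", "actorId": "key-ci-deploy", "targetType": "user",
     "targetId": "1001", "description": "role changed to admin"},
    {"timestamp": 1700000180, "actionIdentifier": "drop_rule.create", "actorType": "api_key",
     "actorEmail": "", "actorId": "key-ci-deploy", "targetType": "drop_rule",
     "targetId": "9", "description": "SELECT * FROM Log"},
] + [
    {"timestamp": 1700000300 + i, "actionIdentifier": "dashboard.update", "actorType": "user",
     "actorEmail": "alice@example.com", "actorId": "2", "targetType": "dashboard",
     "targetId": str(500 + i), "description": "edited widget"}
    for i in range(5)
]

# Action prefixes worth alerting on (assumed names; adjust to your account's data).
SENSITIVE_PREFIXES = ("user.", "api_key.", "drop_rule.")
API_KEY_ACTOR = "api_key"   # assumed actorType value for changes made with an API key


def actor_label(event: dict) -> str:
    """A person is identified by e-mail; an API key by its type and ID."""
    return event.get("actorEmail") or f"{event.get('actorType')}:{event.get('actorId')}"


def triage(events, sensitive_prefixes=SENSITIVE_PREFIXES, burst_threshold=5) -> list:
    """Return findings: sensitive actions, API-key changes to users, and bursts."""
    findings = []
    per_actor = Counter()
    for ev in events:
        actor = actor_label(ev)
        per_actor[actor] += 1
        action = ev.get("actionIdentifier", "")
        target = f"{ev.get('targetType')}:{ev.get('targetId')}"
        if action.startswith(sensitive_prefixes):
            findings.append({"reason": "sensitive_action", "actor": actor,
                             "action": action, "target": target})
        if ev.get("actorType") == API_KEY_ACTOR and ev.get("targetType") == "user":
            # Automation should rarely need to change people's accounts or roles.
            findings.append({"reason": "api_key_changed_user", "actor": actor,
                             "action": action, "target": target})
    for actor, n in per_actor.items():
        if n >= burst_threshold:
            findings.append({"reason": "burst", "actor": actor, "count": n})
    return findings


def reason_counts(findings) -> dict:
    return dict(Counter(f["reason"] for f in findings))


def alert_nrql(sensitive_prefixes=SENSITIVE_PREFIXES) -> str:
    """NRQL for an alert condition that fires on any sensitive action."""
    clauses = " OR ".join(f"actionIdentifier LIKE '{p}%'" for p in sensitive_prefixes)
    return f"SELECT count(*) FROM NrAuditEvent WHERE {clauses}"


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print(alert_nrql())
```

Start by querying the distinct actionIdentifier values your account has produced and replace the assumed prefixes with the real ones; the burst threshold is a tuning knob, since a legitimate bulk user import will also trip it.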

Account usage (NrDailyUsage)

To view daily usage of New Relic for your selected account for billing purposes, query NrDailyUsage events. For more information about available NrDailyUsage attributes, see our data dictionary.

Security for products and services

We publish security bulletins with detailed information about vulnerabilities, remediation strategies, and applicable updates for affected software.

To receive notifications for future advisories, use either of these options:

The following summarizes how individual New Relic products and components ensure security, with links to additional details.

Alerts and Applied Intelligence

By default, our alerting services do not record any personal data. In addition, they automatically set default permissions for individual account users and access levels within account structures. For more information, see our documentation about Applied Intelligence, as well as our rules and limits for alerts.

APIs

APIs are simply interfaces for automating data exchange. They have no knowledge of the content being transferred.

We require authorized users to provide their API keys to monitor subscription usage, manage account user permissions, query data, and perform other automated tasks. For more information, see Introduction to New Relic APIs.

APM

APM agents monitor your applications' performance. By default, APM agents do not record any personal data. For more information, see our APM security documentation.

Browser monitoring

Our browser monitoring agent allows you to monitor the performance of your websites. For more information, see:

Diagnostics

The New Relic Diagnostics service inspects relevant system information and any other necessary information (such as logs and config files) to perform diagnostic checks that assess configuration and operability. By default, this data is not transmitted to New Relic.

You do have the option to upload this information to a support ticket over HTTPS. For more information, see the Diagnostics security documentation.

Infrastructure monitoring

The Infrastructure agent allows you to monitor the performance of components in your ecosystem, such as servers, platforms, operating systems, databases, etc. Infrastructure may record the userID and username of users connecting to Infrastructure resources. For more information, see the security documentation for infrastructure monitoring.

Insights

The Insights service reports on data recorded by other New Relic products and services. It doesn’t record data on its own. For more information, see the Insights documentation about default data from other products and services.

Integrations and serverless monitoring

Our integrations services allow you to retrieve and load data into the New Relic database from a variety of sources, including:

  • Cloud-based integrations
  • On-host integrations in containerized environments, such as Kubernetes
  • On-host integrations built by New Relic
  • On-host integrations built by the open-source community
  • On-host integrations built by you

Depending on the integration, different types of data may be recorded so that you can monitor the integrations in New Relic.

The integration services are data agnostic. They will have no knowledge of whether the imported data contains any personal information. For more information, see the documentation for the specific integration, including:

Logs management

Due to the nature of our Logs management service, you have direct control over what data is reported to New Relic. To ensure data privacy and to limit the types of information New Relic receives, no customer data is captured except what you supply in your API calls or log forwarder configuration. All data for the Logs service is then reported to New Relic over HTTPS.

The Logs service masks number patterns that look like credit card or Social Security numbers. For more information, see the Logs security documentation.

Mobile monitoring

By default, our mobile monitoring service collects two pieces of personal data:

  • The IP address is used to derive high-level geographical data, and then is discarded.
  • A device ID is generated by New Relic and is used for billing purposes.

For more information, see our security documentation for mobile monitoring.

New Relic One

New Relic One is a connected, unified UI that gathers all the data you already monitor with New Relic in one place. It is not a product, but rather, it's a way to interact with all your New Relic data more easily. For more information, see the introduction and security documentation for New Relic One.

Plugins

The plugins service allows you to publish publicly accessible plugins in Plugin Central. Anyone who has a New Relic account can install and use these plugins through their New Relic user interface.

For some plugins, New Relic, Inc. is the publisher, and will be clearly identified as the publisher in Plugin Central. For plugins in Plugin Central that are not created by New Relic, the plugin publisher must follow specific guidelines. For more information, see the Plugins security documentation.

Synthetic monitoring

The synthetic monitoring service uses monitors distributed across data centers around the world. It captures performance data from simulated traffic. By default, it does not capture any personal data. For more information, see the data privacy and security documentation for synthetic monitoring.

If you configure synthetic monitoring to check pages behind a login, use a dedicated, non-personal login for that purpose to reduce the risk of exposing personal data. To store sensitive values such as passwords, API keys, and user names securely, use secured credentials for scripted browsers and API tests.

The synthetic monitoring service also supports a variety of authentication mechanisms. Depending on the type of monitor you choose, this includes Basic, Digest, NTLM, and NTLMv2.

You can also control which of your users can access your monitors and private locations. For more information, see our documentation about user role-based permissions.

For more help

If you need more help, check out these support and learning resources: