New Relic takes your data privacy seriously. Our principles-based approach aims to go beyond the legal requirements for consent. We understand your concerns when you entrust us with your data, and we always strive to embrace your expectations and preferences.
This document provides links to detailed information about the privacy and security measures we take to protect you and your customers' data privacy. Our monitoring tools are data-agnostic; they don't require sensitive materials, and many of them don't require any personal data.
You are responsible for ensuring that your systems are appropriately set up and configured so that they don't send inappropriate personal data or sensitive materials to New Relic monitoring tools. For additional information about policies, credentials, audits, and other resources, see our New Relic security website.
New Relic includes the option of HIPAA-enabled accounts for customers meeting certain requirements. To learn more, see HIPAA readiness at New Relic.
If you want to send personal data from the EU, we offer an appropriate data processing agreement (DPA) with SCC to govern the transfer of that data in accordance with the Schrems decision. For more information, consult our Data Processing Addendum FAQ, or download our pre-signed DPA (PDF, 697 KB).
Compliance with legal requirements
We always strive to comply with all applicable laws as they take effect. This includes the European Union's General Data Protection Regulation (GDPR) and all relevant US State laws, such as the California Consumer Privacy Act (CCPA).
New Relic follows "privacy by design" principles as part of our overarching security program. For example, when New Relic agents capture a webpage or referrer URL, all query parameters are stripped by default.
Here are examples of how we incorporate privacy considerations into our data and security practices.
New Relic strives to comply with all applicable laws as they take effect. This includes the European Union's GDPR and ePrivacy Directive and all applicable privacy laws, such as the California Consumer Privacy Act (CCPA) in the US. For more information about our process when responding to requests to access or delete personal data, see New Relic personal data requests.
You can query events and attributes, as well as create charts and alert conditions about this data. For a complete list of all events and attributes tracked by New Relic agents, see our data dictionary.
Dropping data gives you control over the data that you send to New Relic, including any personal data that you configured to be collected. By dropping specific events or attributes from events, you determine what data New Relic ultimately stores so that you can query, alert on, and analyze it. For more information, see Drop data using NerdGraph.
When our agents refer to data obfuscation, the agent actually removes the data before sending it to New Relic; the data cannot be recovered. For example, for APM queries the Record SQL? setting defaults to obfuscated, which strips string literals and numeric sequences from the query and replaces each of them with the ? character.
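To make the obfuscated setting concrete, here is an added example (not New Relic's agent code) that replaces string literals and numeric sequences in a SQL statement with ? before the statement would leave the process; the regular expressions and the `obfuscate_sql` name are this example's own assumptions.

```python
import re

# Constructed illustration of the "obfuscated" Record SQL behaviour:
# every string literal and numeric sequence is replaced with "?" locally,
# so the original values are never transmitted and cannot be recovered.
# This is NOT New Relic's implementation; the patterns below are assumptions.

# Single- or double-quoted string literal. Allows backslash escapes (\')
# and doubled quotes ('' / "") inside the literal.
_STRING = r"'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.|\"\")*\""
# Numeric literal: digits with optional fraction and exponent. The word
# boundaries keep identifiers such as "t2" or "col_42" intact.
_NUMBER = r"\b\d+(?:\.\d+)?(?:[eE][+-]?\d+)?\b"
# String branch is listed first so digits inside a quoted literal are
# consumed as part of that literal rather than matched separately.
_LITERAL = re.compile(f"{_STRING}|{_NUMBER}")

def obfuscate_sql(query: str) -> str:
    """Return `query` with each string and numeric literal replaced by '?'."""
    return _LITERAL.sub("?", query)

if __name__ == "__main__":
    # Constructed sample query; the literals are the sensitive parts.
    sample = "SELECT * FROM users WHERE email = 'a@b.com' AND id = 42"
    print(obfuscate_sql(sample))
```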
You can mask sensitive information in HTTP or HTTPS requests. For example, queries captured in distributed traces and transaction traces are obfuscated by default, in which case they cannot be recovered. For more information, see the documentation for specific New Relic services, including:
New Relic maintains a number of internal policies and procedures to guide employees in privacy-related subjects such as data classification and handling, data retention, handling of personal data, fulfilling personal data requests, incident response, etc. All employees must complete the security and privacy training upon hiring and renew this training annually.
Our role-based account structure gives you direct control over who can access or change your account settings. For more information, see Users and roles.
The New Relic platform gives you a single source of truth for all your operational data, empowering you to ask and answer any question in milliseconds. This platform stores different types of data for different periods of time. The Data retention page in our UI provides information on how long your data will be stored in the New Relic database (NRDB). For more information, see Manage data retention.
By default, we communicate with you for a variety of purposes related to your status as a New Relic subscriber, including product engagement, support, alert notifications, updates, and billing.
Individual users can unsubscribe from certain communications. General email preferences are managed through the account user interface. For more information, see Account email settings.
The following summarizes how individual New Relic products and components ensure security, with links to additional details.
By default, our alerting services do not record any personal data. In addition, they automatically set default permissions for individual account users and access levels within account structures. For more information, see our documentation about applied intelligence, as well as our rules and limits for alerts.
APIs are simply interfaces for automating data exchange; they have no knowledge of the content being transferred.
We require authorized users to provide their API keys to monitor subscription usage, manage account user permissions, query data, and perform other automated tasks. For more information, see Introduction to New Relic APIs.
APM agents monitor your applications' performance. By default, APM agents do not record any personal data. For more information, see our APM security documentation.
Our browser monitoring agent allows you to monitor the performance of your websites. For more information, see:
The New Relic Diagnostics service inspects relevant system information and any other necessary information (such as logs and config files) to perform diagnostic checks that assess configuration and operability. By default, this data is not transmitted to New Relic.
The Infrastructure agent allows you to monitor the performance of components in your ecosystem, such as servers, platforms, operating systems, databases, etc. Infrastructure may record the userID and username of users connecting to Infrastructure resources. For more information, see the security documentation for infrastructure monitoring.
Our integrations services allow you to retrieve and load data into the New Relic database from a variety of sources, including:
On-host integrations in containerized environments, such as Kubernetes
On-host integrations built by New Relic
On-host integrations built by the open-source community
On-host integrations built by you
Depending on the integration, different types of data may be recorded so that you can monitor the integrations in New Relic.
The integration services are data-agnostic. They have no knowledge of whether the imported data contains any personal information. For more information, see the documentation for the specific integration, including:
Due to the nature of our logs management service, you have direct control over what data is reported to New Relic. To ensure data privacy and to limit the types of information New Relic receives, no customer data is captured except what you supply in your API calls or log forwarder configuration. All data for the logs service is then reported to New Relic over HTTPS.
The logs service automatically masks number patterns that appear to be for items such as credit cards or Social Security numbers. You can also manage obfuscation rules and expressions to hash or mask your log data. For more information, see our obfuscation and Logs security documentation.
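The following added example (not New Relic's log pipeline) shows the two behaviours the paragraph describes on a constructed log line: number patterns that look like an SSN or a Luhn-valid card number are either masked with a fixed token or replaced by a truncated SHA-256 hash. The patterns, the `XXXXXXXX` token and the function names are assumptions of this example.

```python
import hashlib
import re

# Constructed illustration only; not New Relic's obfuscation rules.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally grouped by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MASK_TOKEN = "XXXXXXXX"

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; reduces false positives on order numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def hash_token(raw: str) -> str:
    """Truncated SHA-256: equal values stay correlatable but unreadable."""
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def obfuscate_log_line(line: str, mode: str = "mask") -> str:
    """Mask (mode='mask') or hash (mode='hash') SSN-like and card-like runs."""
    def replace(m: re.Match) -> str:
        return hash_token(m.group(0)) if mode == "hash" else MASK_TOKEN

    def card_replace(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # not a plausible card number; leave as-is
        return replace(m)

    line = SSN_RE.sub(replace, line)
    return CARD_RE.sub(card_replace, line)

if __name__ == "__main__":
    # Constructed sample line containing an SSN, a test card number, and a
    # 16-digit order id that fails the Luhn check and must survive intact.
    sample = ("2024-01-01 ssn=123-45-6789 card=4111 1111 1111 1111 "
              "order=1234567890123456")
    print(obfuscate_log_line(sample))
    print(obfuscate_log_line(sample, mode="hash"))
```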
By default, our mobile monitoring service collects two pieces of personal data:
The IP address is used to derive high-level geographical data and is then discarded.
A device ID is generated by New Relic and is used for billing purposes.
Auto-telemetry with Pixie is New Relic's integration of Community Cloud for Pixie, a managed version of Pixie open source software. The data that Pixie collects is stored entirely within your Kubernetes cluster. This data does not persist outside of your environment, and it will never be stored by Community Cloud for Pixie. This means that your sensitive data remains within your environment and control. For example, you can:
If you configure the synthetic service to monitor areas of websites that are located behind a login page, take care to create a non-personal login dedicated to this purpose. This will reduce the risk of unintended personal data exposure. For example, to securely store sensitive information, such as passwords, API keys, and user names, you can use secured credentials for scripted browsers and API tests.
The synthetic monitoring service also supports a variety of authentication mechanisms. Depending on the type of monitor you choose, this includes Basic, Digest, NTLM, and NTLMv2.