Security for New Relic Synthetics

New Relic Synthetics uses monitors distributed throughout data centers around the world. By design, it captures what is essentially performance data for simulated traffic. By default, it does not capture or handle any personal data. All data handled by Synthetics is expected to be non-personal.

This document provides additional details about what we do to ensure data privacy and security with Synthetics, plus additional options you can use. For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

What we do

Here's a summary of the data privacy and security measures that Synthetics automatically provides for you.

Data privacy and security Comments
No personal data

By definition, all data collected through Synthetics monitoring is test data created for the purpose of monitoring. None of this data includes personal data from any individual.

TLS

TLS encryption is required for all domains. This applies to public locations and private locations.

Authentication

Synthetics monitoring supports a variety of authentication mechanisms, including Basic, Digest, NTLM, and NTLMv2. Available options depend on the type of monitor you choose.

Data collection

The data transferred to the Synthetics endpoint includes:

  • Monitor run results, including full request and response headers of all requests, a complete HAR file of the session, and any screenshots captured (on failure or manually)
  • Polling for available jobs in the private location's queue
  • Private minion "heartbeat" every 30 seconds

The SyntheticsPrivateMinion event contains basic minion status, including job success and failure counts, queue size, minion version, etc.

Data received

Data received from the Synthetics endpoint contains the scheduled check's details. This includes the information necessary to complete the check for the minion:

  • Target URL
  • Validation text
  • Full script (for Synthetics scripted browser monitors)

Data storage location

Data collected by Synthetics is stored in the region selected by each customer for their account (US or EU).

Monitor configuration details (including frequency, check locations, target URL, and the full script for any scripted browser or API test monitors) are stored on our end. We also store all monitor check results for each monitor type.

Data storage by monitor type

For ping monitors, data storage includes the HAR file, which includes all requests and responses made during the check.

For simple browsers, scripted browsers, and API tests, data storage includes the following:

  • The HAR file includes full request and response headers for all requests made during the check.
  • Screenshots taken during the check are automatically included for simple and scripted browser monitors only on failure. However, you can configure screenshot capture manually with scripting.
  • The browser log (JS console) is automatically included for simple and scripted browsers.
  • Any script output is included for scripted browsers and API test monitors.

Response bodies

New Relic never stores response bodies from requests originated by Synthetics, unless you have manually configured a monitor script to do so.
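
Response bodies are not stored, but the HAR file keeps full request and response headers, so any credential a monitor sends or receives in a header is part of that file. The following is an added example, not New Relic code: it audits a HAR 1.2 capture for credential-bearing headers without printing their values. The header list, the function names and the sample capture are assumptions constructed for illustration.

```javascript
// Added example. Header list and sample HAR are constructed for illustration.
const SENSITIVE = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'set-cookie', 'x-api-key',
]);

// Describe a value without echoing the secret: scheme or cookie name, plus length.
function describe(name, value) {
  if (name.endsWith('authorization')) {
    const sp = value.indexOf(' ');
    return `${sp > 0 ? value.slice(0, sp) : '(no)'} scheme, ${value.length} chars`;
  }
  if (name.includes('cookie')) {
    const eq = value.indexOf('=');
    return `first cookie "${eq > 0 ? value.slice(0, eq).trim() : '?'}", ${value.length} chars`;
  }
  return `${value.length} chars`;
}

// Walk HAR 1.2 log.entries[].request/response.headers[] and return findings.
function auditHar(har) {
  const entries = har && har.log && Array.isArray(har.log.entries) ? har.log.entries : [];
  const findings = [];
  entries.forEach((entry, index) => {
    for (const side of ['request', 'response']) {
      const headers = (entry && entry[side] && entry[side].headers) || [];
      for (const { name, value } of headers) {
        const key = String(name || '').toLowerCase();
        if (!SENSITIVE.has(key)) continue;
        const url = entry.request ? entry.request.url : '(unknown)';
        findings.push({ entry: index, url, side, header: name, hint: describe(key, String(value || '')) });
      }
    }
  });
  return findings;
}

// Constructed sample: one authenticated page load and one anonymous health check.
const sampleHar = { log: { version: '1.2', entries: [
  { request: { url: 'https://app.example.test/account', headers: [
      { name: 'Authorization', value: 'Basic Y29uc3RydWN0ZWQ6dmFsdWU=' },
      { name: 'Accept', value: 'text/html' }] },
    response: { headers: [
      { name: 'Set-Cookie', value: 'session=constructed-value; HttpOnly; Secure' }] } },
  { request: { url: 'https://app.example.test/health', headers: [
      { name: 'Accept', value: '*/*' }] },
    response: { headers: [{ name: 'Content-Type', value: 'application/json' }] } },
] } };

console.table(auditHar(sampleHar));
```

Each finding names the entry, URL, direction and header, which is enough to decide whether the monitor should use a dedicated non-personal login or a shorter-lived credential.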

IP addresses

Synthetics public minions are expected to be activated using non-personal credentials. Their IP addresses are not defined as personal data under data protection and privacy laws.

What you can do

For additional levels of security and data privacy when using Synthetics, consider using these options.

Additional measures Comments
User access

To control which of your users can access your monitors and private locations, set up role-based Synthetics permissions and user groups. In addition, to track and be notified about changes, use audit logs and alert notifications.

Passwords, API keys, user names, etc.

To securely store sensitive information, use secured credentials for scripted browsers and API tests. The credentials are securely stored using AES-GCM 256-bit encryption at rest with keys managed by Amazon AWS Key Management Service (KMS).

Sites behind firewalls

To control what sites you want to monitor behind your firewall, you can:

  • Add the Synthetics public minion IP addresses to your allow list or deny list.
  • Use private locations to monitor sites or endpoints. This can provide an extra layer of security when monitoring your internally hosted sites and services.

Webpages behind login pages

If you configure Synthetics to monitor areas of a website that are behind a login page, be sure to create a non-personal login specifically for this purpose. This unique login reduces the risk of unintended personal data exposure.

Proxy configuration

Aside from the target URLs monitored by Synthetics, private minions regularly send data to and receive data from the Synthetics endpoint. To configure a proxy for all traffic to and from this endpoint, set the MINION_API_PROXY environment variable on the minion host.

Private minions security

To ensure that only the scripts you intend to run are allowed to run on private minions, use verified script execution.
