Data privacy with New Relic

New Relic takes your data privacy seriously. Our principles-based approach aims to go beyond the legal requirements for consent. We understand your concerns when you entrust us with your data, and we always strive to embrace your expectations and preferences.

This document provides links to detailed information about the privacy and security measures we take to protect your and your customers' data privacy. Our monitoring tools are data-agnostic; they don't require sensitive materials, and many of them don't require any personal data.

You are responsible for ensuring that your systems are appropriately set up and configured so that they don't send inappropriate personal data or sensitive materials to New Relic monitoring tools. For additional information about policies, credentials, audits, and other resources, see our New Relic security website.

Tip

New Relic includes the option of HIPAA-enabled accounts for customers meeting certain requirements. To learn more, see HIPAA readiness at New Relic.

Personal data transfer (Data Privacy Framework and SCC)

As of October 2023, the U.S. Department of Commerce has formally approved New Relic's certification under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK extension to the Data Privacy Framework.

The Data Privacy Framework replaces the Privacy Shield for data transfers to the U.S. The Privacy Shield was invalidated in the Schrems case. The Schrems case reaffirmed the validity of Standard Contractual Clauses (SCC) as an appropriate legal mechanism to transfer personal data outside of the European Union. Since then, New Relic has relied on the Standard Contractual Clauses as a mechanism to transfer personal data from the EU, Switzerland and the UK (the SCC were updated in 2021). You can find more information in EU-U.S. Data Privacy Framework (DPF) & International Data Transfers.

If you want to send personal data from the EU, Switzerland, and/or the UK, we offer an appropriate data processing addendum (DPA) that makes reference to the Data Privacy Framework and/or the SCC, as applicable. In the event that the Data Privacy Framework is invalidated, the SCC will automatically apply in order to ensure that there is a valid data transfer mechanism in place to govern the transfer of that data. For more information, consult our Data Processing Addendum FAQ, or download our pre-signed DPA.

We always strive to comply with all applicable laws as they take effect. This includes the European Union's General Data Protection Regulation (GDPR) and all relevant US State laws, such as the California Consumer Privacy Act (CCPA).

Our encryption at rest provides additional security while your data is at rest (FIPS 140-2 compliant). In addition, we are authorized for Moderate Impact SaaS Services (FedRAMP Authorized Moderate) for accounts that meet specific criteria.

For privacy-related details about New Relic's contractual and regulatory commitments for services, see:

For more information about annual audits, see Regulatory audits for New Relic services.

If you have further questions, please contact your account team, or privacy@newrelic.com. Please note that we are unable to provide assistance to our customers with privacy questions via any third party platforms, including, e.g., any data privacy or data privacy compliance platforms. The only method by which we can provide assistance is as set out above.

Privacy by design and by default

New Relic follows "privacy by design" principles as part of our overarching security program. For example, when New Relic agents capture a webpage or referrer URL, all query parameters are stripped by default.
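
The same default can be applied on your side before URLs are attached to custom telemetry. The code below is an added example, not New Relic agent code; the function names, attribute names and sample event are hypothetical and constructed. It goes slightly beyond the default described above by also dropping fragments and embedded credentials.

```javascript
'use strict';

// Placeholder origin used only so relative URLs can be parsed (assumption).
const BASE = 'http://relative.invalid';

// Hypothetical attribute names for URL-bearing fields in a custom event.
const URL_FIELDS = ['pageUrl', 'referrerUrl'];

// Return only origin + path. The query string, the fragment and any
// user:password@ part are discarded; they are where tokens, e-mail
// addresses and session ids most often end up.
function stripUrl(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  let url;
  try {
    url = new URL(raw, BASE);
  } catch {
    // Unparseable input: send nothing rather than a raw string.
    return null;
  }
  // Only web URLs are kept; mailto:, data: and similar schemes are dropped.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Relative input stays relative; absolute input keeps its origin.
  return url.origin === BASE ? url.pathname : url.origin + url.pathname;
}

// Copy the event and scrub every URL field that is present.
function scrubEvent(event) {
  const out = { ...event };
  for (const field of URL_FIELDS) {
    if (field in out) out[field] = stripUrl(out[field]);
  }
  return out;
}

// Constructed sample event (not real data).
const SAMPLE_EVENT = {
  eventType: 'CheckoutView',
  pageUrl: 'https://shop.example/reset?token=abc123&email=a%40b.example#step2',
  referrerUrl: 'https://user:pw@partner.example:8443/landing?campaign=42',
  durationMs: 183,
};

console.log(scrubEvent(SAMPLE_EVENT));
```

Path segments can still carry identifiers (for example `/users/<id>`), so this does not replace a review of what your routes expose.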

Here are examples of how we incorporate privacy considerations into our data and security practices.

Account security

Our role-based account structure gives you direct control over who can access or change your account settings. For more information, see Users and roles.

Audit New Relic user activity

New Relic collects user activity data when a user queries for data or makes configuration changes within an organization. You can query these events to address security-related concerns around user activity within your New Relic organization. Surfacing user activity information empowers security-sensitive customers to understand how members of their org access data in the New Relic platform.

You can surface user activity information with these events:

| Event name | Event description |
|---|---|
| NRAuditEvent | Records user activity when a user makes service configuration changes within your New Relic organization |
| NrdbQuery | Records user activity when a user queries data within the account |

You can surface user activity data by going to one.newrelic.com > All Capabilities, then working with two capabilities: Metrics & Events and Query your data. In general, you can use:

  • Metrics & Events for looking at broad, general trends
  • Query your data for answering specific, scoped questions with NRQL queries

Security for products and services

We publish security bulletins with detailed information about vulnerabilities, remediation strategies, and applicable updates for affected software.

To receive notifications for future advisories, use either of these options:

The following summarizes how individual New Relic products and components ensure security, with links to additional details.