Last updated September 17, 2021.
This is a supplement to our security policy and serves as a guide to New Relic’s description of its Services, functionalities, and features.
We may update the URLs in this document without notice.
New Relic follows "privacy by design" principles as described here: https://docs.newrelic.com/docs/security/security-privacy/data-privacy/data-privacy-new-relic/.
New Relic’s policies and procedures cover industry-recognized security domains such as Endpoint Protection; Portable Media Security; Mobile Device Security; Wireless Security; Configuration Management; Vulnerability Management; Network Protection; Transmission Protection; Password Management; Access Control, Audit Logging & Monitoring; Education, Training, and Awareness; Third Party Assurance; Incident Management; Business Continuity and Disaster Recovery; Risk Management; Data Protection & Privacy; and Service Management Systems.
New Relic audits its Services against industry standards as described at https://docs.newrelic.com/docs/security/security-privacy/compliance/regulatory-audits-new-relic-services/.
Data Control, Facilities, and Encryption
- New Relic's customers can send data to New Relic's APIs (1) by using New Relic's software, (2) by using vendor-neutral software that is managed and maintained by a third party, such as OpenTelemetry instrumentation provided by opentelemetry.io, or (3) from third-party systems that customers manage and/or control.
- New Relic's customers can use New Relic's Services such as NerdGraph to filter out and drop data. See https://docs.newrelic.com/docs/telemetry-data-platform/manage-data/drop-data-using-nerdgraph/.
- New Relic's customers can adjust their data retention periods as appropriate for their needs. See https://docs.newrelic.com/docs/telemetry-data-platform/manage-data/manage-data-retention/#adjust-retention.
- New Relic's log management capabilities obfuscate numbers that match known patterns, such as bank card and social security numbers, as described in our log management security documentation.
- New Relic honors requests to delete personal data in accordance with applicable privacy laws. Please see https://docs.newrelic.com/docs/security/security-privacy/data-privacy/data-privacy-new-relic/.
- Customers may use New Relic's APIs to query data, such as NerdGraph described here, and New Relic Services to export the data to other cloud providers.
- Customers can configure their log forwarder [https://docs.newrelic.com/docs/logs/enable-log-management-new-relic/enable-log-monitoring-new-relic/forward-your-logs-using-infrastructure-agent/] before sending infrastructure logs to New Relic.
- For New Relic Customers in New Relic US, FedRAMP and HIPAA-enabled environments, Customer Data is replicated to the off-site backup system via Amazon Simple Storage Service (S3).
Category of Customer
Data is stored in Amazon Web Services (“AWS”).
Data is stored in IBM
Data for New Relic incident intelligence is stored in Google Cloud
New Relic regularly tests, assesses, and evaluates its measures to ensure the security of processing using industry-recognized standards and uses independent third-party auditors as provided below:
Annual SOC 2 Type 2
Annual FedRAMP assessment by an independent third-party pursuant to NIST 800-53 rev 4 Moderate authorization.
Annual HITRUST-validated assessment by an independent third-party *Pursuing CY2021 Q4
- The Services that operate on Amazon Web Services (“AWS”) are protected by the security and environmental controls of AWS. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. Data encryption at rest utilizes FIPS 140-2 compliant encryption methodology. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.
- The Services that operate on Google Cloud Platform ("GCP") are protected by the security and environmental controls of GCP. Detailed information about GCP security is available at https://cloud.google.com/docs/tutorials#security. For GCP reports, please see https://cloud.google.com/security/compliance/.
Law Enforcement Request Report
New Relic has not to date received any request for customer data from a law enforcement or other government agency (including under any national security process), and has not made any corresponding disclosures.