This doc describes New Relic's security policies and procedures. To get a general overview of our approach to security, or get in touch with our Security Team, see newrelic.com/security.
Updated 26 October 2022.
The below Security Policy applies only to customers with an existing New Relic agreement in place that explicitly references this Security Policy applying to the Service purchased in an Order. Capitalized terms not defined below shall take on the meaning set forth in such New Relic agreement.
New Relic Security Policy
This Policy describes New Relic's security program and the technical and organizational security controls to protect New Relic's systems as shown in New Relic's third-party audits and certifications. New Relic may update this Policy from time to time, and such updates will not materially reduce the overall protections set forth in this Policy. The then-current terms of this Policy are available at https://docs.newrelic.com/docs/licenses/license-information/referenced-policies/security-policy/.
2. Security Overview
2.1. New Relic maintains a comprehensive Information Protection Program to manage information security within New Relic that includes administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Customer Data and that is appropriate to the nature, size, and complexity of New Relic's business operations. New Relic's Information Protection Program includes:
2.1.1. executive review, support and accountability for all security related policies and practices;
2.1.2. formal written policies and procedures that are designed to protect against the loss, theft, or other unauthorized access or alteration of Customer Data, meet or exceed applicable industry standards, outline a definition of information security and its overall objectives, and include defined information security roles and responsibilities, a framework for setting control objectives and controls, a formal and effective risk mitigation program, and a service provider security management program;
2.1.3. periodic risk assessments, including internal audits and/or independent 3rd party audits, to measure the effectiveness and appropriateness of controls for all systems processing Customer Data;
2.1.4. in-depth review of security incidents, including effective determination of root cause and corrective action; formal, industry-recognized controls frameworks based on an external audit standard;
2.1.5. employee screening and access management; and
2.1.6. comprehensive security testing, vulnerability identification, and mitigation methodology that consists of a variety of independent approaches that, when combined, are designed to maximize coverage for a diverse set of attack vectors.
2.2. New Relic's Chief Information Security Officer (CISO) leads New Relic's Information Security Program and develops, reviews, and approves, with appropriate stakeholders, New Relic's security policies and procedures. New Relic has appointed data protection officer(s) as described in New Relic's Privacy Notices who are consulted as necessary under applicable laws.
2.3. Information security objectives, approach, scope, importance, goals, and principles for the organization's security program are formally identified, communicated throughout the organization to users in a form that is relevant, accessible, and understandable to the intended reader, and supported by a controls framework that considers legislative, regulatory, contractual, and other policy-related requirements.
2.4. New Relic will maintain written policies and procedures to review, test, and approve (as appropriate) changes affecting New Relic infrastructure and systems that process Customer Data including, but not limited to, peer reviews prior to introducing new code into production. New Relic will establish acceptance criteria for new information systems, upgrades, and new versions and will carry out suitable tests of the system(s) during development and prior to acceptance. Any changes or updates will not materially decrease the security of the systems.
3.1. New Relic regularly tests, assesses, and evaluates its security measures for protecting Customer Data using industry-recognized standards and uses independent third-party auditors to verify such controls.
3.2. New Relic agrees to provide Customer, upon request, with applicable certifications or reports about New Relic systems. All information exchanged in connection with the audit activities described in this section is deemed to be the Confidential Information of New Relic.
3.3. Additional information about New Relic's security certifications is available on New Relic's Security Guide.
4. Data Control and Encryption
4.1. The Service and related features are designed to provide Customer with control over Customer's data sources and Customer's environments that are monitored and sending data to New Relic.
4.2. New Relic will have established methods to: (i) enable Customer to use encryption on Customer Data in transit from Customer's environment to New Relic, and (ii) securely hash passwords in storage following industry standard practices (e.g. scrypt) as described in the Documentation. Server certificate-based authentication is used as part of the TLS encryption with a trusted certificate authority.
4.3. New Relic receives and processes data in accordance with the Agreement and the Services as described in the Documentation. New Relic permits customers to delete personal data in accordance with applicable privacy laws as further described in the Documentation. In the event of an error in personal data sent as part of Customer Data, Customers may request deletion of the personal data and re-send data that is accurate.
4.4. Additional information for Customer data control and encryption, including encryption of data at rest, is available on New Relic's Security Guide.
5.1. All physical locations that process Customer Data are co-locations and third party data centers. All physical locations have security measures in place that are designed to prevent unauthorized physical access to data processing facilities and unlawful access, modification, or destruction of Customer Data.
5.2. New Relic will seek assurances (e.g., in the form of an independent 3rd party audit report such as the SOC 2 Type 2, ISO 27001, and vendor security evaluations) from its data processing facilities vendors that store or process Customer Data that they:
5.2.1. secure their data processing facilities in an access-controlled location and have protections in place to prevent unauthorized access, damage, and interference;
5.2.2. employ physical security appropriate to the classification of the assets and information being managed, which may include card key access, security cameras, and solid wall construction for all exterior walls;
5.2.3. limit and screen all entrants, which may include measures such as an on-site security guard, badge reader, electronic lock, or monitored closed-circuit television (CCTV); and
5.2.4. maintain relevant access logs.
5.3. Additional information about New Relic's third party data centers is available on New Relic's Security Guide.
6. Employee Access, Screening and Controls
New Relic will have and maintain policies and practices that include, at a minimum, the following controls and safeguards applied to New Relic employees and contractors who may access Customer Data:
6.1. For U.S. New Relic employees and subject to applicable law, a criminal background screening of each of its new employees to whom it gives access to Customer Data at the federal, state, and county levels. For non-U.S. New Relic employees, New Relic will use commercially reasonable efforts to meet the same criteria as established for U.S.-based New Relic employees, subject to general business practices in the respective country and in compliance with applicable local law requirements;
6.2. All New Relic employees with access to Customer Data will undergo adequate training, such as annual security awareness training, in the care, protection and handling of Customer Data, and will align with the privacy and security measures set out in this Addendum by following the guidance provided in their welcome package, which includes New Relic's security policies and a security acknowledgement;
6.3. A disciplinary policy and process, to be used when New Relic employees violate New Relic security or privacy policies or access Customer Data without prior authorization;
6.4. Administrative or remote access to New Relic systems that process Customer Data will align with industry standard practices, including multi-factor authentication;
6.5. Restricted access to New Relic proprietary source code to prevent unauthorized access;
6.6. Controls designed to ensure that only those New Relic employees with an actual need-to-know will have access to New Relic systems including, but not limited to, the use of a formal access management process for the request, review, approval, and provisioning;
6.7. Controls designed to ensure that New Relic employees are granted access to New Relic systems based on least-privilege principles; and
6.8. Revoke access to New Relic employees no longer requiring access.
7. Security Incident and Data Breach Response
7.1. New Relic will take appropriate physical, technical, and administrative security measures that are commercially reasonable and consistent with industry standards to prevent a Data Breach, and as required by any applicable law or regulation. “Data Breach” means the theft, loss, or unauthorized access of Customer Data. Without limiting the foregoing, New Relic will implement security measures at least as stringent as those set out in this Addendum. New Relic will designate a senior representative to provide incident briefings, as needed in case of a Data Breach, and to respond to reasonable requests by Customer pertaining to privacy and data security issues within a commercially reasonable time frame.
7.2. New Relic will:
7.2.1. Notify Customer without undue delay if New Relic becomes aware of a Data Breach;
7.2.2. Maintain a security incident response plan, including procedures and means to respond in a manner consistent with industry standards;
7.2.3. Reasonably cooperate with Customer to investigate and remediate a Data Breach and mitigate any further risk to the Customer Data, or risk to data subjects and/or Customer's reputation or brand;
7.2.4. Provide reasonable assistance to Customer at New Relic's sole cost and expense; and
7.2.5. Make commercially reasonable efforts to preserve evidence and reasonably cooperate with Customer and legal authorities (as applicable and legally permissible) during an investigation of a Data Breach.
8. Network and Systems Security
8.1. All extranet connectivity by New Relic personnel to systems processing Customer Data will be through secure remote connections.
8.2. Network segments connected to the Internet will be protected by secure access control mechanisms, such as a firewall configured to secure all devices behind it and to properly address security concerns according to industry standard practices.
8.3. New Relic will have industry standard measures in place to actively monitor its systems and help detect a potential hostile attack, such as Network Intrusion Detection (NID) or Host Intrusion Detection (HID)/Prevention.
8.4. Applications, ports, services, and similar access points installed on a computer or network facility, which are not specifically required for business functionality, will be disabled or removed.
8.5. New Relic maintains configuration standards for authorized operating systems and software for systems that support processing of Customer Data. New Relic will establish and follow server configuration guidelines and processes for preventing unauthorized access to Customer Data. New Relic maintains secure images or templates for systems based on the organization's approved configuration standards.
8.6. Development, test, and operational environments will be logically separated to reduce the risks of unauthorized access or changes to the operational system.
8.7. New Relic network architecture will be designed to limit site access and restrict the availability of information systems that are considered to be vulnerable to attack.
8.8. New Relic provides appropriate TLS certificates when users access and view Customer Data in the Service. New Relic's software for sending Customer Data to New Relic will encrypt Customer Data in transit by default.
9. Authentication and Access Management
If you subscribe to the requisite New Relic Service, New Relic will provide industry standard authentication and access controls to protect Customer Data, including industry standard authentication methods utilized to help prevent unauthorized access to the Service. New Relic's access control methods will clearly state the rules and rights for each user or group of users including applications and information sharing and will include a process for granting and removing access to all information systems processing Customer Data. A record of all privileges allocated will be maintained pursuant to the requirements herein.
9.1. In the event New Relic is required by law, regulation, or legal process to disclose any Customer Data, New Relic shall (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.
10. Vulnerability Management
New Relic will have and maintain the following vulnerability management processes for all devices used to connect to the New Relic network and Services.
10.1. New Relic will align to industry standard practices for build out, minimization of services, and secure configuration, in accordance with industry-recognized minimum security baselines for the New Relic platform and subcontractor systems connected to the New Relic platform in relation to the provision of the Services.
10.2. New Relic will employ industry-recognized standards and tools to conduct frequent infrastructure vulnerability scanning to test New Relic's network and infrastructure and application penetration testing to test the New Relic Services. New Relic applies “Medium”, “High” and “Critical” security patches for all components in production and development environments as soon as commercially possible in accordance with its vulnerability management protocol, and consistent with industry standard practices and standards;
10.3. New Relic will have processes in place designed to ensure adherence to industry standard security development practices for development and testing for all code, APIs, and applications deployed and implemented in support of the Service;
10.4. New Relic will have and maintain solutions to identify and prevent malicious attackers or code from accessing or compromising Customer Data or systems that process Customer Data. These include, but are not limited to, software that identifies and removes malware and detects attempted intrusions. New Relic will have a security event and incident monitoring system and supporting processes to notify appropriate personnel in response to threats.
11. System Access and Logging
11.1. Access to New Relic's systems will not be granted to employees of New Relic unless they have been uniquely identified and have sufficient credentials.
11.2. Access to New Relic's systems will be logged and retained for no less than 6 months to assist in investigations and access control monitoring, including, but not limited to, end user access and activities, and information security events.
11.3. New Relic agrees to provide Customer the capability to access log records relating to Customer Accounts and the New Relic systems that process Customer Data in the event of a Data Breach or if required in connection with a law enforcement request.
12. Disaster Recovery and Data Backup
12.1. New Relic will have plans designed to respond to loss of services, which are tested and reviewed at least annually. This plan will include documented policies and procedures to restore service in the event of a service failure.
12.2. New Relic will establish and follow backup and restore procedures for Customer Data.
12.3. New Relic's business continuity plan identifies critical systems. Annual disaster recovery tests are performed to verify that Customer Data can be restored in the event of an incident.
12.4. New Relic will provide Customer with redacted copies of its plan(s) and evidence of tests/reviews upon request, but not more frequently than once annually, and subject to confidentiality requirements.
12.5. Additional information for Customer Data control and encryption is available on New Relic's Security Guide.
13. Copies and Removal
13.1. In addition to any obligations of New Relic in the Agreement, upon expiration or termination of the Agreement for any reason: (a) New Relic will, and will cause its personnel, to cease all access and use of any Customer Data, and (b) New Relic will delete all copies of Customer Data within ninety (90) days.
13.2. New Relic will maintain a process of ensuring secure destruction and deletion of all Customer Data, when reasonably requested by Customer or as otherwise provided in the Agreement. The process will include industry standard processes so that: (i) Customer Data cannot be practicably read or reconstructed, and (ii) the systems that store Customer Data are securely erased and/or decommissioned disks are destroyed.
14. Third Party Vendor Management
New Relic may use third party vendors to provide the Services. New Relic performs a security risk-based assessment of prospective vendors before working with them to validate they meet New Relic's security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements. New Relic enters into written agreements with its vendors that process Customer Data which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process for New Relic to maintain the security posture in this Policy, including following industry security standards.
15. Disclosure by Law
In the event New Relic is required by law, regulation, or legal process to disclose any Customer Data, New Relic will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed. New Relic publishes its law enforcement requests report on New Relic's Security Guide.
As New Relic releases new products, services, functionality, and features, New Relic may update this Policy to account for such products, services, functionality, and features.
For additional information, see our Security Guide.