Last updated June 15, 2023.
This is a supplement to our security policy and serves as a guide to New Relic’s description of its Services, functionalities, and features.
Tip
We may update the URLs in this document without notice.
Security Program
New Relic follows "privacy by design" principles as described here: https://docs.newrelic.com/docs/security/security-privacy/data-privacy/data-privacy-new-relic/.
Security Domains
New Relic’s policies and procedures cover industry-recognized security domains such as Endpoint Protection; Portable Media Security; Mobile Device Security; Wireless Security; Configuration Management; Vulnerability Management; Network Protection; Transmission Protection; Password Management; Access Control, Audit Logging & Monitoring; Education, Training, and Awareness; Third Party Assurance; Incident Management; Business Continuity and Disaster Recovery; Risk Management; Data Protection & Privacy; and Service Management Systems.
Security Certifications
New Relic audits its Services against industry standards as described at https://docs.newrelic.com/docs/security/security-privacy/compliance/regulatory-audits-new-relic-services/.
Data Control, Facilities, and Encryption
New Relic provides its customers with control of their data as follows:
- New Relic's customers can use any number of methods to send data to New Relic's APIs, such as (1) using New Relic's software, (2) using vendor-neutral software that is managed and maintained by a third party (e.g., OpenTelemetry instrumentation provided by opentelemetry.io), or (3) from third-party systems that customers manage and/or control.
- New Relic's customers can use New Relic's Services such as NerdGraph to filter out and drop data. See Drop data using nerdgraph.
- New Relic's customers can adjust their data retention periods as appropriate for their needs. See Adjust retention.
- New Relic's capabilities obfuscate numbers that match known patterns, such as bank card and social security numbers as described in our log management security documentation. Customers that meet certain requirements can obfuscate their data as described here.
- New Relic honors requests to delete personal data in accordance with applicable privacy laws. Please see https://docs.newrelic.com/docs/security/security-privacy/data-privacy/data-privacy-new-relic/.
- Customers may use New Relic's APIs to query data, such as NerdGraph described here, and New Relic Services to export the data to other cloud providers. Customers that meet certain requirements can export their data as described here and here.
- Customers can configure their log forwarder; see this before sending infrastructure logs to New Relic.
- For New Relic Customers in New Relic's AWS US, FedRAMP and HIPAA-enabled environments, Customer Data is replicated via Amazon Simple Storage Service (S3). For Customers in New Relic's Azure US environment, Customer Data is replicated via Azure storage to the off-site backup system via Amazon Simple Storage Service (S3).
| Category of Customer | | | | | |
|---|---|---|---|---|---|
| Description | | | | | |
| Data is stored in Amazon Web Services (“AWS”). | | | | | |
| *Data is stored in Azure. | | | | | |
| Data is stored in IBM | | | | | |
| Data for New Relic incident intelligence is stored in Google Cloud | | | | | |
| New Relic regularly tests, assesses, and evaluates its measures to ensure the security of processing using industry-recognized standards and uses independent third-party auditors as provided below: | | | | | |
| Annual SOC 2 Type 2 | | | | | |
| Annual FedRAMP assessment by an independent third-party pursuant to NIST 800-53 rev 4 Moderate authorization. | | | | | |
| Annual HITRUST-validated assessment by an independent third-party *Pursuing CY2021 Q4 | | | | | |
| ISO 27001 | | | | | |
| TISAX | | | | | |

- The Services that operate on Amazon Web Services (“AWS”) are protected by the security and environmental controls of AWS. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. Data encryption at rest utilizes FIPS 140-2 compliant encryption methodology. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.
- The Services that operate on Google Cloud Platform ("GCP") are protected by the security and environmental controls of GCP. Detailed information about GCP security is available at https://cloud.google.com/docs/tutorials#security. For GCP reports, please see https://cloud.google.com/security/compliance/.
- *The Services in the following data centers are being migrated and will be deprecated by July 2024:
  - IBM
  - Deft
  - Zayo
  - QTS
Law Enforcement Request Report
New Relic has not to date received any request for customer data from a law enforcement or other government agency (including under any national security process), and has not made any corresponding disclosures.