
At New Relic we take the privacy and security of our customers’ data seriously. This FAQ guide is designed to assist you when reviewing our Data Processing Addendum (“DPA”), which New Relic makes available to its customers.

For information on New Relic’s security practices, please see our Security Site.

1. What is a DPA and does New Relic’s DPA apply to me?

  • A Data Processing Addendum (“DPA”) is a legally binding document entered into by a controller and a processor and regulates the particularities of data processing. Data Protection Laws require that controllers, processors and sub-processors must enter into written contracts, or DPAs, in order to share personal data.
  • If your company is, for example, subject to the General Data Protection Regulation (GDPR) and/or other Data Protection Laws, and you are transmitting personal data to the New Relic services for processing, then the New Relic DPA will automatically apply to the transmission of personal data.  

2. Do I need to sign New Relic’s DPA?

No. Customers do not need to sign the New Relic DPA. Not all New Relic features will involve the transmission of personal data by default. Some features will, though, and this is why we have made it easy for you to select these features comfortably in the knowledge that any personal data you transmit to the New Relic services is protected by virtue of automatically having the New Relic DPA apply. 

3. Who is the controller and who is the processor?

The customer acts as the controller with respect to any personal data contained within the Customer Data which is submitted to the New Relic service for processing. New Relic acts as the processor. When acting as a processor on behalf of customers, New Relic follows the instructions of the customer—a customer sends personal data through the service and New Relic processes what is sent. New Relic does not exercise professional judgement, or make independent decisions about the data that it receives from customers. 

4. Why can my company not use its own DPA?

The New Relic DPA is tailored to reflect New Relic’s service offering and its multi-tenant environment. It sets out the specialized processes and procedures in relation to New Relic’s obligations as a processor under Data Protection Laws. The New Relic DPA addresses requirements such as the scope and confidentiality of data processing, the security measures in place to ensure the security of customer data, the data breach notification process, and our audit and sub-processing activities. These all correlate to the way in which New Relic’s unique services and its multi-tenant infrastructure operate. 

5. What about the main agreement between the parties?

The New Relic DPA is an addendum to the main agreement between New Relic and our customer and forms part of that agreement. The online DPA will not apply to Customers who already have a separate data processing addendum with New Relic for use of the New Relic services.

6. How does New Relic meet its obligations as a Processor?

New Relic has both a dedicated security team and a dedicated privacy team within our organisation who are passionate about delivering and maintaining a world-class security/privacy program to ensure we meet our data protection and privacy obligations towards our customers.

  • We will keep your data confidential: All of New Relic’s staff who have access to our customers’ data are committed to confidentiality as part of their terms of employment with New Relic.
  • We keep your data safe and secure: At New Relic, the security of your data is of the utmost importance to us. Our information security team continues to ensure that we are in line with industry standards and best practices for all data processing.
  • We have implemented robust technical and organisational measures to assist our customers in meeting their compliance needs: At New Relic we know that our customers are subject to their own compliance obligations under Data Protection Laws with regard to the fulfilment of data subject requests and data protection impact assessments. As your processor, we are happy to assist so that you meet these obligations and we have devised our own internal technical and organisational policies and processes to enable us to do this efficiently and effectively.
  • We will only use approved sub-processors: All of our sub-processors undergo rigorous security and privacy assessment from our security and privacy team, and we will always provide you with advance notification when we want to add a new sub-processor. You can be assured that we conduct thorough due diligence prior to onboarding and that we ensure we have the appropriate contractual provisions in place. At all times New Relic remains liable for the acts of our sub-processors.
  • We will assist you in the event of a data breach: If a data breach occurs at New Relic and your data is affected, we will notify you in time for you to meet your data breach notification obligations to the supervisory authority, and we will provide you with details of the breach in order for you to assess the impact it may have upon your organisation.
  • We will provide you with the information you require so that you can satisfy yourself that you are choosing a secure service provider: So that we may meet our obligations to you, we are happy to provide answers to information security and audit questionnaires that will confirm New Relic’s compliance with its obligations as a processor.

7. I am based in Europe. Does the New Relic DPA allow me to transfer personal data to the United States, or other non EU jurisdictions, in compliance with data transfer requirements? 

Yes. New Relic is certified under the Data Privacy Framework (DPF) for transfers to the United States. The Data Privacy Framework (including the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the DPF) has been formally approved by the United States Department of Commerce. This means that personal data from the European Union (EU), Switzerland and the United Kingdom (UK) can be transferred from those locations by New Relic customers to New Relic in the United States (U.S.).

The New Relic DPA incorporates the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK extension to the DPF, and so they will all apply automatically for data transfers to the U.S. for all our customers without the need to enter into an additional transfer mechanism. We have also included the 2021 SCCs as the fall back transfer mechanism in the event that the DPF is invalidated or otherwise no longer applies. The DPF replaces the Privacy Shield and, like Privacy Shield, personal data can be transferred to companies in the U.S. that are certified under the DPF without the need to enter into additional data transfer mechanisms such as the Standard Contractual Clauses or Binding Corporate Rules (BCRs). You can read more about New Relic’s certification here.

For transfers to other non-EU jurisdictions, the New Relic DPA incorporates: (i) the Standard Contractual Clauses (2021 SCCs) pursuant to the European Commission's Implementing Decision 2021/914 of 4 June 2021 for transfers from the European Economic Area (EEA) and Switzerland, and (ii) the UK Addendum to the Standard Contractual Clauses for transfers from the UK (UK SCCs).

There are four different modules contained within the 2021 SCCs so they can be tailored specifically to reflect the type of transfer being made; for example, where it involves a transfer of personal data from a processor to a (sub)processor. 

Regarding the 2021 SCCs, which Module is applicable?

New Relic may process personal data transferred by a New Relic customer, for which New Relic may be acting as a processor (where the customer is a controller of that data) or a sub-processor (where the customer is a processor of that data). Therefore, the New Relic DPA contains both Module 2 (controller to processor transfers) and Module 3 (processor to processor transfers) of the 2021 SCCs.

The United Kingdom and Brexit: Do the SCCs and the GDPR still apply to the UK?

The GDPR has been retained in domestic law in the United Kingdom (the “UK GDPR”) and will sit alongside the UK Data Protection Act 2018 (as amended). The transfer of personal data from the UK to the EEA and to any countries that have received a finding of adequacy by the European Commission is permissible. The UK government has confirmed that it recognizes the 2021 SCCs to facilitate the transfer of personal data from the United Kingdom to countries outside the United Kingdom and to which no “adequacy decision” has been granted if used in conjunction with a UK addendum to the SCCs, for example, the “UK SCCs.” The UK addendum was drafted by the Information Commissioner’s Office (ICO) so that the 2021 SCCs can be used in the context of data transfers from the United Kingdom.

8. What is contained within the Schedules to the New Relic DPA?

  • Schedule 1 sets out the details of the processing undertaken by New Relic, including the types of data and data subjects.
     
  • Schedule 2 contains a link to the New Relic security documentation. 
     
  • Schedule 3 contains information on international data transfers.

9. I would like to ask some questions that are not answered in this guide.

For any additional information you require, you may contact your Account Executive who will be happy to assist you.

 

  

The information contained in this document does not provide legal advice. We recommend that you consult with your own legal counsel in order to obtain advice specific to your own unique situation, and how you intend to use the New Relic services. Remember, the DPA will only apply if you transmit personal data to the New Relic services for processing.