At New Relic we take the privacy and security of our customers’ data seriously. This FAQ guide is designed to assist you when completing our Data Processing Addendum (“DPA”) which New Relic makes available to its customers. This document can be found here.
Please note that as of January 1, 2021, the DPA has been updated to take into account the United Kingdom’s withdrawal from the European Union.
The GDPR will be retained in domestic law in the United Kingdom (the ‘UK GDPR’) and will sit alongside the UK Data Protection Act 2018 (as amended).
The UK government has confirmed that it intends to recognize the existing EU Commission approved Standard Contractual Clauses to facilitate the transfer of personal data from the United Kingdom to countries outside the United Kingdom for which no ‘adequacy decision’ has been granted.
For more information on how New Relic processes personal data, please see our General Data Privacy Notice.
For more information on GDPR and New Relic, please see our GDPR FAQ.
For more information on New Relic’s security practices, please see our Security Handbook.
1. What is a DPA and do I need to sign New Relic’s DPA?
- A Data Processing Addendum (“DPA”) is a legally binding document entered into by a controller and a processor and regulates the particularities of data processing. Article 28(3) of the General Data Protection Regulation (“GDPR”) requires that controllers, processors and sub-processors must enter into written contracts or DPAs in order to share personal data.
- If your company is subject to the GDPR and/or the UK GDPR and you are transmitting personal data to the New Relic services for processing, then you should sign New Relic’s DPA and then follow the instructions set out at Section 6 below.
2. Who is the controller and who is the processor?
The customer acts as the controller with respect to personal data they submit via the New Relic agent to the New Relic service for processing. New Relic acts as the processor. When acting as a data processor on behalf of customers, New Relic follows the instructions of the customer: a customer sends personal data through the service and New Relic processes what is sent. New Relic does not exercise professional judgement or make independent decisions about the data that it receives from customers.
3. Why can my company not use its own DPA?
The New Relic DPA is tailored to reflect New Relic’s service offering and its multi-tenant environment. It sets out the specialized processes and procedures in relation to New Relic’s obligations as a data processor under GDPR. The New Relic DPA addresses the relevant GDPR requirements related to the scope and confidentiality of data processing, the security measures in place to ensure the security of customer data, the data breach notification process, and our audit and subprocessing activities. These all correlate to the way in which New Relic’s unique services and its multi-tenant infrastructure operate. New Relic’s DPA outlines our commitment to our obligations under the GDPR Article 28(3) processor terms sequentially and refers to the specific GDPR provision that each section of the DPA covers.
4. What about the main agreement between the parties?
- The New Relic DPA is an addendum to the main agreement between New Relic and our customer and forms part of that agreement.
- Customers who signed a previous version of the New Relic DPA, or who previously entered into an agreement without signing a DPA, can sign our current DPA at any time.
5. How does New Relic meet its obligations under GDPR?
New Relic has both a dedicated security team and a dedicated privacy team within our organisation, who are passionate about delivering and maintaining a world-class security/privacy program to ensure we are GDPR compliant.
- We will keep your data confidential: All of New Relic’s staff who have access to our customers’ data are committed to confidentiality as part of their terms of employment with New Relic.
- We keep your data safe and secure: At New Relic, the security of your data is of the utmost importance to us. Our information security team continues to ensure that we are in line with industry standards and best practices for all data processing.
- We have implemented robust technical and organisational measures to assist our customers in meeting their compliance needs: At New Relic we know that our customers are subject to compliance obligations under GDPR with regard to the fulfillment of data subject requests and data protection impact assessments. As your data processor, we are happy to assist so that you meet these obligations and we have devised our own internal technical and organisational policies and processes to enable us to do this efficiently and effectively.
- We will only use approved sub-processors: All of our sub-processors undergo rigorous security and privacy assessment from our security and privacy team and we will always provide you with advance notification when we want to add a new sub-processor. You can be assured that we conduct thorough due diligence prior to onboarding and that we ensure we have the appropriate contractual provisions in place. At all times New Relic remains liable for the acts of our sub-processors.
- We will assist you in the event of a data breach: If a data breach occurs at New Relic and your data is affected, we will notify you in time for you to meet your data breach notification obligation to the supervisory authority and we will provide you with details of the breach in order for you to assess the impact it may have upon your organisation.
- We will provide you with the information you require so that you can satisfy yourself that you are choosing a GDPR compliant service provider: So that we may meet our obligations to you, we are happy to provide answers to information security and audit questionnaires that will confirm New Relic’s compliance with its obligations as a data processor.
6. How can I execute the New Relic DPA?
The New Relic online DPA is pre-signed by New Relic. Where a customer is signing New Relic’s online DPA, the customer may download the DPA from our website here and then sign and return the DPA to email@example.com. Please note that this process only applies to situations where the DPA is being signed in isolation. Where a customer signs the DPA as part of their agreement with New Relic, it will not need to follow this process or return it to firstname.lastname@example.org.
7. What is contained within the exhibits to the New Relic DPA?
- Exhibit 1 sets out the details of the processing undertaken by New Relic, including the types of data and data subjects.
- Exhibit 2 contains a link to the New Relic security documentation.
8. I would like to ask some questions that are not answered in this guide
For any additional information you require, you may contact your Account Executive who will be happy to assist you.
The information contained in this document does not provide legal advice. We recommend that you consult with your own legal counsel in order to obtain advice specific to your own unique situation and how you intend to use the New Relic services. Remember, a DPA is only necessary if you intend to send personal data for processing.