Last Updated February 13, 2019
This New Relic Services Privacy Notice (“Services Privacy Notice”) covers our collection, use, and disclosure of the Performance Data (as defined below) and Systems Operations Data (as defined below) by the New Relic product services (together the “Services”), such as through New Relic APM, New Relic Browser, New Relic Mobile, New Relic Synthetics, New Relic Infrastructure, and New Relic Insights, but also including any other services maintained by New Relic for use by our users, such as support services. For purposes of this Services Privacy Notice, “Personal Data” means any information relating to an identified or identifiable individual, including, for example, name, phone number, postal code, Device ID, User ID, IP address and email address.
This Services Privacy Notice does not cover:
Personal Data processed pursuant to the General Privacy Notice, such as Personal Data collected through: our websites, such as www.newrelic.com, discuss.newrelic.com, learn.newrelic.com, and any other New Relic website (together the “Sites”); product feedback or surveys; the sales and provisioning process; and in connection with New Relic events, sales and marketing activities.
Links to any other website or location are for convenience only and do not imply New Relic’s our endorsement of such other website or location or its contents.
We recommend that customers and users read the entire Services Privacy Notice. If a customer or user has any questions about this Services Privacy Notice please contact us using the information in the Communications and Notifications to Customers and Users section below.
1. Who We Are
Throughout this Services Privacy Notice ‘we’, ‘us’, ‘our’ and ‘ours’ refer to New Relic.
New Relic, Inc. is a Delaware corporation headquartered at 188 Spear Street, Suite 1200, San Francisco, CA 94105. New Relic, Inc. has offices, subsidiaries and affiliate companies (“New Relic Group”) all around the world (New Relic, Inc. and the New Relic Group are together referred to as “New Relic”, unless specifically stated otherwise). Throughout this Services Privacy Notice ‘we’, ‘us’, ‘our’ and ‘ours’ refer to New Relic.
For more information about New Relic, please see the “About Us” section of our Site.
2. Performance Data
a. Types of Performance Data We Receive. The Services receive Performance Data when: (i) our software (e.g. agents, SDKs, etc.) is deployed in our customers' applications, websites, and infrastructure, or (ii) when collected by a synthetic monitors or cloud integration, or (iii) when sent to our data collection systems (e.g. API) for processing. “Performance Data” means (a) data about the performance of an application or website, (b) system data (such as version data, names of plug-ins, etc.) about the environment in which an application is operating, (c) data about transactions in an application, stack traces and source code snippets for certain classes of errors, (d) other similar data related to an application, (e) data about the infrastructure supporting an application, (f) endpoint data from synthetics monitors, or (g) data that our customers elect to send New Relic via the data collection system.
Performance Data is subject to the restrictions set forth in the underlying agreement between the parties. Any Personal Data written to file in a New Relic account is configured by the user of the software (agents, APIs, SDKs, queries, etc.) that New Relic makes available in connection with the Services, or as a result of the customer’s end system configurations.
b. Use of Performance Data. To the extent Performance Data includes Personal Data, New Relic will act as a data processor on behalf of its customer, the data controller. New Relic may process Performance Data as necessary to perform the Services, including for testing and applying new product and system versions, patches, updates, and upgrades, and resolving bugs and other issues reported to New Relic.
New Relic will only process Performance Data for the purposes of providing the Services and in accordance with the customer's lawful documented instructions, including those in the agreement to provide the Services and customer’s configuration of the Services, and as provided in the underlying agreement between the parties. New Relic may also aggregate or de-identify Performance Data across multiple accounts and use this data to improve or enhance engagement of our Services or to create and publish (subject to the confidentiality restrictions in the underlying agreement) industry benchmarks or comparative application performance metrics.
c. Disclosure of Performance Data. To the extent New Relic provide third party sub-processors with access to Performance Data in order to assist in the provision of the Services, such sub-processors shall be subject to the same data protection and security obligations as New Relic under the terms of the customer’s order for Services, as applicable. Provided that a customer signs up for notifications at https://newrelic.com/NR-legal-signup-datasubprocessors, New Relic shall provide notice of any new sub-processors. After being notified, customer will have ten (10) business days to notify New Relic in writing of any reasonable objection it has to the new sub-processor(s). Failure to notify New Relic within this time frame will be deemed approval of the new sub-processor(s).
If another company acquires our company or our assets, that company will gain custody of the Performance Data collected by it and us and will assume the rights and obligations regarding the Performance Data as described in this Privacy Notice.
d. Data Subject Rights. If Personal Data pertaining to you as an individual has been submitted to the Services as part of Performance Data by or on behalf of a customer and you wish to exercise any data protection rights you may have in respect of that data under applicable law, including (as applicable) the right to access, port, correct, amend, or delete such data, please inquire with the relevant customer directly.
If a customer of New Relic needs assistance in responding to a data subject request relating to Personal Data contained in customer's Performance Data, please see our documentation on how to submit a request for assistance to New Relic.
e. Security and Confidentiality. New Relic has implemented and will maintain appropriate technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Performance Data. These measures, which are generally aligned with NIST 800-53 standard, govern all areas of security applicable to the Services, including physical access, system access, data access, transmission, input, security, oversight, and enforcement.
New Relic employees are required to maintain the confidentiality of Performance Data, employee’s obligations include written confidentiality agreements, regular training on information security and privacy, and compliance with New Relic policies concerning protection of confidential information.
Additional details regarding the specific security measures that apply to the Services are available for review here.
f. International Data Transfers. If Performance Data containing Personal Data of an individual is transferred to New Relic, the Personal Data may be transferred to, and processed in, countries other than the country in which the individual resides. These countries may have data protection laws that are different than the laws of the individual’s country of residence.
Specifically, New Relic’s data regions are located in the United States and the European Union, as further described in the documentation. Personal Data held in a customer’s account in the Services environment will be stored in the data region selected by customer during account provisioning. All other information, including account information (such as license subscription information, billing, and internal monitoring) is hosted in the U.S. region and replicated in the EU region, and is subject to the General Privacy Notice.
New Relic may process Performance Data in the United States and other jurisdictions where the New Relic Group is located, including as may be necessary to maintain, secure, or perform the services, to provide technical support, or as necessary to comply with law or a binding order of a government body.
New Relic has taken appropriate safeguards to require that Personal Data within Performance Data will remain protected in accordance with this Services Privacy Notice. These include implementing an adequate method of transfer, such as the European Commission’s Standard Contractual Clauses or Privacy Shield, for transfers of Personal Data with its sub-processors or partners, further details of which can be provided upon request. We also participate and comply with the EU-US and Swiss-US Privacy Shield Frameworks. Please click here to read our Privacy Shield Notice.
3. Systems Operations Data
a. Responsibility and Purposes for Processing Systems Operations Data. New Relic is data controller with regards to processing Personal Data that may be contained in Systems Operations Data in accordance with this Section and Section 4 (Communications and Notifications to Customer and Users) of this Services Privacy Notice.
Systems Operations Data may include log files, event files, and other trace and diagnostic files, as well as statistical, aggregate and Personal Data (such as user name, user ID, etc.) that relates to the use and operation of our Services, and the systems and networks these Services run on.
We may receive, collect or generate Systems Operations Data for purposes, such as the following:
i. to help keep our Services secure, including for security monitoring, identity management, and to investigate and prevent potential fraud and illegal activities involving our Services, systems and networks;
ii. to administer our Service, including backup disaster recovery plans and policies;
iv. for research and development purposes, including to analyze, develop, improve and optimize our Services;
v. to increase engagement and adoption of our Services (e.g. by providing in Service training and suggestions);
vi. to tailor how we present the Services to users; and
vii. to comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal requests; for mergers and acquisitions; finance and accounting; legal and business consulting; and in context of dispute resolution.
For Personal Data contained in Systems Operations Data collected in the EEA, our legal basis of processing such information is our legitimate interest in performing, improving, maintaining, and securing our Services and operating our business in an efficient and appropriate manner. Personal Data may also be processed to comply with legal obligations.
The data controller of Personal Data for all countries that New Relic does business is New Relic, Inc., unless customer has contracted directly with New Relic, K.K. in Japan, in which case New Relic, K.K. is the data controller.
b. Sharing Systems Operations Data. We may disclose Systems Operations Data to the following categories of recipients:
i. to our group companies, third-party services providers and partners who provide data processing services to us (for example, to support the delivery of, provide functionality on, help to enhance the security of our Services, to provide technical support, or to provide specific services, such as hosting applications, communicating via live chat software or payment processing for purchases), or who otherwise process Personal Data for purposes described in this Services Privacy Notice or notified when we collect the Personal Data;
ii. to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect vital interests of any other person;
iii. to an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use such Personal Data only for the purposes disclosed in this Services Privacy Notice;
iv. to any other person with appropriate consent to the disclosure.
c. Profiling. In order to increase engagement and adoption of our Services and present relevant product training and suggestions we analyze some of the Systems Operations Data that we collect about our customers to determine what offers are most likely to be of interest to different categories of users in different circumstances and at different times. We call this the creation of “segments”. From time to time, we will assess the Systems Operations Data that we hold about our users in order to assign them to a particular segment. For example, if a user is based in the EEA we can use such user’s information to communicate with the user about features or functionalities within the Services that we consider are relevant to such user.
d. Retention of Personal Data within Systems Operations Data. We retain Personal Data that we collect within Systems Operations Data where we have an ongoing legitimate business need to do so (for example, to provide a user with a service that was requested or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process such Personal Data, we will either delete or anonymise it or, if this is not possible (for example, because the Personal Data has been stored in backup archives), then we will securely store such Personal Data and isolate it from any further processing until deletion is possible.
For questions about the retention of such Personal Data, please contact us using the information in the Communications and Notifications to Customers and Users section below.
e. User Choices. To the extent provided under applicable laws, users may request to access, correct, update or delete Personal Data contained within Systems Operations Data in certain cases, or otherwise exercise their choices with regards to such Personal Data by filling out a Personal Data Request form and submitting it to PersonalDataRequests@NewRelic.com or by contacting us using the details provided in the Communications and Notifications to Customers and Users section below. GDPR grants European Union residents the right to complain to a data protection authority about our collection and use of their Personal Data. For more information, please contact your local data protection authority. Should any individual choose not to share their Personal Data with us, we may not be able to provide such individual with certain requested Services and we may not be able to continue to provide such individual with or renew existing Services.
f. Security. New Relic is committed to protecting the security of Personal Data. We use appropriate technical and organisational measures to protect Personal Data from unauthorized access, use, or disclosure. Despite these measures, New Relic cannot fully eliminate security risks associated with Personal Data and mistakes and security breaches may happen. If there are any questions about security on our Site or Services, please contact us using the details provided under Section 4(c) Global Data Protection Officer.
g. International Data Transfers. Personal Data of an individual, collected within Systems Operations Data, may be transferred to, and processed in, countries other than the country in which the individual resides. These countries may have data protection laws that are different from the laws of the individual’s country of residence.
Specifically, if an individual is located in the EEA, such individual should note that their Personal Data will be accessed by staff or suppliers, transferred, and/or stored outside the EEA, including the US and other countries which have different data protection laws than in the EEA.
However, we have taken appropriate safeguards to require that Personal Data will remain protected in accordance with this Services Privacy Notice. These include implementing an adequate method of transfer, such as the European Commission’s Standard Contractual Clauses or Privacy Shield, for transfers of Personal Data with our third party service providers and partners, further details of which can be provided upon request. We also participate and comply with the EU-US and Swiss-US Privacy Shield Frameworks. Please click here to read our Privacy Shield Notice.
4. Communications and Notifications to Customers and Users.
a. Legal Requirements. New Relic may be required to access Performance Data and Personal Data contained in Systems Operations Data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect or defend our rights or property of New Relic or users of the Services, protect the safety of others, to investigate fraud, or respond to government requests, including public and government authorities outside a user’s country of residence, for national security and/or law enforcement purposes.
b. Changes to this Services Privacy Notice. This Services Privacy Notice is subject to occasional revision, and if we make any substantial changes in the way we use Personal Data, we will take appropriate measures to inform our customers, consistent with the significance of the changes we make. We will obtain consent to any material Services Privacy Notice changes if and where this is required by applicable data protection laws.
The date of the most recent update to this Services Privacy Notice can be found by checking the “last updated” date displayed at the top of this Services Privacy Notice.
c. Global Data Protection Officer. New Relic has appointed an internal as well as an external Data Protection Officer. For questions about how information is gathered, stored, shared, used, or to exercise any data subject rights, please contact our Data Protection Officers as follows.
Email inquiries may be addressed to: Privacy@newrelic.com.
Requests that do not include confidential or sensitive content can also be sent by email to our external DPO at: email@example.com.
Written inquiries may be addressed to:
Attn: Legal Data Subject Request
New Relic, Inc.
188 Spear Street
San Francisco, CA 94105
Robert Niedermeier (External Data Protection Officer)
D-85579 Neubiberg / München
For any complaints regarding our compliance with our privacy and security practices, please contact New Relic first. New Relic will investigate and attempt to resolve any complaints and disputes regarding our privacy practices.
*Updated on October 2, 2019 to fix formatting and section references only. No changes to content of Services Privacy Notice.