docs/security-and-privacy-design/README.md
:::tip
Executive Summary
:::
This page explains how Netdata designs and operates secure, privacy-respecting services across the Netdata Agent and Netdata Cloud.
Netdata builds security into every layer. You retain control over your observability data while benefiting from powerful real-time monitoring and insights.
Netdata separates your system information into two categories:
| Type | Description | Where It Lives |
|---|---|---|
| Observability Data | Metrics and logs | Stored locally, fully under your control |
| Observability Metadata | Hostnames, metric names, alerts | Routed securely to Netdata Cloud for dashboards and notifications |
This ensures that your critical system insights remain private, and only minimal metadata flows to the cloud.
Here is how your data flows through Netdata:
```mermaid
flowchart TD
A("Your System") -->|"Collect metrics and logs"| B("Netdata Agent")
B --> C("Observability Data
Stored locally")
B --> D("Observability Metadata
securely routed to Cloud")
D --> E("Cloud dashboards, routing
& notifications")
%% Style definitions
classDef alert fill:#ffeb3b,stroke:#000000,stroke-width:3px,color:#000000,font-size:14px
classDef neutral fill:#f9f9f9,stroke:#000000,stroke-width:3px,color:#000000,font-size:14px
classDef complete fill:#4caf50,stroke:#000000,stroke-width:3px,color:#000000,font-size:14px
classDef database fill:#2196F3,stroke:#000000,stroke-width:3px,color:#000000,font-size:14px
%% Apply styles
class A alert
class B neutral
class C complete
class D,E database
```
:::tip
Observability data (metrics and logs) never leaves your system. Only essential metadata flows securely to Netdata Cloud.
:::
Netdata follows OSSF best practices, including:
Netdata Agents undergo regular external security audits.
All reports are prioritized for quick investigation and resolution.
Netdata Cloud operates in isolated environments with Infrastructure as Code (IaC). No manual production access exists, and monitoring is fully automated.
Netdata handles vulnerabilities with a clear process:
:::tip
Stay updated by subscribing to Netdata’s GitHub releases.
:::
Netdata complies with major data privacy laws, including GDPR and CCPA.
Netdata conducts internal audits to ensure compliance and offers Data Processing Agreements (DPAs) upon request.
:::tip
Contact Netdata Support to request a DPA.
:::
| Type | Handling |
|---|---|
| Observability Data | Remains on your infrastructure |
| Observability Metadata | Securely transferred and stored in US-based data centers (Google Cloud, AWS) |
Data is tunneled securely in real time without being stored on Netdata Cloud servers.
Data processing complies with GDPR and CCPA requirements.
You can manage your privacy rights easily:
| Right | How to Access |
|---|---|
| Access, correct, or delete your data | Use the Netdata Cloud UI |
| Fully delete your account and all data | Log in to app.netdata.cloud, go to Profile, and delete your account |
:::tip
Deleting your account removes all associated personal data, including email and activity records.
:::
Netdata continuously updates its policies and technical controls to stay aligned with evolving regulations.
Netdata collects anonymous installation and telemetry statistics to improve its services.
| Collected | Used For |
|---|---|
| Installation info (plugins, operating systems, feature usage) | Guide product development and prioritize improvements |
| Telemetry events (errors, performance metrics) | Identify issues and enhance stability |
You can disable anonymous telemetry:
:::tip
See installation documentation for detailed opt-out steps.
:::
Netdata does not sell or share anonymous statistics with any third parties.
Netdata enforces layered security controls:
| Area | Control |
|---|---|
| Infrastructure Management | Infrastructure as Code (Terraform) |
| Authentication | GitHub SSO, Google SSO, email validation |
| Data Handling | TLS encryption, session tracking |
| Access Control | Role-based access, multi-factor authentication |
| Threat Defense | DDoS protection, vulnerability scanning |
| Developer Process | Static analyzers, mandatory senior code reviews |
| Production Isolation | No direct access to production environments |
:::tip
Need additional security configurations? Contact Netdata Support.
:::
:::tip
View Netdata's security certifications, compliance reports, and audit documentation at our Trust Center.
:::
Netdata applies practices that align with PCI DSS security principles:
However, Netdata is not officially PCI DSS certified.
Entities needing full PCI DSS compliance must perform additional assessments.
:::tip
Consult a PCI DSS compliance expert if you use Netdata as part of your PCI environment.
:::
Netdata aligns with HIPAA security practices:
Netdata provides Business Associate Agreements (BAAs) for healthcare organizations but is not HIPAA-certified.
:::tip
Request a BAA through Netdata Support if required.
:::
Netdata achieved SOC2 Type 2 compliance for these Service Criteria:
| Principle | Practices |
|---|---|
| Security | TLS encryption, strict access controls |
| Availability | Resilient systems, continuous monitoring |
| Confidentiality | Metadata isolation, role-based access |
Netdata gives you a secure and transparent way to monitor your systems.
With clear separation of observability data and metadata, strong encryption, secure authentication, and compliance with international standards, you retain full ownership and control of your system insights.
:::tip
You are always in control of your data with Netdata.
:::
Netdata’s commitment to security, privacy, and transparency ensures that your monitoring environment stays protected and trusted at every step.