Real User Monitoring Data Security
This page is about the security of data sent to Datadog. If you're looking for cloud and application security products and features, see the Security
Real User Monitoring (RUM) provides controls for implementing privacy requirements and ensuring organizations of any scale do not expose sensitive or personal information. Data is stored on Datadog-managed cloud instances and encrypted at rest. The default behaviors and configurable options described on this page are designed to protect end user privacy and prevent sensitive organizational information from being collected. Learn more about Privacy at Datadog.
RUM can be configured for compliance with many standards and regulatory frameworks, including, but not limited to:
By default, there are some privacy restrictions in place that protect user data to help comply with regulatory and standards frameworks.
Browser RUM requires first party cookies to be enabled on an end user’s browser to collect data. If required by the jurisdictions in which you operate, your pages should be configured so that the end user must accept cookies before RUM is initialized and begins collecting data.
Mobile RUM consent management
Mobile RUM tracking is only run upon user consent. If the end user accepts the RUM tracking, we track their activity and session experience. If the user declines the RUM tracking, we do not track their activity and session experience.
You have several options and tools when it comes to collecting and redacting data captured by RUM.
An event is a user interaction with specific elements of your site or app. Events can be automatically captured via the SDK or sent via custom actions. You can turn off automatic tracking of user interactions and page views to only capture the interaction of your choice. By default, RUM uses target content to generate action names from actions automatically collected by the SDK. You can explicitly override this behavior with any given name.
The data we track automatically contains primarily technical information, much of which doesn’t include personal identifying information. Data that is captured by RUM can be further redacted before it is sent and stored in Datadog through advanced configuration options for the following methods:
Transmit RUM events through a proxy server
You can transmit all RUM events through your own proxy server so that end user devices never directly communicate with Datadog.
User identity tracking
By default, there is no tracking of users’ identity. Each session has a unique session.id tied to it, which anonymizes the data, but allows you to understand trends. You have the option of writing code to capture user data such as name and email address, then using that data to enrich and modify RUM sessions, but this is not required.
After you have configured the event capture, events are stored in Datadog. You can decide how long your captured events and properties stay in Datadog.
By default, data retention for production environments is:
- 30 days for sessions, views, actions, errors, and session recordings.
- 15 days for resources and long tasks.
Any of this retained data can be extended to a maximum of 90 days at no additional cost by opening a support ticket.
Role-based access control
Datadog provides role-based access control (RBAC) for managing who sees captured RUM data. Default settings for data access depend on the role a user gets added to. There are three types of Datadog roles available: Administrator, Standard, and Read Only roles. More granular RUM-specific permissions are defined in Datadog role permissions. For example, you can grant or revoke access to view Session Replays.
If you need to delete data stored by Datadog, for example, if potentially sensitive data has been leaked into RUM events, you can hard-delete data from within a given timeframe. With a hard delete, all data is deleted; it cannot be targeted to a specific application. If you need any data deleted, reach out to the Datadog support team.
Personal and sensitive data removal
You have some options available for removing Personally Identifiable Information (PII) and sensitive data, including IP addresses and geolocation. Some scenarios where PII could appear in RUM:
- Action names on buttons (for example, “View full credit card number”)
- Names shown in URLs
- Custom tracked events instrumented by the developers of the app
PII inadvertently included in unstructured data, such as an individual’s name in a text box, can only be removed through a data deletion requisition for a specified timeframe.
With respect to URLs, you have the option to track page views manually in order to remove any PII or use beforeSend to change the URL text.
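One way to use beforeSend for this, as an added example that is not Datadog's own code: the callback rewrites the view.url, view.referrer and resource.url fields of each event before it leaves the browser. The list of sensitive query parameters, the e-mail pattern and the sample URLs in the test are constructed assumptions to adapt to your own application.

```javascript
// Added example. The parameter names and the e-mail pattern are assumed policy.
const SENSITIVE_PARAMS = new Set(["email", "name", "token"]);
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

function safeDecode(segment) {
  try {
    return decodeURIComponent(segment);
  } catch {
    return segment; // malformed percent-encoding: test the raw text instead
  }
}

// Return the URL with sensitive query values and e-mail-like path segments masked.
function scrubUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    // Not an absolute URL: fail closed by dropping the query string and fragment.
    return String(raw).split(/[?#]/)[0];
  }
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, "REDACTED");
    }
  }
  url.pathname = url.pathname
    .split("/")
    .map((seg) => (EMAIL_RE.test(safeDecode(seg)) ? "REDACTED" : seg))
    .join("/");
  return url.toString();
}

// Callback in the shape the Browser SDK's beforeSend option expects: it mutates
// the event in place; returning false would discard the event instead.
function beforeSend(event) {
  if (event.view && event.view.url) event.view.url = scrubUrl(event.view.url);
  if (event.view && event.view.referrer) {
    event.view.referrer = scrubUrl(event.view.referrer);
  }
  if (event.type === "resource" && event.resource && event.resource.url) {
    event.resource.url = scrubUrl(event.resource.url);
  }
  return true;
}

// Wiring (placeholders, not run here):
// datadogRum.init({ applicationId: "<APP_ID>", clientToken: "<CLIENT_TOKEN>", beforeSend });
```

The fragment of an absolute URL is left untouched here; if your application uses hash-based routes that carry identifiers, extend scrubUrl to cover url.hash as well.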
You can also transmit all RUM events through your own (proxy) server so that end user devices never directly communicate with Datadog.
When setting up a RUM application, you can choose whether or not you want to include IP or geolocation data:
Once you disable collection of IP data, the change will be applied immediately. Any events collected prior to disabling will not have their IP data removed. The omission is performed on the backend, which means the Browser SDK will still be sending data, but IP addresses will be omitted by Datadog backend pipelines and dropped at processing time.
In addition to removing client IPs, you can also choose to disable the collection of geolocation (country, city, county), or GeoIP, from all future collected data. If you uncheck the Collect geolocation data box, the change will be applied immediately. Any events collected prior to disabling will not have their geolocation data removed. Data omission is done at the backend level, which means the Browser SDK will still be sending data, but geolocation data will be omitted by our backend pipelines and dropped at processing time.
Proactively search for sensitive data with Sensitive Data Scanner
Sensitive Data Scanner allows you to proactively search and scrub sensitive data upon ingestion by Datadog. RUM events are scanned on the stream before any data is stored within Datadog. The tool has the power to scrub, hash, or partially redact PII data before it is stored. It works by applying out-of-the-box or customer-developed pattern matching rules.
Session Replay-specific privacy options
See privacy options specific to Session Replay.