Netdata Agent Security and Privacy Design

Executive Summary

  • Netdata Agent is designed with a security-first approach to protect system data.
  • Raw data never leaves the system where Netdata is installed.
  • Only processed metrics and minimal metadata are stored, streamed, or archived.
  • Communications are secured with TLS, authentication uses API keys and cryptographic validation, and Agent architecture enforces isolation and resilience.
  • Netdata Agent follows best practices supporting PCI DSS, HIPAA, GDPR, and CCPA compliance, and is continuously audited and improved for security.

Introduction

Netdata Agent uses a security-first design.
It protects data by exposing only chart metadata and metric values, never raw system or application data.

This design allows Netdata to operate in high-security environments, including those subject to PCI Level 1 compliance requirements.

When plugins collect data from databases or logs, only processed metrics are:

  • Stored in Netdata databases
  • Sent to upstream Netdata servers
  • Archived to external time-series databases

Raw data remains local and is never transmitted.


User Data Protection

Netdata Agent safeguards your data at every stage.

Aspect             Protection Mechanism
Raw Data           Stays on your system
Plugins            Hard-coded for collection only, reject external commands
Functions Feature  Predefined plugin functions; the UI only calls these
Privileges         Most plugins run without escalated privileges; the main process does not require them

Plugins needing escalated privileges are isolated:

  • Perform only predefined collection tasks
  • Keep raw data inside the local process
  • Never save, transfer, or expose raw data to the Netdata daemon
Tip: Netdata's decentralized design keeps all data local. You are responsible for backing up and managing your system data.


Communication and Data Encryption

Netdata secures all internal and external communications:

Communication      Protection
Plugins to Daemon  Ephemeral in-memory pipes, isolated from other processes
Streaming Metrics  Requires API keys, optional TLS encryption
Web API            Supports TLS if configured
Cloud Connection   MQTT over WebSockets over TLS with public/private key authorization

Public and private keys are exchanged securely during Cloud provisioning.

[Figure: Netdata Agent Security Flow]


Authentication

Netdata supports multiple authentication methods depending on the connection type:

Connection                Authentication Method
Direct Agent Access       Typically unauthenticated; relies on LAN isolation or firewall policies
Streaming Between Agents  Requires API key authentication, optional TLS
Agent-to-Cloud            Public/private key cryptography with mandatory TLS
Tip: For additional access control, place Netdata Agents behind an authenticating web proxy.


Security Vulnerability Response

Netdata follows a structured vulnerability response process:

  • Acknowledges reports within three business days
  • Initiates a Security Release Process for verified issues
  • Releases patches promptly
  • Handles vulnerability information confidentially
  • Keeps reporters updated throughout the process

Protection Against Common Security Threats

Netdata Agent is resilient against major security threats:

Threat                      Defense Mechanism
DDoS Attacks                Fixed thread counts, automatic memory management, resource prioritization
SQL Injections              No UI data passed back to database-accessing plugins
System Resource Starvation  Nice priority protects production apps; early termination in OS-OOM events

Additional protections include:

  • Running as an unprivileged user by default
  • Isolating escalated privileges to specific collectors
  • Proactive CPU and memory management

User-Customizable Security Settings

You can tailor the Agent's security settings:

Setting                      Options Available
TLS Encryption               Configurable for web API and streaming
Access Control Lists (ACLs)  Limit endpoint access by IP address
CPU/Memory Priority          Adjust scheduling priority and memory thresholds
Tip: Use Netdata configuration files to apply custom security settings.
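As an added example (not Netdata's own code), the following Python audits a netdata.conf fragment for the exposure-related settings listed above: it flags a plaintext web API bound beyond loopback, an ACL that admits any source address, a forced-TLS bind with no key or certificate, and a daemon running as root. The key names (bind to, allow connections from, ssl key, ssl certificate, run as user) and the assumed defaults follow Netdata's documented netdata.conf and should be verified against your installed version; both configuration fragments are constructed samples.

```python
import configparser

# Constructed sample (not a real deployment): a permissive netdata.conf fragment.
WEAK_CONF = """
[global]
    run as user = root
[web]
    bind to = *
    allow connections from = *
"""
# Constructed sample: the same fragment hardened; plaintext only on loopback, TLS forced on the LAN address.
HARDENED_CONF = """
[global]
    run as user = netdata
[web]
    bind to = 127.0.0.1:19999 10.0.0.5:19999=dashboard^SSL=force
    allow connections from = localhost 10.*
    ssl key = /etc/netdata/ssl/key.pem
    ssl certificate = /etc/netdata/ssl/cert.pem
"""
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def _host(bind_token):
    # "10.0.0.5:19999=dashboard^SSL=force" -> "10.0.0.5"; "[::1]:19999" -> "[::1]"
    addr = bind_token.split("=", 1)[0]
    if addr.startswith("["):
        return addr.split("]", 1)[0] + "]"
    return addr.split(":", 1)[0] or addr


def audit(conf_text):
    """Return findings for weak exposure settings; an empty list means none were found."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    glob = cp["global"] if cp.has_section("global") else {}
    web = cp["web"] if cp.has_section("web") else {}
    findings = []
    if glob.get("run as user", "netdata").strip() == "root":
        findings.append("global/run as user: daemon runs as root; privileges belong in isolated collectors")
    # Assumed Netdata defaults when a key is absent: bind to = *, allow connections from = localhost *
    exposed = [b for b in web.get("bind to", "*").split() if _host(b) not in LOOPBACK]
    tls_forced = [b for b in exposed if "ssl=force" in b.lower()]
    if len(tls_forced) < len(exposed):
        findings.append("web/bind to: plaintext web API reachable beyond localhost")
    if exposed and "*" in web.get("allow connections from", "localhost *").split():
        findings.append("web/allow connections from: ACL admits any source address")
    if tls_forced and not (web.get("ssl key") and web.get("ssl certificate")):
        findings.append("web/ssl key, ssl certificate: TLS forced but no key or certificate set")
    return findings
```

Calling audit(WEAK_CONF) returns three findings and audit(HARDENED_CONF) returns none; run it against your own netdata.conf text to check which of the settings above still need attention.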
