How Raygun’s security measures keep your customer’s data safe


At Raygun, we’re serious about protecting your privacy and safeguarding sensitive data. While our tools give you the unique ability to drill down into individual user sessions, we’re aware that you may not want sensitive customer information being collected by Raygun.

This article is a developer’s guide to using Raygun’s security measures: how to prevent collecting any user data through Raygun Crash Reporting and Real User Monitoring, and how to keep your own data secure.

We’ll go over:

  • How to exclude sensitive data from Raygun in both Crash Reporting and Real User Monitoring using JavaScript
  • How Raygun handles privacy (including government compliance) so you have maximum control over how much information is collected

Raygun is fully HIPAA and GDPR compliant. Behind the scenes, we work hard to ensure that we reduce the PII footprint we have. Customers can still opt-in to sending PII data, but backend systems have all been hardened to reduce the reliance on that data.

On top of this, we also added some helper filters. This allows you do things like opt out of IP address storage, as we know our customers have different needs. You can also nominate a Data Protection Officer and European Union Representative.

Prevent sensitive data from being sent to Raygun Crash Reporting

Here’s how to remove sensitive data with the raygun4js provider.

We’ll use JavaScript as an example as it’s one of our most popular requests. If you’re using another language or framework, please follow the links to our documentation on how to remove sensitive data:

Custom Data

If you’re sending custom data, you can easily filter out sensitive information by providing an array of key names to exclude from the JSON error payload.

Here is the custom data I’m going to send:

rg4js('withCustomData', {
    "FilterSomeOut": {
      "SuperSecret": "the meaning of life",
      "IsHappy": true,
      "UUID": "87654321-3333-1234-7777-121212121212",
      "CreditCardNumber": "6011300958782011"
    },
    "FilterALLOut": {
      "FullName": "Harambe",
      "Password": "orange"
    }
});

In your document, under the other Raygun configuration code already there (like your Raygun API key), add the filterSensitiveData call and the array of key names to exclude:

rg4js('filterSensitiveData', ['SuperSecret', 'FilterALLOut']);

When an error comes through to Raygun, the values for the keys will be replaced with [removed by filter].

Result:

FilterSomeOut: {
  "SuperSecret": "[removed by filter]",
  "IsHappy": true,
  "UUID": "87654321-3333-1234-7777-121212121212",
  "CreditCardNumber": "6011300958782011"
}
FilterALLOut: "[removed by filter]"

Filter scope

If you want to filter out the value of any key in the JSON payload and not just in the custom data, add this snippet to your code:

rg4js('setFilterScope', 'all');

If, say, you want to filter out the Environment data from the payload, just add Environment to the filterSensitiveData array (with the filter scope set to all, as above):

rg4js('filterSensitiveData', ['SuperSecret', 'FilterALLOut', 'Environment']);

Result:

...
"Environment": "[removed by filter]",
"UserCustomData": {
  "FilterSomeOut": {
    "SuperSecret": "[removed by filter]",
    "IsHappy": true,
    "UUID": "87654321-3333-1234-7777-121212121212",
    "CreditCardNumber": "6011300958782011"
  },
  "FilterALLOut": "[removed by filter]"
},
...

Filter using Regex

If you have dynamic strings you need to filter out, you can add RegExp objects to the filterSensitiveData array.

First, create the RegExp object:

var creditCardDataRegex = /Credit\D*/; // Remove any key containing 'Credit' (unanchored, so not limited to keys that begin with it)

Then simply add the variable to the filterSensitiveData array:

rg4js('filterSensitiveData', ['SuperSecret', 'FilterALLOut', 'Environment', creditCardDataRegex]);

Result:

...
"Environment": "[removed by filter]",
"UserCustomData": {
  "FilterSomeOut": {
    "SuperSecret": "[removed by filter]",
    "IsHappy": true,
    "UUID": "87654321-3333-1234-7777-121212121212",
    "CreditCardNumber": "[removed by filter]"
  },
  "FilterALLOut": "[removed by filter]"
},
...
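To make the three steps above concrete on one payload, here is an added example that models the documented filtering behaviour (exact key names, RegExp entries, and the customData versus all scope) as plain JavaScript. It is not raygun4js's own code; the payload is a constructed sample that mirrors the custom data shown earlier, and the function names are assumptions chosen for the example.

```javascript
// Added example: a stand-alone model of the filterSensitiveData / setFilterScope
// behaviour described above. Not raygun4js code; it only reproduces the documented
// effect so each setting can be tested against a sample payload.

const REMOVED = '[removed by filter]';

// True if `key` matches any filter entry: exact string or RegExp.
function keyMatches(key, filters) {
  return filters.some(f => (f instanceof RegExp ? f.test(key) : f === key));
}

// Walk an object/array and replace the value of every matching key.
// A matching key is replaced whole, so nested objects under it are dropped too.
function scrub(value, filters) {
  if (Array.isArray(value)) return value.map(v => scrub(v, filters));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = keyMatches(k, filters) ? REMOVED : scrub(v, filters);
  }
  return out;
}

// scope 'customData' (the default) only touches UserCustomData;
// scope 'all' walks the entire error payload.
function filterSensitiveData(payload, filters, scope = 'customData') {
  if (scope === 'all') return scrub(payload, filters);
  const out = { ...payload };
  if (out.UserCustomData) out.UserCustomData = scrub(out.UserCustomData, filters);
  return out;
}

// Constructed sample payload (not a real Raygun error) mirroring the article's custom data.
function samplePayload() {
  return {
    Environment: { Browser: 'Chrome', Platform: 'Win32' },
    UserCustomData: {
      FilterSomeOut: {
        SuperSecret: 'the meaning of life',
        IsHappy: true,
        UUID: '87654321-3333-1234-7777-121212121212',
        CreditCardNumber: '6011300958782011',
      },
      FilterALLOut: { FullName: 'Harambe', Password: 'orange' },
    },
  };
}

// Same pattern as the article: unanchored, so it matches any key containing 'Credit'.
const creditCardDataRegex = /Credit\D*/;

// Usage, mirroring the three article steps:
const step1 = filterSensitiveData(samplePayload(), ['SuperSecret', 'FilterALLOut']);
const step2 = filterSensitiveData(samplePayload(), ['SuperSecret', 'FilterALLOut', 'Environment'], 'all');
const step3 = filterSensitiveData(samplePayload(),
  ['SuperSecret', 'FilterALLOut', 'Environment', creditCardDataRegex], 'all');
console.log(JSON.stringify(step1, null, 2));
console.log(JSON.stringify(step2, null, 2));
console.log(JSON.stringify(step3, null, 2));
```

Note that an exact-name filter only matches the key itself, so the credit card number survives step 1 and step 2 until the RegExp entry is added; and because the default scope leaves everything outside UserCustomData untouched, adding Environment to the array without setFilterScope set to all has no effect.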

Need more information on filtering out sensitive data? Head to our JavaScript docs.

Prevent sensitive data from being sent to Real User Monitoring

You can send additional information about the user currently logged in to your site or web app by calling setUser with a user object.

If you don’t want to include identifiable information through Real User Monitoring, simply remove all the keys from the setUser object, except for the identifier.

identifier is the only required parameter for setUser, and is only required if you are using user tracking. NOTE: This parameter is named user in the setUser function.

identifier is used to uniquely identify the user within Raygun. You can make this value any string to uniquely identify your users (e.g. the user ID) without identifiable information.

How Raygun’s safety measures keep your data secure

At Raygun, we’re committed to providing a secure service. We use a variety of strategies to protect your information from unauthorized access, use or disclosure.

Here are a few of the ways Raygun’s security measures provide comprehensive security for you, your customers and your applications.

Auditing

Raygun keeps a log of user actions within your account, so any changes that modify the configuration of your Raygun applications (e.g. enabling an integration with a 3rd party provider) or any destructive operations (e.g. deleting data) are clearly tracked and can be reviewed at any time.

Data encryption

We encrypt all data that is transmitted between you (or your customers) and Raygun using industry-standard TLS (Transport Layer Security), protecting the information you send to us. Your data is also encrypted at rest when it is stored on our servers, and encrypted when we transfer it between data centres for backup and replication.

Data processing

Raygun only processes data for the applications where the customer has installed Raygun Crash Reporting or Real User Monitoring. We only extract specific parts of the data for indexing purposes to help you analyze the data at a high level.

Handling of sensitive data

Customers have complete control over the data which is transmitted to Raygun to remove any sensitive data prior to transmission. We provide options for handling this in our standard provider libraries or alternatively you can customize this implementation yourself.

Privacy

We understand the need for teams working in the medical and financial industries to be compliant with the laws of their government. Raygun is HIPAA compliant and happy to work with you if you need any specific requirements.

Secure data centres

Raygun is hosted within enterprise-grade hosting facilities that employ robust physical security controls to prevent physical access to the servers they house. These controls include 24/7 monitoring and surveillance, on-site security staff and regular ongoing security audits. Raygun maintains multiple geographically separated data replicas to minimize the risk of data loss or outages.

Service security

Raygun has multiple layers of security controls to protect access to and within our environment, including firewalls and network segregation.

Our security services are configured, monitored and maintained regularly. We partner with industry-leading security vendors to leverage their expertise and global threat intelligence to protect our systems. We also conduct regular independent third-party penetration tests to validate application and network security of our systems.

User management

We provide standard access to Raygun with a user login and password. Optionally, two-factor authentication can also be enabled to provide additional security for your user account. Enterprise customers also have the option to use SAML-based Single Sign-On (SSO).

You control access

The application’s owners group gives rights to administer a subscription. Any Plan Owner can control these permissions, not just the person who holds the subscription.

We hope this post has answered any questions that you have about Raygun’s security measures, and how we keep your data safe.

If you still have questions or any specific requirements we can help with, reach out to support@raygun.com and a team member will be in touch.