Protecting User Privacy in Session Replay
Learn about how Session Replay captures data while protecting user privacy.
If you have any questions, feedback or would like to report a bug, please open a GitHub issue with a link to a relevant replay or, if possible, a publicly accessible URL to the page you're attempting to record a replay of.
With the extra scrutiny and sensitivity around session replay products and the logging of user interactions (e.g., text inputs, page visits, mouse movements, clicks, and scrolls) on websites and applications, we built our own session replay product with an eye towards privacy.
Sentry's Session Replay is not an actual “screen” recording, but instead a recording of changes in the web browsers' Document Object Model (DOM) (i.e., the data representation of the page). This important distinction means that the data captured by Session Replay can be searched and stripped.
We provide our customers with a range of configuration options to control how much (or how little) data is collected. Customers can use our privacy controls to help ensure no sensitive user data leaves the browser. Customers can also use server-side scrubbing capabilities to further filter and remove sensitive user data, or our deletion capabilities to delete individual recordings after ingestion.
Below we expand on what data is potentially collected, how they are treated by default, and what additional controls are available to customers. At the bottom of this page you'll also find our Legal & Privacy FAQ.
To reduce the risk of Personally Identifiable Information (PII) being ingested and stored on our servers, Sentry’s Session Replay SDK is designed to be “private by default”. The Session Replay SDK in its default configuration redacts all HTML text nodes and images before it leaves the browser. During playback, redacted text nodes and images are clearly denoted using asterisks and static gray boxes, respectively.
To see unredacted HTML content – for example, your static navigation items, menus, and links – you may additionally opt-in static HTML elements that are known not to contain PII by denoting those elements with the sentry-unmask
class name. It’s strongly recommended not to opt-in any known, user-generated content.
Alternatively, you can turn off the default privacy configuration, which will cause all text nodes and images to be transferred unredacted. This is only recommended when working with static content websites known not to contain any sensitive user information. Note that when using this configuration option, failure to carefully identify HTML elements containing PII means risking sensitive content leaving the user’s browser.
To learn more, including other additional configuration options, see Session Replay Privacy.
In addition to HTML content, Session Replay records key user interactions like mouse movements, mouse clicks, and keyboard presses. By default, all user keypresses are redacted and replaced with asterisks. Captured mouse movements are limited to source and target destinations (for example, where the mouse came from and where it went, not the exact path). A low-fidelity approximation of this movement is recreated during playback.
To assist in debugging, Session Replay captures additional metadata like console.log entries, network requests, browser, operating system, and more. By default, Sentry scans this data on the server and automatically removes potentially sensitive strings like credit card numbers, social security numbers, API tokens, and more. This same process is applied to other Sentry event types like Errors and Transactions.
To learn more see Server-Side Data Scrubbing.
Q: Can I use Session Replay and comply with the GDPR and CCPA?
A: Yes, we offer a Data Processing Addendum (DPA) to cover GDPR and CCPA requirements for any personal data sent to Sentry, including via our Session Replay product. You can enter into our DPA by following the instructions here.
Q: I have an existing DPA with Sentry, does it apply to Session Replay?
A: Yes, see above. The data processing and security commitments in our DPA apply to the personal data you send to the Sentry service (including via our Session Replay product).
Q: I have an existing Business Associate Addendum (BAA) with Sentry, does it apply to Session Replay?
A: Yes, our BAA covers HIPAA requirements for any protected health information (PHI) sent to the Sentry service (including if you elect to do so via our Session Replay product).
Q: Do I need to change my legal policies or notices to use Session Replay?
A: As with all user data that you submit to Sentry for processing on your behalf, you are responsible for providing appropriate notices to your users. How you choose to configure Session Replay and your own site or app will ultimately determine the contents and presentation of your user privacy notices.
Q: Where is Session Replay data hosted?
See our subprocessor list for our infrastructure hosting location, which applies to all data within your specific Sentry instance, including Session Replay data.
Q: How long do you retain Session Replay data?
Please see our security policy. Our data retention policy applies to the overall Sentry service, including Session Replay.
Our documentation is open source and available on GitHub. Your contributions are welcome, whether fixing a typo (drat!) or suggesting an update ("yeah, this would be better").