Consolidate security and privacy documents (#14812)

5 files changed, 344 insertions, 259 deletions

diff --git a/docs/category-overview-pages/reverse-proxies.md b/docs/category-overview-pages/reverse-proxies.md
index 92082315bb..07c8b9bd54 100644
--- a/docs/category-overview-pages/reverse-proxies.md
+++ b/docs/category-overview-pages/reverse-proxies.md
@@ -1,8 +1,9 @@
 # Running Netdata behind a reverse proxy
 
 If you need to access a Netdata agent's user interface or API in a production environment we recommend you put Netdata behind
-another web server and secure access to the dashboard via SSL and user authentication. A dedicated web server also provides more robustness 
-and capabilities than the Agent's internal [web server](https://github.com/netdata/netdata/blob/master/web/README.md).
+another web server and secure access to the dashboard via SSL, user authentication and firewall rules. 
+
+A dedicated web server also provides more robustness and capabilities than the Agent's [internal web server](https://github.com/netdata/netdata/blob/master/web/README.md).
 
 We have documented running behind
 [nginx](https://github.com/netdata/netdata/blob/master/docs/Running-behind-nginx.md),
@@ -13,4 +14,21 @@ We have documented running behind
 and [H2O](https://github.com/netdata/netdata/blob/master/docs/Running-behind-h2o.md).
 If you prefer a different web server, we suggest you follow the documentation for nginx and tell us how you did it 
  by adding your own "Running behind webserverX" document.
- 
+
+When you run Netdata behind a reverse proxy, we recommend you firewall protect all your Netdata servers, so that only the web server IP will be allowed to directly access Netdata. To do this, run this on each of your servers (or use your firewall manager):
+
+```sh
+PROXY_IP="1.2.3.4"
+iptables -t filter -I INPUT -p tcp --dport 19999 \! -s ${PROXY_IP} -m conntrack --ctstate NEW -j DROP
+```
+
+The above will prevent anyone except your web server to access a Netdata dashboard running on the host.
+
+You can also use `netdata.conf`:
+
+```
+[web]
+	allow connections from = localhost 1.2.3.4
+```
+
+Of course, you can add more IPs.
diff --git a/docs/category-overview-pages/secure-nodes.md b/docs/category-overview-pages/secure-nodes.md
new file mode 100644
index 0000000000..7f35393019
--- /dev/null
+++ b/docs/category-overview-pages/secure-nodes.md
@@ -0,0 +1,177 @@
+# Secure your nodes

+

+Netdata is a monitoring system. It should be protected, the same way you protect all your admin apps. We assume Netdata 

+will be installed privately, for your eyes only.

+

+Upon installation, the Netdata Agent serves the **local dashboard** at port `19999`. If the node is accessible to the

+internet at large, anyone can access the dashboard and your node's metrics at `http://NODE:19999`. We made this decision

+so that the local dashboard was immediately accessible to users, and so that we don't dictate how professionals set up

+and secure their infrastructures. 

+

+Viewers will be able to get some information about the system Netdata is running. This information is everything the dashboard 

+provides. The dashboard includes a list of the services each system runs (the legends of the charts under the `Systemd Services` 

+section),  the applications running (the legends of the charts under the `Applications` section), the disks of the system and 

+their names, the user accounts of the system that are running processes (the `Users` and `User Groups` section of the dashboard), 

+the network interfaces and their names (not the IPs) and detailed information about the performance of the system and its applications.

+

+This information is not sensitive (meaning that it is not your business data), but **it is important for possible attackers**. 

+It will give them clues on what to check, what to try and in the case of DDoS against your applications, they will know if they 

+are doing it right or not.

+

+Also, viewers could use Netdata itself to stress your servers. Although the Netdata daemon runs unprivileged, with the minimum 

+process priority (scheduling priority `idle` - lower than nice 19) and adjusts its OutOfMemory (OOM) score to 1000 (so that it 

+will be first to be killed by the kernel if the system starves for memory), some pressure can be applied on your systems if 

+someone attempts a DDoS against Netdata.

+

+Instead of dictating how to secure your infrastructure, we give you many options to establish security best practices

+that align with your goals and your organization's standards.

+

+- [Disable the local dashboard](#disable-the-local-dashboard): **Simplest and recommended method** for those who have

+  added nodes to Netdata Cloud and view dashboards and metrics there.

+

+- [Expose Netdata only in a private LAN](#expose-netdata-only-in-a-private-lan). Simplest and recommended method for those who do not use Netdata Cloud.

+

+- [Fine-grained access control](#fine-grained-access-control): Allow local dashboard access from

+  only certain IP addresses, such as a trusted static IP or connections from behind a management LAN. Full support for Netdata Cloud.

+

+- [Use a reverse proxy (authenticating web server in proxy mode)](#use-an-authenticating-web-server-in-proxy-mode): Password-protect 

+  a local dashboard and enable TLS to secure it. Full support for Netdata Cloud.

+

+- [Use Netdata parents as Web Application Firewalls](#use-netdata-parents-as-web-application-firewalls)

+

+- [Other methods](#other-methods) list some less common methods of protecting Netdata.

+

+## Disable the local dashboard

+

+This is the _recommended method for those who have connected their nodes to Netdata Cloud_ and prefer viewing real-time

+metrics using the War Room Overview, Nodes view, and Cloud dashboards.

+

+You can disable the local dashboard (and API) but retain the encrypted Agent-Cloud link 

+([ACLK](https://github.com/netdata/netdata/blob/master/aclk/README.md)) that

+allows you to stream metrics on demand from your nodes via the Netdata Cloud interface. This change mitigates all

+concerns about revealing metrics and system design to the internet at large, while keeping all the functionality you

+need to view metrics and troubleshoot issues with Netdata Cloud.

+

+Open `netdata.conf` with `./edit-config netdata.conf`. Scroll down to the `[web]` section, and find the `mode =

+static-threaded` setting, and change it to `none`.

+

+```conf

+[web]

+    mode = none

+```

+

+Save and close the editor, then [restart your Agent](https://github.com/netdata/netdata/blob/master/docs/configure/start-stop-restart.md) 

+using `sudo systemctl

+restart netdata`. If you try to visit the local dashboard to `http://NODE:19999` again, the connection will fail because

+that node no longer serves its local dashboard.

+

+> See the [configuration basics doc](https://github.com/netdata/netdata/blob/master/docs/configure/nodes.md) for details on how to find 

+`netdata.conf` and use

+> `edit-config`.

+

+## Expose Netdata only in a private LAN

+

+If your organisation has a private administration and management LAN, you can bind Netdata on this network interface on all your servers. 

+This is done in `Netdata.conf` with these settings:

+

+```

+[web]

+	bind to = 10.1.1.1:19999 localhost:19999

+```

+

+You can bind Netdata to multiple IPs and ports. If you use hostnames, Netdata will resolve them and use all the IPs 

+(in the above example `localhost` usually resolves to both `127.0.0.1` and `::1`).

+

+**This is the best and the suggested way to protect Netdata**. Your systems **should** have a private administration and management 

+LAN, so that all management tasks are performed without any possibility of them being exposed on the internet.

+

+For cloud based installations, if your cloud provider does not provide such a private LAN (or if you use multiple providers), 

+you can create a virtual management and administration LAN with tools like `tincd` or `gvpe`. These tools create a mesh VPN 

+allowing all servers to communicate securely and privately. Your administration stations join this mesh VPN to get access to 

+management and administration tasks on all your cloud servers.

+

+For `gvpe` we have developed a [simple provisioning tool](https://github.com/netdata/netdata-demo-site/tree/master/gvpe) you 

+may find handy (it includes statically compiled `gvpe` binaries for Linux and FreeBSD, and also a script to compile `gvpe` 

+on your macOS system). We use this to create a management and administration LAN for all Netdata demo sites (spread all over 

+the internet using multiple hosting providers).

+

+## Fine-grained access control

+

+If you want to keep using the local dashboard, but don't want it exposed to the internet, you can restrict access with

+[access lists](https://github.com/netdata/netdata/blob/master/web/server/README.md#access-lists). This method also fully 

+retains the ability to stream metrics

+on-demand through Netdata Cloud.

+

+The `allow connections from` setting helps you allow only certain IP addresses or FQDN/hostnames, such as a trusted

+static IP, only `localhost`, or connections from behind a management LAN. 

+

+By default, this setting is `localhost *`. This setting allows connections from `localhost` in addition to _all_

+connections, using the `*` wildcard. You can change this setting using Netdata's [simple

+patterns](https://github.com/netdata/netdata/blob/master/libnetdata/simple_pattern/README.md).

+

+```conf

+[web]

+    # Allow only localhost connections

+    allow connections from = localhost

+

+    # Allow only from management LAN running on `10.X.X.X`

+    allow connections from = 10.*

+

+    # Allow connections only from a specific FQDN/hostname

+    allow connections from = example*

+```

+

+The `allow connections from` setting is global and restricts access to the dashboard, badges, streaming, API, and

+`netdata.conf`, but you can also set each of those access lists more granularly if you choose:

+

+```conf

+[web]

+    allow connections from = localhost *

+    allow dashboard from = localhost *

+    allow badges from = *

+    allow streaming from = *

+    allow netdata.conf from = localhost fd* 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.*

+    allow management from = localhost

+```

+

+See the [web server](https://github.com/netdata/netdata/blob/master/web/server/README.md#access-lists) docs for additional details

+about access lists. You can take

+access lists one step further by [enabling SSL](https://github.com/netdata/netdata/blob/master/web/server/README.md#enabling-tls-support) to encrypt data from local

+dashboard in transit. The connection to Netdata Cloud is always secured with TLS.

+

+## Use an authenticating web server in proxy mode

+

+Use one web server to provide authentication in front of **all your Netdata servers**. So, you will be accessing all your Netdata with 

+URLs like `http://{HOST}/netdata/{NETDATA_HOSTNAME}/` and authentication will be shared among all of them (you will sign-in once for all your servers). 

+Instructions are provided on how to set the proxy configuration to have Netdata run behind 

+[nginx](https://github.com/netdata/netdata/blob/master/docs/Running-behind-nginx.md), 

+[HAproxy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-haproxy.md), 

+[Apache](https://github.com/netdata/netdata/blob/master/docs/Running-behind-apache.md), 

+[lighthttpd](https://github.com/netdata/netdata/blob/master/docs/Running-behind-lighttpd.md), 

+[caddy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-caddy.md), and

+[H2O](https://github.com/netdata/netdata/blob/master/docs/Running-behind-h2o.md).

+

+## Use Netdata parents as Web Application Firewalls

+

+The Netdata Agents you install on your production systems do not need direct access to the Internet. Even when you use 

+Netdata Cloud, you can appoint one or more Netdata Parents to act as border gateways or application firewalls, isolating 

+your production systems from the rest of the world. Netdata 

+Parents receive metric data from Netdata Agents or other Netdata Parents on one side, and serve most queries using their own 

+copy of the data to satisfy dashboard requests on the other side.

+

+For more information see [Streaming and replication](https://github.com/netdata/netdata/blob/master/docs/metrics-storage-management/enable-streaming.md).

+

+## Other methods

+

+Of course, there are many more methods you could use to protect Netdata:

+

+-   Bind Netdata to localhost and use `ssh -L 19998:127.0.0.1:19999 remote.netdata.ip` to forward connections of local port 19998 to remote port 19999. 

+This way you can ssh to a Netdata server and then use `http://127.0.0.1:19998/` on your computer to access the remote Netdata dashboard.

+

+-   If you are always under a static IP, you can use the script given above to allow direct access to your Netdata servers without authentication, 

+from all your static IPs.

+

+-   Install all your Netdata in **headless data collector** mode, forwarding all metrics in real-time to a parent

+    Netdata server, which will be protected with authentication using an nginx server running locally at the parent

+    Netdata server. This requires more resources (you will need a bigger parent Netdata server), but does not require

+    any firewall changes, since all the child Netdata servers will not be listening for incoming connections.

diff --git a/docs/cloud/data-privacy.md b/docs/cloud/data-privacy.md
deleted file mode 100644
index dcd4852c92..0000000000
--- a/docs/cloud/data-privacy.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# Data privacy in Netdata Cloud
-
-[Data privacy](https://netdata.cloud/privacy/) is very important to us. We firmly believe that your data belongs to
-you. This is why **we don't store any metric data in Netdata Cloud**.
-
-Your local installations of the Netdata Agent form the basis for the Netdata Cloud. All the data that you see in the web browser when using Netdata Cloud, is actually streamed directly from the Netdata Agent to the Netdata Cloud dashboard.
-The data passes through our systems, but it isn't stored. You can learn more about [the Agent's security design](https://github.com/netdata/netdata/blob/master/docs/netdata-security.md) in the Agent documentation.
-
-However, to be able to offer the stunning visualizations and advanced functionality of Netdata Cloud, it does store a limited number of _metadata_.
-
-## Data Netdata Cloud stores and processes
-
-Let's look at the metadata Netdata Cloud stores using the publicly available demo server `frankfurt.my-netdata.io`:
-
-- The email address you used to sign up/or sign in
-- For each node connected to your Spaces in Netdata Cloud:
-  - Hostname (as it appears in Netdata Cloud)
-  - Information shown in `/api/v1/info`. For example: [https://frankfurt.my-netdata.io/api/v1/info](https://frankfurt.my-netdata.io/api/v1/info).
-  - Metric metadata information shown in `/api/v1/contexts`. For example: [https://frankfurt.my-netdata.io/api/v1/contexts](https://frankfurt.my-netdata.io/api/v1/contexts).
-  - Alarm configurations shown in `/api/v1/alarms?all`. For example: [https://frankfurt.my-netdata.io/api/v1/alarms?all](https://frankfurt.my-netdata.io/api/v1/alarms?all).
-  - Active alarms shown in `/api/v1/alarms`. For example: [https://frankfurt.my-netdata.io/api/v1/alarms](https://frankfurt.my-netdata.io/api/v1/alarms).
-
-How we use them:
-
-- The data is stored in our production database on AWS. Some of it is also used in Google BigQuery, our data lake, for analytics purposes. These analytics are crucial for our product development process.
-- Email is used to identify users in regards to product use and to enrich our tools with product use, such as our CRM. 
-- This data is only available to Netdata and never to a 3rd party.
-
-## Delete all personal data
-
-To remove all personal info we have about you (email and activities) you need to delete your cloud account by logging into https://app.netdata.cloud and accessing your profile, at the bottom left of your screen.
diff --git a/docs/cloud/pci-soc-hipaa.md b/docs/cloud/pci-soc-hipaa.md
deleted file mode 100644
index 9cf716b782..0000000000
--- a/docs/cloud/pci-soc-hipaa.md
+++ /dev/null
@@ -1,29 +0,0 @@
-# PCI DSS, SOC 2 and HIPAA environments
-
-When running Netdata in environments requiring Payment Card Industry Data Security Standard (PCI DSS), Systems and Organization Controls (SOC 2),
-or Health Insurance Portability and Accountability Act (HIPAA) compliance, please keep in mind the following:
-
-## All collected data is always stored inside your infrastructure
-
-Even when you use Netdata Cloud, your data is never stored outside your infrastructure. Dashboard data you view and alert notifications do travel 
-over Netdata Cloud, as they also travel over third party networks, to reach your web browser or the notification integrations you have configured, 
-but Netdata Cloud does not store metric data. It only transforms them as they pass through it, aggregating them from multiple Agents and Parents, 
-to appear as one data source on your browser.
-
-For more information see [Metric Retention - Database](https://github.com/netdata/netdata/blob/master/database/README.md) and 
-[Data Netdata Cloud Stores and Processes](https://github.com/netdata/netdata/blob/master/docs/cloud/data-privacy.md#data-netdata-cloud-stores-and-processes).
-
-## Netdata Parents can be used as Web Application Firewalls (WAFs) for accessing your monitoring data
-
-The Netdata Agents you install on your production systems do not need direct access to the Internet. Even when you use Netdata Cloud, you can appoint 
-one or more Netdata Parents to act as border gateways or application firewalls, isolating your production systems from the rest of the world. Netdata 
-Parents receive metric data from Netdata Agents or other Netdata Parents on one side, and serve most queries using their own copy of the data to satisfy 
-dashboard requests on the other side.
-
-For more information see [Streaming and replication](https://github.com/netdata/netdata/blob/master/docs/metrics-storage-management/enable-streaming.md).
-
-[Functions](https://github.com/netdata/netdata/blob/master/docs/cloud/netdata-functions.md) is currently the only feature that routes requests back to 
-origin Netdata Agents via Netdata Parents. The feature allows Netdata Cloud to send a request to the Netdata Agent data collection plugin running at the 
-edge, to provide additional information, such as the process tree of a server, or the long queries of a DB. 
-
-<!-- You have full control over the available functions. For more information see “Controlling Access to Functions” and “Disabling Functions”. -->
diff --git a/docs/netdata-security.md b/docs/netdata-security.md
index cf0752383e..2ae443855d 100644
--- a/docs/netdata-security.md
+++ b/docs/netdata-security.md
@@ -1,256 +1,184 @@
 # Security design
 
-We have given special attention to all aspects of Netdata, ensuring that everything throughout its operation is as secure as possible. Netdata has been designed with security in mind.
-
-**Table of Contents**
-
-- [Your data is safe with Netdata](#your-data-is-safe-with-netdata)
-- [Your systems are safe with Netdata](#your-systems-are-safe-with-netdata)
-- [Netdata is read-only](#netdata-is-read-only)
-- [Why Netdata should be protected](#why-netdata-should-be-protected)
-- [Protect Netdata from the internet](#protect-netdata-from-the-internet)
-- [Anonymous Statistics](#anonymous-statistics)
-- [Netdata directories](#netdata-directories)
-
-## Your data is safe with Netdata
-
-Netdata collects raw data from many sources. For each source, Netdata uses a plugin that connects to the source (or reads the relative files produced by the source), receives raw data and processes them to calculate the metrics shown on Netdata dashboards.
-
-Even if Netdata plugins connect to your database server, or read your application log file to collect raw data, the product of this data collection process is always a number of **chart metadata and metric values** (summarized data for dashboard visualization). All Netdata plugins (internal to the Netdata daemon, and external ones written in any computer language), convert raw data collected into metrics, and only these metrics are stored in Netdata databases, sent to upstream Netdata servers, or archived to external time-series databases.
-
-> The **raw data** collected by Netdata, does not leave the host when collected. **The only data Netdata exposes are chart metadata and metric values.**
-
-This means that Netdata can safely be used in environments that require the highest level of data isolation (like PCI Level 1).
-
-## Your systems are safe with Netdata
-
-We are very proud that **the Netdata daemon runs as a normal system user, without any special privileges**. This is quite an achievement for a monitoring system that collects all kinds of system and application metrics.
-
-There are a few cases, however, that raw source data are only exposed to processes with escalated privileges. To support these cases, Netdata attempts to minimize and completely isolate the code that runs with escalated privileges.
-
-So, Netdata **plugins**, even those running with escalated capabilities or privileges, perform a **hard coded data collection job**. They do not accept commands from Netdata. The communication is strictly **unidirectional**: from the plugin towards the Netdata daemon. The original application data collected by each plugin do not leave the process they are collected, are not saved and are not transferred to the Netdata daemon. The communication from the plugins to the Netdata daemon includes only chart metadata and processed metric values.
-
-Child nodes use the same protocol when streaming metrics to their parent nodes. The raw data collected by the plugins of
-child Netdata servers are **never leaving the host they are collected**. The only data appearing on the wire are chart
-metadata and metric values. This communication is also **unidirectional**: child nodes never accept commands from
-parent Netdata servers.
-
-## Netdata is read-only
-
-Netdata **dashboards are read-only**. Dashboard users can view and examine metrics collected by Netdata, but cannot instruct Netdata to do something other than present the already collected metrics.
-
-Netdata dashboards do not expose sensitive information. Business data of any kind, the kernel version, O/S version, application versions, host IPs, etc are not stored and are not exposed by Netdata on its dashboards.
-
-## Why Netdata should be protected
-
-Netdata is a monitoring system. It should be protected, the same way you protect all your admin apps. We assume Netdata will be installed privately, for your eyes only.
-
-Upon installation, the Netdata Agent serves the **local dashboard** at port `19999`. If the node is accessible to the
-internet at large, anyone can access the dashboard and your node's metrics at `http://NODE:19999`. We made this decision
-so that the local dashboard was immediately accessible to users, and so that we don't dictate how professionals set up
-and secure their infrastructures. 
+This document serves as the relevant Annex to the [Terms of Service](http://netdata.cloud/service-terms/) and
+the Data Processing Addendum, when applicable. It provides more information regarding Netdata’s technical and organizational security and privacy measures.
 
-Viewers will be able to get some information about the system Netdata is running. This information is everything the dashboard provides. The dashboard includes a list of the services each system runs (the legends of the charts under the `Systemd Services` section),  the applications running (the legends of the charts under the `Applications` section), the disks of the system and their names, the user accounts of the system that are running processes (the `Users` and `User Groups` section of the dashboard), the network interfaces and their names (not the IPs) and detailed information about the performance of the system and its applications.
-
-This information is not sensitive (meaning that it is not your business data), but **it is important for possible attackers**. It will give them clues on what to check, what to try and in the case of DDoS against your applications, they will know if they are doing it right or not.
-
-Also, viewers could use Netdata itself to stress your servers. Although the Netdata daemon runs unprivileged, with the minimum process priority (scheduling priority `idle` - lower than nice 19) and adjusts its OutOfMemory (OOM) score to 1000 (so that it will be first to be killed by the kernel if the system starves for memory), some pressure can be applied on your systems if someone attempts a DDoS against Netdata.
-
-## Protect Netdata from the internet
-
-Instead of dictating how to secure your infrastructure, we give you many options to establish security best practices
-that align with your goals and your organization's standards.
-
-- [Disable the local dashboard](#disable-the-local-dashboard): **Simplest and recommended method** for those who have
-  added nodes to Netdata Cloud and view dashboards and metrics there.
-
-- [Expose Netdata only in a private LAN](#expose-netdata-only-in-a-private-lan). Simplest and recommended method for those who do not use Netdata Cloud.
-
-- [Fine-grained access control](#fine-grained-access-control): Allow local dashboard access from
-  only certain IP addresses, such as a trusted static IP or connections from behind a management LAN. Full support for Netdata Cloud.
-
-- [Use a reverse proxy (authenticating web server in proxy mode)](#use-an-authenticating-web-server-in-proxy-mode): Password-protect 
-  a local dashboard and enable TLS to secure it. Full support for Netdata Cloud.
-
-- [Other methods](#other-methods) list some less common methods of protecting Netdata.
-
-### Disable the local dashboard
+We have given special attention to all aspects of Netdata, ensuring that everything throughout its operation is as secure as possible. Netdata has been designed with security in mind.
 
-This is the _recommended method for those who have connected their nodes to Netdata Cloud_ and prefer viewing real-time
-metrics using the War Room Overview, Nodes view, and Cloud dashboards.
+> When running Netdata in environments requiring Payment Card Industry Data Security Standard (**PCI DSS**), Systems and Organization Controls (**SOC 2**),
+or Health Insurance Portability and Accountability Act (**HIPAA**) compliance, please keep in mind that 
+**even when you use Netdata Cloud, all collected data is always stored inside your infrastructure**. 
 
-You can disable the local dashboard (and API) but retain the encrypted Agent-Cloud link ([ACLK](https://github.com/netdata/netdata/blob/master/aclk/README.md)) that
-allows you to stream metrics on demand from your nodes via the Netdata Cloud interface. This change mitigates all
-concerns about revealing metrics and system design to the internet at large, while keeping all the functionality you
-need to view metrics and troubleshoot issues with Netdata Cloud.
+Dashboard data you view and alert notifications do travel 
+over Netdata Cloud, as they also travel over third party networks, to reach your web browser or the notification integrations you have configured, 
+but Netdata Cloud does not store metric data. It only transforms them as they pass through it, aggregating them from multiple Agents and Parents, 
+to appear as one data source on your browser.
 
-Open `netdata.conf` with `./edit-config netdata.conf`. Scroll down to the `[web]` section, and find the `mode =
-static-threaded` setting, and change it to `none`.
+**Table of Contents**
+- [Cloud design](#cloud-design)
+  - [User identification and authorization](#user-identification-and-authorization)
+  - [Personal Data stored](#personal-data-stored)
+  - [Infrastructure data stored](#infrastructure-data-stored)
+  - [Data transfer](#data-transfer)
+  - [Data retention](#data-retention)
+  - [Data portability and erasure](#data-portability-and-erasure)
+- [Agent design](#agent-design)
+  - [Your data is safe with Netdata](#your-data-is-safe-with-netdata)
+  - [Your systems are safe with Netdata](#your-systems-are-safe-with-netdata)
+  - [Netdata is read-only](#netdata-is-read-only)
+  - [Protect Netdata from the internet](#protect-netdata-from-the-internet)
+  - [Anonymous Statistics](#anonymous-statistics)
+  - [Netdata directories](#netdata-directories)
+- [Organization processes](#organization-processes)
+  - [Employee identification and authorization](#employee-identification-and-authorization)
+  - [Systems security](#systems-security)
 
-```conf
-[web]
-    mode = none
-```
 
-Save and close the editor, then [restart your Agent](https://github.com/netdata/netdata/blob/master/docs/configure/start-stop-restart.md) using `sudo systemctl
-restart netdata`. If you try to visit the local dashboard to `http://NODE:19999` again, the connection will fail because
-that node no longer serves its local dashboard.
+## Cloud design
 
-> See the [configuration basics doc](https://github.com/netdata/netdata/blob/master/docs/configure/nodes.md) for details on how to find `netdata.conf` and use
-> `edit-config`.
+### User identification and authorization
 
-### Expose Netdata only in a private LAN
+Netdata ensures that only an email address is stored to create an account and use the Service. 
+User identification and authorization is done 
+either via third parties (Google, GitHub accounts), or short-lived access tokens, sent to the user’s email account. 
 
-If your organisation has a private administration and management LAN, you can bind Netdata on this network interface on all your servers. This is done in `Netdata.conf` with these settings:
+### Personal Data stored
 
-```
-[web]
-	bind to = 10.1.1.1:19999 localhost:19999
-```
+Netdata ensures that only an email address is stored to create an account and use the Service. The same email 
+address is used for Netdata product and marketing communications (via Hubspot and Sendgrid). 
 
-You can bind Netdata to multiple IPs and ports. If you use hostnames, Netdata will resolve them and use all the IPs (in the above example `localhost` usually resolves to both `127.0.0.1` and `::1`).
+Email addresses are stored in our production database on AWS and copied to Google BigQuery, our data lake, 
+for analytics purposes. These analytics are crucial for our product development process.
 
-**This is the best and the suggested way to protect Netdata**. Your systems **should** have a private administration and management LAN, so that all management tasks are performed without any possibility of them being exposed on the internet.
+If the user accepts the use of analytical cookies, the email address is also stored in the systems we use to track the 
+usage of the application (Posthog and Gainsight PX)
 
-For cloud based installations, if your cloud provider does not provide such a private LAN (or if you use multiple providers), you can create a virtual management and administration LAN with tools like `tincd` or `gvpe`. These tools create a mesh VPN allowing all servers to communicate securely and privately. Your administration stations join this mesh VPN to get access to management and administration tasks on all your cloud servers.
+The IP address used to access Netdata Cloud is stored in web proxy access logs. If the user accepts the use of analytical 
+cookies, the IP is also stored in the systems we use to track the usage of the application (Posthog and Gainsight PX). 
 
-For `gvpe` we have developed a [simple provisioning tool](https://github.com/netdata/netdata-demo-site/tree/master/gvpe) you may find handy (it includes statically compiled `gvpe` binaries for Linux and FreeBSD, and also a script to compile `gvpe` on your macOS system). We use this to create a management and administration LAN for all Netdata demo sites (spread all over the internet using multiple hosting providers).
+### Infrastructure data stored
 
-### Fine-grained access control
+The metric data that you see in the web browser when using Netdata Cloud is streamed directly from the Netdata Agent 
+to the Netdata Cloud dashboard, via the Agent-Cloud link (see [data transfer](#data-transfer)). The data passes through our systems, but it isn’t stored. 
 
-If you want to keep using the local dashboard, but don't want it exposed to the internet, you can restrict access with
-[access lists](https://github.com/netdata/netdata/blob/master/web/server/README.md#access-lists). This method also fully retains the ability to stream metrics
-on-demand through Netdata Cloud.
+The metadata we do store for each node connected to your Spaces in Netdata Cloud is:
+  - Hostname (as it appears in Netdata Cloud)
+  - Information shown in `/api/v1/info`. For example: [https://frankfurt.my-netdata.io/api/v1/info](https://frankfurt.my-netdata.io/api/v1/info).
+  - Metric metadata information shown in `/api/v1/contexts`. For example: [https://frankfurt.my-netdata.io/api/v1/contexts](https://frankfurt.my-netdata.io/api/v1/contexts).
+  - Alarm configurations shown in `/api/v1/alarms?all`. For example: [https://frankfurt.my-netdata.io/api/v1/alarms?all](https://frankfurt.my-netdata.io/api/v1/alarms?all).
+  - Active alarms shown in `/api/v1/alarms`. For example: [https://frankfurt.my-netdata.io/api/v1/alarms](https://frankfurt.my-netdata.io/api/v1/alarms).
 
-The `allow connections from` setting helps you allow only certain IP addresses or FQDN/hostnames, such as a trusted
-static IP, only `localhost`, or connections from behind a management LAN. 
+The infrastructure data is stored in our production database on AWS and copied to Google BigQuery, our data lake, for
+ analytics purposes.
 
-By default, this setting is `localhost *`. This setting allows connections from `localhost` in addition to _all_
-connections, using the `*` wildcard. You can change this setting using Netdata's [simple
-patterns](https://github.com/netdata/netdata/blob/master/libnetdata/simple_pattern/README.md).
+### Data transfer
 
-```conf
-[web]
-    # Allow only localhost connections
-    allow connections from = localhost
+All infrastructure data visible on Netdata Cloud has to pass through the Agent-Cloud link (ACLK) mechanism, which 
+securely connects a Netdata Agent to Netdata Cloud. The Netdata agent initiates and establishes an outgoing secure 
+WebSocket (WSS) connection to Netdata Cloud. The ACLK is encrypted, safe, and is only established if you connect your node. 
 
-    # Allow only from management LAN running on `10.X.X.X`
-    allow connections from = 10.*
+Data is encrypted when in transit between a user and Netdata Cloud using TLS.
 
-    # Allow connections only from a specific FQDN/hostname
-    allow connections from = example*
-```
+### Data retention
 
-The `allow connections from` setting is global and restricts access to the dashboard, badges, streaming, API, and
-`netdata.conf`, but you can also set each of those access lists more granularly if you choose:
+Netdata may maintain backups of Netdata Cloud Customer Content, which would remain in place for approximately thirty 
+(30) days following a deletion in Netdata Cloud. 
 
-```conf
-[web]
-    allow connections from = localhost *
-    allow dashboard from = localhost *
-    allow badges from = *
-    allow streaming from = *
-    allow netdata.conf from = localhost fd* 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.*
-    allow management from = localhost
-```
+### Data portability and erasure
 
-See the [web server](https://github.com/netdata/netdata/blob/master/web/server/README.md#access-lists) docs for additional details about access lists. You can take
-access lists one step further by [enabling SSL](https://github.com/netdata/netdata/blob/master/web/server/README.md#enabling-tls-support) to encrypt data from local
-dashboard in transit. The connection to Netdata Cloud is always secured with TLS.
+Netdata will, as necessary to enable the Customer to meet its obligations under Data Protection Law, provide the Customer 
+via the availability of Netdata Cloud with the ability to access, retrieve, correct and delete the Personal Data stored in 
+Netdata Cloud. The Customer acknowledges that such ability may from time to time be limited due to temporary service outages 
+for maintenance or other updates to Netdata Cloud, or technically not feasible. 
 
-### Use an authenticating web server in proxy mode
+To the extent that the Customer, in its fulfillment of its Data Protection Law obligations, is unable to access, retrieve, 
+correct or delete Customer Personal Data in Netdata Cloud due to prolonged unavailability of Netdata Cloud due to an issue 
+within Netdata’s control, Netdata will where possible use reasonable efforts to provide, correct or delete such Customer Personal Data.
 
-Use one web server to provide authentication in front of **all your Netdata servers**. So, you will be accessing all your Netdata with URLs like `http://{HOST}/netdata/{NETDATA_HOSTNAME}/` and authentication will be shared among all of them (you will sign-in once for all your servers). Instructions are provided on how to set the proxy configuration to have Netdata run behind 
-[nginx](https://github.com/netdata/netdata/blob/master/docs/Running-behind-nginx.md), 
-[HAproxy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-haproxy.md), 
-[Apache](https://github.com/netdata/netdata/blob/master/docs/Running-behind-apache.md), 
-[lighthttpd](https://github.com/netdata/netdata/blob/master/docs/Running-behind-lighttpd.md), 
-[caddy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-caddy.md), and
-[H2O](https://github.com/netdata/netdata/blob/master/docs/Running-behind-h2o.md).
+If a Customer is unable to delete Personal Data via the self-services functionality, then Netdata deletes Personal Data upon 
+the Customer’s written request, within the timeframe specified in the DPA and in accordance with applicable data protection law. 
 
-To use this method, you should firewall protect all your Netdata servers, so that only the web server IP will be allowed to directly access Netdata. To do this, run this on each of your servers (or use your firewall manager):
+#### Delete all personal data
 
-```sh
-PROXY_IP="1.2.3.4"
-iptables -t filter -I INPUT -p tcp --dport 19999 \! -s ${PROXY_IP} -m conntrack --ctstate NEW -j DROP
-```
+To remove all personal info we have about you (email and activities) you need to delete your cloud account by logging into https://app.netdata.cloud and accessing your profile, at the bottom left of your screen. 
 
-*commands to allow direct access to Netdata from a web server proxy*
 
-The above will prevent anyone except your web server to access a Netdata dashboard running on the host.
+## Agent design
 
-For Netdata v1.9+ you can also use `netdata.conf`:
+### Your data is safe with Netdata
 
-```
-[web]
-	allow connections from = localhost 1.2.3.4
-```
+Netdata collects raw data from many sources. For each source, Netdata uses a plugin that connects to the source (or reads the 
+relative files produced by the source), receives raw data and processes them to calculate the metrics shown on Netdata dashboards.
 
-Of course you can add more IPs.
+Even if Netdata plugins connect to your database server, or read your application log file to collect raw data, the product of 
+this data collection process is always a number of **chart metadata and metric values** (summarized data for dashboard visualization). 
+All Netdata plugins (internal to the Netdata daemon, and external ones written in any computer language), convert raw data collected 
+into metrics, and only these metrics are stored in Netdata databases, sent to upstream Netdata servers, or archived to external 
+time-series databases.
 
-For Netdata prior to v1.9, if you want to allow multiple IPs, use this:
+The **raw data** collected by Netdata does not leave the host when collected. **The only data Netdata exposes are chart metadata and metric values.**
 
-```sh
-# space separated list of IPs to allow access Netdata
-NETDATA_ALLOWED="1.2.3.4 5.6.7.8 9.10.11.12"
-NETDATA_PORT=19999