Session Replay privacy excellence
Deploy Session Replay with ease and join other Dynatrace customers who use Session Replay in highly regulated sectors, including government, healthcare, and banking.
On this page, you'll find guidelines and answers to your questions on how to roll out Session Replay within your organization. Along the way, we'll show how to fine-tune Session Replay settings so that you get valuable insights into your end users' experiences while respecting their privacy.
Download PDF
Download an abridged PDF version of this page for your privacy and security team
The following sections provide you with guidance and answers to essential questions on Session Replay. Feel free to jump to the sections that interest you.
| Question | Section |
|---|---|
| What is Session Replay? | Introduction to Session Replay |
| Why is Session Replay safe to use? | FAQ on Session Replay privacy and security |
| How can I implement Session Replay safely and smoothly? | Deploy Session Replay for web applications Deploy Session Replay for mobile apps |
| Where can I see Session Replay in action? | Seeing is believing |
| Where can I learn more? | Customers by sector Session Replay configuration Further reading |
Introduction to Session Replay
Session Replay extends Dynatrace Real User Monitoring (RUM) as a powerful tool for visually representing the digital experiences of your end users across relevant devices, form factors, personalizations, and responsive UIs. It helps identify errors, analyzes areas of user struggle, and provides analytical data for your testing teams. Development teams use it to proactively analyze new feature adoption and user experience to make smarter investments in their applications while optimizing business success.
Session Replay for web applications
Session Replay for web applications reviews the content and structure of the monitored webpages. It then applies a masking algorithm to anonymize the content by replacing it with asterisks (*) in the user's browser before any session data is sent to Dynatrace.
By default, the Session Replay masking algorithm masks all content. User input, text, and attributes values are replaced with *****, while images are replaced with a placeholder image. For details, see Personal data captured by Dynatrace > Session Replay.
Session Replay for web applications does not record a video of your end users' screens. It captures the HTML code changes of your monitored application.
Session Replay for native mobile apps
Currently only for iOS apps
Session Replay for native mobile apps is available only for those sessions that end in a crash. So, even with Session Replay enabled, not all sessions are recorded with Session Replay.
To visually recreate the end user's experience with your app before a crash, Session Replay takes screenshots of the monitored mobile app. To ensure maximum data protection, Session Replay applies a masking algorithm before storing images in the local storage of the end user's mobile device. User input and text are replaced with ***** in the Session Replay timeline and with black boxes in the screenshots, while images are replaced with a black box. For details, see Personal data captured by Dynatrace > Session Replay.
Session Replay for native mobile apps only captures screenshots and events from the monitored app; it does not record a video of your end user's screen.
FAQ on Session Replay privacy and security
Session Replay provides best-in-class privacy controls. Read further to learn about data masking, URL exclusion, opt-in mode, and more.
| Question | Addressed by Session Replay? | Answer |
|---|---|---|
Can I exclude personal and confidential information? |
| Yes. All content—text, user input, images, and attributes values—is masked by default in the end user's browser or device, so only masked data is sent to Dynatrace. You can record additional content by fine-tuning the masking options for your web and mobile apps. For web applications, you can also use the URL exclusion feature to completely exclude specific URLs from being recorded. |
Can I control which sessions are recorded? |
| Yes. For web applications, enable the opt-in mode, and use the provided API to select where to start or stop recording. For mobile apps, only sessions ending in a crash are recorded. |
Can I control who can change the Session Replay settings? |
| Yes. Use our fine-grained user permissions and management zones. |
Can the end user provide informed consent for data collection? |
| Yes. For web applications, you can implement this by using the provided API, which allows you to begin recording once the user consents. For mobile apps, you can also leverage the Session Replay opt-in mode to implement end-user permission for session recording. |
Can I control who has access to the recorded data? |
| Yes. Use our fine-grained user permissions and management zones. |
Can I change the data retention period? |
| Yes. For Dynatrace Managed, you control the retention period (maximum 35 days). For Dynatrace SaaS, the retention period is 35 days. For details, see Data retention periods. |
Is Session Replay data export disallowed? |
| Yes. Session Replay was intentionally built with data privacy in mind, which is why there's no means of accessing Session Replay data outside of Dynatrace. |
Can I fulfill data subject requests easily? |
| Yes. By design, no personal data is captured. Furthermore, using anonymization and leveraging our masking capabilities can ensure that no personal data is collected, facilitating the handling of data subject requests. |
Can I choose the location where my data is stored? |
| Yes. You can choose the location when setting up your environment. |
Is the data encrypted both in transit and at rest? |
| Yes. For more details, see Data encryption in transit and Data encryption at rest. |
Can Dynatrace employees play back my end users' sessions? |
| Yes. A limited number of authorized Dynatrace employees can view your Session Replay sessions for troubleshooting purposes, and the most restrictive content masking option is always applied. All access events are registered in audit logs. You can get these audit logs via the REST API. |
Data protection for Session Replay
Session Replay and Real User Monitoring offer multiple layers of security and data protection to ensure that only the required information is captured and that unauthorized use and changes are prohibited.
- By default, each user session is anonymized so that the data subject cannot be identified.
- By default, when Session Replay is enabled, Dynatrace anonymizes all content before any session data is sent to Dynatrace.
- Full transparency and control are available to users through the opt-in functionality, which you can integrate with your existing consent solution.
- For Session Replay for mobile apps, only sessions ending in a crash are sent to Dynatrace.
- Session Replay allows for tightly controlled settings for specific purpose-based insights into user experience.
- What can be recorded:
- You can define specific masking rules for session recording, leveraging preconfigured options.
- You can exclude specific webpages from being recorded.
- What can be played back
- You can define specific masking rules for session playback, leveraging preconfigured options.
- Who can see session data:
- You can apply fine-grained user permissions to allow session playback with or without playback masking rules for specific users.
- Additionally, you can use management zones to carefully and effectively partition your monitoring environment to limit who has access to specific applications that have recorded sessions.
- What can be recorded:
- All changes to Session Replay settings are logged in an audit trail.
Deploy Session Replay for web applications
With Dynatrace, you can enable and deploy Session Replay with your existing consent solution and application rollout best practices, providing fine-grained permissions for user session playback.
Follow the steps below to roll out Session Replay for your web applications.
Enable Session Replay and start using it right away
Integrate Session Replay with your existing consent solution
Fine-tune Session Replay in a lower-level environment first
Assign permissions to Session Replay users according to their needs
Enable Session Replay and start using it right away
Start using Session Replay in your web applications by simply enabling it in your application settings in the Dynatrace web UI.
-
The default Session Replay settings mask user input before capture, so no personal or associable data is collected, thereby providing best-in-class data privacy.
-
By default, Real User Monitoring does not identify specific users. Instead, it anonymizes each user session.
-
Session Replay automatically responds to end user changes to privacy preferences, such as the "Do not track" browser privacy setting, in real time and complies with them.
Integrate Session Replay with your existing consent solution optional
Turn on the Session Replay opt-in mode, and Session Replay won't record anything until the API method to start recording is called. In this way, you can easily integrate Session Replay with your existing consent solution, fully controlling when the opt-in occurs as well as the information presented to your end user for them to opt in. The API also allows opt-out from Session Replay, allowing for fine-grained control over user consent.
This step is typically not needed for internal applications because a legal, contractual basis already exists for your own employees, enabling you to seamlessly turn on Session Replay. In this case, you may, at your own discretion, elect not to enable Session Replay opt-in for specific applications.
Fine-tune Session Replay in a lower-level environment first best practice
Start using and fine-tuning Session Replay in a staging environment. Session Replay is flexible and supports your processes by offering a means to fine-tune and later migrate your settings to another environment.
-
Start by enabling Session Replay with the default configuration, shown in the illustration below, in your development or staging environment.
With this configuration, you get relevant information such as how a page is rendered on a specific device and resolution, how the user navigates the application, and how various help elements like tooltips are used. You can see this by simply recording the page layout and the format of content without capturing personal data. The image below shows Session Replay for our own web UI with all content masked (Mask all content masking option). Note, however, that the default masking option is Mask user input.
The default masking option was changed to Mask user input starting with Dynatrace version 1.262. Before that, the default option was Mask all.
-
If you need to see more information, gradually fine-tune what is recorded and masked by leveraging the rich set of preconfigured masking options. For instance, you can use the Allow list content masking option. This option gives you complete flexibility in what is captured but is based on safe defaults. This means that nothing else is recorded beyond what you allow.
In the example shown below, a masking rule was defined to record only the content shown in the Dynatrace timeframe selector.
-
Adjust the cost control setting for Session Replay to limit the number of recorded sessions as part of risk management.
-
Exclude non-relevant pages that you may not want or need to record for your specific purposes. Use the URL exclusion setting to specify URLs that you want to exclude.
-
Export the configuration to your production environment by using the provided configuration API. For more details, check the links under Further reading.
Assign permissions to Session Replay users according to their needs
By default, all your Dynatrace users have access to session playback with the most restrictive set of masking rules applied.
During the recording (called "at capture"), all content is anonymized by default in the browser before this data is sent to Dynatrace. During the playback (called "at display"), all content is anonymized again by default as a risk management measure, preventing the viewing of personal data by your Dynatrace users.
To gain greater insight into user experience, you may elect not to anonymize some content at capture and at display. Additionally, you can decide who can play back user sessions by utilizing user permissions and management zones.
Depending on the needs of your Dynatrace users, assign the following Session Replay permissions:
-
For users that don't need to play back sessions, disable the Replay session data and Replay session data without masking permissions in user and group settings.
-
For users that need to play back user sessions for specific purposes, such as improving user experience, but don't need to see all captured information, assign the Replay session data permission.
-
For users that need to play back sessions and see all recorded information, such as a developer addressing a support case, assign the Replay session data without masking user permission. This disables playback masking controls. This permission is disabled by default for all users.
The ability to view and play back user sessions is further protected by management zones. If a user session traverses applications within different management zones, Dynatrace users with Session Replay permissions may only view those parts of the session associated with applications in the management zones that they have access to.
You determine who can modify the Session Replay settings through role-based authorization. All changes to the settings are logged in an audit trail that is directly accessible to you.
Deploy Session Replay for mobile apps
Currently only for iOS apps
Roll out Session Replay on crashes safely and successfully for your native mobile apps.
This section is only relevant for native mobile apps. If you have a web-based app or a web application accessed from a mobile device, refer to Deploy Session Replay for web applications.
Follow the steps below to deploy Session Replay for your mobile apps.
Instrument your app
Assign permissions to SR users according to their needs
Enable Session Replay in production
Instrument your app
-
Add the Session Replay dependency to your application code.
Session Replay can only operate for a mobile app once developers introduce changes in application code to include the Session Replay dependency. The required changes are explained in the Dynatrace web UI. For detailed instructions, see Enable Session Replay on crashes for iOS apps.
Once the dependency is included, Session Replay is enabled.
-
Adjust the masking settings.
By default, Session Replay does not record any text, user input, and images. Session Replay only captures the framing and positioning of elements and user interactions with your app. If you need to change the default masking strategy for content capture, you can do so during instrumentation with just a few lines of code. For detailed instructions, see Enable Session Replay on crashes > Mask sensitive data.
The image below shows examples of different masking options applied to the same screen. There are two predefined options to mask all the information (Safest level, which is the default one) and to mask the text entered by the user (Safe level) (developers need to add only one line of code to implement this option). If you need to record more information, one option is to opt for the Custom level, which records only the controls you specify.
-
optional Include Session Replay in your consent solution.
We offer an API that enables you to integrate Session Replay with your existing consent solution.
Once your consent solution is updated to include a transparent description of Session Replay, it can use the Dynatrace API to enable Session Replay. The API also allows opt out from Session Replay, allowing for fine-grained control over user consent in your mobile app.
The image below is an example consent solution visible to the end user to enable Session Replay to capture sessions when a crash occurs.
Assign permissions to Session Replay users according to their needs
For Session Replay on crashes, you can control who has the ability to play back captured user sessions.
Users with the Replay session data or Replay session data without masking permissions can view session recordings. Both these permissions behave almost in the same way, allowing access to user-session playback as recorded.
For more details, see Configure Session Replay > User permissions and management zone.
Enable Session Replay in production
Once you've tested your app instrumentation in development and staging environments, it's time to enable Session Replay in production.
Seeing is believing
Check out our videos of user session playback to see exactly how Session Replay implements masking.
The first video shows a user session in the Dynatrace web UI with the Mask all content masking option implemented. You can notice that all the text is masked, but you can still see how the user interacts with non-clickable elements on the page.
The video below of Session Replay for mobile shows user interactions with a mobile app where sensitive user information, such as username and password, has been masked by enabling the Custom masking level.
Customers by sector
Dynatrace Session Replay is currently 1 used by customers in highly regulated environments:
| Sector | Number of clients |
|---|---|
| Government | 64 |
| Banking and finance | 96 |
| Healthcare | 18 |
1 As of November 1, 2021 |
Session Replay configuration
Check the Session Replay default configuration and web UI for masking options and other settings.
Session Replay default configuration
Session Replay is disabled by default for all applications. Once you enable Session Replay, the defaults settings are as follows:
| Application type | Setting name | Default | Screenshots |
|---|---|---|---|
Web | Disabled | ||
Web | Empty list (no URLs are excluded) | ||
Web | Content masking preferences - Recording masking settings | Mask user input | Masking configuration: recommended approach to making changes Start using the default values and then gradually develop an Allow list to define which elements to record and to show during the replay.
|
Web | Content masking preferences - Playback masking settings | Mask user input | |
Web | Comply with 'Do Not Track' browser settings — Capture anonymous user sessions for "Do Not Track"-enabled browsers | ||
Web Mobile | Replay session data permission is enabled for all users |
Further reading
Below, you can find more information on Session Replay for your web and mobile applications.
General
- Session Replay
- Technical restrictions for Session Replay for web applications
- Personal data captured by Dynatrace > Session Replay
- Blog post Best-in-class privacy broadens applicability of visual Session Replay for web and mobile
Session Replay—web applications
- Enable Session Replay for web applications
- Configure Session Replay for web applications
- Web application configuration API: Update general settings and Update data privacy settings
- Blog post Understand customer experience with Session Replay without compromising data privacy
- Blog post Gain broader applicability for Session Replay through easier, automated, and GDPR-compliant masking presets
Session Replay—mobile apps
- Session Replay on crashes
- Mobile and custom app API: Update app settings
- Blog post Understand and replay iOS app crashes with Session Replay