
Session Replay privacy excellence

Deploy Session Replay with ease and join other Dynatrace customers who use Session Replay in highly regulated sectors, including government, healthcare, and banking.

On this page, you'll find guidelines and answers to your questions on how to roll out Session Replay within your organization. Along the way, we'll show how to fine-tune Session Replay settings so that you get valuable insights into your end users' experiences while respecting their privacy.


The following sections provide you with guidance and answers to essential questions on Session Replay. Feel free to jump to the sections that interest you.

| Question | Section |
|---|---|
| What is Session Replay? | Introduction to Session Replay |
| Why is Session Replay safe to use? | FAQ on Session Replay privacy and security |
| How can I implement Session Replay safely and smoothly? | Deploy Session Replay for web applications; Deploy Session Replay for mobile apps |
| Where can I see Session Replay in action? | Seeing is believing |
| Where can I learn more? | Customers by sector; Session Replay configuration; Further reading |

Introduction to Session Replay

Session Replay extends Dynatrace Real User Monitoring (RUM) as a powerful tool for visually representing the digital experiences of your end users across relevant devices, form factors, personalizations, and responsive UIs. It helps identify errors, analyzes areas of user struggle, and provides analytical data for your testing teams. Development teams use it to proactively analyze new feature adoption and user experience to make smarter investments in their applications while optimizing business success.

Session Replay for web applications

Session Replay for web applications reviews the content and structure of the monitored webpages. It then applies a masking algorithm to anonymize the content by replacing it with asterisks (*) in the user's browser before any session data is sent to Dynatrace.

By default, the Session Replay masking algorithm masks all content. User input, text, and attribute values are replaced with *****, while images are replaced with a placeholder image. For details, see Personal data captured by Dynatrace > Session Replay.

Masked HTML

Session Replay for web applications does not record a video of your end users' screens. It captures the HTML code changes of your monitored application.

Session Replay for native mobile apps

Currently only for iOS apps

Session Replay for native mobile apps is available only for those sessions that end in a crash. So, even with Session Replay enabled, not all sessions are recorded with Session Replay.

To visually recreate the end user's experience with your app before a crash, Session Replay takes screenshots of the monitored mobile app. To ensure maximum data protection, Session Replay applies a masking algorithm before storing images in the local storage of the end user's mobile device. User input and text are replaced with ***** in the Session Replay timeline and with black boxes in the screenshots, while images are replaced with a black box. For details, see Personal data captured by Dynatrace > Session Replay.

Masked mobile app

Session Replay for native mobile apps only captures screenshots and events from the monitored app; it does not record a video of your end user's screen.

FAQ on Session Replay privacy and security

Session Replay provides best-in-class privacy controls. Read further to learn about data masking, URL exclusion, opt-in mode, and more.

Question | Addressed by Session Replay? | Answer

Can I exclude personal and confidential information?

Checkmark

Yes. All content (text, user input, images, and attribute values) is masked by default in the end user's browser or device, so only masked data is sent to Dynatrace.

You can record additional content by fine-tuning the masking options for your web and mobile apps.

For web applications, you can also use the URL exclusion feature to completely exclude specific URLs from being recorded.

Can I control which sessions are recorded?

Checkmark

Yes. For web applications, enable the opt-in mode, and use the provided API to select where to start or stop recording.

For mobile apps, only sessions ending in a crash are recorded.

Can I control who can change the Session Replay settings?

Checkmark

Yes. Use our fine-grained user permissions and management zones.

Can the end user provide informed consent for data collection?

Checkmark

Yes. For web applications, you can implement this by using the provided API, which allows you to begin recording once the user consents.

For mobile apps, you can also leverage the Session Replay opt-in mode to implement end-user permission for session recording.

Can I control who has access to the recorded data?

Checkmark

Yes. Use our fine-grained user permissions and management zones.

Can I change the data retention period?

Checkmark

Yes. For Dynatrace Managed, you control the retention period (maximum 35 days). For Dynatrace SaaS, the retention period is 35 days.

For details, see Data retention periods.

Is Session Replay data export disallowed?

Checkmark

Yes. Session Replay was intentionally built with data privacy in mind, which is why there's no means of accessing Session Replay data outside of Dynatrace.

Can I fulfill data subject requests easily?

Checkmark

Yes. By design, no personal data is captured. Furthermore, using anonymization and leveraging our masking capabilities can ensure that no personal data is collected, facilitating the handling of data subject requests.

Can I choose the location where my data is stored?

Checkmark

Yes. You can choose the location when setting up your environment.

Is the data encrypted both in transit and at rest?

Checkmark

Yes. For more details, see Data encryption in transit and Data encryption at rest.

Can Dynatrace employees play back my end users' sessions?

Checkmark

Yes. A limited number of authorized Dynatrace employees can view your Session Replay sessions for troubleshooting purposes, and the most restrictive content masking option is always applied. All access events are registered in audit logs. You can get these audit logs via the REST API.

Data protection for Session Replay

Session Replay and Real User Monitoring offer multiple layers of security and data protection to ensure that only the required information is captured and that unauthorized use and changes are prohibited.

  • By default, each user session is anonymized so that the data subject cannot be identified.
  • By default, when Session Replay is enabled, Dynatrace anonymizes all content before any session data is sent to Dynatrace.
  • Full transparency and control are available to users through the opt-in functionality, which you can integrate with your existing consent solution.
  • For Session Replay for mobile apps, only sessions ending in a crash are sent to Dynatrace.
  • Session Replay allows for tightly controlled settings for specific purpose-based insights into user experience.
    • What can be recorded:
      • You can define specific masking rules for session recording, leveraging preconfigured options.
      • You can exclude specific webpages from being recorded.
    • What can be played back:
      • You can define specific masking rules for session playback, leveraging preconfigured options.
    • Who can see session data:
      • You can apply fine-grained user permissions to allow session playback with or without playback masking rules for specific users.
      • Additionally, you can use management zones to carefully and effectively partition your monitoring environment to limit who has access to specific applications that have recorded sessions.
  • All changes to Session Replay settings are logged in an audit trail.

Deploy Session Replay for web applications

With Dynatrace, you can enable and deploy Session Replay with your existing consent solution and application rollout best practices, providing fine-grained permissions for user session playback.

Follow the steps below to roll out Session Replay for your web applications.

  • Enable Session Replay and start using it right away
  • Integrate Session Replay with your existing consent solution
  • Fine-tune Session Replay in a lower-level environment first
  • Assign permissions to Session Replay users according to their needs

Enable Session Replay and start using it right away

Start using Session Replay in your web applications by simply enabling it in your application settings in the Dynatrace web UI.

  • The default Session Replay settings mask all content before capture, so no personal or associable data is collected, thereby providing best-in-class data privacy.

  • By default, Real User Monitoring does not identify specific users. Instead, it anonymizes each user session.

    Anonymized user session

  • Session Replay automatically responds to end user changes to privacy preferences, such as the "Do not track" browser privacy setting, in real time and complies with them.

Integrate Session Replay with your existing consent solution (optional)

Turn on the Session Replay opt-in mode, and Session Replay won't record anything until the API method to start recording is called. In this way, you can easily integrate Session Replay with your existing consent solution, fully controlling when the opt-in occurs as well as the information presented to your end user for them to opt in. The API also allows opt-out from Session Replay, allowing for fine-grained control over user consent.

Banner example

This step is typically not needed for internal applications because a legal, contractual basis already exists for your own employees, enabling you to seamlessly turn on Session Replay. In this case, you may, at your own discretion, elect not to enable Session Replay opt-in for specific applications.

Fine-tune Session Replay in a lower-level environment first (best practice)

Environments

Start using and fine-tuning Session Replay in a staging environment. Session Replay is flexible and supports your processes by offering a means to fine-tune and later migrate your settings to another environment.

  • Start by enabling Session Replay with the default configuration, shown in the illustration below, in your development or staging environment.

    Mask All by default

    With this configuration, you will get relevant information such as how a page is rendered on a specific device and resolution, how the user navigates the application, and how various help elements like tooltips are used. You can see this by simply recording the page layout and the format of content without capturing personal data. The image below shows Session Replay for our own web UI with all content masked (Mask all content masking option).

    Playback Mask all

  • If you need to see more information, gradually fine-tune what is recorded and masked by leveraging the rich set of preconfigured masking options. For instance, you can use the Allow list content masking option. This option gives you complete flexibility in what is captured but is based on safe defaults. This means that nothing else is recorded beyond what you allow.

    In the example shown below, a masking rule was defined to record only the content shown in the Dynatrace timeframe selector.

    Playback allow list

  • Adjust the cost control setting for Session Replay to limit the number of recorded sessions as part of risk management.

  • Exclude non-relevant pages that you may not want or need to record for your specific purposes. Use the URL exclusion setting to specify URLs that you want to exclude.

    URL exclusion

  • Export the configuration to your production environment by using the provided configuration API. For more details, check the links under Further reading.

Assign permissions to Session Replay users according to their needs

By default, all your Dynatrace users have access to session playback with the most restrictive set of masking rules applied.

During the recording (called "at capture"), all content is anonymized by default in the browser before this data is sent to Dynatrace. During the playback (called "at display"), all content is anonymized again by default as a risk management measure, preventing the viewing of personal data by your Dynatrace users.

To gain greater insight into user experience, you may elect not to anonymize some content at capture and at display. Additionally, you can decide who can play back user sessions by utilizing user permissions and management zones.
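
The two masking stages described above (at capture, then again at display) can be modelled as follows. This is an added illustration, not Dynatrace code or its actual masking algorithm; the node shape, the id-based allow list, and the `replayWithoutMasking` viewer flag are assumptions made for the example.

```javascript
// Illustrative model only: node shape, id-based allow list and viewer flag are assumptions.
const MASK = "*****";
const PLACEHOLDER_IMG = "placeholder.png"; // constructed value

// Mask everything unless the node, or one of its ancestors, is on the allow list.
// Tag names, ids and tree structure are kept so the layout can still be replayed.
function maskTree(node, allowIds, inherited = false) {
  const visible = inherited || allowIds.has(node.id);
  const out = { tag: node.tag, id: node.id };
  if (node.text !== undefined) out.text = visible ? node.text : MASK;
  if (node.value !== undefined) out.value = visible ? node.value : MASK;
  if (node.src !== undefined) out.src = visible ? node.src : PLACEHOLDER_IMG;
  if (node.attrs) {
    out.attrs = Object.fromEntries(
      Object.entries(node.attrs).map(([k, v]) => [k, visible ? v : MASK]));
  }
  out.children = (node.children || []).map((c) => maskTree(c, allowIds, visible));
  return out;
}

// "At capture": runs on the client, so only the masked tree is ever sent.
function capture(dom, recordingAllowList = []) {
  return maskTree(dom, new Set(recordingAllowList));
}

// "At display": masks again for the viewer unless playback masking is disabled for them.
function display(recorded, playbackAllowList = [], viewer = {}) {
  if (viewer.replayWithoutMasking) return recorded;
  return maskTree(recorded, new Set(playbackAllowList));
}

const byId = (tree, id) => tree.children.find((c) => c.id === id);

// Constructed sample page.
const page = { tag: "div", id: "root", children: [
  { tag: "h1", id: "title", text: "Account overview" },
  { tag: "input", id: "iban", value: "DE00 1234 5678", attrs: { placeholder: "IBAN" } },
  { tag: "img", id: "avatar", src: "/users/42.png" },
  { tag: "span", id: "timeframe", text: "Last 2 hours" },
] };

// Recording allows the title and timeframe; playback allows only the timeframe.
const recorded = capture(page, ["title", "timeframe"]);
const masked = display(recorded, ["timeframe"], { replayWithoutMasking: false });
const unmasked = display(recorded, [], { replayWithoutMasking: true });

console.log("masked viewer sees title:", byId(masked, "title").text);
console.log("unmasked viewer sees IBAN:", byId(unmasked, "iban").value);
```

In this model, a viewer with playback masking disabled still sees only what was allowed at capture, because content masked on the client is never part of the recorded data.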

Depending on the needs of your Dynatrace users, assign the following Session Replay permissions:

  • For users that don't need to play back sessions, disable the Replay session data and Replay session data without masking permissions in user and group settings.

    No playback permissions

  • For users that need to play back user sessions for specific purposes, such as improving user experience, but don't need to see all captured information, assign the Replay session data permission.

    Replay with masking

  • For users that need to play back sessions and see all recorded information, such as a developer addressing a support case, assign the Replay session data without masking user permission. This disables playback masking controls. This permission is disabled by default for all users.

    Replay without masking

The ability to view and play back user sessions is further protected by management zones. If a user session traverses applications within different management zones, Dynatrace users with Session Replay permissions may only view those parts of the session associated with applications in the management zones that they have access to.

Management zone restrictions for Session Replay

You determine who can modify the Session Replay settings through role-based authorization. All changes to the settings are logged in an audit trail that is directly accessible to you.

Deploy Session Replay for mobile apps

Currently only for iOS apps

Roll out Session Replay on crashes safely and successfully for your native mobile apps.

This section is only relevant for native mobile apps. If you have a web-based app or a web application accessed from a mobile device, refer to Deploy Session Replay for web applications.

Follow the steps below to deploy Session Replay for your mobile apps.

  • Instrument your app
  • Assign permissions to Session Replay users according to their needs
  • Enable Session Replay in production

Instrument your app

  • Add the Session Replay dependency to your application code.

    Session Replay can only operate for a mobile app once developers introduce changes in application code to include the Session Replay dependency. The required changes are explained in the Dynatrace web UI. For detailed instructions, see Enable Session Replay on crashes for iOS apps.

    Once the dependency is included, Session Replay is enabled.

  • Adjust the masking settings.

    By default, Session Replay does not record any text, user input, and images. Session Replay only captures the framing and positioning of elements and user interactions with your app. If you need to change the default masking strategy for content capture, you can do so during instrumentation with just a few lines of code. For detailed instructions, see Enable Session Replay on crashes > Mask sensitive data.

    The image below shows examples of different masking options applied to the same screen. There are two predefined options to mask all the information (Safest level, which is the default one) and to mask the text entered by the user (Safe level) (developers need to add only one line of code to implement this option). If you need to record more information, one option is to opt for the Custom level, which records only the controls you specify.

    Session Replay masking for mobile

  • (Optional) Include Session Replay in your consent solution.

    We offer an API that enables you to integrate Session Replay with your existing consent solution.

    Once your consent solution is updated to include a transparent description of Session Replay, it can use the Dynatrace API to enable Session Replay. The API also allows opt out from Session Replay, allowing for fine-grained control over user consent in your mobile app.

    The image below is an example consent solution visible to the end user to enable Session Replay to capture sessions when a crash occurs.

    User opt-in mode for Session Replay mobile

Assign permissions to Session Replay users according to their needs

For Session Replay on crashes, you can control who has the ability to play back captured user sessions.

Users with the Replay session data or Replay session data without masking permissions can view session recordings. Both of these permissions behave in almost the same way, allowing access to user-session playback as recorded.

For more details, see Configure Session Replay > User permissions and management zone.

Enable Session Replay in production

Once you've tested your app instrumentation in development and staging environments, it's time to enable Session Replay in production.

Seeing is believing

Check out our videos of user session playback to see exactly how Session Replay implements masking.

The first video shows a user session in the Dynatrace web UI with the Mask all content masking option implemented. Notice that all the text is masked, but you can still see how the user interacts with non-clickable elements on the page.

The video below of Session Replay for mobile shows user interactions with a mobile app where sensitive user information, such as username and password, has been masked by enabling the Custom masking level.

Customers by sector

Dynatrace Session Replay is currently [1] used by customers in highly regulated environments:

| Sector | Number of clients |
|---|---|
| Government | 64 |
| Banking and finance | 96 |
| Healthcare | 18 |

[1] As of November 1, 2021

Session Replay configuration

Check the Session Replay default configuration and web UI for masking options and other settings.

Session Replay default configuration

Session Replay is disabled by default for all applications. Once you enable Session Replay, the default settings are as follows:

| Application type | Setting name | Default | Screenshots |
|---|---|---|---|
| Web | Session Replay opt-in mode | Disabled | Enable Session Replay opt-in mode |
| Web | URL exclusion | Empty list (no URLs are excluded) | URL exclusion configuration |
| Web | Content masking preferences - Recording masking settings | Mask all | Masking configuration: default options for recording (Recording Mask all setting); recommended approach to making changes (Allow list setting) |
| Web | Content masking preferences - Playback masking settings | Mask all | Masking configuration: default options for playback (Playback Mask all setting) |
| Web | Do Not Track | Comply with 'Do Not Track' browser settings: capture anonymous user sessions for "Do Not Track"-enabled browsers | Comply with Do Not Track browser setting |
| Web, Mobile | User permissions | Replay session data permission is enabled for all users | User permissions (Replay with masking) |

Recommended approach to making changes to the masking configuration: Start using the default values and then gradually develop an Allow list to define which elements to record and to show during the replay.

Further reading

Below, you can find more information on Session Replay for your web and mobile applications.

General

  • Session Replay
  • Technical restrictions for Session Replay for web applications
  • Personal data captured by Dynatrace > Session Replay
  • Blog post Best-in-class privacy broadens applicability of visual Session Replay for web and mobile

Session Replay—web applications

  • Enable Session Replay for web applications
  • Configure Session Replay for web applications
  • Web application configuration API: Update general settings and Update data privacy settings
  • Blog post Understand customer experience with Session Replay without compromising data privacy
  • Blog post Gain broader applicability for Session Replay through easier, automated, and GDPR-compliant masking presets

Session Replay—mobile apps

  • Session Replay on crashes
  • Mobile and custom app API: Update app settings
  • Blog post Understand and replay iOS app crashes with Session Replay