What data from my application exactly is Tideways collecting?

Tideways collects different kinds of data from your application that we can group into three categories:

  • Request Monitoring data

  • Timeline Traces and Callgraph Profiles

  • Errors and Exception

The following documentation chapter explains in detail what information we retrieve from your application for each of the three categories.

Whenever we collect data that could potentially contain user data then we require you to opt-in to the collection of this data. By default we are very careful collecting as little data as possible to provide valuable information to you.

Request Monitoring Data

For every production server that continuously monitors your application, we collect the response time, memory consumption and transaction name for every request.

We also collect the name of your servers we are sending from, but you can control this with the  --hostname flag passed to the daemon.

Monitoring data can include information such as your used PHP version, different extensions and the URL that was visited.

Timeline Traces and Callgraph Profiles

For Callgraph profiling data, we collect Parent-Child call stack information, for example:

<code>main(), 1 Call, 20ms Wall-Time, 19ms CPU time, 0.1 KB Memory main()==>foo, 1 Call, 20ms Wall-Time, 19ms CPU time, 0.1 KB Memory foo==>strlen, 1 Call, 17ms Wall-Time, 16ms CPU time, 0.1 KB Memory

Callgraph profiles never contain function arguments only the function names itself. The collected data is in the same format that XHProf collects and you can check the public source code of the Tideways C extension and the PHP library wrapped around it to see what data we are collecting.

For timeline tracing we look at several interesting events happening in your code, such as cURL HTTP requests or SQL queries. We collect these calls including some function arguments and filter them on the Tideways daemon running on your machine.

SQL queries with input data never leaves your server. By default all SQL statements are only passed as summary in the form  SELECT|UPDATE|INSERT|DELETE table to Tideways. Only if you opt-in are we collecting anonymized versions of your queries where all literal strings, floats, booleans and numbers are replaced with placeholders.

Timeline tracing can contain information such as:

  • Anonymized SQL Queries using either just a summary or a more complete query (configurable by you).

  • Target URL of cURL or other HTTP request

  • Name of a template when using Twig, Smarty or other template engines.

  • Event names for Event Dispatcher implementations of various frameworks

  • Controller Names

  • Garbage Collection information

The Timeline Tracing API allows you to pass arbitrary data to Tideways through the Custom Instrumentation API. We cannot control or anonymize this information and you are responsible for not transmitting user data as per paragraph 19 of our Terms of Service.

Information that we are not collecting that other Profiling or Tracing services usually collect:

  • Cookies of users

  • Environment Variables

  • GET, POST, SESSION or other request data

You can opt-in to sending us non-critical data yourself by using the custom instrumentation API only by white-listing it manually.

Error and Exception Data

If enabled by you explicitly we collect error and exception data including:

  • Type of the Exception class or Error

  • An anonymized version of your Exception or PHP (Fatal-) Error Message. We do our best to have an up to date database of exceptions that could contain private information and strip this before transmitting to Tideways. One example here is PDOException containing username and password.

  • A stack trace with types of the arguments only, not with the actual values of the callstack arguments.

If you want, we can also collect and transmit the PHP code (5 lines before and after) the error or exception occurred, but this is optional and off by default.

Information about errors that we are not collecting that other services usually collect:

  • Cookies of users

  • Environment Variables

  • IP Address, Browser and other identifying values

  • GET, POST, SESSION or other request data

You can opt-in to sending us non-critical data yourself by using the custom instrumentation API only by white-listing it manually.

Still need help? Email [email protected]