PII masking

Opt-in. Regex on email / phone / card / IBAN / API keys before cache hashing.

PII masking is an opt-in pipeline stage that runs on every incoming prompt before any embedding, caching, logging or provider call. It replaces matches with typed placeholders (<EMAIL_1>, <PHONE_1>, …) and feeds the masked prompt forward.

Patterns detected

  • Email addresses
  • Phone numbers (international and national formats)
  • Credit card numbers (Luhn-checked)
  • IBAN (ISO 13616-validated)
  • Known API key prefixes (sk-..., sk-ant-..., AIza..., hw_live_..., and a configurable list)

Configuration

Enable it per workspace in Dashboard → Privacy → PII Masking. Choose which pattern families to mask, and add custom regex patterns. Choose between provider-side masking (the prompt is masked before the provider call) and cache-only masking (the prompt is masked before embedding / cache lookup, but the raw prompt, PII included, is still sent upstream).

Works with Scale+ semantic cache

When both features are on, masking runs before embedding — two users asking the same question with different email addresses hit the same cache entry.
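The following is an added example, not the product's own code: a sketch of the masking stage for two of the pattern families (email and Luhn-checked cards), showing typed placeholders and why prompts that differ only in PII map to the same cache key. The regexes, function names, the rule that a repeated value reuses its placeholder, and SHA-256 as a stand-in for the cache key are all assumptions.

```python
import hashlib
import re

# Illustrative patterns (assumptions); the product's real regexes are not shown on the page.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(prompt: str) -> tuple[str, dict[str, str]]:
    """Return (masked prompt, placeholder -> original value)."""
    seen: dict[tuple[str, str], str] = {}  # (kind, value) -> placeholder
    counts: dict[str, int] = {}

    def placeholder(kind: str, value: str) -> str:
        if (kind, value) not in seen:
            counts[kind] = counts.get(kind, 0) + 1
            seen[(kind, value)] = f"<{kind}_{counts[kind]}>"
        return seen[(kind, value)]

    def card_sub(m: re.Match) -> str:
        # Mask only digit runs that pass Luhn, so order IDs and the like survive.
        return placeholder("CARD", m.group()) if luhn_ok(m.group()) else m.group()

    out = EMAIL_RE.sub(lambda m: placeholder("EMAIL", m.group()), prompt)
    out = CARD_RE.sub(card_sub, out)
    return out, {ph: value for (_, value), ph in seen.items()}


def cache_key(prompt: str) -> str:
    """Hash the masked prompt, so the key never depends on the PII values."""
    return hashlib.sha256(mask(prompt)[0].encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample prompt: a test card number plus a 16-digit ID that fails Luhn.
    print(mask("Refund alice@example.com, card 4111 1111 1111 1111, order 1234567890123456"))
```

The placeholder-to-value map returned by `mask` holds the raw PII, so it needs the same handling as the unmasked prompt and should stay out of logs and cache entries.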