Skip to main content

PII Masking

PII (Personally Identifiable Information) masking automatically redacts sensitive data with your regex rules so it never reaches the underlying AI model, helping you protect privacy and comply with data protection regulations.

How PII Masking Works

Masking is enforced at the model egress — the moment just before any request is sent to the AI provider. Every outbound request has your current rules applied to all of its text:
  • User questions: the question is masked before it reaches the model.
  • Retrieved context: data-source content pulled in to answer a question is masked before it is sent as context.
  • File attachments: text extracted from documents, logs, PDFs, and Word (DOCX) files, plus the AI-generated descriptions of attached or embedded images, is masked before it reaches the model.
  • Embeddings: text is masked before it is embedded, both at indexing time and at query time.
  • Answers & follow-ups: every step of the answer pipeline is covered.
When a regex pattern matches, it is replaced with the <<LABEL>> format (e.g. <<EMAIL>>, <<SSN>>).
Because masking runs on every request with your current rules, adding, editing, or removing a rule takes effect immediately on the next question — there is no re-indexing step. Data sources are stored as-is and masked live whenever their content is sent to the model.
PII masking is regex-based, so it is ideal for pattern-based PII (emails, IP addresses, phone numbers, IDs). Free-form values like names or company-specific terms that have no fixed pattern are best handled with a custom list rule or a dedicated masking model.
Masking applies to text, not pixels. When you attach an image (or a document with embedded images), the image is sent to the model to be described; text shown inside the image cannot be redacted by a rule. The generated description is masked before it is reused, but the original image still reaches the vision model, so avoid uploading screenshots of highly sensitive data.

Configuration

PII Mask Configuration
Each rule is a Label and a Pattern:
  • Case sensitive: all pattern matching is case-sensitive.
  • PCRE2 standard: patterns follow the Perl Compatible Regular Expressions 2 specification.
  • Validation: invalid patterns are flagged inline; you can also test at regex101.com before saving.
Add rules quickly: click Add rule to add a row, or paste multiple rules at once — paste one rule per line (label and pattern separated by a tab, =, or spaces) into a field and they expand into separate rows.

Example rules

These cover the most common pattern-based PII found in logs and support tickets — network identifiers, addresses, IDs, credential hashes, and tokens. Paste the block straight into the editor (one rule per line: a label, then the pattern) and adjust to your needs:
IP        (?<!\d)(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?!\d)
IPV6      \b(?=[0-9A-Fa-f:]{2,40}[A-Fa-f])(?:[0-9A-Fa-f]{1,4}:){2,7}[0-9A-Fa-f]{1,4}\b
MAC       \b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b
EMAIL     [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}
GUID      \b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b
HASH      \b[0-9a-fA-F]{32,128}\b
JWT       \beyJ[A-Za-z0-9_-]{15,}={0,2}
Environment-specific values (machine names, internal domains, Active Directory accounts) have no universal pattern, so tailor these to your setup — replace the example values with your own:
WINHOST     \bWIN-[A-Z0-9]{6,15}\b
HOSTNAME    \b(?:prod-db-01|app-srv-02)\b
AD_USER     \b(?:CORP|MYDOMAIN)\\[A-Za-z0-9._$-]+
Values with no fixed pattern — like personal or company names — can’t be matched reliably with regex. Mask those with an explicit list rule (e.g. \b(?:Acme Corp|Globex)\b) or a dedicated masking model.

In the chat

Masked values render as labeled chips in the conversation (for example a small EMAIL chip) with a “PII masked” tooltip on hover, so it is clear where sensitive data was redacted. The original value is never shown.
Masked values shown as labeled chips in the chat, with a PII masked tooltip

Analytics

Open Analytics → PII Masking to see masking activity for your Guru:
  • totals and the labels masked most,
  • a breakdown by pipeline stage,
  • recent redacted examples.
Only labels, counts, and value-redacted snippets are stored — the original values are never recorded.