> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gurubase.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# PII Masking

> Step-by-step guide to protecting your sensitive data

## PII Masking

PII (Personally Identifiable Information) masking automatically redacts sensitive data with your regex rules so it never reaches the underlying AI model, helping you protect privacy and comply with data protection regulations.

### How PII Masking Works

Masking is enforced at the **model egress** — the moment just before any request is sent to the AI provider. Every outbound request has your current rules applied to all of its text:

* **User questions**: the question is masked before it reaches the model.
* **Retrieved context**: data-source content pulled in to answer a question is masked before it is sent as context.
* **File attachments**: text extracted from documents, logs, PDFs, and Word (DOCX) files, plus the AI-generated descriptions of attached or embedded images, is masked before it reaches the model.
* **Embeddings**: text is masked before it is embedded, both at indexing time and at query time.
* **Answers & follow-ups**: every step of the answer pipeline is covered.

When a regex pattern matches, it is replaced with the `<<LABEL>>` format (e.g. `<<EMAIL>>`, `<<SSN>>`).

<Note>
  Because masking runs on every request with your **current** rules, adding, editing, or removing a rule takes effect immediately on the next question — there is no re-indexing step. Data sources are stored as-is and masked live whenever their content is sent to the model.
</Note>

PII masking is regex-based, so it is ideal for **pattern-based** PII (emails, IP addresses, phone numbers, IDs). Free-form values like names or company-specific terms that have no fixed pattern are best handled with a custom list rule or a dedicated masking model.

<Warning>
  Masking applies to **text, not pixels**. When you attach an image (or a document with embedded images), the image is sent to the model to be described; text shown inside the image cannot be redacted by a rule. The generated description is masked before it is reused, but the original image still reaches the vision model, so avoid uploading screenshots of highly sensitive data.
</Warning>

### Configuration

<Frame>
  <img src="https://mintcdn.com/gurubase/bGaBPEJlYrFFyb3I/images/pii-masks.png?fit=max&auto=format&n=bGaBPEJlYrFFyb3I&q=85&s=8c712418fc2379ed5c680a7b80389ef9" alt="PII Mask Configuration" width="2419" height="671" data-path="images/pii-masks.png" />
</Frame>

Each rule is a **Label** and a **Pattern**:

* **Case sensitive**: all pattern matching is case-sensitive.
* **PCRE2 standard**: patterns follow the Perl Compatible Regular Expressions 2 specification.
* **Validation**: invalid patterns are flagged inline; you can also test at [regex101.com](https://regex101.com/) before saving.

**Add rules quickly:** click **Add rule** to add a row, or **paste multiple rules at once** — paste one rule per line (label and pattern separated by a tab, `=`, or spaces) into a field and they expand into separate rows.

### Example rules

These cover the most common pattern-based PII found in logs and support tickets — network identifiers, addresses, IDs, credential hashes, and tokens. Paste the block straight into the editor (one rule per line: a label, then the pattern) and adjust to your needs:

```text theme={null}
IP        (?<!\d)(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?!\d)
IPV6      \b(?=[0-9A-Fa-f:]{2,40}[A-Fa-f])(?:[0-9A-Fa-f]{1,4}:){2,7}[0-9A-Fa-f]{1,4}\b
MAC       \b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b
EMAIL     [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}
GUID      \b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b
HASH      \b[0-9a-fA-F]{32,128}\b
JWT       \beyJ[A-Za-z0-9_-]{15,}={0,2}
```

**Environment-specific values** (machine names, internal domains, Active Directory accounts) have no universal pattern, so tailor these to your setup — replace the example values with your own:

```text theme={null}
WINHOST     \bWIN-[A-Z0-9]{6,15}\b
HOSTNAME    \b(?:prod-db-01|app-srv-02)\b
AD_USER     \b(?:CORP|MYDOMAIN)\\[A-Za-z0-9._$-]+
```

<Tip>
  Values with no fixed pattern — like personal or company names — can't be matched reliably with regex. Mask those with an explicit list rule (e.g. `\b(?:Acme Corp|Globex)\b`) or a dedicated masking model.
</Tip>

### In the chat

Masked values render as labeled chips in the conversation (for example a small `EMAIL` chip) with a "PII masked" tooltip on hover, so it is clear where sensitive data was redacted. The original value is never shown.

<Frame>
  <img src="https://mintcdn.com/gurubase/bGaBPEJlYrFFyb3I/images/pii-pills-chat.png?fit=max&auto=format&n=bGaBPEJlYrFFyb3I&q=85&s=b3a1bdb446063e1269dde32c9ca01738" alt="Masked values shown as labeled chips in the chat, with a PII masked tooltip" width="1787" height="180" data-path="images/pii-pills-chat.png" />
</Frame>

### Analytics

Open **Analytics → PII Masking** to see masking activity for your Guru:

* totals and the labels masked most,
* a breakdown by pipeline stage,
* recent redacted examples.

Only labels, counts, and value-redacted snippets are stored — the original values are never recorded.
