Privacy

How do I redact sensitive data from receipts?

There are three layers of redaction: (1) per-project digest-only mode (the default), where only content hashes are stored; (2) a per-field redactPaths config, which hashes specific fields before they reach our servers; (3) dynamic mask-on-read, which applies ACL-driven masking to downstream queries.

Layer 1 — digest-only mode

This is the default for most projects: receipts store content digests, not raw text. The receipt JSON contains "content_hash": "sha256-..." instead of "content": "<the actual prompt>". For most use cases (audit, attribution, search by metadata), digest-only is enough: you have proof of what was processed without storing the content. Toggle to full-content per-project if needed.

Layer 2 — redactPaths

For full-content mode where you still want specific fields masked before they reach us, set GENZAGENTS_REDACT_PATHS=secrets/,*.env,private/. The MCP server hashes any field whose path matches the patterns before serializing the receipt. The hash is stored; the content never leaves your machine. Useful for compliance projects where most content is fine to store but a few fields are sensitive.

Layer 3 — mask-on-read

For receipts that ARE stored full-content but have access restrictions: per-field ACLs apply. When a user queries the receipt, fields they're not authorized to see are masked dynamically. The original content remains in storage (so an authorized user can still see it); unauthorized queries get the masked version. Useful when different users in the org have different need-to-know.

How redaction interacts with audit

Audit logs preserve the fact that something was redacted. The receipt has "redacted_fields": ["customer.ssn", "credit_card.number"], so an auditor sees that redaction happened. The content of the redacted field is not in the audit log. For most audit purposes (proving the process worked, not the content), redaction is correct behaviour.

What redaction can't do

Redaction can't un-leak data that already went to the AI provider. If the prompt sent to Anthropic included the customer's SSN, Anthropic's logs may have it (depending on your DPA). Redaction in the receipt prevents it from being stored in our system, but the upstream exposure is your data-flow responsibility.

Verifying redaction worked

Inspect a few receipts via /v1/receipts/[id]. Check the redacted_fields list against the content field: the listed fields should be hashes, not raw values. The dashboard's redaction tab shows the redaction rate per project; a spike in unmasked content is a config drift signal.
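The spot check described above can be scripted. This is an added example, not GenZAgents code: it assumes the receipt's content field is a nested object, that redacted_fields holds dotted paths into it, and that redacted values use the same "sha256-<hex>" shape shown for content_hash. The sample receipts are constructed inline in place of a fetch from /v1/receipts/[id].

```python
import re

# Assumption: redacted values use the "sha256-<64 hex chars>" shape that the
# page shows for content_hash. Adjust the pattern to your real receipts.
HASH_RE = re.compile(r"^sha256-[0-9a-f]{64}$")

def resolve(obj, dotted_path):
    """Walk a dotted path such as 'customer.ssn'. Returns (found, value)."""
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return False, None
        obj = obj[key]
    return True, obj

def check_receipt(receipt):
    """Return (path, problem) pairs for fields listed in redacted_fields
    whose stored value is not hash-shaped. Raw values are never echoed,
    so the checker's own output is safe to log."""
    problems = []
    content = receipt.get("content", {})
    for path in receipt.get("redacted_fields", []):
        found, value = resolve(content, path)
        if not found:
            problems.append((path, "listed but absent from content"))
        elif not (isinstance(value, str) and HASH_RE.fullmatch(value)):
            problems.append((path, "raw value present, expected a hash"))
    return problems

# Constructed sample receipts (not real data); the layout is an assumption.
FAKE_HASH = "sha256-" + "ab" * 32
GOOD = {
    "redacted_fields": ["customer.ssn", "credit_card.number"],
    "content": {
        "customer": {"name": "Example User", "ssn": FAKE_HASH},
        "credit_card": {"number": FAKE_HASH},
    },
}
DRIFTED = {
    "redacted_fields": ["customer.ssn", "credit_card.number"],
    "content": {
        "customer": {"name": "Example User", "ssn": FAKE_HASH},
        "credit_card": {"number": "4111 1111 1111 1111"},  # well-known test number
    },
}

if __name__ == "__main__":
    for name, receipt in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(name, check_receipt(receipt) or "ok")
```

A non-empty result for any sampled receipt means a field is listed as redacted but still stored in the clear, which is the config drift the dashboard's redaction rate is meant to surface.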
