PII Redaction & Compliance
ThinkHive includes built-in PII detection and redaction to help you meet privacy and compliance requirements. This guide covers configuring PII handling, data retention, and compliance features.
PII Detection & Redaction
ThinkHive automatically scans trace data for personally identifiable information (PII) and can redact it before storage.
Supported PII Types
ThinkHive detects the following categories of PII:
| Category | Examples | Detection Method |
|---|---|---|
| Email Addresses | user@example.com | Pattern matching |
| Phone Numbers | +1-555-123-4567 | Pattern matching |
| Credit Card Numbers | 4111-XXXX-XXXX-1234 | Luhn validation + patterns |
| Social Security Numbers | XXX-XX-XXXX | Pattern matching |
| IP Addresses | 192.168.x.x | Pattern matching |
| Names | Personal names in text | NLP-based detection |
| Physical Addresses | Street addresses | NLP-based detection |
| Dates of Birth | Birthdate references | Pattern matching |
| API Keys/Tokens | Bearer tokens, secrets | Pattern matching |
| Medical Records | Health-related identifiers | Pattern matching |
Configuring PII Redaction
Enable and configure PII redaction in Settings → Privacy & Compliance.
Redaction modes:
| Mode | Behavior |
|---|---|
| Off | No PII detection or redaction |
| Detect | Flag PII in traces but don’t redact |
| Redact | Replace PII with placeholder tokens (e.g., [EMAIL_REDACTED]) |
| Hash | Replace PII with a one-way hash for linkability without exposure |
PII redaction occurs at ingestion time — before data is stored. Once redacted, original values cannot be recovered.
SDK Configuration
Configure PII handling when initializing the SDK:
import { ThinkHive } from 'thinkhive-js';
const th = new ThinkHive({
apiKey: process.env.THINKHIVE_API_KEY,
endpoint: 'https://app.thinkhive.ai',
serviceName: 'my-agent',
pii: {
redact: true,
mode: 'redact', // 'detect' | 'redact' | 'hash'
allowList: ['email'] // PII types to skip redaction
}
});Client-Side vs Server-Side Redaction
| Approach | Pros | Cons |
|---|---|---|
| Client-side (SDK) | PII never leaves your infrastructure | Requires SDK configuration |
| Server-side (ThinkHive) | No client changes needed | PII transmitted before redaction |
For maximum privacy, use client-side redaction so PII is removed before data leaves your network.
Data Retention
Configure how long ThinkHive retains trace data:
| Tier | Default Retention | Configurable |
|---|---|---|
| Free | 30 days | No |
| Standard | 90 days | Yes (30–180 days) |
| Professional | 180 days | Yes (30–365 days) |
| Enterprise | 365 days | Yes (custom) |
Configuring Retention
Set retention policies in Settings → Privacy & Compliance → Data Retention.
# Update retention via API
curl -X PUT "https://app.thinkhive.ai/api/v1/settings/retention" \
-H "Authorization: Bearer thk_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"traceRetentionDays": 90,
"evaluationRetentionDays": 180,
"auditLogRetentionDays": 365
}'Compliance Features
GDPR
ThinkHive supports GDPR compliance with:
- Data Subject Requests (DSR) — export or delete all data for a specific user
- Right to Erasure — delete trace data containing user identifiers
- Data Portability — export data in machine-readable format
- Consent Management — track consent status per data subject
Processing a Data Subject Request
# Export all data for a user
curl -X POST "https://app.thinkhive.ai/api/v1/compliance/dsr/export" \
-H "Authorization: Bearer thk_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"subjectIdentifier": "user@example.com",
"identifierType": "email"
}'
# Delete all data for a user
curl -X POST "https://app.thinkhive.ai/api/v1/compliance/dsr/delete" \
-H "Authorization: Bearer thk_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"subjectIdentifier": "user@example.com",
"identifierType": "email",
"reason": "user_request"
}'HIPAA
For healthcare workloads, ThinkHive provides:
- PHI Redaction — automatic detection and redaction of Protected Health Information
- Audit Logging — immutable logs of all data access
- Encryption — data encrypted at rest and in transit
- Access Controls — role-based access with session management
HIPAA compliance requires the Enterprise tier. Contact sales@thinkhive.ai for BAA arrangements.
SOC 2
ThinkHive’s SOC 2 compliance covers:
- Access Control — role-based permissions with API key scoping
- Monitoring — audit logging and anomaly detection
- Data Protection — encryption, PII redaction, retention policies
- Incident Response — automated alerts and escalation
Audit Logging
All data access and administrative actions are logged:
# View audit logs
curl "https://app.thinkhive.ai/api/v1/audit-logs?limit=50" \
-H "Authorization: Bearer thk_your_api_key"Audit log entry example:
{
"id": "log_abc123",
"timestamp": "2025-01-15T10:30:00Z",
"action": "trace.viewed",
"actor": {
"type": "user",
"id": "user_xyz"
},
"resource": {
"type": "trace",
"id": "trace_def456"
},
"metadata": {
"ip": "203.0.113.0",
"userAgent": "Mozilla/5.0..."
}
}Multi-Tenant Isolation
ThinkHive enforces strict tenant isolation:
- Row-Level Security — database queries are scoped to your organization
- API Key Scoping — keys are bound to specific agents within your organization
- Network Isolation — Enterprise tier supports dedicated infrastructure
Best Practices
- Enable PII redaction before sending production data
- Use client-side redaction for maximum privacy
- Set appropriate retention periods — keep data only as long as needed
- Review audit logs regularly for unusual access patterns
- Document your data processing activities for compliance audits
- Test PII detection with sample data before production deployment
Next Steps
- API Key Management — Secure your API integrations
- Authentication — Authentication reference
- Deployment — Production deployment guide