Security - Untrace

Overview
PII Protection
Automatic PII Detection
Redaction Methods
Custom PII Patterns
Allowlisting
Data Encryption
Encryption in Transit
Encryption at Rest
Field-Level Encryption
Access Control
API Key Management
Key Rotation
Role-Based Access Control
OAuth Integration
Network Security
IP Allowlisting
VPC Peering
Rate Limiting
Data Privacy
Data Residency
Data Retention
Right to Erasure
Compliance
GDPR Compliance
SOC2 Compliance
HIPAA Compliance
Security Monitoring
Audit Logging
Anomaly Detection
Security Alerts
Best Practices
Development Security
Production Security
Data Handling
Security Checklist
Vulnerability Disclosure
Resources

Overview

Security and privacy are paramount when handling LLM traces that may contain sensitive data. Untrace provides multiple layers of security to protect your AI application data, ensure compliance, and maintain user privacy.

PII Protection

Automatic detection and redaction of sensitive data

Data Encryption

End-to-end encryption for traces in transit and at rest

Access Control

Fine-grained permissions and API key management

Compliance

GDPR, SOC2, HIPAA compliant infrastructure

PII Protection

Automatic PII Detection

Untrace automatically scans LLM traces for personally identifiable information:

// PII patterns detected by default
const defaultPatterns = {
  email: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/,
  phone: /\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/,
  ssn: /\b\d{3}-\d{2}-\d{4}\b/,
  creditCard: /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/,
  ipAddress: /\b(?:\d{1,3}\.){3}\d{1,3}\b/,
};

Redaction Methods

Choose how sensitive data is handled:

Hash
Mask
Remove

// Original: "Contact [email protected]"
// Redacted: "Contact [EMAIL_HASH:a1b2c3d4]"

init({
  piiDetection: {
    enabled: true,
    redactionMethod: 'hash'
  }
});

Custom PII Patterns

Define your own sensitive data patterns:

const untrace = init({
  apiKey: 'your-api-key',
  piiDetection: {
    enabled: true,
    customPatterns: [
      // API Keys
      { name: 'api_key', pattern: /sk_[a-zA-Z0-9]{32}/ },
      // Internal IDs
      { name: 'user_id', pattern: /user_[0-9]{8}/ },
      // Custom tokens
      { name: 'auth_token', pattern: /Bearer [A-Za-z0-9\-._~+\/]+=*/ }
    ]
  }
});

Allowlisting

Specify patterns that should never be redacted:

init({
  piiDetection: {
    enabled: true,
    allowlist: [
      // Public email domains
      /@company\.com$/,
      // Test data
      /test@example\.com/,
      // Documentation examples
      /lorem\.ipsum/
    ]
  }
});

Data Encryption

Encryption in Transit

All trace data is encrypted during transmission:

TLS 1.3: Latest encryption standards
Certificate Pinning: Prevent MITM attacks
Perfect Forward Secrecy: Protect past sessions
HSTS: Enforce HTTPS connections

// SDK automatically uses secure connections
const untrace = init({
  apiKey: 'your-api-key',
  baseUrl: 'https://untrace.dev/api', // HTTPS enforced
  tlsConfig: {
    minVersion: 'TLSv1.3',
    cipherSuites: ['TLS_AES_128_GCM_SHA256']
  }
});

Encryption at Rest

Trace data is encrypted when stored:

AES-256-GCM: Military-grade encryption
Key Rotation: Automatic key management
HSM Storage: Hardware security modules for keys
Encrypted Backups: Secure disaster recovery

Field-Level Encryption

Encrypt specific sensitive fields:

init({
  fieldEncryption: {
    enabled: true,
    fields: [
      'user.email',
      'metadata.api_key',
      'context.session_token'
    ],
    algorithm: 'AES-256-GCM'
  }
});

Access Control

API Key Management

Secure API key practices:

// Generate scoped API keys
const apiKey = await untrace.createApiKey({
  name: 'production-ingest',
  permissions: ['trace:write'],
  expiresIn: '90d',
  allowedIPs: ['10.0.0.0/8'],
  rateLimit: {
    requests: 10000,
    window: '1h'
  }
});

Key Rotation

Implement regular key rotation:

# Rotate API keys via CLI
untrace keys rotate --key-id key_123 --grace-period 7d

# Or programmatically
await untrace.rotateApiKey('key_123', {
  gracePeriod: '7d',
  notifyEmail: '[email protected]'
});

Role-Based Access Control

Configure granular permissions:

Role	View Traces	Configure Routing	Manage Keys	Access PII
Admin	✅	✅	✅	✅
Developer	✅	✅	❌	❌
Analyst	✅	❌	❌	❌
Viewer	✅ (redacted)	❌	❌	❌

OAuth Integration

Support for enterprise SSO:

// Configure OAuth providers
const untrace = init({
  auth: {
    providers: ['google', 'github', 'okta'],
    oauth: {
      clientId: process.env.OAUTH_CLIENT_ID,
      redirectUri: 'https://untrace.dev/app/auth/callback',
      scopes: ['read:traces', 'write:config']
    }
  }
});

Network Security

IP Allowlisting

Restrict access by IP address:

# untrace.config.yaml
security:
  allowedIPs:
    - 10.0.0.0/8      # Internal network
    - 172.16.0.0/12   # Private subnet
    - 52.44.0.0/16    # AWS region

  # Per-environment configuration
  production:
    allowedIPs:
      - 10.1.0.0/16   # Production VPC

  development:
    allowedIPs:
      - 0.0.0.0/0     # Allow all (dev only!)

VPC Peering

Connect securely via private networks:

// Configure VPC endpoint
const untrace = init({
  apiKey: 'your-api-key',
  endpoint: {
    type: 'vpc',
    vpcEndpointId: 'vpce-1234567890abcdef0',
    privateDns: true
  }
});

Rate Limiting

Protect against abuse:

// SDK-level rate limiting
init({
  rateLimit: {
    enabled: true,
    maxRequests: 1000,
    windowMs: 60000, // 1 minute
    keyGenerator: (req) => req.apiKey
  }
});

Data Privacy

Data Residency

Control where your data is stored:

const untrace = init({
  apiKey: 'your-api-key',
  dataResidency: {
    region: 'eu-west-1', // EU data residency
    restrictCrossRegion: true
  }
});

Available regions:

US: us-east-1, us-west-2
EU: eu-west-1, eu-central-1
APAC: ap-southeast-1, ap-northeast-1

Data Retention

Configure retention policies:

retention:
  traces:
    default: 30d
    byEnvironment:
      production: 90d
      development: 7d

  # Automatic deletion rules
  rules:
    - condition: "contains_pii"
      retention: 24h
    - condition: "error_traces"
      retention: 60d

Right to Erasure

GDPR-compliant data deletion:

// Delete user data
await untrace.deleteUserData({
  userId: 'user_123',
  includeTraces: true,
  includeMetadata: true,
  confirmation: 'DELETE-USER-123'
});

// Bulk deletion
await untrace.bulkDelete({
  filter: {
    dateRange: { start: '2024-01-01', end: '2024-02-01' },
    tags: ['test-data']
  }
});

Compliance

Untrace helps you meet GDPR requirements:

Data Minimization

Automatic PII redaction
Configurable data collection
Field-level exclusion
Sampling strategies

Purpose Limitation

Explicit data usage policies
Purpose-based retention
Access controls by purpose
Audit trails

Data Subject Rights

Right to access (data export)
Right to rectification
Right to erasure
Right to data portability

Security Measures

Encryption at rest and in transit
Access controls
Regular security audits
Breach notification

SOC2 Compliance

Our SOC2 Type II certification covers:

Security: Encryption, access controls, monitoring
Availability: 99.9% uptime SLA, redundancy
Processing Integrity: Data validation, error handling
Confidentiality: Data classification, encryption
Privacy: PII handling, consent management

HIPAA Compliance

For healthcare applications:

// Enable HIPAA-compliant mode
const untrace = init({
  compliance: {
    hipaa: {
      enabled: true,
      baaRequired: true,
      phiRedaction: 'aggressive',
      auditLevel: 'detailed'
    }
  }
});

Features:

Business Associate Agreement (BAA)
PHI detection and redaction
Audit logging
Access controls
Encryption standards

Security Monitoring

Audit Logging

Comprehensive security audit trail:

{
  "timestamp": "2024-01-15T10:30:00Z",
  "event": "api_key.accessed",
  "actor": {
    "id": "user_123",
    "ip": "10.0.0.50",
    "userAgent": "untrace-sdk/1.0.0"
  },
  "resource": {
    "type": "trace",
    "id": "trace_abc123"
  },
  "outcome": "success",
  "metadata": {
    "dataAccessed": ["model", "tokens"],
    "piiRedacted": true
  }
}

Anomaly Detection

Automatic detection of suspicious activity:

// Configure anomaly detection
init({
  security: {
    anomalyDetection: {
      enabled: true,
      rules: [
        { type: 'unusual_volume', threshold: 10000 },
        { type: 'new_ip_location', notify: true },
        { type: 'api_key_abuse', action: 'block' }
      ]
    }
  }
});

Security Alerts

Real-time security notifications:

Email Alerts
Webhook Alerts
SIEM Integration

Failed authentication attempts
New IP addresses
API key usage anomalies
Data export requests

Best Practices

Development Security

Use separate API keys for each environment

# Production
UNTRACE_API_KEY=utr_prod_xxx

# Staging
UNTRACE_API_KEY=utr_stage_xxx

# Development
UNTRACE_API_KEY=utr_dev_xxx

Never commit credentials

# .gitignore
.env
.env.local
*.key
credentials/

Use secret management

// Use secret manager
const apiKey = await secretManager.getSecret('untrace-api-key');
init({ apiKey });

Production Security

Enable all security features

init({
  apiKey: process.env.UNTRACE_API_KEY,
  piiDetection: { enabled: true },
  encryption: { fieldLevel: true },
  audit: { level: 'detailed' }
});

Regular security reviews
- Monthly API key rotation
- Quarterly access reviews
- Annual security audits
- Penetration testing
Incident response plan
- Security team contacts
- Escalation procedures
- Communication templates
- Recovery procedures

Data Handling

Minimize sensitive data in traces

// Bad: Including full user object
span.setAttribute('user', userObject);

// Good: Only necessary fields
span.setAttribute('user.id', user.id);
span.setAttribute('user.tier', user.subscriptionTier);

Use structured logging

// Structured data is easier to redact
span.setAttributes({
  'request.path': '/api/chat',
  'request.method': 'POST',
  'user.id': userId,
  // PII fields will be auto-redacted
});

Implement data classification

span.setAttribute('data.classification', 'internal');
span.setAttribute('data.sensitivity', 'high');
span.setAttribute('data.retention', '30d');

Security Checklist

Use this checklist to ensure your Untrace implementation is secure:

Vulnerability Disclosure

Found a security issue? Please report it responsibly:

Email: [email protected]
PGP Key: Available on our website
Response Time: Within 24 hours
Bug Bounty: Available for critical issues

Please do not disclose security vulnerabilities publicly until we’ve had a chance to address them.

Resources

Security Updates

Subscribe to security advisories

Security Whitepaper

Detailed security architecture

Compliance Docs

SOC2, GDPR, HIPAA documentation

Privacy Policy

How we handle your data

Elixir SDK Configuration

⌘I

Get Started

Core Features

SDK Reference

Advanced

Reference

Development

​Overview

PII Protection

Data Encryption

Access Control

Compliance

​PII Protection

​Automatic PII Detection

​Redaction Methods

​Custom PII Patterns

​Allowlisting

​Data Encryption

​Encryption in Transit

​Encryption at Rest

​Field-Level Encryption

​Access Control

​API Key Management

​Key Rotation

​Role-Based Access Control

​OAuth Integration

​Network Security

​IP Allowlisting

​VPC Peering

​Rate Limiting

​Data Privacy

​Data Residency

​Data Retention

​Right to Erasure

​Compliance

​GDPR Compliance

​SOC2 Compliance

​HIPAA Compliance

​Security Monitoring

​Audit Logging

​Anomaly Detection

​Security Alerts

​Best Practices

​Development Security

​Production Security

​Data Handling

​Security Checklist

​Vulnerability Disclosure

​Resources

Security Updates

Security Whitepaper

Compliance Docs

Privacy Policy

Overview

PII Protection

Automatic PII Detection

Redaction Methods

Custom PII Patterns

Allowlisting

Data Encryption

Encryption in Transit

Encryption at Rest

Field-Level Encryption

Access Control

API Key Management

Key Rotation

Role-Based Access Control

OAuth Integration

Network Security

IP Allowlisting

VPC Peering

Rate Limiting

Data Privacy

Data Residency

Data Retention

Right to Erasure

Compliance

GDPR Compliance

SOC2 Compliance

HIPAA Compliance

Security Monitoring

Audit Logging

Anomaly Detection

Security Alerts

Best Practices

Development Security

Production Security

Data Handling

Security Checklist

Vulnerability Disclosure

Resources