Security

​

Overview

Security and privacy are paramount when handling LLM traces that may contain sensitive data. Untrace provides multiple layers of security to protect your AI application data, ensure compliance, and maintain user privacy.

​

PII Protection

​

Automatic PII Detection

Untrace automatically scans LLM traces for personally identifiable information:

// PII patterns detected by default
const defaultPatterns = {
  email: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/,
  phone: /\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/,
  ssn: /\b\d{3}-\d{2}-\d{4}\b/,
  creditCard: /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/,
  ipAddress: /\b(?:\d{1,3}\.){3}\d{1,3}\b/,
};

​

Redaction Methods

Choose how sensitive data is handled:

// Original: "Contact john.doe@example.com"
// Redacted: "Contact [EMAIL_HASH:a1b2c3d4]"

init({
  piiDetection: {
    enabled: true,
    redactionMethod: 'hash'
  }
});

​

Custom PII Patterns

Define your own sensitive data patterns:

const untrace = init({
  apiKey: 'your-api-key',
  piiDetection: {
    enabled: true,
    customPatterns: [
      // API Keys
      { name: 'api_key', pattern: /sk_[a-zA-Z0-9]{32}/ },
      // Internal IDs
      { name: 'user_id', pattern: /user_[0-9]{8}/ },
      // Custom tokens
      { name: 'auth_token', pattern: /Bearer [A-Za-z0-9\-._~+\/]+=*/ }
    ]
  }
});

​

Allowlisting

Specify patterns that should never be redacted:

init({
  piiDetection: {
    enabled: true,
    allowlist: [
      // Public email domains
      /@company\.com$/,
      // Test data
      /test@example\.com/,
      // Documentation examples
      /lorem\.ipsum/
    ]
  }
});

​

Data Encryption

​

Encryption in Transit

All trace data is encrypted during transmission:

• TLS 1.3: Latest encryption standards
• Certificate Pinning: Prevent MITM attacks
• Perfect Forward Secrecy: Protect past sessions
• HSTS: Enforce HTTPS connections

// SDK automatically uses secure connections
const untrace = init({
  apiKey: 'your-api-key',
  baseUrl: 'https://api.untrace.dev', // HTTPS enforced
  tlsConfig: {
    minVersion: 'TLSv1.3',
    cipherSuites: ['TLS_AES_128_GCM_SHA256']
  }
});

​

Encryption at Rest

Trace data is encrypted when stored:

• AES-256-GCM: Military-grade encryption
• Key Rotation: Automatic key management
• HSM Storage: Hardware security modules for keys
• Encrypted Backups: Secure disaster recovery

​

Field-Level Encryption

Encrypt specific sensitive fields:

init({
  fieldEncryption: {
    enabled: true,
    fields: [
      'user.email',
      'metadata.api_key',
      'context.session_token'
    ],
    algorithm: 'AES-256-GCM'
  }
});

​

Access Control

​

API Key Management

Secure API key practices:

// Generate scoped API keys
const apiKey = await untrace.createApiKey({
  name: 'production-ingest',
  permissions: ['trace:write'],
  expiresIn: '90d',
  allowedIPs: ['10.0.0.0/8'],
  rateLimit: {
    requests: 10000,
    window: '1h'
  }
});

​

Key Rotation

Implement regular key rotation:

# Rotate API keys via CLI
untrace keys rotate --key-id key_123 --grace-period 7d

# Or programmatically
await untrace.rotateApiKey('key_123', {
  gracePeriod: '7d',
  notifyEmail: 'security@company.com'
});

​

Role-Based Access Control

Configure granular permissions:

​

OAuth Integration

Support for enterprise SSO:

// Configure OAuth providers
const untrace = init({
  auth: {
    providers: ['google', 'github', 'okta'],
    oauth: {
      clientId: process.env.OAUTH_CLIENT_ID,
      redirectUri: 'https://app.untrace.dev/auth/callback',
      scopes: ['read:traces', 'write:config']
    }
  }
});

​

Network Security

​

IP Allowlisting

Restrict access by IP address:

# untrace.config.yaml
security:
  allowedIPs:
    - 10.0.0.0/8      # Internal network
    - 172.16.0.0/12   # Private subnet
    - 52.44.0.0/16    # AWS region
  
  # Per-environment configuration
  production:
    allowedIPs:
      - 10.1.0.0/16   # Production VPC
  
  development:
    allowedIPs:
      - 0.0.0.0/0     # Allow all (dev only!)

​

VPC Peering

Connect securely via private networks:

// Configure VPC endpoint
const untrace = init({
  apiKey: 'your-api-key',
  endpoint: {
    type: 'vpc',
    vpcEndpointId: 'vpce-1234567890abcdef0',
    privateDns: true
  }
});

​

Rate Limiting

Protect against abuse:

// SDK-level rate limiting
init({
  rateLimit: {
    enabled: true,
    maxRequests: 1000,
    windowMs: 60000, // 1 minute
    keyGenerator: (req) => req.apiKey
  }
});

​

Data Privacy

​

Data Residency

Control where your data is stored:

const untrace = init({
  apiKey: 'your-api-key',
  dataResidency: {
    region: 'eu-west-1', // EU data residency
    restrictCrossRegion: true
  }
});

Available regions:

• US: us-east-1, us-west-2
• EU: eu-west-1, eu-central-1
• APAC: ap-southeast-1, ap-northeast-1

​

Data Retention

Configure retention policies:

retention:
  traces:
    default: 30d
    byEnvironment:
      production: 90d
      development: 7d
  
  # Automatic deletion rules
  rules:
    - condition: "contains_pii"
      retention: 24h
    - condition: "error_traces"
      retention: 60d

​

Right to Erasure

GDPR-compliant data deletion:

// Delete user data
await untrace.deleteUserData({
  userId: 'user_123',
  includeTraces: true,
  includeMetadata: true,
  confirmation: 'DELETE-USER-123'
});

// Bulk deletion
await untrace.bulkDelete({
  filter: {
    dateRange: { start: '2024-01-01', end: '2024-02-01' },
    tags: ['test-data']
  }
});

​

Compliance

​

GDPR Compliance

Untrace helps you meet GDPR requirements:

​

SOC2 Compliance

Our SOC2 Type II certification covers:

• Security: Encryption, access controls, monitoring
• Availability: 99.9% uptime SLA, redundancy
• Processing Integrity: Data validation, error handling
• Confidentiality: Data classification, encryption
• Privacy: PII handling, consent management

​

HIPAA Compliance

For healthcare applications:

// Enable HIPAA-compliant mode
const untrace = init({
  compliance: {
    hipaa: {
      enabled: true,
      baaRequired: true,
      phiRedaction: 'aggressive',
      auditLevel: 'detailed'
    }
  }
});

Features:

• Business Associate Agreement (BAA)
• PHI detection and redaction
• Audit logging
• Access controls
• Encryption standards

​

Security Monitoring

​

Audit Logging

Comprehensive security audit trail:

{
  "timestamp": "2024-01-15T10:30:00Z",
  "event": "api_key.accessed",
  "actor": {
    "id": "user_123",
    "ip": "10.0.0.50",
    "userAgent": "untrace-sdk/1.0.0"
  },
  "resource": {
    "type": "trace",
    "id": "trace_abc123"
  },
  "outcome": "success",
  "metadata": {
    "dataAccessed": ["model", "tokens"],
    "piiRedacted": true
  }
}

​

Anomaly Detection

Automatic detection of suspicious activity:

// Configure anomaly detection
init({
  security: {
    anomalyDetection: {
      enabled: true,
      rules: [
        { type: 'unusual_volume', threshold: 10000 },
        { type: 'new_ip_location', notify: true },
        { type: 'api_key_abuse', action: 'block' }
      ]
    }
  }
});

​

Security Alerts

Real-time security notifications:

​

Best Practices

​

Development Security

1. Use separate API keys for each environment

   Copy

   Ask AI

   # Production
   UNTRACE_API_KEY=utr_prod_xxx
   
   # Staging
   UNTRACE_API_KEY=utr_stage_xxx
   
   # Development
   UNTRACE_API_KEY=utr_dev_xxx
   

2. Never commit credentials

   Copy

   Ask AI

   # .gitignore
   .env
   .env.local
   *.key
   credentials/
   

3. Use secret management

   Copy

   Ask AI

   // Use secret manager
   const apiKey = await secretManager.getSecret('untrace-api-key');
   init({ apiKey });
   

​

Production Security

1. Enable all security features

   Copy

   Ask AI

   init({
     apiKey: process.env.UNTRACE_API_KEY,
     piiDetection: { enabled: true },
     encryption: { fieldLevel: true },
     audit: { level: 'detailed' }
   });
   

2. Regular security reviews

   • Monthly API key rotation
   • Quarterly access reviews
   • Annual security audits
   • Penetration testing

3. Incident response plan

   • Security team contacts
   • Escalation procedures
   • Communication templates
   • Recovery procedures

​

Data Handling

1. Minimize sensitive data in traces

   Copy

   Ask AI

   // Bad: Including full user object
   span.setAttribute('user', userObject);
   
   // Good: Only necessary fields
   span.setAttribute('user.id', user.id);
   span.setAttribute('user.tier', user.subscriptionTier);
   

2. Use structured logging

   Copy

   Ask AI

   // Structured data is easier to redact
   span.setAttributes({
     'request.path': '/api/chat',
     'request.method': 'POST',
     'user.id': userId,
     // PII fields will be auto-redacted
   });
   

3. Implement data classification

   Copy

   Ask AI

   span.setAttribute('data.classification', 'internal');
   span.setAttribute('data.sensitivity', 'high');
   span.setAttribute('data.retention', '30d');
   

​

Security Checklist

Use this checklist to ensure your Untrace implementation is secure:

• PII detection enabled in production
• API keys stored securely (environment variables, secret manager)
• Separate API keys for each environment
• IP allowlisting configured for production
• Field-level encryption for sensitive data
• Audit logging enabled for compliance
• Data retention policies configured
• Access controls properly set up
• Regular key rotation scheduled
• Security alerts configured
• Incident response plan documented
• Compliance requirements identified and met

​

Vulnerability Disclosure

Found a security issue? Please report it responsibly:

1. Email: security@untrace.dev
2. PGP Key: Available on our website
3. Response Time: Within 24 hours
4. Bug Bounty: Available for critical issues

​

Resources