The Compliance Risk of Cloud Logging
Every log statement in your application is a potential compliance violation. Database connection strings, customer email addresses, authorization headers, and API keys frequently end up in log output — especially during development and debugging. When these logs are shipped to a cloud observability provider, you are sending sensitive data to third-party infrastructure. This creates exposure under SOC 2, GDPR, and HIPAA.
The challenge: developers cannot reasonably be expected to audit every log statement for PII. The volume is too high, the patterns are too varied, and the development velocity required in a startup environment makes manual review untenable. The solution is automated edge scrubbing — redacting sensitive data before it ever leaves your process.
Edge Scrubbing: Redact Before Transit
ObservabilityOS takes a privacy-first approach: PII is redacted on your own infrastructure before any data leaves the process. The built-in scrubber walks object fields, string parameters, and arrays recursively, applying its regex rules to each value before the entry enters the log buffer.
    import { createScrubber } from "@observability-os/sdk";

    const scrubber = createScrubber({
      redactKeys: ["password", "token", "authorization", "credit_card"],
      customPatterns: [
        { name: "SocialSecurity", regex: /\d{3}-\d{2}-\d{4}/g },
        { name: "Email", regex: /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/gi },
      ],
    });

    const clean = scrubber.scrub({
      msg: "User login failure",
      email: "user@example.com",
      password: "super_secret_123",
      token: "eyJhbGci...",
    });
    // → { msg: "User login failure", email: "[REDACTED]", password: "[REDACTED]", token: "[REDACTED]" }

Configurable Redaction Rules
The scrubber ships with sensible defaults for common sensitive field names (password, token, secret, authorization, api_key, credit_card, ssn) and common PII patterns (email addresses, US Social Security Numbers, credit card numbers matching the Luhn algorithm). Extend it with custom patterns for domain-specific data: health record identifiers, financial account numbers, or internal employee IDs. Rules can be scoped per service or per environment.
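To make the two mechanisms above concrete (key-based redaction of object fields, and regex patterns applied to string values inside nested objects and arrays, with a Luhn check gating the credit-card pattern), here is an added, self-contained example. It is not the ObservabilityOS SDK; `createEdgeScrubber`, `luhnValid`, the default key list, the candidate card-number regex and the sample records are all hypothetical constructions for this page. The "[Circular]" marker for self-referencing objects is an assumption as well; the SDK's own behaviour on cycles is not described on the page.

```javascript
// Hypothetical edge scrubber (added example, not the @observability-os/sdk code).
const REDACTED = "[REDACTED]";

// Default sensitive field names; matched case-insensitively on object keys.
const DEFAULT_REDACT_KEYS = [
  "password", "token", "secret", "authorization", "api_key", "credit_card", "ssn",
];

// Luhn mod-10 check: a run of digits is only treated as a card number if it passes.
function luhnValid(candidate) {
  const digits = candidate.replace(/[ -]/g, "");
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Default value patterns. `validate` is an optional second-stage check that
// keeps a regex hit in place when it is not really the sensitive thing it looks like.
const DEFAULT_PATTERNS = [
  // 13-19 digits, optionally separated by spaces or dashes, confirmed by Luhn.
  { name: "CreditCard", regex: /\b(?:\d[ -]?){12,18}\d\b/g, validate: luhnValid },
  { name: "SocialSecurity", regex: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: "Email", regex: /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/gi },
];

function createEdgeScrubber(options = {}) {
  const redactKeys = new Set(
    [...DEFAULT_REDACT_KEYS, ...(options.redactKeys || [])].map((k) => k.toLowerCase())
  );
  const patterns = [...DEFAULT_PATTERNS, ...(options.customPatterns || [])];

  // Replace every pattern hit inside a string; a hit that fails `validate` is kept.
  function scrubString(s) {
    let out = s;
    for (const p of patterns) {
      out = out.replace(p.regex, (m) => (p.validate && !p.validate(m) ? m : REDACTED));
    }
    return out;
  }

  // Recursive walk over strings, arrays and plain objects. `seen` holds the
  // ancestors of the current value so a cycle cannot recurse forever.
  function scrubValue(value, seen) {
    if (typeof value === "string") return scrubString(value);
    if (Array.isArray(value)) return value.map((v) => scrubValue(v, seen));
    if (value !== null && typeof value === "object") {
      if (seen.has(value)) return "[Circular]";
      seen.add(value);
      const out = {};
      for (const [k, v] of Object.entries(value)) {
        // A sensitive key redacts the whole value, whatever its shape.
        out[k] = redactKeys.has(k.toLowerCase()) ? REDACTED : scrubValue(v, seen);
      }
      seen.delete(value);
      return out;
    }
    return value; // numbers, booleans, null, undefined pass through unchanged
  }

  return { scrub: (record) => scrubValue(record, new WeakSet()) };
}

// Constructed sample record: a valid test card number (Luhn-valid), an order
// reference that merely looks like one (Luhn-invalid), an email, a nested SSN
// and an array element containing an address.
const SAMPLE_RECORD = {
  msg: "Charged 4111 1111 1111 1111 for user@example.com, ref 4111 1111 1111 1112",
  authorization: "Bearer abc.def.ghi",
  ctx: {
    ssn: "123-45-6789",
    note: "SSN 123-45-6789 on file",
    tags: ["ok", "contact: admin@example.org"],
  },
};

function scrubSample() {
  return createEdgeScrubber().scrub(SAMPLE_RECORD);
}

module.exports = { createEdgeScrubber, luhnValid, scrubSample, SAMPLE_RECORD, REDACTED };
```

Running `scrubSample()` redacts the Luhn-valid card number and both email addresses inside strings, redacts `authorization` and `ctx.ssn` by key, and leaves the Luhn-invalid "ref" digits untouched, which is the point of the second-stage check: without it, every long numeric identifier in your logs would be erased.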
About the Author
ObservabilityOS Team
Core Engineering & DevRel
The core engineering, site reliability, and developer relations team behind ObservabilityOS. We build AI-native observability infrastructure to eliminate 3 AM firefighting.