Privacy and Security

End-to-End Data Flow with PII Handling

slaOS does not perform any hashing or transformation of identifiers - it works with the data exactly as it exists in your Prometheus metrics. If you have privacy concerns about sensitive data, you'll need to handle the hashing in your systems before the data reaches Prometheus.

Data hashing & transformation

Here's how the data flows:

Metrics in Prometheus

# Prometheus metrics (with sensitive data)
api_requests_total{
    customer_id="super_secret_user",  # Sensitive data
    endpoint="/api/v1/users"
} 150

PromQL Query Configuration

queries:
  - query: 'sum by (customer_id, endpoint) (rate(api_requests_total[5m]))'
    step: 
      value: 60
      unit: "s"
    slaos_metric_name: "request_rate"
    organization_identifier: "customer_id"
    
# In filters config:
filters:
  version: 1
  fields:
    - name: "customer_id"  # This tells the parser to reference customer_id label
      hash: true           # Hashes customer_id labels

Resulting slaOS JSON Payload

{
  "organization_id": "hashedabc123...",  # Hashed value sent
  "timestamp": "2024-10-30T23:29:00Z",
  "key": "prometheus_metrics",
  "idempotency_key": "4ac1f5c3524c05b379d3a23932756e0f156f17638b528559e62bb06dd4efbe6b",
  "values": {
    "request_rate": 0.5,
    "endpoint": "/api/v1/users"
  }
}

Key Points

slaOS passes through identifiers exactly as they appear in Prometheus
No hashing or transformation is performed by slaOS
If you need to protect sensitive data, handle the hashing in your systems before it reaches Prometheus
You are responsible for maintaining any mapping between original and hashed identifiers in your secure systems

PreviousHandling organization_id NextCloudWatch

Last updated 7 months ago