
What You’ll Accomplish
Live Data Masking automatically detects and redacts sensitive data in your query results. Unlike traditional DLP solutions that require complex rule configuration, Hoop’s data masking works out of the box:
- Automatically detect PII (names, emails, phone numbers, SSNs)
- Mask credit card numbers and financial data
- Redact passwords, API keys, and secrets
- Protect health information (HIPAA compliance)
- No regex patterns to write or maintain
How It Works
Before and After
Original query result:
Quick Start
Prerequisites
To get the most out of this guide, you will need to:
- Either create an account in our managed instance or deploy your own hoop.dev instance
- Be an administrator of your account to perform the following actions
- Have a DLP provider configured (Microsoft Presidio or GCP DLP)
Step 1: Set Up a DLP Provider
Choose and deploy one of the supported providers:
- Microsoft Presidio: Open-source, self-hosted PII detection
- Google Cloud DLP: Managed service with advanced detection
Step 2: Configure the Gateway
Set the required environment variables:
For Microsoft Presidio:
Step 3: Enable on a Connection
- Go to Connections in the Web App
- Select a connection and click Configure
- Enable Live Data Masking
- Click Save
Step 4: Test It
Run a query that returns sensitive data:
Supported Data Types
Live Data Masking detects these sensitive data types by default:
Personal Information
| Type | Example | Masked As |
|---|---|---|
| Person Name | John Smith | [PERSON] |
| Email Address | john@example.com | [EMAIL] |
| Phone Number | 555-123-4567 | [PHONE] |
| Physical Address | 123 Main St | [ADDRESS] |
Government IDs
| Type | Example | Masked As |
|---|---|---|
| SSN (US) | 123-45-6789 | [SSN] |
| Passport Number | AB1234567 | [PASSPORT] |
| Driver’s License | D1234567 | [LICENSE] |
Financial Data
| Type | Example | Masked As |
|---|---|---|
| Credit Card | 4111-1111-1111-1111 | [CREDIT_CARD] |
| Bank Account | 123456789012 | [BANK_ACCOUNT] |
| IBAN | GB82WEST12345698765432 | [IBAN] |
Credentials
| Type | Example | Masked As |
|---|---|---|
| API Key | sk_live_abc123… | [API_KEY] |
| Password | password123 | [PASSWORD] |
| AWS Key | AKIA… | [AWS_KEY] |
Health Information
| Type | Example | Masked As |
|---|---|---|
| Medical Record | MRN-12345 | [MEDICAL_RECORD] |
| Health Plan ID | HPL-98765 | [HEALTH_ID] |
Configuration Options
DLP Mode
| Mode | Behavior |
|---|---|
| best-effort | Mask detected fields, continue if some fail |
| strict | Block the entire result if any masking fails |
best-effort to avoid blocking legitimate queries.
Custom Fields
Add or remove fields from detection. See Supported Fields for the complete list.
Per-Connection Settings
Enable or disable masking on individual connections:
- Enable on production databases with real customer data
- Disable on development databases with synthetic data
Use Cases
1. Developer Access to Production
Developers need to debug production issues but shouldn’t see customer PII:
- Enable Live Data Masking on production connections
- Developers can run diagnostic queries
- Customer data is automatically protected
2. Analytics Without Exposure
Data analysts need aggregate insights but not individual records:
- Masking protects individual-level PII
- Aggregations (COUNT, SUM, AVG) work normally
- Compliance requirements are met
3. Support Team Access
Support teams need to look up customer records:
- Enable masking on support-facing connections
- They can verify account status without seeing SSNs
- Audit trail shows who accessed what
4. Third-Party Contractor Access
External contractors need database access:
- Create a connection with masking enabled
- Grant access to contractors
- Sensitive data is never exposed
Troubleshooting
Data Not Being Masked
Check:
- Live Data Masking is enabled on the connection
- DLP provider is running and accessible
- Gateway environment variables are set correctly
- The data type is in the supported fields list
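
To confirm the checklist above had the intended effect, the following added example (not hoop.dev code) scans saved query output from the Step 4 test and flags values that still look like unmasked SSNs, emails, AWS access key IDs or card numbers. The patterns, function names and sample rows are constructed assumptions and only approximate what a DLP provider detects.

```python
import re

# Heuristic patterns for a few types from the tables above (assumptions, not
# the DLP provider's own detectors).
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "AWS_KEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "CREDIT_CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_unmasked(output: str) -> list[tuple[int, str]]:
    """Return (line_number, type) for each value that still looks sensitive."""
    findings = []
    for lineno, line in enumerate(output.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if kind == "CREDIT_CARD" and not luhn_ok(match.group()):
                    continue
                findings.append((lineno, kind))
    return findings


# Constructed sample: row 1 fully masked, row 2 leaked, row 3 is an order id.
SAMPLE = """\
[PERSON] | [EMAIL] | [SSN] | [CREDIT_CARD]
John Smith | john@example.com | 123-45-6789 | 4111-1111-1111-1111
order 1234567890123 shipped
"""

if __name__ == "__main__":
    for lineno, kind in find_unmasked(SAMPLE):
        print(f"line {lineno}: unmasked {kind}")
```

An empty result only means none of these four heuristics fired; names, addresses and other types in the supported list need their own checks.
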
Too Much Data Being Masked
If legitimate data is being masked incorrectly:
- Check which field type is triggering
- Disable that specific field type in configuration
- Or use Guardrails for more precise control
Performance Impact
Live Data Masking adds latency to query results:
| Result Size | Typical Latency |
|---|---|
| < 100 rows | 50-100ms |
| 100-1000 rows | 100-500ms |
| > 1000 rows | 500ms+ |
- Use `LIMIT` clauses in queries
- Select only needed columns (avoid `SELECT *`)
- Consider disabling masking for high-volume analytics
Compliance
Live Data Masking helps meet requirements for:
- GDPR - Protect EU citizen personal data
- HIPAA - Mask protected health information
- PCI DSS - Redact credit card numbers
- SOC 2 - Demonstrate data protection controls
- CCPA - Protect California consumer data
Live Data Masking is one layer of a defense-in-depth strategy. Combine with Access Control and Guardrails for comprehensive protection.