What You’ll Accomplish

Live Data Masking automatically detects and redacts sensitive data in your query results. Unlike traditional DLP solutions that require complex rule configuration, Hoop’s data masking works out of the box:
  • Automatically detect PII (names, emails, phone numbers, SSNs)
  • Mask credit card numbers and financial data
  • Redact passwords, API keys, and secrets
  • Protect health information (HIPAA compliance)
  • No regex patterns to write or maintain

How It Works

Live Data Masking operates at the protocol layer. When someone queries a resource role that has masking enabled, hoop.dev intercepts the response as it streams back, sends the content to your configured DLP provider for inspection, and redacts any sensitive values before the results reach the user. This happens in memory and in real time — the original data is never stored or exposed.
  1. Query Executed - A user runs a query or command through hoop.dev
  2. Response Intercepted - hoop.dev intercepts the result stream at the protocol layer
  3. Data Inspected - The configured DLP provider scans the content for sensitive data
  4. Results Masked - Sensitive values are redacted in memory; the user sees masked results
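
The inspect-and-redact stage described above, as an added sketch that is not hoop.dev's code: it applies span-style findings to each row in memory and merges overlapping findings so no fragment of a detected value survives. The `Finding` type, the `inspect` callback standing in for the DLP provider, the sample row and findings, and the choice to withhold a row when inspection fails are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, List

MASK = "[REDACTED]"

@dataclass(frozen=True)
class Finding:
    """Hypothetical provider finding: [start, end) character offsets in the text."""
    entity_type: str
    start: int
    end: int

def merge_spans(findings: Iterable[Finding], length: int) -> List[List[int]]:
    """Clamp spans to the text, then merge overlapping or touching ones."""
    merged: List[List[int]] = []
    for start, end in sorted((max(0, f.start), min(length, f.end)) for f in findings):
        if start >= end:
            continue  # empty or fully out-of-range span
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return merged

def redact(text: str, findings: Iterable[Finding]) -> str:
    """Replace every merged span with MASK in one left-to-right pass."""
    out, cursor = [], 0
    for start, end in merge_spans(findings, len(text)):
        out += [text[cursor:start], MASK]
        cursor = end
    out.append(text[cursor:])
    return "".join(out)

def mask_stream(rows: Iterable[str], inspect: Callable[[str], List[Finding]]) -> Iterator[str]:
    """Yield masked rows; if inspection fails, withhold the row (this example's choice)."""
    for row in rows:
        try:
            findings = inspect(row)
        except Exception:
            yield MASK
            continue
        yield redact(row, findings)

# Constructed sample: one result row plus findings a provider might return,
# including a second finding that overlaps the e-mail address.
ROW = "John Smith,john@example.com,123-45-6789"
FINDINGS = [Finding("PERSON", 0, 10), Finding("EMAIL_ADDRESS", 11, 27),
            Finding("URL", 16, 27), Finding("US_SSN", 28, 39)]

if __name__ == "__main__":
    print(redact(ROW, FINDINGS))
```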

Before and After

Original query result:

| name         | email              | ssn         | phone        |
|--------------|--------------------|-------------|--------------|
| John Smith   | john@example.com   | 123-45-6789 | 555-123-4567 |
| Jane Doe     | jane@company.org   | 987-65-4321 | 555-987-6543 |

With Live Data Masking enabled:

| name         | email              | ssn         | phone        |
|--------------|--------------------|-------------|--------------|
| [REDACTED]   | [REDACTED]         | [REDACTED]  | [REDACTED]   |
| [REDACTED]   | [REDACTED]         | [REDACTED]  | [REDACTED]   |

Supported Data Types

Live Data Masking relies on your DLP provider’s detection engine to recognize a wide range of sensitive data out of the box, grouped into categories such as:
  • Personal information — names, email addresses, phone numbers, physical addresses
  • Government & national IDs — SSNs, passport numbers, driver’s licenses
  • Financial data — credit card numbers, bank accounts, IBANs
  • Credentials & secrets — API keys, passwords, access keys
  • Health information — medical record numbers, health plan IDs
A default set of the most common fields is enabled automatically, and you can add or remove fields per resource role. For the complete, provider-specific catalog, see the full list of supported fields.

Use Cases

1. Developer Access to Production

Developers need to debug production issues but shouldn’t see customer PII:
  • Enable Live Data Masking on production resource roles
  • Developers can run diagnostic queries
  • Customer data is automatically protected

2. Analytics Without Exposure

Data analysts need aggregate insights but not individual records:
  • Masking protects individual-level PII
  • Aggregations (COUNT, SUM, AVG) work normally
  • Compliance requirements are met

3. Support Team Access

Support teams need to look up customer records:
  • Enable masking on support-facing resource roles
  • They can verify account status without seeing SSNs
  • Audit trail shows who accessed what

4. Third-Party Contractor Access

External contractors need database access:
  • Create a resource role with masking enabled
  • Grant access to contractors
  • Sensitive data is never exposed

Compliance

Live Data Masking helps meet requirements for:
  • GDPR - Protect EU citizen personal data
  • HIPAA - Mask protected health information
  • PCI DSS - Redact credit card numbers
  • SOC 2 - Demonstrate data protection controls
  • CCPA - Protect California consumer data
Live Data Masking is one layer of a defense-in-depth strategy. Combine with Access Control and Guardrails for comprehensive protection.

Ready to turn it on? The Live Data Masking configuration guide walks through setting up a DLP provider, choosing a redact mode, and enabling masking on your resource roles.

Next Steps

  • Configuration Guide - Set up Microsoft Presidio or GCP DLP
  • Supported Fields - See all detectable data types
  • Guardrails - Block queries before they execute
  • Access Control - Control who can access resource roles