
PII Protection

How Aforo automatically masks personal data in API responses — five mask strategies, role-based access, and a regulator-ready PII access audit trail.

Updated 2026-06-15

Aforo enforces data-minimisation by default (GDPR Article 25). Personal data — email addresses, phone numbers, names, payment identifiers, tax IDs — is automatically masked in API responses and in the operator console based on the role of whoever is looking. There is nothing to configure: protection is on by default, and every time a privileged user views raw PII it is written to an audit trail.

How PII masking works#

Every response that contains personal data passes through Aforo's masking layer before it leaves the platform. The layer inspects the caller's role: privileged roles receive the raw value, everyone else receives a masked value. The same rule applies whether the data is read through the operator console, the customer storefront, or the API — so a developer or support agent never accidentally sees data they are not entitled to.

INFO
Masking is applied on the way out, close to the network boundary, so it protects every surface uniformly: adding a new endpoint does not open a gap, because the masking layer sees the response regardless of which endpoint produced it. The guarantee covers the PII field types listed below; PII that ends up inside a free-text field is only protected when that field uses the full-redact strategy.

What gets masked#

Aforo treats the following as personal data and masks it for unprivileged callers:

  • Contact details — email addresses and phone numbers.
  • Names — customer and contact names.
  • Payment identifiers — card and bank-account numbers (last four digits preserved).
  • Government identifiers — tax IDs, passport numbers, and similar high-sensitivity fields (fully redacted).

Five mask strategies#

Each field is masked with the strategy best suited to it — enough is preserved for a human to recognise the record without exposing the underlying value:

| Strategy | Input | Masked output | Best for |
|---|---|---|---|
| Email | `alice@acme.example.com` | `a***@a***.com` | Email addresses; preserves the first letter of the local part, the first letter of the domain and the TLD for visual recognition |
| Phone | `+14155551234` | `+1***-***-1234` | Phone numbers; preserves country code + last 4 digits |
| Last 4 | `4111 1111 1111 1234` | `************1234` | Card numbers, bank accounts; PCI / FFIEC convention |
| Name | `Alice Johnson Smith` | `Alice J. S.` | Full names; preserves first name + initials of the remaining parts |
| Full redact | Any PII string | `[REDACTED]` | Tax IDs, SSNs, government-issued IDs, and free-text fields where any leak is intolerable |
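The five strategies as working code. This is an added reference implementation, not Aforo's own masking layer; the function names, the `STRATEGIES` and `FIELD_STRATEGY` tables and the field names in them are assumptions, and the phone strategy additionally assumes a 10-digit national number so that whatever precedes it is the country code. Every strategy fails closed: input it cannot mask safely (an address without a TLD, a number with four digits or fewer) is fully redacted rather than partially leaked.

```python
import re

REDACTED = "[REDACTED]"


def mask_email(value: str) -> str:
    """Email strategy: a***@a***.com (first letter of the local part, first
    letter of the domain, TLD). Anything not shaped like user@host.tld is
    fully redacted rather than partially leaked."""
    local, _, domain = value.partition("@")
    if not local or "." not in domain:
        return REDACTED
    tld = domain.rsplit(".", 1)[1]
    return f"{local[0]}***@{domain[0]}***.{tld}"


def mask_phone(value: str) -> str:
    """Phone strategy: +1***-***-1234 (country code + last 4 digits).
    Assumption: the national number is the trailing 10 digits, so any
    digits before them are the country code."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 10:
        return REDACTED
    country, national = digits[:-10], digits[-10:]
    prefix = f"+{country}" if country else ""
    return f"{prefix}***-***-{national[-4:]}"


def mask_last4(value: str) -> str:
    """Last-4 strategy: ************1234 (PCI convention). Separators are
    dropped; an input with 4 digits or fewer has nothing left to hide
    behind, so it is redacted."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 4:
        return REDACTED
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_name(value: str) -> str:
    """Name strategy: Alice J. S. (first name + initials of the rest)."""
    parts = value.split()
    if not parts:
        return REDACTED
    return " ".join([parts[0]] + [f"{p[0]}." for p in parts[1:]])


def mask_redact(value: str) -> str:
    """Full-redact strategy: government IDs and free text."""
    return REDACTED


STRATEGIES = {"email": mask_email, "phone": mask_phone, "last4": mask_last4,
              "name": mask_name, "redact": mask_redact}

# Field-to-strategy mapping for the PII classes listed under "What gets
# masked". The field names are assumptions; the strategy choices follow the
# strategies table. Free-text fields get full redaction.
FIELD_STRATEGY = {
    "email": "email", "phone": "phone", "name": "name",
    "card_number": "last4", "bank_account": "last4",
    "tax_id": "redact", "passport_number": "redact", "notes": "redact",
}


def mask_record(record: dict) -> dict:
    """Masked copy of `record` for an unprivileged caller. Non-PII fields
    pass through unchanged; in this model a key absent from FIELD_STRATEGY
    is not treated as PII, so that table is where a new PII field must be
    registered."""
    return {k: (STRATEGIES[FIELD_STRATEGY[k]](str(v))
                if k in FIELD_STRATEGY and v is not None else v)
            for k, v in record.items()}
```

`mask_record` is the shape of the per-response step: it walks the record once and applies the strategy bound to each field, which is why the same rule lands identically on the console, the storefront and the API.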

Role-based access#

Whether a caller sees the raw value or the masked value depends on their role. Aforo's default policy is the most restrictive — only privileged roles see raw PII; everyone else sees masks:

| Role | Sees raw PII? | Notes |
|---|---|---|
| OWNER | Yes | Top-level admin; full visibility for legal investigations |
| ADMIN | Yes | Workspace admin; needs PII for support cases |
| BILLING_ADMIN | Yes | Needs raw email + tax ID for invoicing / compliance |
| DEVELOPER | No | Sees masked values; developers do not need raw PII to do their job |
| SUPPORT_AGENT | No | Sees masked values; escalates to an admin when raw data is genuinely needed |
| VIEWER | No | Read-only operator role; masked by default |

PII access audit trail#

Every time a privileged role views raw PII, Aforo records it in your audit log under the pii.* action namespace. This is the regulator-facing access trail: who saw what personal data, when, and why.

| Action | When recorded | Captured |
|---|---|---|
| `pii.read_customer` | A privileged role views a single customer detail (raw PII surfaced) | customer id, operator id, IP, user agent |
| `pii.dsr_opened` | An operator opens a data-subject-request detail view | subject email, customer id, request type |
| `pii.bulk_export` | An operator triggers a CSV / JSON export containing PII | export job id, row count, fields included |
| `pii.modified` | A PII field is updated (operator edits a customer record) | field name, before/after (hashed) |
| `pii.cross_tenant_attempt` | An operator attempts to read PII outside their own tenant | attempted tenant id, `blocked: true` |
PRO TIP
Because raw-PII access is always logged, you can answer an auditor's "who accessed this customer's data?" question directly from the audit log — no forensic reconstruction required.
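The role gate and the audit trail together, as an added model of the behaviour described in the role table and the audit-action table; this is not Aforo's code. The `Actor` and `AuditLog` shapes, the sample customer record, the rule that only a privileged in-tenant role may edit PII, and the 16-hex-character SHA-256 prefix used for the hashed before/after values are assumptions; masking is reduced to a single rule (last 4 for the card number, full redaction otherwise) to keep the focus on the gate. Two properties worth checking in any implementation are built in: the tenant check runs before the role check, so an OWNER of a different tenant is blocked and logged rather than served, and a masked view emits no `pii.read_customer` event, because no raw PII was surfaced.

```python
import hashlib
from dataclasses import dataclass, field

PRIVILEGED = {"OWNER", "ADMIN", "BILLING_ADMIN"}          # see raw PII
UNPRIVILEGED = {"DEVELOPER", "SUPPORT_AGENT", "VIEWER"}   # see masks
PII_FIELDS = {"name", "email", "phone", "card_number", "tax_id"}


@dataclass
class Actor:
    operator_id: str
    role: str
    tenant_id: str
    ip: str
    user_agent: str


@dataclass
class AuditLog:
    """Append-only list of pii.* events (stand-in for the real audit log)."""
    events: list = field(default_factory=list)

    def record(self, action: str, **captured) -> None:
        self.events.append({"action": action, **captured})


def _mask(key: str, value: str) -> str:
    # Masking reduced to one rule to keep the focus on the gate: last 4
    # digits for the payment identifier, full redaction for everything else.
    if key == "card_number":
        digits = "".join(ch for ch in value if ch.isdigit())
        return "*" * (len(digits) - 4) + digits[-4:]
    return "[REDACTED]"


def _h(value) -> str:
    """Hash a PII value so the audit record never stores it in clear
    (assumption: a 16-hex-character SHA-256 prefix is enough to compare)."""
    return hashlib.sha256(str(value).encode()).hexdigest()[:16]


def read_customer(actor: Actor, customer: dict, log: AuditLog) -> dict:
    """Return `customer` as `actor` may see it. The tenant check runs first,
    so a privileged role in the wrong tenant is blocked and logged before
    any role logic; an unknown role falls through to the masked view (fail
    closed); a masked view raises no pii.* event because no raw PII was
    surfaced."""
    if customer["tenant_id"] != actor.tenant_id:
        log.record("pii.cross_tenant_attempt", operator_id=actor.operator_id,
                   attempted_tenant_id=customer["tenant_id"], blocked=True)
        raise PermissionError("cross-tenant PII read blocked")
    if actor.role in PRIVILEGED:
        log.record("pii.read_customer", customer_id=customer["id"],
                   operator_id=actor.operator_id, ip=actor.ip,
                   user_agent=actor.user_agent)
        return dict(customer)
    return {k: _mask(k, str(v)) if k in PII_FIELDS else v
            for k, v in customer.items()}


def update_customer(actor: Actor, customer: dict, name: str,
                    new_value: str, log: AuditLog) -> dict:
    """Edit one PII field and emit pii.modified with hashed before/after.
    Assumption: only a privileged in-tenant role may edit PII."""
    if customer["tenant_id"] != actor.tenant_id or actor.role not in PRIVILEGED:
        raise PermissionError("PII edit refused")
    before = customer[name]
    customer[name] = new_value
    log.record("pii.modified", customer_id=customer["id"],
               operator_id=actor.operator_id, field=name,
               before=_h(before), after=_h(new_value))
    return customer


# Constructed sample data; not a real person or tenant.
CUSTOMER = {"id": "cus_123", "tenant_id": "t_acme", "name": "Alice Johnson Smith",
            "email": "alice@acme.example.com", "card_number": "4111 1111 1111 1234",
            "tax_id": "12-3456789", "plan": "pro"}

if __name__ == "__main__":
    log = AuditLog()
    admin = Actor("op_1", "ADMIN", "t_acme", "203.0.113.5", "console/1.0")
    dev = Actor("op_2", "DEVELOPER", "t_acme", "203.0.113.6", "console/1.0")
    print(read_customer(admin, dict(CUSTOMER), log)["email"])  # raw value, logged
    print(read_customer(dev, dict(CUSTOMER), log)["email"])    # masked, not logged
    for ev in log.events:
        print(ev)
```

Answering the auditor's question from this log is a filter on `customer_id` over `pii.read_customer` and `pii.modified` events; because before/after values are stored hashed, the log itself can be handed over without becoming a second copy of the PII it records.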