Skip to main content
If your agent handles customer data, the two places PII leaks are the prompts you send upstream and the logs you keep. This recipe wires up pii safe logging end to end: a PII mask rule scrubs the request before the model, raw matched content stays out of your match feed by default, and request-log retention is clamped so nothing lingers. Everything below is workspace configuration in the console — your app keeps calling /v1/chat/completions unchanged.
Each config step is role-gated. Authoring a guardrail needs Developer+; changing retention or compliance residency needs workspace Admin. Reading the Matches feed is open to any Member.

1. The pii safe logging pipeline in three moves

A PII-safe pipeline is three independent controls, each one a switch you flip once for the whole workspace:

Mask at the edge

A pii guardrail rule redacts emails, SSNs, cards and more to typed tags before the upstream model ever sees the request.

Log no raw content

The guardrail Log raw content toggle is off by default, so the match feed records that a rule fired, never the matched substring.

Clamp retention

Request-log retention defaults to 30 days and is server-clamped to a 180-day hard maximum — short-lived by design.
The rest of this page wires all three together with one concrete example.

2. Mask PII before the model sees it

Create a guardrail with a single pii rule on the input stage and the mask action. On a mask action each match is replaced with a typed tag — an email becomes [EMAIL], an SSN becomes [SSN] — so the upstream model receives a sanitized request, not the original. 
{
  "type": "pii",
  "stage": "input",
  "action": "mask",
  "entities": ["email", "phone", "ssn", "credit_card", "ip"]
}
In the console: Guardrails → New guardrail, add the rule above (or start from the PII Shield preset under the PII category), then save. Attach it to an API key via the key’s Guardrail dropdown, or set it as the workspace default so every key inherits it.
Want some entities masked but others rejected outright? One rule can carry per-entity overrides — mask email/phone but block on ssn/credit_card — via entity_actions. See Guardrails for the full PII entity set, custom regex entities, and the per-entity override syntax.
Send a request with that key and the email is redacted in flight: 
curl https://api.orcarouter.ai/v1/chat/completions \
  -H "Authorization: Bearer sk-orca-..." \
  -H "Content-Type: application/json" \
  -d '{
    "model": "openai/gpt-4o-mini",
    "messages": [
      {"role": "user", "content": "Draft a reply to jane@acme.com about her SSN 123-45-6789"}
    ]
  }'
The model sees Draft a reply to [EMAIL] about her SSN [SSN]. The original values never leave the gateway.
Input-stage masking is what a PII-safe pipeline relies on — it scrubs the request before the upstream call. Output-stage masking works on both non-streaming and streaming responses (streaming rewrites each chunk in place), so you can also redact PII the model emits.

3. Keep raw content out of your logs

Every rule that fires records a match — its type, action, stage, and a detail string. Whether the match also stores the matched substring (the actual email address, the actual SSN) is gated by the guardrail’s Log raw content toggle, which is off by default — the privacy-conservative posture.
With Log raw content off, the Matches feed shows that a pii rule masked an email at the input stage, but never the address itself. That’s exactly what you want for a PII-safe pipeline: full auditability of what fired, zero retained PII. Leave it off in production; turn it on per-guardrail only for short-lived triage. The toggle is non-retroactive.
Read the feed at Guardrails → Matches (GET /api/guardrail/match, Member). Group and filter by guardrail, rule type, and action to see your masking rate without ever surfacing a real value. Marking a match a false positive is an Admin action (POST /api/guardrail/match/:id/mark-fp).

4. Clamp how long request logs live

Request-log capture is an opt-in troubleshooting feature, and when it’s on, retention is bounded:
SettingValueBehavior
Default retention30 daysApplied when no per-workspace value is set.
Hard maximum180 daysAny longer value is server-clamped down.
You cannot exceed the 180-day ceiling — it’s enforced at write time, not a suggestion. Combined with the masking from §2, even captured logs hold sanitized text, and they age out on a fixed clock.
Treat captured request logs as a debugging lever, not a data store. Enable capture during an incident, keep the retention window tight, and rely on the Matches feed (which never holds raw PII when Log raw content is off) for steady-state observability.

5. Right-to-erasure and residency

Two more controls round out a compliant pipeline:
A user self-deletion enters a 30-day grace window, after which PII is scrubbed and a cascade purge removes that user’s request logs, guardrail matches, and firewall events together — so no artifact outlives the erasure request.
Set the region your compliance report artifacts are pinned to (us, eu, uk, ap, cn, global) via PUT /api/compliance/residency (Admin). Cross-region reads of a report are withheld. This pins the report artifact region — it is not inference-data geo-pinning.

6. Verify before you ship

Prove the masking does what you expect before any traffic depends on it:
1

Sandbox the rule

Open the Test tab in the guardrail editor, paste sample text with a real-looking email and SSN, pick the input stage, and run. The sandbox returns the verdict and the rendered text ([EMAIL], [SSN]) without an upstream call or any quota spend.
2

Eval against a corpus

The Eval tab runs the policy over bundled or custom JSONL corpora so you can measure catch rate and false positives before going live.
3

Confirm the feed stays clean

Send one real request, then open Matches and confirm the entry shows the rule fired with no matched substring — proof that Log raw content is off.

Guardrails reference

The full PII entity set, custom entities, per-entity overrides, and the Matches feed.

Secure a RAG pipeline

Grounding and PII controls for retrieval-augmented agents.

SOC 2 evidence

Turn guardrail and firewall activity into signed audit reports.

Data exfiltration

The threat model behind keeping PII off the wire and out of logs.