What is PII?

Personally Identifiable Information (PII) refers to any data that can directly or indirectly identify an individual.

  • Direct identifiers: Full name, email address, phone number, government-issued ID, payment information.
  • Indirect identifiers: IP address, location, device ID, or cookie identifiers, which may identify an individual when combined with other data.

PII Collection and Protection Across Modules

Application Performance Monitoring (APM)

Atatus APM collects only technical data such as metrics, traces, and errors. It does not capture PII by default. Developers may add custom attributes, but any included PII will be stored. Data masking and exclusion filters help prevent accidental exposure.

Browser Monitoring (RUM)

Browser Monitoring records page load times, JavaScript errors, sessions, and network requests. By default, it does not capture form fields, typed input, or any personal data. If you extend instrumentation with custom data, you must ensure PII is excluded or masked.

Analytics & Log Management

Analytics and Log Management collect data strictly based on user configuration. If you include PII in logs, events, or metadata, Atatus will process it as provided. Responsibility lies with the user to avoid sending sensitive PII unless required. Atatus provides features like filters, masking, and redaction to help prevent accidental PII storage.

Infrastructure Monitoring

Infrastructure Monitoring tracks system and resource metrics, not user information. PII exposure occurs only if custom metadata or logs sent with the infrastructure agent contain such information.

Other Monitoring Modules

Atatus systems and agents are designed to collect operational telemetry, not PII, unless specifically configured by the user.

Data Protection

Atatus recommends and supports industry-standard data protection methods:

  • Anonymization: Irreversibly removes identifiers so individuals cannot be re-identified (e.g., aggregating or deleting identifiers).
  • Pseudonymization: Replaces identifiers with tokens or codes. This process is reversible, so the resulting data is still considered PII under GDPR and other laws.
  • Redaction & Masking: Mask or redact sensitive values in traces, logs, and analytics to enforce compliance and prevent exposure.
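
The three methods above, applied to one log record before it is handed to any telemetry agent. This is an added example, not Atatus code or an Atatus API; the field names, the TokenVault class, the key and the sample record are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption): a real key lives in a secret store.
PSEUDONYM_KEY = b"demo-key-not-for-production"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DROP_FIELDS = {"card_number", "phone"}   # identifiers deleted outright
PSEUDONYM_FIELDS = {"user_id"}           # identifiers replaced by a token


class TokenVault:
    """Hypothetical token store; whoever holds it can re-identify users."""
    def __init__(self, key):
        self._key = key
        self._reverse = {}

    def tokenize(self, value):
        # Keyed and deterministic: the same user always maps to the same token.
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:16]
        self._reverse[token] = value
        return token

    def reveal(self, token):
        # Reversibility is why pseudonymized data still counts as PII.
        return self._reverse[token]


def scrub(record, vault):
    """Return a copy of a log record with identifiers dropped, tokenized or masked."""
    clean = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in PSEUDONYM_FIELDS:
            clean[field] = vault.tokenize(str(value))
        elif isinstance(value, str):
            masked = EMAIL_RE.sub("[EMAIL]", value)      # redact emails in free text
            clean[field] = IPV4_RE.sub("[IP]", masked)   # redact IPv4 addresses
        else:
            clean[field] = value
    return clean


# Constructed sample record (not real data).
SAMPLE = {"user_id": "u-1842", "card_number": "4111111111111111",
          "message": "login failed for alice@example.com from 203.0.113.7", "duration_ms": 412}
```

Only the deleted and masked values are gone for good; the token in user_id can be mapped back by anyone with access to the vault, so the vault and key need the same protection as the original identifiers.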