Data Masking
Data Masking
Protect sensitive data during export by applying masking transformations. Data masking allows you to export data for development, testing, or analytics while obscuring personally identifiable information (PII) and other sensitive fields. Essential for GDPR, HIPAA, and SOC 2 compliance.
Quick Start
Apply data masking to your exports:
- Create or edit an export job
- Open the Field Mapping section
- Click on a sensitive field (email, phone, SSN)
- Add a transformation script with masking logic
- Preview to verify masking works correctly
- Execute the export with masked data
Why Data Masking?
Data masking is critical for several scenarios:
- Development & Testing - Use realistic data without exposing real customer information
- Analytics & Reporting - Share data with analysts while protecting PII
- Third-Party Sharing - Provide data to vendors without compliance risks
- Regulatory Compliance - Meet GDPR, HIPAA, CCPA, SOC 2 requirements
- Data Breach Prevention - Limit exposure if non-production data is compromised
Masking Types
Choose the appropriate masking strategy based on your data type and use case.
| Mask Type | Description | Input | Output |
|---|---|---|---|
| Redact | Replace with fixed placeholder | john@email.com |
[REDACTED] |
| Partial Mask | Show first/last characters only | john@email.com |
j***@***.com |
| Hash | One-way hash (SHA-256) | john@email.com |
a8f5f167f44f... |
| Tokenize | Replace with consistent token | john@email.com |
USER_8472 |
| Randomize | Replace with random value of same format | 555-123-4567 |
555-847-2918 |
| Fake | Generate realistic fake data | John Smith |
Jane Wilson |
| Null | Replace with null/empty | secret123 |
null |
| Truncate | Keep only first N characters | 1234-5678-9012-3456 |
1234-XXXX-XXXX-XXXX |
Applying Masks
Apply masking through the field transformation editor. Select a field, open the transformation panel, and choose or write your masking logic.
Email Masking
Partially mask emails to hide the full address while preserving format recognition.
Phone & SSN Masking
Reveal only the last 4 digits for phone numbers and SSNs - enough for identification, safe for compliance.
Credit Card Masking
Standard PCI-compliant masking showing only the last 4 digits.
Name & Address Masking
Generate fake but realistic names, or redact addresses while keeping city/state for geographic analysis.
Field Recommendations
Common PII fields and recommended masking strategies.
| Field Type | Sensitivity | Recommended Mask | Example Output |
|---|---|---|---|
| High | Partial or Hash | j***@***.com |
|
| Phone | High | Partial (last 4) | ***-***-1234 |
| SSN | Critical | Partial (last 4) or Hash | ***-**-6789 |
| Credit Card | Critical | Partial (last 4) | ****-****-****-1234 |
| Name | Medium | Fake or Initials | J. S. or fake name |
| Address | Medium | Generalize or Redact | [REDACTED], City, ST |
| Birthdate | Medium | Year only or Age bracket | 1990-01-01 or 30-39 |
| IP Address | Medium | Truncate or Randomize | 192.168.XXX.XXX |
| Password | Critical | Null or Exclude | Don't export |
| API Keys | Critical | Null or Exclude | Don't export |
Consistent Masking
For data that needs referential integrity (e.g., user IDs that appear in multiple collections), use hash-based masking. The same input always produces the same output, preserving relationships across exports.
Conditional Masking
Apply masking based on document properties - mask only EU users for GDPR, skip admin accounts, or apply different rules per data classification.
Excluding Fields
For highly sensitive fields like passwords and API keys, exclude them entirely rather than masking.
- Disable field - Uncheck the field in field mapping to exclude it from export
- Projection - Use MongoDB projection to never fetch sensitive fields
Pro Tips
- Test with preview - Always preview masked data before running the full export to verify masking works correctly.
- Use consistent hashing - When you need referential integrity across collections, use
crypto.sha256()for deterministic masking. - Document your masks - Keep a record of which fields are masked and how, for audit and compliance purposes.
- Exclude rather than mask - For passwords, API keys, and tokens, exclude them entirely instead of masking.
- Consider data utility - Choose masking that preserves data usefulness (e.g., keep domain for emails, keep format for testing).
- Save as template - Save your export job with masking as a template for consistent use across environments.
- Validate output - After masking, verify no PII leaked through edge cases (nulls, empty strings, unusual formats).
Related Features
- Export/Import Data - Full guide to creating export jobs with field mapping
- SQL Migration - Export masked data to SQL databases
- Task Manager - Schedule automated masked exports
Ready to try VisuaLeaf?
Download and start managing your MongoDB databases with ease.
Download Free Trial