DATA MASKING & PII
Let agents reason over your data without seeing what they shouldn't.
Sensitivity tiers and query-time masking keep names, salaries, and sensitive accounts out of the model — while the analysis still works.
Useful analysis needs structure and relationships, not real names. Most tools force a choice between sharing everything or nothing. PipeLedger masks at query time — the model gets what it needs, not what it shouldn't have.
Real data in. Tokens out. Re-identify on demand.
Click 'Admin re-identify' in the diagram below to see how a token resolves under role-gated, logged access.
| VENDOR_NAME | AMOUNT |
|---|---|
| John Smith | $145,000.00 |
| Sarah Johnson | $98,500.00 |
| Acme Corp | $234,100.00 |
| Pacific Ventures | $67,200.00 |
| VENDOR_NAME | AMOUNT |
|---|---|
| CUST_8F4KQ2A1 | $145,000.00 |
| CUST_3B7PQ9R2 | $98,500.00 |
| VEND_2A9MK5P1 | $234,100.00 |
| CUST_7H2LN5K8 | $67,200.00 |
Amounts pass through unmasked — agents reason on the numbers and keep ledger integrity; only the identity is tokenized.
Most-restrictive-wins across any path to a row. Set once per column, enforced everywhere — the tier can never be reduced by a query.
Redact, hash, round, prefix, or tokenize — per column, applied at the moment of every query. Not in the ERP, not in transit.
Rate-limited, role-gated, and logged to the immutable audit trail before any token resolves to a real value.