Support policy for accidental ingestion of sensitive data

Overview

Per the service agreement, customers are responsible for preventing the transmission of sensitive data (e.g., personally identifiable information, financial data) to Observe. If accidental ingestion occurs, Observe offers support to mitigate and remediate the issue. This policy outlines customer actions and the process for requesting data deletion.

Customer Actions to Mitigate Accidental Ingestion

To prevent further transmission and restrict access to sensitive data, customers should take the following steps before requesting deletion:

  • Stop Sending Sensitive Data: Immediately halt the transmission of sensitive data to Observe. Customers are responsible for implementing preventive measures.

  • Check Data Retention Settings: Verify if the sensitive data is within your configured retention period. Data will automatically be deleted once the retention period expires. Refer to Data Retention in Observe Documentation for details.

  • Implement RBAC Policies: Restrict access to datastreams or datasets by applying Role-Based Access Control (RBAC) policies, limiting queries to authorized users only.

Requesting Data Deletion

If sensitive data cannot be mitigated through the above steps, the preferred solution is to add a dataset query filter to exclude results that include sensitive data from any user queries. This can currently only be done by Observe support, customers may request the creation of a dataset query filter via the Observe Support Portal. To submit a dataset query filter request, provide:

  • Confirmation that sensitive data ingestion has stopped.

  • Details of mitigation strategies applied (e.g., filters, RBAC policies).

  • Opal filters that exclude the sensitive data for each affected dataset(s) or datastream(s). These filters statements cannot include make_column or other similar verbs.

Customers may also request deletion of sensitive data, in addition to a dataset query filter, via the Observe Support Portal. Deletion is a resource-intensive process, and customers are encouraged to use filters or RBAC policies to restrict access promptly.
To submit a deletion request, provide:

  • Confirmation that sensitive data ingestion has stopped.

  • Details of mitigation strategies applied (e.g., filters, RBAC policies) AND why a dataset query filter is not sufficient.

  • Queries (e.g., Opal queries) identifying the sensitive data for each affected dataset or datastream with a time period <= 7d for each filter.

  • The total number of records to be deleted per dataset for verification.

  • Confirmation that the requester is an admin of the Observe deployment

Deletion Process and Timeline

The data deletion timeline depends on your level of support with Observe:

  • Standard support: Deletion requests are targeted for completion within 30 days of submission.

  • Premier support: Completion is targeted within 14 days of submission.

Deletion requests are processed as described below:

  • Deletions under 10,000 rows can be done surgically; 10,000 to 1 million rows or time ranges greater than 30 days require Observe to perform a feasability assessment.

  • Deletions over 1 million rows are not supported; customers must use timestamp-based time-range deletions instead.

  • Deletions are based on coarse-grained timestamp filters, not precise query matches, potentially deleting more data than requested.

  • Support targets deletion completion within 30 days (standard) or 14 days (premier).

Important Notes

  • Customers should prioritize access controls (filters or RBAC) to prevent unauthorized access, as deletion may not be immediate.

  • Observe will confirm completion of the deletion process upon request.

  • For further assistance, contact us via the Observe Support Portal.