Data Protection Policies and Data Masking

Data protection is a crucial aspect of business operations, especially when dealing with sensitive information. Kadeck Teams Enterprise is equipped with a Data Protection Policy module that helps you define data protection policies through the administration panel.

Understanding Data Protection Policies

Kadeck's data protection policies revolve around data masking - a process of making certain fields in a structured data object unrecognisable before it's displayed to the user. This masking is based on policies set for all servers or specific servers and resources.
Data policies consist of:
  • Category (e.g., PII)
  • Resources (All, certain servers, all + certain topics, or regular expressions)
  • Fields (e.g., "creditcard", "creditno", "cardno" or regular expressions)
  • Masking Type (either random chars, or specific redaction methods)

These policies are applied on key, value and headers (converted to string) directly after decoding the data. The quick processors and filters are applied afterwards. It's also important to note that in case of decoding failure, no "raw" data is sent to the user to troubleshoot. Instead, the user will only receive a "failed" message.

Incompatible Codecs

Certain codecs are incompatible with data protection policies. For instance, the string and CSV codecs are deactivated when a data protection policy applies to a corresponding topic. This limitation means that certain codecs are not available for use with topics subject to a data protection policy.

Note: Custom codecs remain available on topics covered by a Data Protection Policy. If your team is using custom codecs, make sure that they implement proper error handling (i.e., throwing a DecodingException if decoding is not possible) so that no data is leaked.

Creating and Managing Data Protection Policies

Step 1: Access Data Protection Policies

Navigate to the Administration panel and click on the new menu entry, "Data Protection Policies". This will open a view with a list of your existing policies.

Step 2: Create a New Data Protection Policy

As a Kadeck administrator, you have the rights to create data protection policies. Click on "Add Policy" and you'll be prompted to fill out the following information:

  • Name of the policy
  • Status (active/inactive)
  • Description
  • Resources (either specific names or regular expressions: connectionId and topicName, or connection.* and topic.*, etc.)
  • Fields
    • Name (incl. support for regular expressions, e.g. .*ID for all fields that end with ID)
    • Redaction method
  • Impact (LOW, MEDIUM, HIGH)
  • Classification (PCI, PII, HIPAA-PHI, SSN, GDPR-SPD)

Step 3: Choosing Redaction Methods

Depending on the type of data you're dealing with, choose a suitable redaction method. These range from fully redacting matched values, to replacing them with random characters, to showing certain parts of the data. The priority level of the redaction methods dictates the order of application. More specific policies with higher priority are applied first.

You can also select “no redaction”. This way, only the access to the data is audited.

Step 4: Apply the Policy

Save the policy. It will be applied to all relevant data, depending on the resources and fields specified in the policy. It's important to note that all applicable data policies will always be applied.

Note: If multiple policies apply to a particular field, the redaction method with the higher priority will be applied. If multiple redaction methods with the same priority are configured for a field, only the first one will get applied.


Every time a user views data with a data policy or when a policy is created, read, updated, or deleted (CRUD), the event is logged for audit purposes.
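
The resolution rules described above (resource and field matching, highest priority wins, first configured rule wins on a tie, "failed" on a decoding error, audited access) can be modelled as follows. This is an added illustration, not Kadeck's implementation. Assumptions: patterns must match the whole name, priority is a number where larger means higher, the method names `full`, `keep_last4` and `none` are hypothetical, records are flat JSON objects, and all sample policies are constructed.

```python
import json
import re
from dataclasses import dataclass

# Hypothetical redaction methods, modelled on the kinds the page lists.
REDACTORS = {
    "full": lambda v: "*" * len(v),
    "keep_last4": lambda v: "*" * max(len(v) - 4, 0) + v[-4:],
    "none": lambda v: v,  # "no redaction": the access is only audited
}

@dataclass
class FieldRule:
    topic_pattern: str  # resource regex
    field_pattern: str  # field-name regex, e.g. ".*ID"
    method: str         # key into REDACTORS
    priority: int       # assumption: larger number = higher priority

# Constructed sample policies, listed in configuration order.
SAMPLE_RULES = [
    FieldRule(r".*", r"cardno", "keep_last4", 1),
    FieldRule(r"payments\..*", r"cardno", "full", 2),
    FieldRule(r".*", r".*ID", "full", 1),
    FieldRule(r".*", r".*ID", "none", 1),
]

def pick_rule(rules, topic, field):
    """Highest priority wins; on a tie the first configured rule wins."""
    hits = [r for r in rules if re.fullmatch(r.topic_pattern, topic)
            and re.fullmatch(r.field_pattern, field)]
    # max() returns the first maximal element, so ties keep list order.
    return max(hits, key=lambda r: r.priority) if hits else None

def view_record(rules, topic, raw, audit):
    """Decode, then mask; a decode failure yields only "failed"."""
    try:
        record = json.loads(raw)
        if not isinstance(record, dict):
            raise ValueError("not a structured object")
    except ValueError:
        return "failed"  # never fall back to showing the raw bytes
    shown = {}
    for name, value in record.items():
        rule = pick_rule(rules, topic, name)
        if rule is None:
            shown[name] = value
            continue
        shown[name] = REDACTORS[rule.method](str(value))
        audit.append((topic, name, rule.method))
    return shown
```

Running candidate policies through a model like this before saving them shows which rule actually wins for a given topic and field, which is useful when a broad regular expression and a specific name both match.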
