Privacy Controls

With groundcover's BYOC (Bring Your Own Cloud) deployment, all AI telemetry — including prompts, responses, and model metadata — stays within your own infrastructure. groundcover processes AI data exclusively in your environment; nothing is sent to external services.

For teams that need additional control, groundcover supports two approaches: disable collection entirely — a hard guarantee that no AI spans reach storage — or metadata-only mode, which keeps performance metadata (tokens, cost, latency, model) while stripping prompts and responses (best-effort; see scope note below). Both use Traces Pipeline rules.


Disable GenAI Data Collection

To prevent all GenAI spans from reaching storage, add the following rule to your traces pipeline. Non-GenAI traffic (HTTP, gRPC, DB, etc.) is completely unaffected.

  1. Switch to YAML mode

  2. Add the rule below

  3. Save — changes take effect on new spans immediately, no sensor restart required

Traces Pipeline YAML
ottlRules:
  - ruleName: gc-genai-off
    conditions:
      - 'protocol_type == "gen_ai"'
    statements:
      - 'set(drop, true)'

This drops all GenAI spans — both eBPF-captured and SDK-instrumented — before they reach storage.

To re-enable GenAI data collection, remove the rule and save.

Custom Providers

groundcover auto-detects OpenAI, Anthropic, and AWS Bedrock traffic. If you use a provider that isn't auto-detected (e.g., Cohere, Gemini, or a self-hosted model), those calls appear as regular HTTP spans and are not affected by the rule above.

To include custom providers in the drop rule, add a rule matching their hostname:

Replace the hostnames with your provider endpoints. Each hostname needs both http.host and net.peer.name conditions because different instrumentation sources use different attribute names for the same host.


Metadata-Only Mode

To keep performance metadata (tokens, cost, latency, model) while stripping prompts and responses from storage, use two layers:

SDK Spans

Most OTel GenAI instrumentation libraries support disabling content capture at the source. The standard environment variable is:

Check your SDK's documentation — some libraries use different configuration keys. When content capture is off, spans arrive with all performance metadata intact and no prompt or response text.

eBPF Spans

Add this pipeline rule to clear content fields from eBPF-captured GenAI spans. It covers Era 3 attributes (gen_ai.input.messages, etc.), Era 1 attributes (gen_ai.prompt, gen_ai.completion), and the indexed variants emitted by Traceloop/OpenLLMetry SDKs.

If you already have an ottlRules: block in your pipeline YAML, add only the - ruleName: entry to the existing list — do not add a second ottlRules: key.
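Because metadata-only mode is described as best-effort, it is worth auditing a sample of exported spans after enabling it. The script below is an added example, not groundcover code. It assumes spans are available as dictionaries with `name`, `protocol_type` and `attributes` keys (a constructed layout), that `gen_ai.output.messages` is among the Era 3 fields, that indexed variants look like `gen_ai.prompt.0.content`, and that a cleared field is either absent or empty.

```python
import re

# Content-bearing attribute families named on this page. gen_ai.output.messages
# and the ".<index>.<field>" suffix pattern are assumptions (see lead-in).
CONTENT_KEY = re.compile(
    r"^gen_ai\.(input\.messages|output\.messages"  # Era 3
    r"|prompt|completion)"                         # Era 1
    r"(\.\d+\..+)?$"                               # indexed variants
)

EMPTY = ("", None, [], {})  # values treated as "cleared" (assumption)


def leaked_content(span):
    """Return the sorted content attributes of a span that still carry a value."""
    attrs = span.get("attributes", {})
    return sorted(k for k, v in attrs.items()
                  if CONTENT_KEY.match(k) and v not in EMPTY)


def audit(spans):
    """Map span name -> leaked keys for GenAI spans that are not metadata-only."""
    report = {}
    for span in spans:
        # Providers that are not auto-detected arrive as plain HTTP spans and
        # never match protocol_type == "gen_ai", so they are skipped here.
        if span.get("protocol_type") != "gen_ai":
            continue
        keys = leaked_content(span)
        if keys:
            report[span["name"]] = keys
    return report


# Constructed sample spans, not real telemetry.
SAMPLE_SPANS = [
    {"name": "sdk-chat", "protocol_type": "gen_ai", "attributes": {
        "gen_ai.request.model": "example-model",
        "gen_ai.usage.input_tokens": 42,
        "gen_ai.input.messages": ""}},            # content capture off at source
    {"name": "ebpf-chat", "protocol_type": "gen_ai", "attributes": {
        "gen_ai.request.model": "example-model",
        "gen_ai.prompt": "summarise this contract",
        "gen_ai.completion.0.content": "The contract states"}},
    {"name": "checkout", "protocol_type": "http", "attributes": {
        "http.host": "shop.example.internal"}},
]

if __name__ == "__main__":
    for name, keys in audit(SAMPLE_SPANS).items():
        print(f"{name}: content still present in {', '.join(keys)}")
```

An empty report on spans captured after the rule was saved indicates both layers are working; any entry names the span and the fields that still hold prompt or response text.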

For more surgical control — replacing specific JSON keys within request/response bodies with a placeholder rather than stripping entire fields — see Obfuscate Traces.

Pipeline rules apply to new spans only. Existing data in storage is not affected.
