How to remove PII from JSON audit logs for compliance reporting
- Step 1: Export the audit log as JSON — Export the audit log records for the period under analysis as a JSON array. Each record should contain the event type, timestamp, and relevant metadata.
- Step 2: Configure which fields to anonymize — Identify the PII fields in the log records: userId, email, ipAddress, userAgent. Configure these as fields to anonymize. Retain event type, timestamp, resource ID, and outcome fields for analysis.
- Step 3: Run anonymization — Run the anonymizer. Personal identifiers are replaced with consistent synthetic tokens: userId 'usr_12345' → 'anon_7a3f1b'. The same original value always maps to the same token, preserving user activity patterns across events.
- Step 4: Share the sanitized log — Share the sanitized log with the security auditor or compliance team. The event pattern — what actions were taken, when, and in what sequence — is fully preserved. Only personal identities are replaced.
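The consistent replacement described in Steps 2 and 3, as an added Node.js example that is not the tool's own code. The page does not say how tokens are derived, so the HMAC-SHA256 construction, the per-report key, the 16-hex-digit token length and the names `tokenFor` and `pseudonymize` are assumptions; a keyed MAC is used instead of a plain hash because unkeyed hashes of emails or IPv4 addresses can be reversed by hashing guesses.

```javascript
// Added example: keyed pseudonymization of audit-log PII (Node.js, CommonJS).
const crypto = require('node:crypto');

// Field names taken from Step 2 of the page.
const PII_FIELDS = new Set(['userId', 'email', 'ipAddress', 'userAgent']);

// Assumption: a token is a truncated HMAC-SHA256 of the value. The field name is
// mixed in so an equal string in two different fields does not link them.
function tokenFor(key, field, value) {
  const mac = crypto.createHmac('sha256', key)
    .update(field).update('\0').update(String(value))
    .digest('hex');
  return 'anon_' + mac.slice(0, 16); // 64 bits keeps accidental collisions unlikely
}

// Walks records recursively so PII nested under metadata objects is also replaced.
function pseudonymize(node, key) {
  if (Array.isArray(node)) return node.map((item) => pseudonymize(item, key));
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const [field, value] of Object.entries(node)) {
    if (PII_FIELDS.has(field) && value !== null && typeof value !== 'object') {
      out[field] = tokenFor(key, field, value);
    } else {
      out[field] = pseudonymize(value, key); // retained fields pass through unchanged
    }
  }
  return out;
}

// Constructed sample export (not real log data).
const SAMPLE_LOG = [
  { eventType: 'login', timestamp: '2024-05-01T09:00:00Z', userId: 'usr_12345',
    email: 'a.user@example.com', ipAddress: '203.0.113.7', outcome: 'success' },
  { eventType: 'file.read', timestamp: '2024-05-01T09:02:10Z', userId: 'usr_12345',
    resourceId: 'doc_881', outcome: 'success',
    metadata: { ipAddress: '203.0.113.7', userAgent: 'ExampleBrowser/1.0' } },
  { eventType: 'login', timestamp: '2024-05-01T09:05:00Z', userId: 'usr_67890',
    email: 'b.user@example.com', ipAddress: '198.51.100.4', outcome: 'failure' },
];

// Per-report secret: never ship it with the sanitized log. Destroying it after
// the export means tokens cannot be re-derived from guessed identifiers.
const reportKey = crypto.randomBytes(32);
const SANITIZED = pseudonymize(SAMPLE_LOG, reportKey);
console.log(JSON.stringify(SANITIZED, null, 2));
```

Reusing the same key across reports keeps tokens linkable between them; a fresh key per report prevents that correlation.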
Frequently asked questions
Should I anonymize or pseudonymize audit logs for compliance reporting?
For security audits that need to trace user actions across events, pseudonymization is more useful than anonymization — consistent tokens let auditors see 'user A accessed this resource 5 times' without knowing who user A is. The consistent replacement this tool provides is a form of pseudonymization.
How long should audit logs be retained under GDPR?
GDPR does not specify a retention period for audit logs. Retention should be documented in your Records of Processing Activities (ROPA) with a justified purpose and duration. Common practice is 90 days for security logs, 1-3 years for compliance logs, and the minimum necessary for the stated purpose.
Is the audit log data transmitted to JAD Apps?
No. Anonymization runs entirely in your browser. Audit log records are never transmitted to JAD Apps servers.
Privacy first
Conversion runs locally in your browser. No file is uploaded — only metadata counters are saved for signed-in dashboard stats.