Security and Privacy
Relicx takes a security and privacy first approach to collecting and storing user data.
- All sensitive or confidential data can be blocked, tokenized, or redacted on the browser side. This ensures that no confidential data is ever sent to Relicx
- Well-known PII data such as email, password, credit card, US social security, etc. is automatically tokenized/redacted. Relicx session recording will only show a parameterized token ($EMAIL, $PASSWORD, etc.) rather than the actual values entered by the user. Additional fields or UI elements can be blocked or redacted as described below.
- Data is encrypted in transit and at rest
- Row-level database security ensures only you have access to your session recordings
Relicx allows you to configure privacy policies using the UI or programmatically. You have the option to
- Redact/tokenize any user input fields. This will ensure that Relicx session recordings only contain parameters tokens (e.g. $DEPOSIT_AMOUNT) instead of the actual value. By parametrizing the user input, Relicx allows you to create data-driven tests based on user sessions/flows while ensuring data privacy.
- Completely block certain parts of the UI using the block class capability. The blocked classes will be completely excluded from the session recording. Please note that no user interaction will be recorded against the blocked classes and thus those steps will not be part of any Relicx generated tests. This option should, therefore, be used with caution and primarily to exclude sensitive static information such as text or images that don't involve any user interaction.
The following fields are redacted by default and you do not need to enter any rules for these. We will continue to add and revise this list periodically
- Credit card number
- US social security number
- Phone number
- Monetary values
- Numeric data
You can Relicx UI for no-code redaction configuration. The redaction rules can be configured using the CSS properties, such as
The example below shows how to configure a redaction rule using CSS attributes. The Selectors and XPath based rules are also similar.
To configure the redaction for the email field, open the inspect mode using the browser right-click menu and select the "inspect" option. (Please note that this is just for illustration purposes. Email fields are automatically redacted and no additional configuration is needed).
In the inspect mode, you will see the various attributes of this field
You can use the name and the type attribute to redact this field input. The screenshot below shows two entries. One for the name attribute with email value, and the one for the type attribute. The redaction rules apply to more than one field then all the fields will be redacted. The rule applies to the entire app and not on individual pages. With this redaction rule in place, Relicx will automatically redact any CSS element in the application with name=email or type=email to $EMAIL in session recordings.
To block a class, you would need a uniquely identifiable class name associated with the element that you would like to block. The Class names are listed in rules and Relicx builds an internal rule to completely block the information. For example, if you want to block the entire string Welcome Josh from the session replay, open the browser inspect mode and look for the class name of the element.
Once you have the class name, you can create a block class rule under Settings --> Applications --> Privacy. The example below shows the block class configuration for the class named active.
With this block class configuration, Relicx session replay will block this string and will not display it anymore.
While Relicx supports a number of methods to block and redact sensitive information, the recommended method to apply these privacy rules would be to add these special class identifiers that will automatically block or redact sensitive data. This is particularly useful if your application is evolving fast and you can simply add this class and the privacy rules are applied automatically.
Relicx supports two programmatic ways to specify privacy rules.
Elements with relicx-block class will be blocked.
Input elements with attribute relicx-mask=name will be redacted to $name. Here name can be account number, address, etc.