diff --git a/browsers/telemetry/categories.mdx b/browsers/telemetry/categories.mdx index 88352f1..c30fa7a 100644 --- a/browsers/telemetry/categories.mdx +++ b/browsers/telemetry/categories.mdx @@ -57,6 +57,12 @@ Captured events are persisted and can be replayed by [resuming the stream](/brow Some exposure is reduced for you automatically: input into sensitive fields such as passwords is suppressed (`interaction_key` isn't emitted for them, and `interaction_click` omits the element text). Beyond that, because selection is opt-in, the most effective control is to capture only the categories you need - enable `network`, `console`, `page`, `interaction`, or `screenshot` deliberately, and prefer the operational categories when you only need session health. +### Restrictions for organizations with a BAA + +If your organization has signed a business associate agreement (BAA) with Kernel - the contract required to handle data under HIPAA - the `network`, `console`, and `screenshot` categories are blocked and can't be captured. These are the categories most likely to record protected health information (PHI): full request and response data, anything the page logs, and rendered images of the screen. + +The restriction is enforced when you create a session (`POST /browsers`) or update one (`PATCH /browsers/{id}`). Enabling any blocked category returns a `400` response with the code `telemetry_category_restricted`, and the session's telemetry config is left unchanged. The remaining browser-activity categories (`page` and `interaction`) and all operational categories stay available. + -If you operate under HIPAA, GDPR, or similar obligations, be deliberate about the browser-activity categories: pointing them at a site that handles regulated data captures that data into storage. If you have compliance requirements around what Kernel may process, [contact us](mailto:security@kernel.sh) before enabling them. +If you operate under HIPAA, GDPR, or similar obligations, be deliberate about the browser-activity categories: pointing them at a site that handles regulated data captures that data into storage. `page` and `interaction` stay available under a BAA but can still carry personal data. If you have compliance requirements around what Kernel may process, [contact us](mailto:security@kernel.sh) before enabling them.