From cb9916fd821d194361497e23e40e887d35fa6a7b Mon Sep 17 00:00:00 2001 From: Sayan Samanta Date: Tue, 14 Jul 2026 12:36:14 -0700 Subject: [PATCH 1/2] docs(telemetry): document BAA category restrictions Document that orgs with a BAA cannot capture the network, console, and screenshot telemetry categories, that enforcement happens on session create/update, and that the request is rejected with a 400 telemetry_category_restricted. --- browsers/telemetry/categories.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/browsers/telemetry/categories.mdx b/browsers/telemetry/categories.mdx index 88352f1..7bf1fae 100644 --- a/browsers/telemetry/categories.mdx +++ b/browsers/telemetry/categories.mdx @@ -57,6 +57,12 @@ Captured events are persisted and can be replayed by [resuming the stream](/brow Some exposure is reduced for you automatically: input into sensitive fields such as passwords is suppressed (`interaction_key` isn't emitted for them, and `interaction_click` omits the element text). Beyond that, because selection is opt-in, the most effective control is to capture only the categories you need - enable `network`, `console`, `page`, `interaction`, or `screenshot` deliberately, and prefer the operational categories when you only need session health. +### Restrictions for organizations with a BAA + +If your organization has signed a business associate agreement (BAA) with Kernel, the `network`, `console`, and `screenshot` categories are blocked and can't be captured. These are the categories most likely to record protected health information (PHI): full request and response data, arbitrary page logs, and rendered images of the screen. + +The restriction is enforced when you create a session (`POST /browsers`) or update one (`PATCH /browsers/{id}`). Enabling any blocked category returns a `400` response with the code `telemetry_category_restricted`, and the session's telemetry config is left unchanged. The remaining browser-activity categories (`page` and `interaction`) and all operational categories stay available. + -If you operate under HIPAA, GDPR, or similar obligations, be deliberate about the browser-activity categories: pointing them at a site that handles regulated data captures that data into storage. If you have compliance requirements around what Kernel may process, [contact us](mailto:security@kernel.sh) before enabling them. +If you operate under HIPAA, GDPR, or similar obligations, be deliberate about the browser-activity categories: pointing them at a site that handles regulated data captures that data into storage. `page` and `interaction` remain available under a BAA but can still carry identifiers or personal data - enable them only when you need them. If you have compliance requirements around what Kernel may process, [contact us](mailto:security@kernel.sh) before enabling them. From 44f6dd7d5b2bc702385790d449d84828b0b3c434 Mon Sep 17 00:00:00 2001 From: Sayan Samanta Date: Tue, 14 Jul 2026 12:39:03 -0700 Subject: [PATCH 2/2] docs(telemetry): clarify BAA restriction wording Link BAA to HIPAA for readers unfamiliar with the term, use plainer phrasing for what console captures, and trim redundant guidance from the compliance warning. Co-authored-by: Cursor --- browsers/telemetry/categories.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/browsers/telemetry/categories.mdx b/browsers/telemetry/categories.mdx index 7bf1fae..c30fa7a 100644 --- a/browsers/telemetry/categories.mdx +++ b/browsers/telemetry/categories.mdx @@ -59,10 +59,10 @@ Some exposure is reduced for you automatically: input into sensitive fields such ### Restrictions for organizations with a BAA -If your organization has signed a business associate agreement (BAA) with Kernel, the `network`, `console`, and `screenshot` categories are blocked and can't be captured. These are the categories most likely to record protected health information (PHI): full request and response data, arbitrary page logs, and rendered images of the screen. +If your organization has signed a business associate agreement (BAA) with Kernel - the contract required to handle data under HIPAA - the `network`, `console`, and `screenshot` categories are blocked and can't be captured. These are the categories most likely to record protected health information (PHI): full request and response data, anything the page logs, and rendered images of the screen. The restriction is enforced when you create a session (`POST /browsers`) or update one (`PATCH /browsers/{id}`). Enabling any blocked category returns a `400` response with the code `telemetry_category_restricted`, and the session's telemetry config is left unchanged. The remaining browser-activity categories (`page` and `interaction`) and all operational categories stay available. -If you operate under HIPAA, GDPR, or similar obligations, be deliberate about the browser-activity categories: pointing them at a site that handles regulated data captures that data into storage. `page` and `interaction` remain available under a BAA but can still carry identifiers or personal data - enable them only when you need them. If you have compliance requirements around what Kernel may process, [contact us](mailto:security@kernel.sh) before enabling them. +If you operate under HIPAA, GDPR, or similar obligations, be deliberate about the browser-activity categories: pointing them at a site that handles regulated data captures that data into storage. `page` and `interaction` stay available under a BAA but can still carry personal data. If you have compliance requirements around what Kernel may process, [contact us](mailto:security@kernel.sh) before enabling them.