AISecurityWorkflow AutomationOperations

Send Customer Data to AI? Mask It First

The safe way to put customer data through an AI step is not just using a no-training API tier, it is sending only the fields the task needs. Mask every identifier the model does not use into a token before the call and map it back after, which is the one control that also shrinks the copy in your own execution logs and the provider's retention window.

Alexey YushkinFounder, GENERAL INFORMATICS3 min read

You can send customer data through an AI step safely, but the control that matters is not the one most guides name. Using a paid API or enterprise tier, so the vendor does not train on your data, is the floor, not the fix. The stronger move is to send only the fields the task actually needs. Mask every identifier the model does not use into a placeholder before the call, then map it back after the response. That single step removes the data from the model, from the provider's retention window, and from your own execution logs at once.

What does the AI step actually need?

Most extraction, classification, and routing jobs do not need the customer's name, email, or card number to work. A model deciding whether a support message is a refund request, a bug report, or a sales question needs the message text, not the sender's identity. A model pulling line items off an invoice needs the line items, not the buyer's home address. The identifier is along for the ride because it happened to sit in the same record, not because the task uses it.

So the first move is a field-by-field pass over the payload. For each field, ask one question: does the model use this value to produce its answer? That sorts every field into send, mask, or drop.

Field in the recordDoes the model use it?What to send
Support message bodyYes, it is the inputSend as-is
Customer nameNo, the task classifies the textMask to [NAME_1]
Email addressNo, but you need it to route the replyMask to [EMAIL_1], rehydrate after
Order IDOnly to write the result backMask to [ORDER_1], rehydrate after
Credit card, SSN, DOBNeverDrop entirely, never send
Free-text notesMaybe, read itSend only if the task reads it, and scrub names inside it

The important split is between drop and mask. Drop a field when the task never needs it and you never need it back in the output: card numbers, national IDs, anything the model has no business seeing. Mask a field when the model does not use the value but your automation needs it downstream, to write to the right record or send to the right address. Masking is reversible. Dropping is not. Getting that distinction right is most of the design.

Mask and rehydrate: the build pattern

The pattern has two transform steps around the AI node. The first masks, the second restores.

Insert a transform right after the trigger and before the model call. It scans the payload, replaces each identifier with a deterministic token, and holds the token-to-value map in the run's working data. The AI node then sees only tokens and the text that matters. When the response comes back, a second transform swaps any tokens the model echoed back to their real values, so downstream steps write real data to real records.

Determinism matters here. If the same email appears twice in one payload, it must become the same token both times, or the model loses the thread that two mentions are the same person. Off-the-shelf tooling handles this. Microsoft's open-source Presidio detects entities like names, emails, cards, and phone numbers and applies operators such as replace and mask, including a reversible mode built for exactly this rehydrate step. In a no-code flow you can also do it with a Code node and a handful of regexes for the structured identifiers, which catch the highest-risk fields (email, phone, card) even without full named-entity detection.

One limit is worth stating plainly. Masking works when the identity is incidental to the task. It breaks when the task is about the identity, like "is this the same customer who complained last week." There the model needs to reason across the real values, and tokens hide the very thing it is comparing. For those jobs, keep the data in a keyed lookup you control and let a rule, not the model, do the matching. That is the same instinct as deciding when a step needs a model at all: if an exact key answers it, do not hand it to the model.

Why this beats "just use the enterprise tier"

Vendor-tier advice is correct as far as it goes. On a paid API tier, both OpenAI and Anthropic state they do not train on your inputs or outputs by default, which is why your automation should call the API rather than run through a staff member's personal ChatGPT account. That is the door question, and it is worth getting right, since the same logo answers oppositely on a consumer plan versus an API plan. We covered that split in does AI train on your business data. But not training is not the same as not storing. OpenAI retains API content for up to 30 days for abuse monitoring by default, unless you are on Zero Data Retention. That is a real copy of your customer's data, on someone else's servers, for a month.

Redaction shrinks three copies with one step:

  • The model never sees the masked fields, so they cannot appear in any output or be reflected back into a later prompt.
  • The provider's abuse-monitoring window holds tokens, not the customer's email or card.
  • Your own execution history, which saves the full input and output of every step by default, logs tokens too.

That last one is the copy operators forget. Your automation platform's execution log is usually your largest store of customer data, larger than your database, as we laid out in automation logs hold more PII than your database. Masking before the AI node keeps the sensitive values out of that log for the AI step and everything downstream of the transform.

Picking the safe tier removes one copy. Redacting before the call removes the data from every copy after the mask step. It also matches the principle regulators actually enforce, data minimization: personal data should be adequate, relevant, and limited to what the purpose needs. "We only sent the fields the task required" is a far stronger position than "we sent the whole record to a vendor who promised not to train on it." This is general information about how the tools behave, not legal advice.

The no-code trap: never log the map

Here is the mistake that quietly undoes the whole thing. The token-to-value map has to live somewhere so the rehydrate step can reverse it. If you write that map to a variable that gets logged, a scratch row in a data store, or a field that flows into a step which saves its payload, you have just re-created the PII inside your execution history. You masked the AI call and un-masked everything around it.

Keep the map in the run's working data, passed directly from the mask step to the rehydrate step, and nowhere else. Do not persist it. Do not dump it into a Slack message for debugging. Because n8n, Zapier, and Make all log the full payload of every node by default, confirm the map is not sitting in a node output the platform records. The safe shape is a tight sequence: mask, call the model, rehydrate, drop the map, and only then run any step that writes to a durable store. Test it the honest way. Read one full execution end to end and check that the real email appears only where it must, not in the AI node's input and not in a stray variable riding along to the end of the run.

What to do next

Pick your highest-volume AI automation and read one real execution, field by field, from trigger to final write. For every place a customer's name, email, phone, or card number appears, ask whether that specific step needs the real value. Most of the time the AI node does not. Add one transform before it that masks what the model does not use and drops what no one needs, and one after it that maps the reversible tokens back.

We build workflow automation systems with that mask-and-rehydrate step in front of every model call by default, so the AI provider and the execution log both see tokens instead of customers. If you are already running AI steps on real customer data and want to know what is actually crossing the wire, send us the flow and we will show you which fields to drop, which to mask, and where the map is leaking.

Frequently Asked Questions

SOURCES & CITATIONS

  1. Data controls in the OpenAI platform OpenAIhttps://developers.openai.com/api/docs/guides/your-data
  2. Is my data used for model training? Anthropichttps://privacy.claude.com/en/articles/7996868-is-my-data-used-for-model-training
  3. Principle (c): Data minimisation Information Commissioner's Officehttps://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/data-minimisation/
  4. Presidio: data protection and de-identification SDK Microsofthttps://github.com/microsoft/presidio

About Alexey Yushkin

Alexey is the founder of GENERAL INFORMATICS LLC. He designs and ships AI and automation systems for businesses and operators across the US.

Connect on LinkedIn

Related reading

Want this kind of system in your business?

We build practical AI and automation systems for operators. Send us your current workflow and we will show you what to automate first.

Request a Workflow Review