Architect flow data masking failure on eu-west environment

Administration
1

Can’t get this config to load properly… we have implemented a custom data masking rule within the architect flow to obscure customer payment details before they are logged in the interaction history. the rule is configured to trigger on the ‘set variable’ block for the ‘payment_token’ field. however, the raw data is still appearing in the conversation detail view under the security compliant tab.

the environment is eu-west and we are using the latest architect version. the masking rule is set to ‘replace with asterisks’ for any string longer than 10 characters. we have verified that the variable is being passed correctly through the flow. the issue seems to persist even after clearing the cache and waiting for the standard 15-minute analytics refresh window.

we are concerned about compliance violations as this data is visible to agents who do not have the ‘view sensitive data’ permission assigned. the security policy in the admin console is correctly configured to restrict access. yet, the masking rule in the flow does not seem to override the default logging behavior.

is there a known limitation with data masking rules in architect flows when dealing with specific data types? we have checked the release notes for the eu-west region but found no mention of this issue. the flow is relatively simple, involving a single api integration and a few decision blocks. the masking rule is placed immediately after the api response is received.

we need to ensure that no raw payment data is stored in the interaction history. any guidance on how to troubleshoot this discrepancy between the architect flow configuration and the actual data storage would be appreciated. we are also seeing a slight delay in the agent performance metrics updating, which might be related. the dashboard shows the interaction as completed, but the masked data is not reflected until the next day.

please advise if there is a specific configuration step we are missing or if this is a platform bug. we are running the standard enterprise license. the timezone is set to europe/paris. we have also checked the audit logs but they do not show any errors related to the masking rule. the flow is published and active. no other users are reporting this issue. we are using the web client for all testing. the browser cache has been cleared. we are using chrome version 120. the issue is reproducible across multiple agents and queues. we need a resolution quickly as we are approaching a compliance audit.

2

If I remember correctly…

Cause:
The issue likely stems from the timing of the variable update versus the interaction history logging mechanism. In the EU-West environment, the set variable block might execute after the initial metadata snapshot is taken for the security compliant tab. The raw data persists because the masking rule does not retroactively update the already committed interaction record, only subsequent API calls.

Solution:
Verify that the masking logic is applied before the interaction is finalized or archived. Try moving the masking step earlier in the flow, perhaps immediately after data ingestion, before any set variable or log event blocks.

{
 "action": "mask_data",
 "target": "payment_token",
 "value": "***"
}

Ensure the S3 export configuration also references the masked variable. Check the audit trail to confirm when the variable state changes. This ensures chain of custody integrity for legal discovery requests while maintaining compliance.

3

I’d suggest checking out at the Data Action execution order. The masking often fails if the ServiceNow webhook fires before the variable update completes.

  • Add a ‘Wait’ block after the ‘Set Variable’ step.
  • Ensure the webhook triggers on the final interaction state, not the intermediate one.
  • Verify the payload structure in the debug logs.