Amplitude Auditor
← Resources
Checklistdraft · not yet final

Session Replay Privacy Checklist

What Amplitude's default masking covers, what it doesn't, and the custom blur rules every team should add before recording production traffic.

Amplitude Session Replay is powerful and useful — and its default privacy configuration is below the bar most B2B and finance-adjacent products need. This is the checklist Adasight runs when commissioning Session Replay on a new client engagement.

Pre-recording checklist

Before enabling Session Replay on production traffic, verify each item.

  • Default masking is on. maskAllInputs: true covers <input>, <textarea>, <select>. This is the floor — never disable.
  • blockSelector configured for fully sensitive elements. Anything that should not be recorded at all (account balances, payment details, internal admin panels staff-only).
  • maskSelector configured for selectively sensitive elements. Anything where the structure is fine to record but the text content is sensitive (account numbers, customer names, internal IDs).
  • data-sensitive and data-pii attributes are part of your component library. Tagging elements at build time is more durable than enumerating CSS selectors.
  • Sample rate set to 10–20% initially. Start small, increase once the privacy config is verified.
  • Replay retention period explicitly set. Default may be longer than your data-retention policy permits.
  • Access controls reviewed. Who in the team can view replays? Restrict to roles that genuinely need it.

Surface-by-surface checklist

Inventory the application by surface, marking what to block or mask.

Account and billing surfaces

  • Account balances → block
  • Payment methods → block
  • Invoice line items → block
  • Billing email → mask

Admin panels

  • Customer lists (staff-only) → block
  • Internal IDs → mask
  • Support tickets → block

Messaging surfaces

  • Chat content → mask
  • Comment bodies → mask
  • Notes → mask

B2B account information

  • Other employees' names → mask
  • Internal team structures → mask
  • Organisation-level settings → mask (selectively)

Notification surfaces

  • Banner content with user data → mask
  • Notification body content → mask
  • Tooltip content with user data → mask

Sample configuration

import { sessionReplayPlugin } from '@amplitude/plugin-session-replay-browser';

amplitude.add(sessionReplayPlugin({
  sampleRate: 0.1,
  privacyConfig: {
    blockSelector: [
      '[data-sensitive]',
      '.account-balance',
      '.payment-details',
      '[data-replay-block]'
    ],
    maskSelector: [
      '[data-pii]',
      '.account-number',
      '[data-replay-mask]'
    ],
  },
}));

Verification

Three tests, in order, before production rollout.

  • Local DOM test. Add a sensitive-tagged element to a test page. Trigger replay. Verify the element is blocked or masked in the recording.
  • Production smoke test. After deploying, run an end-to-end session in a known-sensitive flow (sign in, view billing, view admin). Verify the resulting replay does not show the sensitive content.
  • Quarterly audit. Designers ship new sensitive UIs. Walk through the most-recorded screens; verify nothing new is leaking.

What we check for

The Amplitude Auditor flags Session Replay configurations where:

  • Replay is enabled with default masking only
  • No blockSelector or maskSelector rules are defined
  • The team has not added at least one custom rule

Run an audit and the report includes the masking findings with specific recommendations for your project.

Want to skip the manual work?

Run an automated audit on your project.

Same checklist, run automatically against your Amplitude configuration. ~60 seconds. Configuration metadata only.