[DOCS-12427] Add sampling info (#32511)

maycmlee · domalessi · web-flow · commit 2d63463118ac · 2025-11-03T09:34:32.000-05:00
* add info

* Apply suggestions from code review

* Apply suggestions from code review

Co-authored-by: domalessi &lt;111786334+domalessi@users.noreply.github.com&gt;

---------

Co-authored-by: domalessi &lt;111786334+domalessi@users.noreply.github.com&gt;
diff --git a/content/en/security/sensitive_data_scanner/_index.md b/content/en/security/sensitive_data_scanner/_index.md
@@ -66,13 +66,17 @@ The data that can be scanned and redacted are:
 - **RUM**: Event attribute values only
 - **Events**: Event attribute values only
 
+Optionally, sampling rates can be set between 10% and 99% for each product. This helps manage costs when you first get started by reducing the amount of data that gets scanned for sensitive information.
+
 For each [scanning rule][17], one of the following actions can be applied to matched sensitive data:
 
 - **Redact**: Replace the entire matched data with a single token that you choose, such as `[sensitive_data]`.
 - **Partially redact**: Replace a specific portion of all matching values.
 - **Hash**: Replace the entire matched data with a non-reversible unique identifier.
 - **Mask** (available for logs only): Obfuscate all matching values. Users with the `Data Scanner Unmask` permission can de-obfuscate (unmask) and view this data in Datadog. See [Mask action][16] for more information.
 
+**Note**: When scanning sampled data, you will not be able to select actions that obfuscate the data it scans.
+
 To use Sensitive Data Scanner, set up a scanning group to define what data to scan and then set up scanning rules to determine what sensitive information to match within the data. For scanning rules you can:
 - Add predefined scanning rules from Datadog's [Scanning Rule Library][2]. These rules detect common patterns such as email addresses, credit card numbers, API keys, authorization tokens, network and device information, and more.
 - [Create your own rules using regex patterns][3].
diff --git a/content/en/security/sensitive_data_scanner/setup/telemetry_data.md b/content/en/security/sensitive_data_scanner/setup/telemetry_data.md
@@ -24,13 +24,17 @@ Sensitive Data Scanner in the Cloud scans telemetry data, such as your applicati
 - **RUM**: Event attribute values only
 - **Events**: Event attribute values only
 
+Optionally, sampling rates can be set between 10% and 99% for each product. This helps manage costs when you first get started by reducing the amount of data that gets scanned for sensitive information.
+
 For each scanning rule, one of the following actions can be applied to matched sensitive data:
 
 - **Redact**: Replace the entire matched data with a single token that you choose, such as `[sensitive_data]`.
 - **Partially redact**: Replace a specific portion of all matching values.
 - **Hash**: Replace the entire matched data with a non-reversible unique identifier.
 - **Mask** (available for logs only): Obfuscate all matching values. Users with the `Data Scanner Unmask` permission can de-obfuscate (unmask) and view this data in Datadog. See [Mask action](#mask-action) for more information.
 
+**Note**: When scanning sampled data, you will not be able to select actions that obfuscate the data it scans.
+
 You submit logs and events to the Datadog backend, so the data leaves your environment before it gets redacted. The logs and events are scanned and redacted in the Datadog backend during processing, so sensitive data is redacted before events are indexed and shown in the Datadog UI.
 
 If you don't want data to leave your environment before it gets redacted, use [Observability Pipelines][12] and the [Sensitive Data Scanner processor][13] to scan and redact sensitive data. See [Set Up Pipelines][14] for information on how to set up a pipeline and its components.
