Data Usage
Per-user data volume, lens keyed by who pushed through what. The exfiltration-detection counterpart to Action Usage.
Sidebar → Compliance → Data Usage — at /admin/throughput on your gateway. Same persistent counters as Action Usage; different table key. Action Usage asks which actions get reached for; Data Usage asks how much did each user push through. Two lenses, one substrate.
What the table shows
| Column | What it means |
|---|---|
| User | Pseudonymised actor (SHA-256 hash, stable across calls). Reversibly identifying only via the gateway’s actor-mapping behind the admin gate. |
| Tool | The MCP tool the user called. With Group by user, this collapses into a per-user aggregate. |
| Client | The AI client that made the call (claude_code, chatgpt, codex, etc.). |
| Calls | Total invocations in the window. |
| Volume (MB) | Outbound bytes — the data the upstream returned that flowed back through the gateway to the model. Rendered as a proportional bar so the shape of the distribution is visible at a glance. This is the DLP-relevant number. |
| ~Tokens | Estimated LLM token cost across all calls in the window, derived from the byte counts. |
| Last seen | Most recent invocation timestamp for the row. |
The Volume bar is the headline. A user pulling 80 MB out of Drive in a single hour is a row that screams; the next-largest row in that same hour might be 0.3 MB. The visual contrast is the point.
Time windows
The six unified windows shared with Action Usage (so the two siblings speak the same vocabulary):
- 1h — the default; "what is happening right now". Tuned for the DLP question.
- Today — the calendar day so far.
- Yesterday — the full previous calendar day.
- This week — calendar week so far (Monday onward).
- Last week — the previous full Monday–Sunday window.
- All time — everything still in the 90-day retention window.
Data Usage opens on 1h; Action Usage opens on 24h. The defaults are intentional — volume reads better over the most recent hour, usage trend reads better over a day.
Group by user
A toggle in the toolbar collapses every row that shares a user into one row, summing Calls / Volume / Tokens across all the tools that user touched. The DLP question often lives at the user level (is anyone, anywhere, exfiltrating?); the tool breakdown is the second step.
Slack alert thresholds
Configure a volume threshold per user, per tool, or org-wide. When the threshold is crossed in the window, a Slack message posts to the configured channel with a deep-link back to the audit row that triggered it.
The threshold-editor lives at Compliance → Data Usage → Thresholds. It accepts sub-megabyte values, so you can alert on small but unusual volumes — e.g. a single 200 KB Slack DM with a CSV attachment.
The Slack delivery path here is the older, channel-post mechanism (configured per workspace), not the unified Notifications dispatcher. Migration onto the unified dispatcher is on the roadmap; for now Data Usage threshold alerts post to a Slack channel directly.
CSV export
Footer link exports the full window’s rows (within the top-N cap) as a CSV. Header columns mirror what the dashboard renders. The export is itself an audit event — the audit log records who took it, when, with which filter (data-egress events are tracked, by design).
Honest scope
The page is a bounded top-N operator view; the table caps at the busiest rows in the selected window. In realistic deployments the cap covers all observed traffic; when it is hit, the footer flags it so the table never silently implies this is everything.
Counters carry a 90-day retention; older calls fall out of the bucket store. The Data Usage dashboard never claims to read further back than that.
Where it lives in the admin panel
| What | Where in the admin |
|---|---|
| Data Usage dashboard | Compliance → Data Usage |
| Time-window filter | Compliance → Data Usage → toolbar (same vocabulary as Action Usage) |
| Group-by-user toggle | Compliance → Data Usage → toolbar |
| Threshold editor | Compliance → Data Usage → Thresholds |
| Threshold-breach Slack alert deep-link | Slack channel → links into the audit log at the breaching row |
| CSV export | Compliance → Data Usage → footer link |
| Sibling: Action Usage | Compliance → Action Usage |
Related
- Compliance — the umbrella surface; Data Usage is the throughput layer
- Audit Log — the forensic substrate underneath
- Action Usage — the sibling lens, keyed by (tool, action) not by user
- Notifications — the unified operator-alert dispatcher; threshold alerts will migrate onto it
- What flows through, what gets blocked, what gets logged — the editorial argument behind the four-layer compliance surface this dashboard sits on