1.301 Event stream permissions, Item collections & CSP-compliant personalization

Control security and data quality with event stream permissions, transform complex product data with enhanced item collections capabilities, and implement secure personalization on websites with strict Content Security Policy requirements.
Version released between 27.01. - 05.02.2026.

Subscribe to Engagement updates

Event stream permissions

Event stream permissions give you security controls to manage what data flows into Data Hub through each event stream, with different permission models for public (web) and private (server-side) sources:

Control data quality with permission rules: Configure allow/deny rules for customer identifiers, properties, and event types to prevent data pollution and stop uncontrolled schema growth from undefined tracking.
Separate untrusted from trusted tracking: Create public event streams for client-side tracking (authenticated with a stream ID) and private event streams for server-side tracking (authenticated with a stream ID and a secret key) to ensure sensitive data comes only from verified backend systems.
Configure permissions using templates: Start with pre-built templates for the Web JS SDK or backend tracking that include common identifiers, properties, and event types, then customize them based on your specific requirements.
Manage authentication credentials: Generate, rotate, and revoke secret keys for private streams via the interface or API.
Enforce least-privilege tracking: Strip disallowed identifiers from requests and reject denied event types or properties before data enters Data Hub, preventing profile tampering and maintaining consistent customer data.

These capabilities help you implement secure tracking architectures that prevent the introduction of garbage data while maintaining flexibility for legitimate client-side and server-side tracking needs.

Item collections

Item collections now include capabilities to help you manage complex data transformations with granular control over how data flows to Bloomreach products:

Write custom expressions to transform data: Use Python-like code to combine fields, apply conditional logic, build category paths, and generate attribute values when standard mapping options don't meet your needs—without modifying your source systems.
Aggregate variant data to product-level attributes: New built-in transformation methods (MAX, MIN, SUM, AVERAGE, COUNT, AGGREGATE) to help you aggregate the full range of variant information at the product level.
Manage schema configurations: Export and import schema configurations (link) to replicate and manage attribute settings across collections, saving setup time and ensuring consistency.
Review configurations before saving: Review configuration changes, deselect changes, and view side-by-side differences before saving to maintain precise control over schema updates and improve accuracy.
Revert to a configuration: Revert to a previous job's schema configuration (link) with a single click, minimizing downtime and simplifying troubleshooting unexpected results from configuration updates.

These capabilities provide flexible data transformation tools for managing complex product catalogs without requiring changes to your source systems.

CSP-compliant personalization

Implement Bloomreach personalization features on websites with strict Content Security Policy (CSP) requirements with our new CSP-compliant personalization support:

Nonce-based authentication: JavaScript SDK now supports nonce-based authentication, eliminating the need for the unsafe-eval directive.
Full feature compatibility: Use weblayers, experiments, and managed tags while maintaining security compliance.
Regulatory compliance: Enable customers in regulated industries like financial services to implement personalization without compromising security standards.

This update ensures secure personalization implementation for organizations with stringent web security requirements.