Process mining represents a family of techniques for the data-driven analysis of business processes [ 1 ]. These techniques utilize event data recorded by information systems during the execution of a business process, stored in the form of event logs. Event logs are employed for a variety of use cases, such as process discovery, in which a process model is constructed on the basis of the recorded event data, conformance checking, in which event data is compared to a process model, and model enhancement, in which, for example, performance information is added to an obtained process model.

Recognizing the potential of process mining, organizations strive to record event data in an accurate and ne-granular manner. While this enables organizations to ensure the e cient and correct execution of their processes, it can also result in the disclosure of sensitive information regarding an organization's employees. Event logs may breach an individual's privacy [ 5 ], violating their ability to control who has access to their personal data [ 2 ]. Therefore, disclosure of recorded event data in the form of event logs should be assessed in light of ethical considerations, as well as in the context of privacy regulations, such as the European General Data Protection Regulation (GDPR) [ 7 ] and the California Consumer Privacy Act. For instance, the GDPR prohibits the processing of personal data unless explicit consent has been given.

Process Mining Event Log
 Sanitization Sanitized 
 Event Data Process Mining


Artifact Data Contribution

Data Extraction

Privatized Process Mining Individual

Information System

Event Data Process Mining


Artifact

To enable the appropriate handling of recorded event data in process mining, we introduce the ELPaaS (Event Log Privacy as a Service) web application. As visualized in Figure 1, the application supports two fundamental ways in which privacy guarantees in process mining can be provided: (1) event log sanitization and (2) privatized process mining. Event log sanitization involves the transformation of an extracted event log into one that satis es established privacy metrics. An event log obtained in this manner can subsequently reduce the disclosure of personally identi able records in the log. Privatized process mining, by contrast, involves process mining techniques that have been speci cally designed such that the obtained process mining artifacts, e.g., derived process models or query results, meet desired privacy guarantees. ELPaaS o ers state-of-the-art techniques for both directions. For event log sanitization, the application o ers the PRETSA [ 4 ] (PRE x-Tree based event log SAnitisation for t-closeness) algorithm, which sanitizes event logs to guarantee k-anonymity and t-closeness. For privatized process mining techniques, di erential privacy mechanisms for common queries on event logs, developed by Mannhardt et al. [ 6 ], are o ered.

The remainder of this paper is structured as follows. Section 2 describes and visualizes the functionality of ELPaaS, Section 3 discusses the maturity and availability of the application, before concluding in Section 4. 2

This section describes the main input, functions, and output of ELPaaS. Input. Figure 2 presents a snippet of the opening page of the web application. The rst step for a user is to upload an event log. Event logs should be provided as XES (eXtensible Event Stream) or CSV (Comma Separated Value) les. CSV les should at least contain a column representing a case ID and an activity, and should be sorted according to the execution order of the events. Event Log Sanitization. Users that want to sanitize an event log can directly do so by selecting the PRETSA algorithm [ 4 ] in the upload screen, as shown in

Figure 3a. It then transforms an event log into one that satis es k-anonymity and t-closeness requirements, while striving to preserve maximum utility for process discovery and process enhancement. When an event log satis es k-anonymity, any event execution can be related to at least k di erent actors, mitigating an attacker's ability to con dently associate events to speci c workers. An event log that satis es t-closeness furthermore ensures that the performance of individual workers (e.g., in terms of throughput time) cannot be derived from a sanitized event log. We kindly refer the reader to Fahrenkrog-Petersen et al. [ 4 ] for insights on the impact of di erent k and t values on process mining utility. Privatized Process Mining Queries. Users are currently able to execute two distinct privacy-preserving process mining queries: the derivation of the frequency of a directly-follows relation (i.e., how often one activity is executed after another one) and the derivation of a trace variants (i.e., how often a particular sequence of activity executions is contained in the log). Both queries follow the privacy-preserving techniques developed by Mannhardt et al. [ 6 ]. Here, the general idea is to introduce so-called Laplace noise according to a user-de ned value. By doing so, the obtained results will be guaranteed to satisfy -di erential privacy. This means that the query result will not allow attackers to accurately determine the sequencing of activity executions, which could identify a particular worker involved in the execution of the process (e.g., through a particular pattern of activity executions).

To execute the directly-follows query, i.e., the Laplacian df-based algorithm, solely the parameter needs to be speci ed. For the trace variant query, shown in Figure 3b, a user needs to select , as well as a maximum sequence length, and a pruning parameter. To avoid exploring a possibly in nite amount of trace variants, the technique only explores trace variants up to a certain maximum length. The pruning parameter is used to further limit the search space by avoiding the consideration of infrequent variants. For a detailed explanation of the queries and their privacy-preserving mechanisms, the reader is referred to [ 6 ]. Output. When an event log and algorithm have been selected, the event log will be uploaded and the application of the algorithm will be started as a batch

(b) Di erential private query job. The user will be noti ed at a provided e-mail address when the execution has been completed. The user can retrieve the obtained process mining artifact (either a sanitized event log or a query result) through the token from the e-mail. 3

ELPaaS, its source code, a tutorial, and all other information is available at github.com/samadeusfp/elpaas and accessible without registration. The source code from ELPaaS is available under the MIT licence. The project was implemented using Python. We used the Django framework4 as a basis. A screencast of our tool is available under: https://youtu.be/XLq124VpZ6Q

Our application is an online service that has been developed to provide privacy-preserving process mining techniques to other researchers. As such, the web application in its current form is not optimized for industry-scale usage. Nevertheless, the application is suitable to handle real-world event logs, such as those of the BPI challenges5. Given its computational complexity, the event log

In this paper, we introduced ELPaaS, a web application that supports privacypreserving process mining. The application bundles approaches for both event log sanitization, which transforms an event log into one that meets privacy criteria, as well as privatized process mining techniques, which ensure that obtained process mining results adhere to privacy requirements. As such, the application enables users to choose a technique that best suits their purposes.

As research into privacy-preserving process mining is ongoing, we intend to continuously expand the techniques o ered by the application in the future.

This work was in part supported by Bane NOR and the Alexander von Humboldt Foundation.