diff --git a/dd-trace-api/src/main/java/datadog/trace/api/Config.java b/dd-trace-api/src/main/java/datadog/trace/api/Config.java
index e9b6e9c816..430b01adf0 100644
--- a/dd-trace-api/src/main/java/datadog/trace/api/Config.java
+++ b/dd-trace-api/src/main/java/datadog/trace/api/Config.java
@@ -202,6 +202,18 @@ public class Config {
   /** A tag intended for internal use only, hence not added to the public api DDTags class. */
   private static final String INTERNAL_HOST_NAME = "_dd.hostname";
 
+  /** Used for masking sensitive information when doing toString */
+  @ToString.Include(name = "profilingApiKey")
+  private String profilingApiKeyMasker() {
+    return profilingApiKey != null ? "****" : null;
+  }
+
+  /** Used for masking sensitive information when doing toString */
+  @ToString.Include(name = "profilingProxyPassword")
+  private String profilingProxyPasswordMasker() {
+    return profilingProxyPassword != null ? "****" : null;
+  }
+
   /**
    * this is a random UUID that gets generated on JVM start up and is attached to every root span
    * and every JMX metric that is sent out.
diff --git a/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy b/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy
index db37f07a6a..853552b7a9 100644
--- a/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy
+++ b/dd-trace-api/src/test/groovy/datadog/trace/api/ConfigTest.groovy
@@ -93,6 +93,7 @@ class ConfigTest extends DDSpecification {
   private static final DD_PROFILING_API_KEY_ENV = "DD_PROFILING_API_KEY"
   private static final DD_PROFILING_API_KEY_OLD_ENV = "DD_PROFILING_APIKEY"
   private static final DD_PROFILING_TAGS_ENV = "DD_PROFILING_TAGS"
+  private static final DD_PROFILING_PROXY_PASSWORD_ENV = "DD_PROFILING_PROXY_PASSWORD"
 
   def "verify defaults"() {
     when:
@@ -1105,4 +1106,30 @@ class ConfigTest extends DDSpecification {
 
     config.mergedProfilingTags == [a: "1", f: "6", (HOST_TAG): config.getHostName(), (RUNTIME_ID_TAG): config.getRuntimeId(), (SERVICE_TAG): config.serviceName, (LANGUAGE_TAG_KEY): LANGUAGE_TAG_VALUE]
   }
+
+  def "sensitive information removed for toString/debug log"() {
+    setup:
+    environmentVariables.set(DD_PROFILING_API_KEY_ENV, "test-secret-api-key")
+    environmentVariables.set(DD_PROFILING_PROXY_PASSWORD_ENV, "test-secret-proxy-password")
+
+    when:
+    def config = new Config()
+
+    then:
+    config.toString().contains("profilingApiKey=****")
+    !config.toString().contains("test-secret-api-key")
+    config.toString().contains("profilingProxyPassword=****")
+    !config.toString().contains("test-secret-proxy-password")
+    config.profilingApiKey == "test-secret-api-key"
+    config.profilingProxyPassword == "test-secret-proxy-password"
+  }
+
+  def "toString works when passwords are empty"() {
+    when:
+    def config = new Config()
+
+    then:
+    config.toString().contains("profilingApiKey=null")
+    config.toString().contains("profilingProxyPassword=null")
+  }
 }