Hi SIDDHARTHJAISWAL,
Data transformation is a very common use case for the API Gateway, and we have many customers that use policy to mask or redact data (as you want to do) or alter the contents and format of messages before they are sent back to requestors. This can be done using regex, as well as XSLT; in the case of XML, the latter may be faster.
There is no particular best practice for this workflow; it will come down to what makes sense for your particular data workflow, and where you feel it is best to perform this function in your environment. Some things to consider would be the sizes of the messages that you are transforming, the number of messages that are being done, and whether or not you want to have this logic in your backend service as opposed to being abstracted into a purpose-built Gateway.
CPU/memory usage should be a consideration; however, that cost is not unique to the Gateway - if you perform this function on your service backend instead, it will consume additional resources there instead.
-Aaron
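
The regex approach mentioned in the reply above, sketched as an added example that is not part of the original post and is not API Gateway policy code: it masks card numbers in a response body while leaving other long digit strings alone. The field names `card` and `order_id` and both sample payloads are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the pattern from matching a slice of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def _mask(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw              # not a card number: leave the value untouched
    remaining = len(digits)
    out = []
    for ch in raw:
        if ch.isdigit():
            # Keep only the last four digits; separators are preserved as-is.
            out.append(ch if remaining <= 4 else "*")
            remaining -= 1
        else:
            out.append(ch)
    return "".join(out)

def mask_response(body: str) -> str:
    """Mask card numbers in a raw response body (works on JSON or XML text)."""
    return PAN_RE.sub(_mask, body)

# Constructed sample payloads (4111 1111 1111 1111 is a well-known test number).
SAMPLE_JSON = '{"card": "4111 1111 1111 1111", "order_id": "1234567890123456"}'
SAMPLE_XML = "<payment><card>4111-1111-1111-1111</card></payment>"

if __name__ == "__main__":
    print(mask_response(SAMPLE_JSON))
    print(mask_response(SAMPLE_XML))
```

Because the pattern runs over the whole body, its cost grows with message size, which is the CPU consideration raised in the reply.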