PII & Data Loss Prevention

Protect sensitive data across prompts and outputs

14 PII types with business logic validation, configurable redaction policies, and enterprise compliance for GDPR, HIPAA, and SOC 2.

PII types

< 15ms

Full PII scan

SHA-256

Audit trail hashing

How It Works

Detect and redact PII in every request.

Scan request content

14 detection types with business logic validation analyze prompts and tool arguments.

Apply redaction policy

Per-type policies determine masking, hashing, or blocking behavior.

Log and forward

Immutable audit trail records detections. Safe content forwarded to the LLM.

14 PII Types

Comprehensive sensitive data detection.

Type	Validation	Category
SSN	US format + checksum	Identity
Email	RFC-compliant parsing	Identity
Phone	International formats	Identity
Driver's License	US state formats	Identity
Passport	International formats	Identity
Credit Card	Luhn algorithm	Financial
Bank Account	US routing validation	Financial
IBAN	International identifiers	Financial
Medical Record	Healthcare identifiers	Healthcare
IP Address	IPv4 and IPv6	Technical
MAC Address	Hardware identifiers	Technical
API Key	Service tokens	Technical
URL / Domain	Web address parsing	Technical
GPS Coordinates	Location data	Technical

Redaction Methods

Four strategies for handling sensitive data.

Method	Behavior	Example
mask_complete	Replace with [TYPE_REDACTED] token	john@co.com → [EMAIL_REDACTED]
mask_partial	Keep format, hide sensitive portions	4532-1234-****-9012
hash_and_store	SHA-256 hash for audit trail	SSN → Hash: a4b2c8...
block_request	Reject request entirely	Request blocked: PII_DETECTED

What's included

Detection, redaction, and compliance — built in

Every request gets automatic PII scanning with configurable policies and compliance-ready audit trails.

14 PII types with validation

Business logic detection (not just regex)

Context-aware false positive reduction

Complete & partial masking

SHA-256 hashing for audit trails

Block requests containing PII

Per-type configurable policies

GDPR compliance support

HIPAA PHI detection

SOC 2 confidentiality controls

ReDoS-resistant pattern design

Immutable audit logging

Policy Configuration

Configure redaction behavior per PII type with granular control.

{
  "pii_policies": {
    "email": {
      "action": "mask_partial",
      "preserve_domain": true
    },
    "ssn": {
      "action": "block_request",
      "alert_security_team": true
    },
    "credit_card": {
      "action": "hash_and_mask",
      "preserve_last_four": true
    }
  }
}

Detection Response

Every detection includes type, location, and action taken.

{
  "pii_detected": [
    {
      "type": "credit_card",
      "action": "mask_partial",
      "original_hash": "a4b2c8...",
      "masked": "4532-****-****-9012"
    },
    {
      "type": "email",
      "action": "mask_partial",
      "masked": "j***@company.com"
    }
  ]
}

Context-Aware Detection

Business logic validation reduces false positives on legitimate data like order numbers and product IDs.

Enterprise Compliance

Built-in support for GDPR, HIPAA, and SOC 2 with audit trails and data residency controls.

Zero-Copy Analysis

Bounded memory algorithms scan requests in under 15ms without copying sensitive data.

Start protecting sensitive data

PII detection and redaction included with every plan. No extra cost.

Get started free Read the docs