Data Loss Prevention (DLP)
The gateway's DLP pipeline scans every request and response for sensitive data. When a pattern match is detected, the configured action is applied — redacting the data, blocking the request, or logging a warning. DLP policies are configured per-tenant, giving each organization control over its own data protection rules.
Built-in Patterns
Workjet includes six built-in DLP patterns that detect common sensitive data:
| Pattern | Description | Example Match |
|---|---|---|
| Credit Card Numbers | Detects Visa, MasterCard, Amex, and other major card formats | 4111-1111-1111-1111 |
| Social Security Numbers | Detects US SSN format (XXX-XX-XXXX) | 123-45-6789 |
| Email Addresses | Detects email address patterns | user@example.com |
| Phone Numbers | Detects common phone number formats (US and international) | (555) 123-4567 |
| AWS Access Keys | Detects AWS access key ID format (AKIA...) | AKIAIOSFODNN7EXAMPLE |
| API Secrets | Detects common API key and secret patterns (bearer tokens, sk_live, etc.) | sk_live_abc123... |
Custom Regex Patterns
In addition to built-in patterns, you can define custom regex patterns to detect organization-specific sensitive data:
- Internal employee IDs
- Customer account numbers
- Project code names
- Medical record numbers
- Custom API key formats
Custom patterns are added through the Portal gateway admin and support standard regex syntax.
Adding a Custom Pattern
- Open the Portal and navigate to Gateway Admin > DLP Policies
- Click Add Pattern
- Enter:
  - Name: A descriptive name (e.g., "Internal Employee ID")
  - Pattern: A regular expression (e.g., EMP-\d{6})
  - Action: What to do when detected (redact, block, or warn)
- Click Save
Actions
When a DLP pattern matches, one of three actions is applied:
| Action | Behavior | Use Case |
|---|---|---|
| Redact | Replace the matched text with *** and allow the request to proceed | Allow the conversation to continue without exposing sensitive data to the provider |
| Block | Reject the entire request and return an error to the user | Prevent any request containing certain data types from reaching the AI provider |
| Warn | Log the detection but allow the request to proceed unchanged | Monitor for sensitive data without disrupting workflows during a rollout period |
Tip: Start with the "warn" action when rolling out new DLP patterns. This lets you monitor false-positive rates before switching to "redact" or "block."
Per-Tenant Policies
DLP policies are scoped to individual tenants (organizations). Each organization can:
- Enable or disable DLP scanning entirely
- Choose which built-in patterns to activate
- Add custom patterns specific to their industry or data
- Set different actions for different patterns
This means a healthcare organization can enable SSN and medical record detection with "block" actions, while a software company might only need API secret detection with "redact."
Scanning Scope
The DLP pipeline scans both directions:
- Requests: User messages and system prompts are scanned before being sent to the AI provider
- Responses: AI-generated responses are scanned before being delivered to the user
This bidirectional scanning ensures sensitive data is caught regardless of whether it originates from the user or the model.
DLP in Audit Logs
Every DLP detection is recorded in the audit log with details including:
- Which pattern matched
- What action was taken
- The user who sent the request
- The timestamp of the detection
This provides a complete audit trail for compliance reporting.
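As an added illustration, not Workjet's own code (the gateway's real pattern definitions and internals are not shown on this page), the Python sketch below models the behaviour described in the Custom Regex Patterns, Actions, Per-Tenant Policies, Scanning Scope and DLP in Audit Logs sections: a tenant policy that activates a subset of built-in categories plus custom regexes, applies redact/block/warn with block taking precedence over redact and redact over warn, scans in either direction, and emits one audit record per detection. The regexes (rough approximations of the built-in categories), the tenant names, the sample messages and the Luhn secondary check on card numbers are all assumptions constructed here.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

REDACTION = "***"
# Precedence when several rules match one message: block > redact > warn > allow.
SEVERITY = {"allow": 0, "warn": 1, "redact": 2, "block": 3}


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum over the digits of a candidate card number. Assumed secondary
    check, added here so that arbitrary 16-digit ids do not trip the card rule."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    name: str
    regex: "re.Pattern[str]"
    action: str                                     # "redact", "block" or "warn"
    validator: Optional[Callable[[str], bool]] = None


# Constructed approximations of the page's built-in categories, NOT Workjet's actual
# regexes (Phone Numbers omitted for brevity).
BUILTIN = {
    "Credit Card Numbers": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn_valid),
    "Social Security Numbers": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    "Email Addresses": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    "AWS Access Keys": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    "API Secrets": (re.compile(r"\bsk_live_[0-9A-Za-z]+\b"), None),
}


def make_rule(name: str, action: str, custom_pattern: Optional[str] = None) -> Rule:
    """A built-in rule by category name, or a custom rule from a regex string."""
    if custom_pattern is None:
        regex, validator = BUILTIN[name]
        return Rule(name, regex, action, validator)
    return Rule(name, re.compile(custom_pattern), action)


@dataclass
class TenantPolicy:
    tenant: str
    enabled: bool = True
    rules: list = field(default_factory=list)


@dataclass
class ScanResult:
    action: str     # overall outcome: allow / warn / redact / block
    text: str       # what gets forwarded (redacted if applicable; untouched when blocked)
    events: list    # one audit record per detection


def scan(policy: TenantPolicy, text: str, direction: str, user: str) -> ScanResult:
    """Scan one message ("request" or "response" direction) under a tenant's policy."""
    if not policy.enabled:
        return ScanResult("allow", text, [])
    events, outcome, forwarded = [], "allow", text
    for rule in policy.rules:
        def accepted(m, r=rule):   # regex hit that also passes the rule's validator, if any
            return r.validator is None or r.validator(m.group(0))
        hits = [m for m in rule.regex.finditer(text) if accepted(m)]
        if not hits:
            continue
        for m in hits:
            events.append({"tenant": policy.tenant, "user": user, "direction": direction,
                           "pattern": rule.name, "action": rule.action,
                           "timestamp": datetime.now(timezone.utc).isoformat()})
        if SEVERITY[rule.action] > SEVERITY[outcome]:
            outcome = rule.action
        if rule.action == "redact":
            forwarded = rule.regex.sub(lambda m: REDACTION if accepted(m) else m.group(0), forwarded)
    if outcome == "block":
        return ScanResult("block", text, events)   # caller returns an error; nothing is forwarded
    return ScanResult(outcome, forwarded, events)


# Constructed tenants mirroring the page's healthcare vs. software example.
HEALTHCARE = TenantPolicy("clinic-a", rules=[
    make_rule("Social Security Numbers", "block"),
    make_rule("Medical Record Number", "block", r"\bMRN-\d{8}\b"),
    make_rule("Credit Card Numbers", "redact"),
])
SOFTWARE = TenantPolicy("devco", rules=[
    make_rule("API Secrets", "redact"),
    make_rule("AWS Access Keys", "redact"),
    make_rule("Internal Employee ID", "warn", r"\bEMP-\d{6}\b"),
])

if __name__ == "__main__":
    for pol, msg, direction in [
        (SOFTWARE, "Deploy with key AKIAIOSFODNN7EXAMPLE and token sk_live_abc123, ask EMP-004211", "request"),
        (HEALTHCARE, "Patient 123-45-6789 paid with 4111-1111-1111-1111", "request"),
        (HEALTHCARE, "Invoice 1234-5678-9012-3456 was paid", "response"),
    ]:
        r = scan(pol, msg, direction, "alice@example.com")
        print(r.action, "|", r.text, "|", [e["pattern"] for e in r.events])
```

The third sample message is why the validator hook exists: a 16-digit invoice number matches the card regex but fails the Luhn check, so it produces no detection. A secondary check of this kind is one way to drive down the false-positive rate you observe during a "warn" rollout before promoting a pattern to "redact" or "block".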
Next Steps
- Review audit logs for DLP detections
- Configure cost controls alongside DLP
- Manage policies from the Portal gateway admin
- Learn about the full security architecture