A Sensitive Data Protection (SDP) policy tells the Sensitive Data analyzer two things:
  1. What to look for — the inspect config (info types + minimum likelihood).
  2. What to do with findings — the de-identify config (transformation: redact, mask, replace with info type, …).
Agnes ships five default policies so common cases work out of the box; you author your own when those defaults are too broad or too narrow.

Default SDP policies

| Policy | Info types | Transformation | Default? |
| --- | --- | --- | --- |
| General PII Redaction | EMAIL_ADDRESS, PHONE_NUMBER, PERSON_NAME, LOCATION, DATE_OF_BIRTH, AGE, IP_ADDRESS, URL | Replace with [REDACTED] | Yes |
| Financial Data Masking | CREDIT_CARD_NUMBER, IBAN_CODE, SWIFT_CODE, U.S. bank routing, U.S. financial account, credit card track | Mask all chars with * | No |
| Healthcare PHI Protection | MEDICAL_RECORD_NUMBER, US_HEALTHCARE_NPI, US_DEA_NUMBER, ICD9_CODE, ICD10_CODE, FDA_CODE, HEALTH_CARE_BENEFICIARY, BLOOD_TYPE | Replace with info type label, e.g. [MEDICAL_RECORD_NUMBER] | No |
| Government ID Protection | US_SOCIAL_SECURITY_NUMBER, US_PASSPORT, US_DRIVERS_LICENSE_NUMBER, US_INDIVIDUAL_TAXPAYER_IDENTIFICATION_NUMBER, US_ADOPTION_TAXPAYER_IDENTIFICATION_NUMBER | Mask all chars with * | No |
| Credential & Secret Detection | AUTH_TOKEN, BASIC_AUTH_HEADER, HTTP_COOKIE, PASSWORD, WEAK_PASSWORD_HASH, ENCRYPTION_KEY, GCP_API_KEY, GCP_CREDENTIALS, STORAGE_SIGNED_URL, STORAGE_SIGNED_POLICY_DOCUMENT | Fully redact (empty string) | No |
The “Default?” column marks the tenant default — used when no sdp_policy_id is specified on the analyzer or per request.

Authoring a custom SDP policy

In the dashboard at agnes.lasscyber.com/protection/sensitive-data:
  1. Click New SDP policy.
  2. Author the inspect config:
    • Name and description.
    • Add infoTypes from the Cloud DLP catalog. The full list is at cloud.google.com/sensitive-data-protection/docs/infotypes-reference.
    • Set minLikelihood (POSSIBLE, LIKELY, VERY_LIKELY). Higher likelihood = fewer false positives, more false negatives.
    • Optionally toggle includeQuote to receive the matched text verbatim alongside each finding.
  3. Author the de-identify config:
    • Name and description.
    • Pick a primitiveTransformation:
      • replaceConfig — replace with a static string (e.g. [REDACTED]).
      • characterMaskConfig — mask every char with a chosen char (e.g. *).
      • replaceWithInfoTypeConfig — replace with the info type label in brackets (preserves auditability).
      • redactConfig — fully remove the value (empty string).
  4. Bind the two configs into a policy with a name, description, and optional is_default flag.

Example: a clinical trials team

A team accepting patient narratives in an LLM workflow needs:
  • Strict PHI detection (HIPAA).
  • Replace findings with the info type label so analysts can audit which categories hit.
Inspect config:
{
  "infoTypes": [
    { "name": "MEDICAL_RECORD_NUMBER" },
    { "name": "US_HEALTHCARE_NPI" },
    { "name": "ICD10_CODE" },
    { "name": "DATE_OF_BIRTH" },
    { "name": "PERSON_NAME" }
  ],
  "minLikelihood": "POSSIBLE",
  "includeQuote": true
}
De-identify config:
{
  "infoTypeTransformations": {
    "transformations": [
      { "primitiveTransformation": { "replaceWithInfoTypeConfig": {} } }
    ]
  }
}
Then bind the two configs into a policy named “Clinical PHI” and mark it as the tenant default.

Likelihood and false positives

Cloud DLP’s likelihood scale (lowest to highest): VERY_UNLIKELY → UNLIKELY → POSSIBLE → LIKELY → VERY_LIKELY

Recommended starting points:

| Use case | minLikelihood |
| --- | --- |
| Exploratory / observability only | POSSIBLE |
| Production guard, tolerate some false positives | LIKELY |
| Strict guard, tolerate some false negatives | VERY_LIKELY |
Bump the threshold up when an info type fires noisily. The shipped Government ID Protection policy uses LIKELY because U.S. identifiers (especially SSNs) trigger many POSSIBLE matches on unrelated 9-digit numbers.
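
The two halves of a policy, modelled locally as an added example (not Agnes or Cloud DLP code): findings below minLikelihood are dropped, then one of the four primitiveTransformation kinds rewrites what remains. The finding dict shape, the helper names and the sample text are assumptions made for the illustration.

```python
# Added illustration: a local model of an SDP policy, not Agnes or Cloud DLP code.
LIKELIHOOD = ["VERY_UNLIKELY", "UNLIKELY", "POSSIBLE", "LIKELY", "VERY_LIKELY"]


def make_finding(text, quote, info_type, likelihood):
    """Build a finding; this dict shape is an assumption made for the sketch."""
    start = text.index(quote)
    return {"start": start, "end": start + len(quote),
            "info_type": info_type, "likelihood": likelihood}


def transform(value, info_type, transformation, param=None):
    """Apply one of the four primitiveTransformation kinds named on this page."""
    if transformation == "replaceConfig":
        return param if param is not None else "[REDACTED]"
    if transformation == "characterMaskConfig":
        return (param or "*") * len(value)
    if transformation == "replaceWithInfoTypeConfig":
        return f"[{info_type}]"
    if transformation == "redactConfig":
        return ""
    raise ValueError(f"unknown transformation: {transformation}")


def apply_policy(text, findings, min_likelihood, transformation, param=None):
    """Drop findings below min_likelihood, then de-identify the rest."""
    floor = LIKELIHOOD.index(min_likelihood)
    kept = [f for f in findings if LIKELIHOOD.index(f["likelihood"]) >= floor]
    # Rewrite right to left so earlier offsets stay valid; assumes no overlaps.
    for f in sorted(kept, key=lambda f: f["start"], reverse=True):
        value = text[f["start"]:f["end"]]
        new = transform(value, f["info_type"], transformation, param)
        text = text[:f["start"]] + new + text[f["end"]:]
    return text


# Constructed sample: the 9-digit order reference is not an SSN, but is
# reported as a POSSIBLE one, the noisy case described above.
TEXT = "Patient Jane Roe, MRN 00482913, order ref 123456789."
FINDINGS = [
    make_finding(TEXT, "Jane Roe", "PERSON_NAME", "LIKELY"),
    make_finding(TEXT, "00482913", "MEDICAL_RECORD_NUMBER", "VERY_LIKELY"),
    make_finding(TEXT, "123456789", "US_SOCIAL_SECURITY_NUMBER", "POSSIBLE"),
]

if __name__ == "__main__":
    for level in ("POSSIBLE", "LIKELY", "VERY_LIKELY"):
        print(level, "->", apply_policy(TEXT, FINDINGS, level, "replaceWithInfoTypeConfig"))
```

At VERY_LIKELY the person name passes through untouched, which is the false-negative cost of the strict setting; at POSSIBLE the order reference is rewritten as if it were an SSN.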

Wiring it into a combined policy

Set the sdp_policy_id parameter on the dlp_analyzer (the server key for the Sensitive Data analyzer):
{
  "name": "dlp_analyzer",
  "params": { "sdp_policy_id": "<uuid-of-sdp-policy>" }
}
Or override per-request:
curl -X POST https://api.lasscyber.com/api/v1/analyze/ \
  -H "Authorization: Bearer ak_…" \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "...",
    "policy_slug": "default-outbound",
    "sdp_policy_id": "<uuid>"
  }'
Use overrides to swap policies for different products or routes without authoring N copies of the combined policy.

Permissions

| Role | Read | Create | Delete |
| --- | --- | --- | --- |
| Owner | Yes | Yes | Yes |
| Admin | Yes | Yes | Yes |
| Member | Yes | Yes | Yes |
| Viewer | Yes | No | No |
The relevant scopes are sdp:read, sdp:create, sdp:delete. Note that there is no in-place SDP update scope today; the dashboard edit flow re-creates and re-binds.

Limits and cost

  • Token limit: 1,000,000 tokens per request.
  • DLP timeout: 30 seconds.
  • Findings per request: 100 (Cloud DLP default; if your input exceeds this you’ll see truncation).
  • Cost: Cloud DLP pricing per content item inspected — see cloud.google.com/sensitive-data-protection/pricing.
