- What to look for — the inspect config (info types + minimum likelihood).
- What to do with findings — the de-identify config (transformation: redact, mask, replace with info type, …).
Default SDP policies
| Policy | Info types | Transformation | Default? |
|---|---|---|---|
| General PII Redaction | EMAIL_ADDRESS, PHONE_NUMBER, PERSON_NAME, LOCATION, DATE_OF_BIRTH, AGE, IP_ADDRESS, URL | Replace with [REDACTED] | Yes |
| Financial Data Masking | CREDIT_CARD_NUMBER, IBAN_CODE, SWIFT_CODE, U.S. bank routing, U.S. financial account, credit card track | Mask all chars with * | No |
| Healthcare PHI Protection | MEDICAL_RECORD_NUMBER, US_HEALTHCARE_NPI, US_DEA_NUMBER, ICD9_CODE, ICD10_CODE, FDA_CODE, HEALTH_CARE_BENEFICIARY, BLOOD_TYPE | Replace with info type label, e.g. [MEDICAL_RECORD_NUMBER] | No |
| Government ID Protection | US_SOCIAL_SECURITY_NUMBER, US_PASSPORT, US_DRIVERS_LICENSE_NUMBER, US_INDIVIDUAL_TAXPAYER_IDENTIFICATION_NUMBER, US_ADOPTION_TAXPAYER_IDENTIFICATION_NUMBER | Mask all chars with * | No |
| Credential & Secret Detection | AUTH_TOKEN, BASIC_AUTH_HEADER, HTTP_COOKIE, PASSWORD, WEAK_PASSWORD_HASH, ENCRYPTION_KEY, GCP_API_KEY, GCP_CREDENTIALS, STORAGE_SIGNED_URL, STORAGE_SIGNED_POLICY_DOCUMENT | Fully redact (empty string) | No |
`sdp_policy_id` is specified on the analyzer or per request.
Authoring a custom SDP policy
In the dashboard at agnes.lasscyber.com/protection/sensitive-data:
- Click New SDP policy.
- Author the inspect config:
  - Name and description.
  - Add `infoTypes` from the Cloud DLP catalog. The full list is at cloud.google.com/sensitive-data-protection/docs/infotypes-reference.
  - Set `minLikelihood` (POSSIBLE, LIKELY, VERY_LIKELY). A higher likelihood means fewer false positives and more false negatives.
  - Optionally toggle `includeQuote` to receive the matched text verbatim alongside each finding. The quote is the sensitive value itself, so anything that stores or logs findings must then be treated as holding that data.
- Author the de-identify config:
  - Name and description.
  - Pick a `primitiveTransformation`:
    - `replaceConfig`: replace with a static string (e.g. `[REDACTED]`).
    - `characterMaskConfig`: mask every character with a chosen character (e.g. `*`).
    - `replaceWithInfoTypeConfig`: replace with the info type label in brackets (preserves auditability).
    - `redactConfig`: fully remove the value (empty string).
- Bind the two configs into a policy with a name, description, and optional `is_default` flag.
Example: a clinical trials team
A team accepting patient narratives in an LLM workflow needs:
- Strict PHI detection (HIPAA).
- Findings replaced with the info type label so analysts can audit which categories hit.
The Healthcare PHI Protection policy in the table above already pairs the PHI info types with `replaceWithInfoTypeConfig`. Note that it does not cover contact details such as phone numbers or email addresses; if narratives contain those, combine it with General PII Redaction.
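The following script, added here as an example and not code from the page's product, previews what an authored policy will do to a text. The two config builders use the Cloud DLP `content.deidentify` request field names (`inspectConfig` with `infoTypes`, `minLikelihood`, `includeQuote`; `deidentifyConfig` with the four primitive transformations listed above). `preview_deidentify` is an assumed stand-in for the DLP service: it applies the chosen transformation to findings constructed by hand, so it runs offline and real DLP output will differ. The sample narrative and its findings are constructed for the clinical-trials case.

```python
"""Preview what an SDP policy does to a text, offline.

Added example; it is not code from the page's product. The config
builders use Cloud DLP `content.deidentify` field names. `preview_deidentify`
is an assumed stand-in for the DLP service working on hand-made findings.
"""
from typing import Dict, List, Tuple

# Cloud DLP likelihood scale, lowest to highest.
LIKELIHOOD_RANK = {"VERY_UNLIKELY": 1, "UNLIKELY": 2, "POSSIBLE": 3,
                   "LIKELY": 4, "VERY_LIKELY": 5}


def build_inspect_config(info_types: List[str], min_likelihood: str = "LIKELY",
                         include_quote: bool = False) -> Dict:
    """inspectConfig: which info types to look for and how sure DLP must be."""
    if min_likelihood not in LIKELIHOOD_RANK:
        raise ValueError(f"unknown minLikelihood {min_likelihood!r}")
    return {
        "infoTypes": [{"name": name} for name in info_types],
        "minLikelihood": min_likelihood,
        "includeQuote": include_quote,
    }


def build_deidentify_config(kind: str, value: str = "[REDACTED]",
                            mask_char: str = "*") -> Dict:
    """deidentifyConfig with one primitiveTransformation applied to every info type."""
    if kind == "replace":
        prim = {"replaceConfig": {"newValue": {"stringValue": value}}}
    elif kind == "mask":
        prim = {"characterMaskConfig": {"maskingCharacter": mask_char}}
    elif kind == "replace_with_info_type":
        prim = {"replaceWithInfoTypeConfig": {}}
    elif kind == "redact":
        prim = {"redactConfig": {}}
    else:
        raise ValueError(f"unknown transformation {kind!r}")
    return {"infoTypeTransformations": {
        "transformations": [{"primitiveTransformation": prim}]}}


def preview_deidentify(text: str, findings: List[Dict], inspect_config: Dict,
                       deidentify_config: Dict) -> Tuple[str, List[Dict]]:
    """Apply the policy to `text` given findings of the form
    {"infoType", "likelihood", "start", "end"} (character offsets into text).
    Returns the de-identified text and the findings that were acted on."""
    allowed = {t["name"] for t in inspect_config["infoTypes"]}
    min_rank = LIKELIHOOD_RANK[inspect_config["minLikelihood"]]
    kept = [f for f in findings
            if f["infoType"] in allowed
            and LIKELIHOOD_RANK[f["likelihood"]] >= min_rank]
    prim = deidentify_config["infoTypeTransformations"]["transformations"][0][
        "primitiveTransformation"]
    out = text
    # Rewrite from the end of the text backwards so earlier offsets stay valid.
    # Overlapping findings are not handled here; the DLP service resolves those.
    for f in sorted(kept, key=lambda f: f["start"], reverse=True):
        value = text[f["start"]:f["end"]]
        if "replaceConfig" in prim:
            repl = prim["replaceConfig"]["newValue"]["stringValue"]
        elif "characterMaskConfig" in prim:
            repl = prim["characterMaskConfig"]["maskingCharacter"] * len(value)
        elif "replaceWithInfoTypeConfig" in prim:
            repl = f"[{f['infoType']}]"
        else:  # redactConfig: drop the value entirely
            repl = ""
        out = out[:f["start"]] + repl + out[f["end"]:]
    report = []
    for f in kept:
        entry = {"infoType": f["infoType"], "likelihood": f["likelihood"]}
        if inspect_config["includeQuote"]:
            # The quote is the raw sensitive value; stored findings become sensitive.
            entry["quote"] = text[f["start"]:f["end"]]
        report.append(entry)
    return out, report


# Constructed sample: a narrative fragment and hand-made findings with offsets.
SAMPLE_TEXT = "MRN 00412877 admitted; contact 415-555-0199."
SAMPLE_FINDINGS = [
    {"infoType": "MEDICAL_RECORD_NUMBER", "likelihood": "LIKELY", "start": 4, "end": 12},
    {"infoType": "PHONE_NUMBER", "likelihood": "VERY_LIKELY", "start": 31, "end": 43},
]

if __name__ == "__main__":
    phi = build_inspect_config(["MEDICAL_RECORD_NUMBER", "US_HEALTHCARE_NPI"],
                               "LIKELY", include_quote=True)
    print(preview_deidentify(SAMPLE_TEXT, SAMPLE_FINDINGS, phi,
                             build_deidentify_config("replace_with_info_type")))
```

Running the PHI-only policy over the sample leaves the phone number untouched because `PHONE_NUMBER` is not in its `infoTypes`, which is the gap noted above; adding it (or layering General PII Redaction) masks both values.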
Likelihood and false positives
Cloud DLP’s likelihood scale (lowest to highest): VERY_UNLIKELY → UNLIKELY → POSSIBLE → LIKELY → VERY_LIKELY
Recommended starting points:
| Use case | minLikelihood |
|---|---|
| Exploratory / observability only | POSSIBLE |
| Production guard, tolerate some false positives | LIKELY |
| Strict guard, tolerate some false negatives | VERY_LIKELY |
Start at LIKELY rather than POSSIBLE for U.S. identifiers (especially SSNs): at POSSIBLE they match many unrelated 9-digit numbers such as order, tracking and account numbers.
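To make the trade-off in the table concrete, the script below, added as an example and not code from the page's product, sweeps `minLikelihood` over a labelled sample and reports true/false positives and misses at each threshold. The findings and their likelihoods are constructed by hand to mimic what Cloud DLP might return for `US_SOCIAL_SECURITY_NUMBER` on a support ticket (two real SSNs plus unrelated 9-digit numbers); the `is_pii` ground-truth label is the analyst's, not something DLP supplies.

```python
"""Sweep minLikelihood over labelled findings to pick a production threshold.

Added example, not code from the page's product. FINDINGS is constructed
to mimic Cloud DLP output for US_SOCIAL_SECURITY_NUMBER; `is_pii` is a
hand-applied ground-truth label.
"""
from typing import Dict, List, Tuple

LIKELIHOODS = ["VERY_UNLIKELY", "UNLIKELY", "POSSIBLE", "LIKELY", "VERY_LIKELY"]
RANK = {name: i for i, name in enumerate(LIKELIHOODS)}

# Constructed sample: what a ticket full of 9-digit numbers might yield.
FINDINGS = [
    {"quote": "123-45-6789", "likelihood": "VERY_LIKELY", "is_pii": True},  # formatted SSN
    {"quote": "987654321", "likelihood": "LIKELY", "is_pii": True},         # bare SSN after "SSN:"
    {"quote": "219099999", "likelihood": "LIKELY", "is_pii": False},        # account number
    {"quote": "400123456", "likelihood": "POSSIBLE", "is_pii": False},      # order number
    {"quote": "555019920", "likelihood": "POSSIBLE", "is_pii": False},      # tracking id
    {"quote": "917234589", "likelihood": "POSSIBLE", "is_pii": False},      # ticket id
]


def surviving(findings: List[Dict], min_likelihood: str) -> List[Dict]:
    """Findings DLP would return at this minLikelihood (rank >= threshold)."""
    return [f for f in findings if RANK[f["likelihood"]] >= RANK[min_likelihood]]


def confusion(findings: List[Dict], min_likelihood: str) -> Tuple[int, int, int]:
    """(true positives, false positives, false negatives) at one threshold."""
    kept = surviving(findings, min_likelihood)
    tp = sum(1 for f in kept if f["is_pii"])
    fp = len(kept) - tp
    fn = sum(1 for f in findings if f["is_pii"]) - tp
    return tp, fp, fn


def sweep(findings: List[Dict],
          thresholds=("POSSIBLE", "LIKELY", "VERY_LIKELY")) -> Dict[str, Dict]:
    """Precision/recall at each candidate minLikelihood."""
    out = {}
    for t in thresholds:
        tp, fp, fn = confusion(findings, t)
        out[t] = {"tp": tp, "fp": fp, "fn": fn,
                  "precision": tp / (tp + fp) if tp + fp else 0.0,
                  "recall": tp / (tp + fn) if tp + fn else 0.0}
    return out


def strictest_threshold_with_recall(findings: List[Dict], min_recall: float = 1.0) -> str:
    """Walk from VERY_LIKELY down and return the first threshold whose recall on
    the labelled sample meets min_recall; the fallback is POSSIBLE."""
    for t in ("VERY_LIKELY", "LIKELY", "POSSIBLE"):
        tp, _, fn = confusion(findings, t)
        if tp + fn and tp / (tp + fn) >= min_recall:
            return t
    return "POSSIBLE"


if __name__ == "__main__":
    for threshold, stats in sweep(FINDINGS).items():
        print(threshold, stats)
    print("recommended:", strictest_threshold_with_recall(FINDINGS))
```

On this sample POSSIBLE catches both SSNs but drags in four unrelated numbers, VERY_LIKELY drops the bare SSN, and LIKELY is the strictest setting that still catches everything, which is the production starting point the table gives. Replace the constructed list with findings from your own labelled traffic before trusting the recommendation.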
Wiring it into a combined policy
Set the `sdp_policy_id` parameter on the `dlp_analyzer` (the server key for the Sensitive Data analyzer). The same parameter can also be supplied per request, as noted above.
Permissions
| Role | Read | Create | Delete |
|---|---|---|---|
| Owner | Yes | Yes | Yes |
| Admin | Yes | Yes | Yes |
| Member | Yes | Yes | Yes |
| Viewer | Yes | No | No |
The corresponding API scopes are `sdp:read`, `sdp:create` and `sdp:delete`. Note that there is no in-place SDP update scope today; the dashboard edit flow re-creates the policy and re-binds it.
Limits and cost
- Token limit: 1,000,000 tokens per request.
- DLP timeout: 30 seconds.
- Findings per request: 100 (the Cloud DLP default); if your input produces more findings than this, the returned list is truncated.
- Cost: Cloud DLP pricing per content item inspected — see cloud.google.com/sensitive-data-protection/pricing.
Next
- Sensitive Data analyzer — runtime details, metrics, and termination signals.
- Combined analyzer — wiring the SDP finding into termination.
- Cloud DLP info types reference.