> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lasscyber.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SDP policies

> Configure which info types Cloud DLP inspects and how findings are de-identified.

A **Sensitive Data Protection (SDP) policy** tells the
[Sensitive Data analyzer](/analyzers/sensitive-data) two things:

1. *What to look for* — the **inspect config** (info types + minimum
   likelihood).
2. *What to do with findings* — the **de-identify config**
   (transformation: redact, mask, replace with info type, …).

Agnes ships five default policies so common cases work out of the box;
you author your own when those defaults are too broad or too narrow.

## Default SDP policies

| Policy                            | Info types                                                                                                                                                                                     | Transformation                                               | Default? |
| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | -------- |
| **General PII Redaction**         | `EMAIL_ADDRESS`, `PHONE_NUMBER`, `PERSON_NAME`, `LOCATION`, `DATE_OF_BIRTH`, `AGE`, `IP_ADDRESS`, `URL`                                                                                        | Replace with `[REDACTED]`                                    | Yes      |
| **Financial Data Masking**        | `CREDIT_CARD_NUMBER`, `IBAN_CODE`, `SWIFT_CODE`, U.S. bank routing, U.S. financial account, credit card track                                                                                  | Mask all chars with `*`                                      | No       |
| **Healthcare PHI Protection**     | `MEDICAL_RECORD_NUMBER`, `US_HEALTHCARE_NPI`, `US_DEA_NUMBER`, `ICD9_CODE`, `ICD10_CODE`, `FDA_CODE`, `HEALTH_CARE_BENEFICIARY`, `BLOOD_TYPE`                                                  | Replace with info type label, e.g. `[MEDICAL_RECORD_NUMBER]` | No       |
| **Government ID Protection**      | `US_SOCIAL_SECURITY_NUMBER`, `US_PASSPORT`, `US_DRIVERS_LICENSE_NUMBER`, `US_INDIVIDUAL_TAXPAYER_IDENTIFICATION_NUMBER`, `US_ADOPTION_TAXPAYER_IDENTIFICATION_NUMBER`                          | Mask all chars with `*`                                      | No       |
| **Credential & Secret Detection** | `AUTH_TOKEN`, `BASIC_AUTH_HEADER`, `HTTP_COOKIE`, `PASSWORD`, `WEAK_PASSWORD_HASH`, `ENCRYPTION_KEY`, `GCP_API_KEY`, `GCP_CREDENTIALS`, `STORAGE_SIGNED_URL`, `STORAGE_SIGNED_POLICY_DOCUMENT` | Fully redact (empty string)                                  | No       |

The "Default?" column marks the tenant default — used when no
`sdp_policy_id` is specified on the analyzer or per request.

## Authoring a custom SDP policy

In the dashboard at
[`agnes.lasscyber.com/protection/sensitive-data`](https://agnes.lasscyber.com/protection/sensitive-data):

1. Click **New SDP policy**.
2. Author the **inspect config**:
   * Name and description.
   * Add `infoTypes` from the Cloud DLP catalog. The full list is at
     [cloud.google.com/sensitive-data-protection/docs/infotypes-reference](https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference).
   * Set `minLikelihood` (`POSSIBLE`, `LIKELY`, `VERY_LIKELY`).
     Higher likelihood = fewer false positives, more false negatives.
   * Optionally toggle `includeQuote` to receive the matched text
     verbatim alongside each finding.
3. Author the **de-identify config**:
   * Name and description.
   * Pick a `primitiveTransformation`:
     * `replaceConfig` — replace with a static string (e.g.
       `[REDACTED]`).
     * `characterMaskConfig` — mask every char with a chosen char
       (e.g. `*`).
     * `replaceWithInfoTypeConfig` — replace with the info type label
       in brackets (preserves auditability).
     * `redactConfig` — fully remove the value (empty string).
4. Bind the two configs into a **policy** with a name, description,
   and optional `is_default` flag.

### Example: a clinical trials team

A team accepting patient narratives in an LLM workflow needs:

* Strict PHI detection (HIPAA).
* Replace findings with the info type label so analysts can audit
  which categories hit.

Inspect config:

```json theme={null}
{
  "infoTypes": [
    { "name": "MEDICAL_RECORD_NUMBER" },
    { "name": "US_HEALTHCARE_NPI" },
    { "name": "ICD10_CODE" },
    { "name": "DATE_OF_BIRTH" },
    { "name": "PERSON_NAME" }
  ],
  "minLikelihood": "POSSIBLE",
  "includeQuote": true
}
```

De-identify config:

```json theme={null}
{
  "infoTypeTransformations": {
    "transformations": [
      { "primitiveTransformation": { "replaceWithInfoTypeConfig": {} } }
    ]
  }
}
```

Then bind the two configs into a policy named "Clinical PHI" and mark
it as the tenant default.

## Likelihood and false positives

Cloud DLP's likelihood scale (lowest to highest):

`VERY_UNLIKELY → UNLIKELY → POSSIBLE → LIKELY → VERY_LIKELY`

Recommended starting points:

| Use case                                        | `minLikelihood` |
| ----------------------------------------------- | --------------- |
| Exploratory / observability only                | `POSSIBLE`      |
| Production guard, tolerate some false positives | `LIKELY`        |
| Strict guard, tolerate some false negatives     | `VERY_LIKELY`   |

Bump the threshold up when an info type fires noisily. The shipped
**Government ID Protection** policy uses `LIKELY` because U.S.
identifiers (especially SSNs) trigger many `POSSIBLE` matches on
unrelated 9-digit numbers.

## Wiring it into a combined policy

Set the `sdp_policy_id` parameter on the `dlp_analyzer` (the server
key for the [Sensitive Data analyzer](/analyzers/sensitive-data)):

```json theme={null}
{
  "name": "dlp_analyzer",
  "params": { "sdp_policy_id": "<uuid-of-sdp-policy>" }
}
```

Or override per-request:

```bash theme={null}
curl -X POST https://api.lasscyber.com/api/v1/analyze/ \
  -H "Authorization: Bearer ak_…" \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "...",
    "policy_slug": "default-outbound",
    "sdp_policy_id": "<uuid>"
  }'
```

Use overrides to swap policies for different products or routes
without authoring N copies of the combined policy.

## Permissions

| Role   | Read | Create | Delete |
| ------ | ---- | ------ | ------ |
| Owner  | Yes  | Yes    | Yes    |
| Admin  | Yes  | Yes    | Yes    |
| Member | Yes  | Yes    | Yes    |
| Viewer | Yes  | No     | No     |

The relevant scopes are `sdp:read`, `sdp:create`, `sdp:delete`. Note
that there is no in-place SDP `update` scope today; the dashboard
edit flow re-creates and re-binds.

## Limits and cost

* **Token limit:** 1,000,000 tokens per request.
* **DLP timeout:** 30 seconds.
* **Findings per request:** 100 (Cloud DLP default; if your input
  exceeds this you'll see truncation).
* **Cost:** Cloud DLP pricing per content item inspected — see
  [cloud.google.com/sensitive-data-protection/pricing](https://cloud.google.com/sensitive-data-protection/pricing).

## Next

* [Sensitive Data analyzer](/analyzers/sensitive-data) — runtime
  details, metrics, and termination signals.
* [Combined analyzer](/concepts/combined-analyzer) — wiring the SDP
  finding into termination.
* [Cloud DLP info types reference](https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference).
