DLP coverage and locales
Control Zero scans both the requests your agent sends and the responses it receives for sensitive data. Detection runs at every surface: SDK, gateway, MCP server, browser extension, and coding hooks. 65 patterns ship by default across PII, financial, healthcare, and secrets categories. You can also add custom regex rules for organization-specific data.
What's covered out of the box
Personal identifiers (PII)
Identifiers that vary by region. The detector recognizes:
| Region | Patterns |
|---|---|
| United States | SSN, phone numbers (with area code variants) |
| Korea | Resident Registration Number (RRN) with Mod-11 check digit, mobile, business registration (BRN), driver license, passport, bank account |
| Japan | My Number (individual), My Number (corporate), mobile phone |
| Europe | UK National Insurance Number, German Steuer-ID, French NIR (social security) |
| India | Aadhaar, PAN |
| Brazil | CPF |
| Canada | SIN |
| Australia | TFN |
| Singapore | NRIC / FIN |
| Hong Kong | HKID |
| Universal | Email addresses |
Financial
| Pattern | Notes |
|---|---|
| Credit card | Luhn checksum validated (Visa, Mastercard, Amex, Discover, JCB) |
| IBAN | International bank account, country prefix validated |
| SWIFT / BIC | Bank identifier codes |
| US routing number | ABA routing |
| Bitcoin address | Legacy P2PKH and P2SH |
| Ethereum address | EOA and contract addresses |
Healthcare
| Pattern | Notes |
|---|---|
| US NPI | National Provider Identifier (10 digits) |
| US DEA Number | Drug Enforcement Administration registration |
Secrets and credentials
The detector catches accidental key leaks for cloud providers, AI services, version control, payments, observability, and infrastructure:
- Cloud: AWS Access Key, AWS Secret Key, GCP API Key, GCP Service Account Key, Azure Client Secret, Azure SAS Token
- AI providers: OpenAI, Anthropic, HuggingFace, Cohere
- Version control: GitHub PAT, GitLab PAT
- Payments: Stripe Publishable Key, Stripe Secret Key
- Communications: Slack Bot Token, Slack Webhook URL, SendGrid API Key
- Package registries: npm Token, PyPI Token
- Infrastructure: SSH Private Key, PEM Certificate, Vault Token, JWT Token, Bearer Token (Authorization header)
- Connection strings: PostgreSQL, MySQL, MongoDB, Redis, AMQP / RabbitMQ
- Observability: Datadog, Sentry DSN, New Relic, Linear
- Control Zero: Control Zero API keys (so you don't accidentally paste your own key into a chat)
Action per finding
Each pattern runs with one of three actions:
| Action | What happens to the call | Use when |
|---|---|---|
| detect | Call proceeds. Finding is recorded in the audit log. | You want visibility without disrupting users |
| mask | Matched string is replaced with a redaction token (e.g., [REDACTED:SSN]) before the call proceeds. | You want users to keep working; the model just doesn't see the secret |
| block | Call is denied. Agent receives a policy-denied error. | High-risk data: credentials, customer PII in code |
You can mix actions per pattern. For example: mask credit cards, block AWS keys, detect and audit phone numbers.
Adding custom regex rules
Real organizations have data shapes the built-in patterns won't cover: internal project codes, customer account IDs, proprietary identifiers. Add them via the DLP Rules Editor in the dashboard, or directly in your policy file:
```yaml
dlp_rules:
  - id: internal-project-code
    pattern: 'PROJ-[A-Z]{3}-\d{6}'
    category: custom
    action: block
    reason: 'Internal project codes must not leave the agent'
  - id: customer-account-id
    pattern: 'CUST_[0-9]{10}'
    category: pii
    action: mask
    reason: 'Customer account IDs masked in audit'
  - id: jira-ticket
    pattern: '\bACME-\d{4,6}\b'
    category: custom
    action: detect
    reason: 'Track which agents reference internal tickets'
```
Patterns use Python re syntax (a PCRE-compatible subset). Test patterns from the dashboard editor before publishing -- it runs them against sample text live so you can confirm matches and check for false positives.
Where DLP runs
DLP scanning is active by default at every surface:
| Surface | Direction | Where the scan happens |
|---|---|---|
| SDK | Tool call args | Before guard() returns |
| Gateway proxy | Both the prompt sent to the LLM and the response back | Bidirectional in the proxy |
| MCP server | Tool inputs and outputs | At the MCP server hop |
| Browser extension | Text typed or pasted into chat UIs | In the browser before the request leaves |
| Coding hooks | Tool call arguments before the AI assistant executes them | In the hook check |
What you see in the audit log
Every finding -- whether it triggered a block, mask, or just a detect -- is recorded with the rule id, the category, the action taken, and a count of matches. The original matched text is not logged unless you explicitly opt in to that. Audit answers "this happened" without itself becoming a sensitive data store.
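A minimal scanner, added here as an example and not Control Zero's implementation, that applies the three custom rules from the policy file above with their detect, mask and block actions and records audit findings as rule id, category, action and match count only, never the matched text. The redaction-token format and the "allow"/"block" decision strings are assumptions for this example.

```python
import re
from dataclasses import dataclass

# The three custom rules from the policy file, as dicts instead of YAML.
RULES = [
    {"id": "internal-project-code", "pattern": r"PROJ-[A-Z]{3}-\d{6}",
     "category": "custom", "action": "block"},
    {"id": "customer-account-id", "pattern": r"CUST_[0-9]{10}",
     "category": "pii", "action": "mask"},
    {"id": "jira-ticket", "pattern": r"\bACME-\d{4,6}\b",
     "category": "custom", "action": "detect"},
]


@dataclass
class Finding:
    rule_id: str
    category: str
    action: str
    count: int  # only the count is kept; the matched text is never stored


def scan(text: str, rules=RULES) -> tuple[str, str, list[Finding]]:
    """Apply every rule to text.

    Returns (decision, output_text, findings): decision is "block" if any
    blocking rule matched, otherwise "allow"; output_text is what the model
    would see, with masked matches replaced by a redaction token (assumed
    format [REDACTED:<rule id>]); findings carry id/category/action/count.
    """
    findings: list[Finding] = []
    decision = "allow"
    out = text
    for rule in rules:
        regex = re.compile(rule["pattern"])
        count = len(regex.findall(text))  # count against the original input
        if count == 0:
            continue
        findings.append(Finding(rule["id"], rule["category"], rule["action"], count))
        if rule["action"] == "block":
            decision = "block"
        elif rule["action"] == "mask":
            out = regex.sub(f"[REDACTED:{rule['id']}]", out)
    if decision == "block":
        out = ""  # a denied call forwards nothing; findings are still recorded
    return decision, out, findings
```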
Availability
Built-in DLP patterns are available on Free, Solo, and Teams tiers. Custom DLP rules and the dashboard rules editor are available on Solo and Teams. Approval workflows and DLP rule version history are available on Teams.
Next steps
- DLP Rules Editor -- add custom rules from the dashboard
- Gateway proxy -- enable DLP on existing agents with no code changes
- Coding assistant hooks -- DLP in Claude Code, Cursor, Gemini CLI, Codex CLI