Data redaction (DLP)
Content-level redaction of sensitive data in agent tool inputs, tool outputs, and logs — non-bypassable, with offline-verifiable receipts.
Policies decide whether an action may run. Data redaction governs what data the agent sees and what you persist — it strips sensitive values out of tool inputs, tool outputs (before the agent or LLM ever reads them), and logs. It is enforced at the same execution chokepoint as policy, so an agent cannot bypass it.
How it works
- You define what is sensitive as a set of classes (e.g.
pci.pan,pii.email,secret.aws_key). - A ruleset maps each class to an action (redact / mask / drop / tokenize / fingerprint) and a mode (
off,monitor,enforce). - On every governed call, the engine detects sensitive spans, applies the per-class action, and writes a counts-only, signed receipt — no raw values are ever stored.
Built-in catalog
The engine ships ~60 built-in classes across 7 categories, each checksum-validated where a check digit exists (Luhn, IBAN mod-97, NHS mod-11, etc.) to keep false positives low:
| Category | Examples |
|---|---|
| Financial | Card number (PAN), card security data (CVV/PIN), IBAN, SWIFT/BIC, US routing/account |
| Government / National ID | US SSN/ITIN/EIN, UK NINO/NHS, Spain DNI, Poland PESEL, Netherlands BSN, Australia TFN/Medicare, Canada SIN, India Aadhaar/PAN, Singapore NRIC |
| Contact / PII | Email, phone, IP, date of birth |
| Health / PHI | US NPI, DEA, medical record number, Medicare beneficiary ID, ICD-10 |
| Credentials & secrets | AWS/GCP/GitHub/GitLab/Slack/Stripe/OpenAI/Anthropic keys, private keys, JWTs, DB connection strings, high-entropy secrets |
| Network / device | IPv6, MAC, IMEI, UUID |
| GDPR special | Biometric, genetic, nationality/religion/political (NRP) |
Every class has an enable/disable toggle (default on) — uncheck any you don't want redacted and it's skipped across all rulesets without losing its settings.
Operators (per-class actions)
| Action | Behavior | Typical use |
|---|---|---|
redact | Replace with [REDACTED] | Secrets, generic PII |
mask | Keep a safe prefix/suffix, e.g. card → 411111******1111 (BIN + last 4) | PAN, SSN |
drop | Remove the field entirely, never persisted | Card security data (CVV/PIN) — PCI 3.3.1 |
tokenize | Replace with a reversible <tok:…> placeholder; the original is held in a per-tenant encrypted vault and re-inserted on egress | Values the agent must act on but never see |
fingerprint | Replace with a keyed HMAC | Correlate without revealing |
Modes
off— not enforced.monitor— detect and record what would be redacted, without changing the payload. Always start here.enforce— redact in real time. A redaction error fails closed (the action is blocked).
Optional NER
Free-text person names and locations (which regex can't catch) are available through an optional Presidio NER layer. It is opt-in and off by default — enable a pii.person / pii.location / gdpr.nrp class on a ruleset and install the optional dependency to activate it.
Admin API
All routes are under /api/v1/redaction (JWT auth; canManagePolicies for writes).
| Method | Path | Purpose |
|---|---|---|
GET | /redaction/catalog | The built-in class catalog |
GET | /redaction/classes | Your account's classes (with enabled + category) |
POST | /redaction/classes/{class_uuid}/toggle | Enable/disable a class — body { "enabled": true } |
GET | /redaction/rulesets?environment_id= | List rulesets for an environment |
POST | /redaction/provision-default | Provision the recommended ruleset (monitor mode) |
POST | /redaction/rulesets/{ruleset_uuid}/mode | Set mode — body { "mode": "enforce" } |
POST | /redaction/rulesets/{ruleset_uuid}/activate | Activate a ruleset version |
POST | /redaction/preview | Dry-run against a sample payload — body { "payload": {…} } |
GET | /redaction/receipts?environment_id= | Export the signed redaction-event chain |
Dry-run a payload
The response lists each detected class, its action, and the redacted result — nothing is enforced or stored.
Verify it offline
Export the redaction-event chain and verify it without trusting Nolixan:
The export carries counts only (class, count, action, ruleset version, boundary) plus a per-environment hash chain and Ed25519 signatures — see Receipts. Standards crosswalk: PCI, HIPAA, GDPR, NIST, ISO 27001, SOC 2, OWASP — docs/REDACTION_COMPLIANCE.md.