Nolixan

Data redaction (DLP)

Content-level redaction of sensitive data in agent tool inputs, tool outputs, and logs — non-bypassable, with offline-verifiable receipts.

Policies decide whether an action may run. Data redaction governs what data the agent sees and what you persist — it strips sensitive values out of tool inputs, tool outputs (before the agent or LLM ever reads them), and logs. It is enforced at the same execution chokepoint as policy, so an agent cannot bypass it.

How it works

  1. You define what is sensitive as a set of classes (e.g. pci.pan, pii.email, secret.aws_key).
  2. A ruleset maps each class to an action (redact / mask / drop / tokenize / fingerprint) and a mode (off, monitor, enforce).
  3. On every governed call, the engine detects sensitive spans, applies the per-class action, and writes a counts-only, signed receipt — no raw values are ever stored.

Built-in catalog

The engine ships ~60 built-in classes across 7 categories, each checksum-validated where a check digit exists (Luhn, IBAN mod-97, NHS mod-11, etc.) to keep false positives low:

CategoryExamples
FinancialCard number (PAN), card security data (CVV/PIN), IBAN, SWIFT/BIC, US routing/account
Government / National IDUS SSN/ITIN/EIN, UK NINO/NHS, Spain DNI, Poland PESEL, Netherlands BSN, Australia TFN/Medicare, Canada SIN, India Aadhaar/PAN, Singapore NRIC
Contact / PIIEmail, phone, IP, date of birth
Health / PHIUS NPI, DEA, medical record number, Medicare beneficiary ID, ICD-10
Credentials & secretsAWS/GCP/GitHub/GitLab/Slack/Stripe/OpenAI/Anthropic keys, private keys, JWTs, DB connection strings, high-entropy secrets
Network / deviceIPv6, MAC, IMEI, UUID
GDPR specialBiometric, genetic, nationality/religion/political (NRP)

Every class has an enable/disable toggle (default on) — uncheck any you don't want redacted and it's skipped across all rulesets without losing its settings.

Operators (per-class actions)

ActionBehaviorTypical use
redactReplace with [REDACTED]Secrets, generic PII
maskKeep a safe prefix/suffix, e.g. card → 411111******1111 (BIN + last 4)PAN, SSN
dropRemove the field entirely, never persistedCard security data (CVV/PIN) — PCI 3.3.1
tokenizeReplace with a reversible <tok:…> placeholder; the original is held in a per-tenant encrypted vault and re-inserted on egressValues the agent must act on but never see
fingerprintReplace with a keyed HMACCorrelate without revealing

Modes

  • off — not enforced.
  • monitor — detect and record what would be redacted, without changing the payload. Always start here.
  • enforce — redact in real time. A redaction error fails closed (the action is blocked).

Optional NER

Free-text person names and locations (which regex can't catch) are available through an optional Presidio NER layer. It is opt-in and off by default — enable a pii.person / pii.location / gdpr.nrp class on a ruleset and install the optional dependency to activate it.

Admin API

All routes are under /api/v1/redaction (JWT auth; canManagePolicies for writes).

MethodPathPurpose
GET/redaction/catalogThe built-in class catalog
GET/redaction/classesYour account's classes (with enabled + category)
POST/redaction/classes/{class_uuid}/toggleEnable/disable a class — body { "enabled": true }
GET/redaction/rulesets?environment_id=List rulesets for an environment
POST/redaction/provision-defaultProvision the recommended ruleset (monitor mode)
POST/redaction/rulesets/{ruleset_uuid}/modeSet mode — body { "mode": "enforce" }
POST/redaction/rulesets/{ruleset_uuid}/activateActivate a ruleset version
POST/redaction/previewDry-run against a sample payload — body { "payload": {…} }
GET/redaction/receipts?environment_id=Export the signed redaction-event chain

Dry-run a payload

curl -X POST https://your-host/api/v1/redaction/preview \
  -H "Authorization: Bearer <JWT>" \
  -H "Environment-Id: 1" \
  -H "Content-Type: application/json" \
  -d '{ "payload": { "card": "4111 1111 1111 1111", "email": "a@b.com" } }'

The response lists each detected class, its action, and the redacted result — nothing is enforced or stored.

Verify it offline

Export the redaction-event chain and verify it without trusting Nolixan:

curl -s "https://your-host/api/v1/redaction/receipts?environment_id=1" \
  -H "Authorization: Bearer <JWT>" > redaction-export.json
python scripts/verify_redaction.py redaction-export.json

The export carries counts only (class, count, action, ruleset version, boundary) plus a per-environment hash chain and Ed25519 signatures — see Receipts. Standards crosswalk: PCI, HIPAA, GDPR, NIST, ISO 27001, SOC 2, OWASP — docs/REDACTION_COMPLIANCE.md.

On this page