
PII Detection

Last updated March 3, 2026

Detect and redact Personally Identifiable Information (PII) in real-time. Configure custom rules and redaction strategies.

Cencori Scan automatically detects sensitive data in both prompts (sent to the AI provider) and responses (returned to users).

Supported Entities

We currently detect 25+ types of PII and secrets with high-precision models.

| Category  | Entities |
|-----------|----------|
| Financial | Credit Card Numbers, IBAN, SWIFT Codes, Bitcoin Addresses |
| Personal  | Email, Phone Number, SSN (US), Passport Numbers, IP Addresses |
| Secrets   | OpenAI Keys, AWS Keys, Slack Tokens, Private Keys (PEM) |
| Network   | MAC Addresses, IPv4, IPv6 |

Redaction Modes

You can configure how Cencori handles each detected PII type via the Dashboard or the .cencorirc file.

| Mode   | Behavior | Example Output |
|--------|----------|----------------|
| Mask   | Partially hides the value (default). | user@example.com -> u***@example.com |
| Redact | Replaces the value with a placeholder naming its type. | user@example.com -> <EMAIL_ADDRESS> |
| Block  | Rejects the request entirely (HTTP 403). | CENCORI_403: PII Detected |
| Off    | Logs the detection but passes the value through unchanged. | user@example.com |

Off still records the detection as a security incident; the value itself is forwarded to the provider, so use it only where the downstream model genuinely needs the data.

Configuration

To configure PII rules programmatically (e.g., for Cencori Scan CLI), set an action per entity in .cencorirc. Entities without an explicit action use the default (mask):

```json
// .cencorirc
{
  "pii": {
    "email": "mask",
    "credit_card": "block",
    "ssn": "redact",
    "phone": "off"
  }
}
```

When an entity configured with block is detected, the request is rejected with HTTP 403 and a PII_DETECTED error. The response names the detected types and the incident that was recorded:

```json
{
  "error": "Request blocked due to PII detection",
  "code": "PII_DETECTED",
  "status": 403,
  "details": {
    "patterns_detected": ["EMAIL", "PHONE_NUMBER"],
    "incident_id": "inc_abc123"
  }
}
```

The request never reaches the AI provider, protecting your users' data. The detection is also logged as a security incident (see Viewing PII Incidents in Dashboard).
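The following is an added example, not Cencori's own code, that models how the four actions in the table above behave when driven by a .cencorirc-style "pii" object, and how block mode surfaces as a PII_DETECTED error with the shape shown above. The detectors (including a Luhn check so that an arbitrary 16-digit number is not reported as a card), the masking format, the placeholder names and the error class are assumptions chosen to match the samples on this page; Cencori's real detectors are not regexes you can read from this document.

```typescript
// Added example (not Cencori's code): a self-contained model of the four
// PII actions (mask / redact / block / off) driven by a .cencorirc-style
// "pii" object. Detectors, masking format, placeholder names and the error
// shape are assumptions chosen to match the samples on this page.

type PiiAction = 'mask' | 'redact' | 'block' | 'off';
type PiiEntity = 'email' | 'phone' | 'ssn' | 'credit_card';
type PiiConfig = Partial<Record<PiiEntity, PiiAction>>;

interface Finding { entity: PiiEntity; value: string; }
interface Span extends Finding { start: number; end: number; }
interface ScanResult { text: string; findings: Finding[]; }

// Mirrors the 403 payload on this page (code, status, details.patterns_detected).
class PiiDetectedError extends Error {
  readonly code = 'PII_DETECTED';
  readonly status = 403;
  constructor(readonly details: { patterns_detected: string[] }) {
    super('Request blocked due to PII detection');
  }
}

// Label used both as the <PLACEHOLDER> in redact mode and in patterns_detected (assumed names).
const LABEL: Record<PiiEntity, string> = {
  email: 'EMAIL_ADDRESS', phone: 'PHONE_NUMBER', ssn: 'SSN', credit_card: 'CREDIT_CARD',
};

// Luhn check: a 16-digit order number or timestamp must not be reported as a card.
function luhnValid(digits: string): boolean {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Global regexes so exec() can walk every match; lastIndex is reset before each scan.
const DETECTORS: Array<{ entity: PiiEntity; re: RegExp; accept?: (v: string) => boolean }> = [
  { entity: 'credit_card', re: /\b\d(?:[- ]?\d){12,18}\b/g,
    accept: v => luhnValid(v.replace(/[- ]/g, '')) },
  { entity: 'ssn', re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { entity: 'phone', re: /(?:\+?1[-. ]?)?\b\d{3}[-. ]?\d{3}[-. ]?\d{4}\b/g },
  { entity: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
];

function mask(f: Finding): string {
  if (f.entity === 'email') {
    // user@example.com -> u***@example.com
    return f.value[0] + '***' + f.value.slice(f.value.indexOf('@'));
  }
  // Numeric identifiers: star every digit except the last four, keep separators.
  let toHide = f.value.replace(/\D/g, '').length - 4;
  return f.value.replace(/\d/g, c => (toHide-- > 0 ? '*' : c));
}

function scanPrompt(text: string, config: PiiConfig, log: (msg: string) => void = console.log): ScanResult {
  const spans: Span[] = [];
  for (const d of DETECTORS) {
    d.re.lastIndex = 0; // a /g RegExp remembers where its last match ended
    let m: RegExpExecArray | null;
    while ((m = d.re.exec(text)) !== null) {
      if (d.accept && !d.accept(m[0])) continue;
      spans.push({ entity: d.entity, value: m[0], start: m.index, end: m.index + m[0].length });
    }
  }
  // Earliest (then longest) match wins; any later match overlapping it is dropped.
  spans.sort((a, b) => a.start - b.start || b.end - a.end);
  const findings: Span[] = [];
  let cursor = 0;
  for (const s of spans) {
    if (s.start >= cursor) { findings.push(s); cursor = s.end; }
  }

  const actionOf = (e: PiiEntity): PiiAction => config[e] ?? 'mask'; // mask is the default
  if (findings.some(f => actionOf(f.entity) === 'block')) {
    // Block wins over every other action: nothing is forwarded to the provider.
    throw new PiiDetectedError({
      patterns_detected: Array.from(new Set(findings.map(f => LABEL[f.entity]))),
    });
  }

  let out = '';
  let pos = 0;
  for (const f of findings) {
    out += text.slice(pos, f.start);
    const action = actionOf(f.entity);
    if (action === 'mask') out += mask(f);
    else if (action === 'redact') out += `<${LABEL[f.entity]}>`;
    else { log(`pii ${LABEL[f.entity]} detected, action=off`); out += f.value; }
    pos = f.end;
  }
  out += text.slice(pos);
  return { text: out, findings: findings.map(({ entity, value }) => ({ entity, value })) };
}
```

With the .cencorirc sample from this page, `scanPrompt('Email user@example.com, SSN 123-45-6789, call 555-123-4567', cfg)` returns `Email u***@example.com, SSN <SSN>, call 555-123-4567` (phone is off, so it is logged and passed through), while a Luhn-valid card number throws `PiiDetectedError` before any text is produced. The overlap pass matters: a card number with separators also contains runs that look like phone numbers, and without it the same bytes would be reported twice with conflicting actions.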

Handling PII Detection in Your Code

```typescript
// `cencori` is an initialised Cencori SDK client; `userInput` is untrusted text from the end user.
async function chatWithPiiHandling(userInput: string) {
  try {
    const response = await cencori.ai.chat({
      model: 'gpt-4o',
      messages: [{
        role: 'user',
        content: userInput // May contain PII
      }],
    });

    return response.content;
  } catch (error: any) {
    // Block mode surfaces as an error with code PII_DETECTED (HTTP 403)
    if (error?.code === 'PII_DETECTED') {
      // Tell the user what to remove without echoing the flagged values back
      return {
        error: 'Your message contains sensitive information. Please remove personal details.',
        pii_types: error.details?.patterns_detected ?? []
      };
    }

    throw error; // anything else (network, auth, rate limit) propagates to the caller
  }
}
```

Redaction Mode (Coming Soon)

Instead of blocking, you can enable automatic redaction. Cencori will replace PII with placeholders:

```text
Original:
"My email is john@example.com and my phone is 555-1234"

Redacted:
"My email is [EMAIL_REDACTED] and my phone is [PHONE_REDACTED]"
```

This allows the request to proceed while protecting sensitive data.

Viewing PII Incidents in Dashboard

All PII detection events are logged as security incidents. To view them:

  1. Navigate to your project dashboard
  2. Click "Security" in the sidebar
  3. Filter by "PII Detection" incident type
  4. View details including:
    • Which PII types were detected
    • Timestamp and user info
    • The triggering request (PII redacted)

Custom Patterns (Enterprise)

Enterprise customers can add custom PII patterns specific to their business:

  • Employee IDs (e.g., EMP-12345)
  • Internal project codes
  • Customer reference numbers
  • Industry-specific identifiers (medical record numbers, account IDs)

Contact sales to configure custom patterns for your organization.

Handling False Positives

Sometimes legitimate content is flagged as PII:

> [!TIP]
> Example: Fictional Data. "Create a sample user profile with email test@example.com" might be flagged, even though it's fictional.

> [!NOTE]
> Solution: Whitelist Domains. Configure Cencori to allow specific domains or patterns in your project settings.

Best Practices

  • Enable PII detection for all production projects
  • Educate users to avoid sharing personal information in prompts
  • Review PII incidents weekly to identify patterns
  • Use redaction mode for non-critical PII (e.g., names in support tickets)
  • Use block mode where compliance is strict (healthcare, finance)
  • Monitor false positive rates and adjust sensitivity

Compliance Benefits

PII detection supports compliance with:

  • GDPR: Prevent unauthorized processing of personal data
  • HIPAA: Protect patient health information
  • SOC 2: Demonstrate data protection controls
  • CCPA: Meet California Consumer Privacy Act obligations for consumers' personal information

Custom Regex Rules

You can add custom detectors for business-specific data (e.g., User IDs, Order Numbers). Write patterns so they cannot match inside a longer token: ORD-\d{6} as written also matches the first ten characters of ORD-1234567, so anchor it with word boundaries (\bORD-\d{6}\b) unless you want that behaviour.

```json
// .cencorirc
{
  "custom_rules": [
    {
      "name": "internal_order_id",
      "regex": "ORD-\\d{6}",
      "action": "redact"
    }
  ]
}
```

False Positives

If legitimate data is being flagged, you can whitelist specific values or contexts in the Dashboard > Security > Whitelist.
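The following is an added example, not Cencori's own code, covering the two sections above together: it compiles a custom_rules list with the same name/regex/action fields as the .cencorirc sample, fails at load time on a pattern that does not compile, anchors bare patterns on word boundaries so ORD-\d{6} does not fire inside ORD-1234567, and skips values on an allowlist of exact values and whole-value patterns (the whitelist described above). The allowlist shape, the <RULE_NAME> placeholder and the error message are assumptions.

```typescript
// Added example (not Cencori's code): compiles custom_rules entries as in the
// .cencorirc sample above and applies them with an allowlist of known-safe
// values. Allowlist shape, placeholder format and error message are assumptions.

interface CustomRule { name: string; regex: string; action: 'redact' | 'block' | 'off'; }
interface CompiledRule { name: string; re: RegExp; action: CustomRule['action']; }
interface Allowlist { values?: string[]; patterns?: string[]; }
interface CompiledAllowlist { values: Set<string>; patterns: RegExp[]; }
interface CustomScan { text: string; matched: Array<{ rule: string; value: string }>; }

function compileRules(rules: CustomRule[]): CompiledRule[] {
  return rules.map(r => {
    if (!/^[a-z][a-z0-9_]*$/.test(r.name)) throw new Error(`invalid rule name: ${r.name}`);
    // A bare pattern such as ORD-\d{6} also matches inside ORD-1234567;
    // wrap it in word boundaries unless the author anchored it explicitly.
    const src = r.regex.startsWith('^') || r.regex.startsWith('\\b')
      ? r.regex
      : `\\b(?:${r.regex})\\b`;
    try {
      return { name: r.name, re: new RegExp(src, 'g'), action: r.action };
    } catch (e) {
      // Fail closed at load time rather than silently skipping a broken detector.
      throw new Error(`rule ${r.name}: cannot compile ${r.regex}: ${(e as Error).message}`);
    }
  });
}

function compileAllowlist(a: Allowlist): CompiledAllowlist {
  return {
    values: new Set(a.values ?? []),
    // Allowlist patterns must match the whole value, never a substring of it.
    patterns: (a.patterns ?? []).map(p => new RegExp(`^(?:${p})$`)),
  };
}

function isAllowed(value: string, allow: CompiledAllowlist): boolean {
  return allow.values.has(value) || allow.patterns.some(re => re.test(value));
}

function applyCustomRules(text: string, rules: CompiledRule[], allow: CompiledAllowlist): CustomScan {
  const matched: CustomScan['matched'] = [];
  let out = text;
  for (const rule of rules) {
    const hits: string[] = [];
    // String.replace with a /g RegExp always scans from the start; the same
    // object passed to test()/exec() would instead resume from lastIndex.
    out = out.replace(rule.re, (m: string) => {
      if (isAllowed(m, allow)) return m;      // whitelisted value: leave it untouched
      hits.push(m);
      return rule.action === 'redact' ? `<${rule.name.toUpperCase()}>` : m;
    });
    if (rule.action === 'block' && hits.length > 0) {
      // Reject the whole request; nothing is forwarded to the provider.
      throw new Error(`PII_DETECTED: rule ${rule.name} matched ${hits.length} value(s)`);
    }
    for (const v of hits) matched.push({ rule: rule.name, value: v });
  }
  return { text: out, matched };
}
```

Compiling rules once at startup and keeping the compiled list is deliberate: a rule that fails to compile should stop deployment, not disappear from the detector set at request time. The allowlist is applied per match, so a fixture value such as ORD-000000 passes through while every other order number in the same prompt is still redacted.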