Policy & DLP

To AI enforcement

Classification & enforcement for data heading OUT to AI tools. Powered by GCP Sensitive Data Protection. From-AI is monitor + warn + attest only — never configurable to block.

Detected infoTypes
Which GCP Cloud DLP detectors classify outgoing prompts. 8 of 14 enabled.

150+ detectors exist in GCP Cloud DLP. This is a representative set — full catalog selection ships later.

Confidence thresholds
Minimum DLP match likelihood before a detector fires. Higher = fewer false positives, lower recall.
LIKELY
LIKELY
POSSIBLE
VERY LIKELY
Possible | Likely | Very likely
Enforcement by category (outbound only)
What happens when a category is detected in a prompt heading to an AI tool. Human review only — Zeflin never auto-disciplines.
Category | Monitor | Warn | Block
Financial
PII
Credentials & secrets
Health (PHI)
From AI destinations (moat)
AI content pasted into Gmail / Docs / Slack / Jira
From-AI carries Attest instead of Block. A paste-anyway path always remains — it is structurally impossible to hard-block AI content landing in real work.
Allowlists
Contexts exempt from classification (e.g. public, non-sensitive sources).
status pages, public press releases, open-source license text
Per-tool outbound enforcement
How blocking actions resolve per AI tool. Default is WARN.

Hard-BLOCK is a deliberate opt-in. A false-positive block gets Zeflin uninstalled. We ship default-WARN; turn on hard-BLOCK only for tools and categories you trust the classifier on.

ChatGPT: WARN | BLOCK
Claude: WARN | BLOCK
Gemini: WARN | BLOCK
Copilot: M1.5 · coming
Perplexity: M1.5 · coming

All tools warn-first — safest default.

Block failure behavior
What happens when the DLP classifier is slow or unreachable during a hard-BLOCK decision.
seconds (5–10s)
Redaction & retention
De-identification of captured content and how long it is retained.
Redaction (GCP DLP de-identification)

Store de-identified previews instead of raw matched values. Raw reveal stays privileged + audited.

Retention window

Captured content expires and is hard-deleted after this window. Set in org settings.

90 days
Coming later
Deferred capabilities — not configurable in this build.
Approved prompt library

Curated, safe prompt templates

Coming later
Role-based access

Fine-grained per-policy roles

Coming later
Policy-engine rule builder

Conditional, composable rules

Coming later

Classification runs on GCP Sensitive Data Protection. US companies only. Every change is recorded in the append-only audit log.