Masking types
AgentLink provides a wide range of predefined data masking types categorized by regulatory frameworks.
Each type defines a specific pattern of information that will be automatically detected and masked in tool responses.
GDPR — General data protection regulation
Covers personal identifiers of EU citizens.
| Example Fields | Description |
|---|---|
| Email Address | Replaces local part of the email (e.g., a***@example.com). |
| Phone Number | Masks digits except for the country code (e.g., +44 ******123). |
| Passport / ID Number | Replaces all digits with *. |
| Address | Masks street names and house numbers. |
| Bank Number | Obscures all but the last four digits. |
PHI — Protected health information (HIPAA)
Applies to health-related data used in regulated contexts.
| Example Fields | Description |
|---|---|
| Medical License | Masks identifier fully. |
| Health Record ID | Partially masks unique record identifiers. |
| Insurance Number | Removes middle segment of the number. |
| Diagnosis Codes | Optionally replaces with “[REDACTED]”. |
PCI DSS — Payment card industry
Applies to payment and credit card data.
| Example Fields | Description |
|---|---|
| Credit Card Number | Masks all but the last four digits. |
| CVV / Security Code | Fully masked. |
| IBAN / Bank Account | Partially masked. |
| Cardholder Name | Replaced with generic placeholder. |
CCPA — California consumer privacy act
Targets U.S. consumer personal data.
| Example Fields | Description |
|---|---|
| SSN | Masks middle digits (e.g., ***-**-6789). |
| Driver License | Fully masked. |
| Home Address | Replaces street name with [REDACTED]. |
| Tax ID | Masks all characters except the last two. |
COPPA — Children's online privacy protection act
Used when child-related data is involved.
| Example Fields | Description |
|---|---|
| Child Name | Replaced with “Child”. |
| Birth Date | Replaced with “01/01/YYYY”. |
| School Name | Masked entirely. |
Masking behavior
- Masking occurs before any data is returned to AI agents.
- The original values are never stored or exposed in logs.
- When multiple policies apply to the same tool, masking is applied cumulatively.
- All matched values are replaced with deterministic redaction tokens in the form
REDACTED_<TYPE>.- Examples:
REDACTED_EMAIL_ADDRESS,REDACTED_CREDIT_CARD,REDACTED_US_SSN.
- Examples:
Example response
{
"email": "REDACTED_EMAIL_ADDRESS",
"creditCard": "REDACTED_CREDIT_CARD",
"patientId": "REDACTED_PATIENT_IDENTIFIER"
}