{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-agen-for-work/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["LightboxImage"]},"type":"markdown"},"seo":{"title":"Data protection","siteUrl":"https://developers.frontegg.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"data-protection","__idx":0},"children":["Data protection"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Data protection in Agen for Work lets you mask sensitive information in tool responses before they reach AI agents. By creating data protection policies, you ensure that regulated data — such as health records, payment card numbers, and personal identifiers — is automatically redacted at the governance layer, regardless of which AI agent or client is making the request."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This helps your organization meet compliance requirements under GDPR, HIPAA, CCPA, PCI DSS, and other regulatory frameworks without modifying the underlying SaaS tools or the AI agents themselves."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To access the Data protection page, navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Governance → Data protection"]}," in the left sidebar."]},{"$$mdtype":"Tag","name":"LightboxImage","attributes":{"isLightbox":true},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/agen-for-work-data-protection.25b511190b4ec9acdd93a3553b6302ed426534c57223a5aba08bd68b7f7c32df.1d3e9401.png","alt":"Data protection 
page"},"children":[]}]}]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The page displays all configured data protection policies in a table, along with a search bar and a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create"]}," button."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"data-protection-policy-table","__idx":1},"children":["Data protection policy table"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Column"},"children":["Column"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Status"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A toggle to activate or deactivate the policy without deleting it"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Policy name"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The name of the policy (e.g., \"Mask PII\")"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Protection types"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Badges showing the compliance categories applied (e.g., 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["GDPR"]}," +3)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tools"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The connector tools this policy applies to (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["List_all_expenses"]},")"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Policy targeting"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The condition that determines when the policy is applied (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["country in_list US"]},")"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Each row has a three-dot menu for editing or deleting the policy."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"how-data-protection-works","__idx":2},"children":["How data protection works"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Data protection policies intercept tool responses after the connected SaaS tool returns its data, but before the response reaches the AI agent. 
The sequence is:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["An AI agent invokes a tool through the MCP Gateway."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The request passes through authentication, access control, and policies as normal."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The request is forwarded to the tool's API endpoint."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The API response is intercepted by the data protection layer."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If the policy's targeting conditions match the request context, Agen for Work scans the response for the configured data types."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Any matching sensitive data is masked before the response is returned to the AI agent."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When an active policy matches a tool call, the original unmasked values of the configured data types are never exposed to the AI agent or the AI platform. The agent receives a complete response, with the detected sensitive values replaced by masked equivalents (for example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["***-**-1234"]}," for a Social Security number)."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"creating-a-data-protection-policy","__idx":3},"children":["Creating a data protection policy"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create"]}," to open the policy creation dialog. Fill in the following fields:"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"policy-name","__idx":4},"children":["Policy name"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A descriptive name for the policy (e.g., \"Mask PII\", \"HIPAA compliance\"). 
Choose a name that makes the policy's purpose clear at a glance."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"description","__idx":5},"children":["Description"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["An optional description of what the policy protects. Maximum 180 characters."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"data-types-to-protect","__idx":6},"children":["Data types to protect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A multi-select dropdown where you choose which categories of sensitive data to detect and mask. Data types are organized by regulatory framework, with a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Select all"]}," option per category:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Category"},"children":["Category"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Framework"},"children":["Framework"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"What it covers"},"children":["What it covers"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PHI"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["HIPAA"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["39 predefined health-related identifiers: medical record numbers, insurance IDs, health service numbers, and international 
variants"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PII"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["General"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Personally identifiable information: social security numbers, passport numbers, driver's license numbers, financial account numbers"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["GDPR"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["EU regulation"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Names, addresses, national IDs, and other personal data relevant to EU data subjects"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PCI DSS"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Payment Card Industry"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Credit card numbers, CVV codes, and cardholder names"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CCPA"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["California law"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Data types specific to California residents' privacy rights"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["COPPA"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["US federal law"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Personal 
information related to children"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can select types from multiple categories in a single policy. See ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"/agen-for-work/data-protection/masking-types"},"children":["Masking types"]}," for the complete list of identifiers within each category."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"policy-tools","__idx":7},"children":["Policy tools"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Select which connector tools this policy applies to. If you select tools, masking is applied only to responses from those tools. If you leave this field empty, the policy applies to all tools."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"policy-targeting","__idx":8},"children":["Policy targeting"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Define a conditional expression that determines ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["when"]}," the policy is applied. 
If no condition is set, the policy applies to all matching tool calls unconditionally."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Targeting uses an attribute-based expression builder:"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["IF"]}," ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["[Attribute]"]}," ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["[Operator]"]}," ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["[Value]"]}]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Component"},"children":["Component"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Example"},"children":["Example"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Attribute"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The request attribute to evaluate"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Country"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Operator"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The comparison 
operator"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["In"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Value"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The value(s) to compare against"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["United States"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["+ and"]}," to add additional conditions. All conditions must be true for the policy to apply. Click the minus icon to remove a condition."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create"]}," to save the policy."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"activating-and-deactivating-policies","__idx":9},"children":["Activating and deactivating policies"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Each policy has a toggle in the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Status"]}," column:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Active"]}," (toggle on) — The policy is enforced on all matching tool responses."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Inactive"]}," (toggle off) — The policy is preserved in your configuration but is not enforced, so tool responses it would otherwise match are not masked by this policy."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use the inactive state to temporarily suspend a 
policy during testing or maintenance without losing its configuration."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"example-mask-pii-for-us-based-requests","__idx":10},"children":["Example: mask PII for US-based requests"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scenario:"]}," Mask all PII and GDPR-regulated data in tool responses when the requesting user is based in the United States."]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Set ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Policy name"]}," to \"Mask PII — US\"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Data types to protect"]},", select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PII"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["GDPR"]},". 
Use ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Select all"]}," within each category."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Policy tools"]},", select the tools that handle personal data (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["List_all_expenses"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Get_user_profile"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Policy targeting"]},", set: IF ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Country"]}," ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["In"]}," ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["United States"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Result: When a US-based user's AI agent calls any of the selected tools, fields matching PII and GDPR data types are automatically masked in the response before the agent receives it."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"next-steps","__idx":11},"children":["Next steps"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/agen-for-work/data-protection/masking-types"},"children":["Masking types"]}," — Full reference of all predefined data identifiers by compliance category"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/agen-for-work/policies/overview"},"children":["Policies"]}," — Control who can use which tools and under what 
conditions"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/agen-for-work/monitoring/overview"},"children":["Monitoring"]}," — Audit tool calls and verify masking is applied as expected"]}]}]},"headings":[{"value":"Data protection","id":"data-protection","depth":2},{"value":"Data protection policy table","id":"data-protection-policy-table","depth":3},{"value":"How data protection works","id":"how-data-protection-works","depth":3},{"value":"Creating a data protection policy","id":"creating-a-data-protection-policy","depth":3},{"value":"Policy name","id":"policy-name","depth":4},{"value":"Description","id":"description","depth":4},{"value":"Data types to protect","id":"data-types-to-protect","depth":4},{"value":"Policy tools","id":"policy-tools","depth":4},{"value":"Policy targeting","id":"policy-targeting","depth":4},{"value":"Activating and deactivating policies","id":"activating-and-deactivating-policies","depth":3},{"value":"Example: mask PII for US-based requests","id":"example-mask-pii-for-us-based-requests","depth":3},{"value":"Next steps","id":"next-steps","depth":3}],"frontmatter":{"title":"Data protection","seo":{"title":"Data protection"}},"lastModified":"2026-06-11T01:51:15.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/agen-for-work/data-protection/overview","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}