GPTfy Security Layers for Data Anonymization
GPTfy ensures that sensitive data is anonymized before it reaches AI models by using multi-layered security. These layers provide different strategies to mask personally identifiable information (PII) and maintain compliance with privacy standards.
What You Can Do:
- Identify and anonymize sensitive data using both prebuilt and custom rules.
- Apply anonymization strategies based on the field type (e.g., Email, Phone).
- Mask data dynamically using Regular Expressions (Regex), blocklists, field logic, or custom Apex classes.
- Audit and verify anonymization through Security Audit records.
GPTfy Security Layers:
| Layer | Description | Best Use |
|---|---|---|
| Layer 1: Field Value Based | Masks entire field values based on field mapping (e.g., Email, Phone, Name). | Email, Phone, Name fields |
| Layer 2: Format-Based (Regex) | Masks specific patterns within long text fields using Regex (e.g., Emails, Phones, SSNs inside notes). | Emails, Phones, SSNs inside long text |
| Layer 3: Blocklist-Based | Masks sensitive words or terms from long text using blocklists (e.g., Product names, Confidential IDs). | Unstructured text |
| Layer 4: Apex-Based | Executes custom Apex logic for complex or unmatched data patterns (e.g., custom rules for specialized data). | Complex data masking |

Note: Layers 2 and 3 operate on long text fields to mask specific strings within unstructured content.
Field-Level Controls for Regex Matching:
| Checkbox | Functionality | Benefits | Potential Drawbacks |
|---|---|---|---|
| Match Complete Word | Adds (?<=\s)(?=\s) to match whole words. | Prevents partial matches within other words (e.g., avoids matching "cat" in "category"). | Might miss matches not surrounded by whitespace. |
| Ignore Special Characters | Ignores special characters at the start or end of a match (e.g., ., : ; {}). | Allows flexible matching for inconsistently formatted data. | Could result in unintended matches if special characters are meaningful. |
Steps to Use Security Layers in Data Context Mapping:
- Access the Field Mapping Window:
  - Navigate to Data Context Mapping in the GPTfy Cockpit.
  - Select an object and click Field Mappings.
- Choose the Appropriate Security Layer:
  - For regular fields (e.g., Email, Phone), select Entire Value (Layer 1).
  - For long text fields, select Specific Patterns to activate Layers 2 and 3.
- Save Your Field Mapping:
  - After configuring masking layers and values, click Save.
- Activate the Prompt:
  - Apply the security layers by activating an existing prompt or creating a new one with the mapping.
- Run the Prompt:
  - Execute the prompt on any Salesforce record to trigger anonymization.
- Verify Anonymization in the Security Audit Record:
  - Open the linked Security Audit record to check:
    - Data (Original): The original field value.
    - Data (PII Removed): The masked value.
How Apex Security Layer Works:
The Apex Security Layer enables the creation of custom masking logic when other layers are insufficient. This is useful for complex data masking scenarios.
- Create a New Apex Class:
  - Implement the interface AIApexSecurityLayerInterface.
- Define the Apex Security Layer:
  - Add the Apex class name to the new security layer and activate it.
- Activate the Layer in Data Context Mapping:
  - Select the new Apex Security Layer in the Data Context Mapping settings.
How to Create a New Security Layer
There are 3 types of records to create security layers:
- Apex
- Blocklist
- Regex
Fields in Apex Record Type:
| Field | Description |
|---|---|
| Name | Provide the name of the security layer record |
| Type | Select from the picklist the item that relates to the data masked by the Apex class |
| Apex Class Name | Provide the name of the Apex class used for masking |
| Record Type | This field will be automatically populated after selecting the record type |
| Status | Select the status of the security layer from the picklist. Only active security layers are shown in the Apex security layer drop-down in the advanced settings when creating the data context mapping |
| Comment | Provide a definition or brief description of the security layer and the purpose of its use |

Apex Class Example:

```apex
global class SampleApexSecurityLayerClass implements ccai.AIApexSecurityLayerInterface {
    global ccai.AIApexSecurityLayerDataWrapper getExtractData(ccai.AIApexSecurityLayerDataWrapper wrapper) {
        // Data_PII_Key holds a JSON map; deserialize it so an entry can be added.
        Map<String, String> pIIKey = (Map<String, String>) JSON.deserialize(
            wrapper.response.ccai__Data_PII_Key__c, Map<String, String>.class);
        // Pair the sensitive value with the key that masks it.
        pIIKey.put('489-36-83535566u', 'AP-0874-001');
        // Serialize the updated map back onto the response record.
        wrapper.response.ccai__Data_PII_Key__c = JSON.serialize(pIIKey);
        return wrapper;
    }
}
```

Sample Example:
| Original Value | Masked By | Security Layer |
|---|---|---|
| 34e | SF-0179-022 | Layer 2 – Regex |
| 12321 | SF-0174-001 | Layer 2 – Regex |
GPTfy applies rules in a top-down approach. Larger values are prioritized before submatches.
Field Name: Description
| Original Value | Masked By | Security Layer |
|---|---|---|
| Contact at 489-36-83525566u | AP-0874-001 | Layer 4 – Apex |
Description 1: Includes sensitive text (489-36-83525566u) — masked by Apex layer.
Description 2: Regular masking (using Layer 2 or 3) applies first.
Name field: (Entire Value masking by Layer 1.)
Important: Apex logic is triggered after Layer 1, 2, and 3 if masking is still required.

Fields in Blocklist Record Type:
When the record type is Blocklist, the Apex Class Name field does not appear in the UI. The other 5 fields are present and serve the same purpose as in the Apex record type.
There is an additional section in the Blocklist record type with two fields:
| Field | Description |
|---|---|
| Blocklist | Paste the values that must be masked when they appear in the data. |
| Replacement Value | The value used as the key that masks the values listed in the Blocklist field. |
Example Blocklist Values:
62GBA41;79lrr;38BEE27;USPOLO;1234567890;Google;Philips;alkd%aks;alice.johnson@example.com; Iphone 13; 1!2@3#4$%; Samsung S23; lifeboy; life; boy;
Example Replacement Value:
SF-0052
Fields in Regex Record Type:
When the record type is Regex, the Apex Class Name field does not appear in the UI. The other 5 fields are present and serve the same purpose as in the Apex record type.
There is an additional section in the Regex record type with two fields:
| Field | Description |
|---|---|
| Search Pattern | The regex pattern that tells the system which values need to be masked. |
| Replacement Value | The value used as the key that masks the values in the data that match the regex pattern. |
Example Search Pattern:
[\\[\:\"\'\\]\;\,\{\}\(\)\.]?\+?\d(?:-?\d){9,}[\\[\:\"\'\\]\;\,\{\}\(\)\.]??
Example Replacement Value:
SF-0132
Validation of Regex:
The regex pattern is validated when the record is saved, irrespective of its status.
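The following Python example is added here and is not GPTfy's code: it approximates the regex and blocklist layers described on this page to show two behaviours worth testing before relying on a rule set, the whitespace lookarounds of Match Complete Word and larger-values-first blocklist matching. The phone pattern is a simplified stand-in for the example Search Pattern, the function names and the sample note are constructed, and substring matching of blocklist terms is an assumption.

```python
import re

# Keys and blocklist terms come from the page's examples; PHONE is a
# simplified stand-in (assumption) for the page's example Search Pattern.
PHONE = r"\+?\d(?:-?\d){9,}"
PHONE_KEY = "SF-0132"
BLOCKLIST = ["life", "boy", "lifeboy", "USPOLO"]
BLOCK_KEY = "SF-0052"


def regex_layer(text, pattern, key, match_complete_word=False):
    """Layer 2: replace every pattern match with the replacement key."""
    if match_complete_word:
        # The lookarounds the page lists for the Match Complete Word checkbox.
        pattern = r"(?<=\s)(?:" + pattern + r")(?=\s)"
    return re.sub(pattern, key, text)


def blocklist_layer(text, terms, key):
    """Layer 3: mask blocklisted terms, longest first, so 'lifeboy' is
    replaced as a whole before its submatches 'life' and 'boy'."""
    ordered = sorted(terms, key=len, reverse=True)
    alternation = "|".join(re.escape(t) for t in ordered)
    return re.sub(alternation, key, text)


def anonymize(text, match_complete_word=False):
    text = regex_layer(text, PHONE, PHONE_KEY, match_complete_word)
    return blocklist_layer(text, BLOCKLIST, BLOCK_KEY)


def residual_pii(masked):
    """Audit check: whatever the unanchored rules still find was not masked."""
    found = re.findall(PHONE, masked)
    found += [t for t in BLOCKLIST if t in masked]
    return found


# Constructed sample note: the number starts the text and is followed by a
# comma, so it has no whitespace on either side.
NOTE = "415-555-0100, call back about the lifeboy order from USPOLO"

if __name__ == "__main__":
    for flag in (False, True):
        out = anonymize(NOTE, match_complete_word=flag)
        print(flag, "->", out, "| residual:", residual_pii(out))
```

With Match Complete Word enabled, the number at the start of the note is left unmasked and the residual check reports it, which is the drawback listed in the checkbox table.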
Summary:
- Use Layer 1 for complete field-level anonymization.
- Use Layers 2 and 3 for inline masking within long text.
- Use Layer 4 (Apex) when custom, complex masking is needed.
- Customize Regex behavior using checkboxes to improve accuracy.
- View and audit anonymization results directly in GPTfy’s security logs.
This multi-layered approach helps you stay compliant and confident in how your data is handled.