Data loss prevention
Cloudflare Data Loss Prevention (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.
DLP scans HTTP traffic, SaaS application files, and AI prompts for sensitive data such as credit card numbers, credentials, and personally identifiable information.
Cloudflare does not write scanned content to disk. DLP encrypts and temporarily stores content in memory only. To retain matched content for review, configure payload logging for encrypted payload copies or a Logpush destination to export full matching HTTP requests.
DLP uses profiles to define what to detect, detection entries to identify specific patterns and data, and optional Data Classification to organize and label findings at scale.
Data Loss Prevention complements Secure Web Gateway to detect sensitive data transferred in HTTP requests. DLP scans the HTTP body (excluding headers), which may include uploaded or downloaded files, chat messages, forms, and other web content.
DLP requires Gateway HTTP filtering with TLS decryption to read the contents of HTTPS traffic in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a Do Not Inspect policy).
To get started, refer to Scan HTTP traffic with DLP.
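As an added illustration (not Cloudflare's code), the scanning scope described above modelled in Python: a constructed, already-decrypted HTTPS request is scanned body-only (headers are ignored), a hypothetical Do Not Inspect host is skipped entirely, and findings are reported as detection names and offsets rather than the matched content. The card and SSN patterns and the Luhn check are assumptions standing in for real DLP detection entries.

```python
import re

# Constructed sample: one decrypted request as Gateway would see it after TLS inspection.
SAMPLE_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "X-Debug-Card: 4111111111111111\r\n"  # lives in a header: outside the scanned body
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Customer card 4111 1111 1111 1111, ssn 123-45-6789, ref 1234567890123456"
)

# Hypothetical Do Not Inspect policy: traffic to these hosts bypasses DLP entirely.
DO_NOT_INSPECT_HOSTS = {"bank.example.com"}

# Assumed stand-ins for two detection entries (a real profile would use Cloudflare's own).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def split_request(raw):
    """Separate the header block from the body; only the body is in DLP scope."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, body


def scan_request(raw, do_not_inspect=DO_NOT_INSPECT_HOSTS):
    """Return detection names and body offsets; matched text is never copied out."""
    headers, body = split_request(raw)
    if headers.get("host") in do_not_inspect:
        return {"inspected": False, "findings": []}  # bypassed, nothing scanned
    findings = []
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("credit_card", m.start(), m.end()))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", m.start(), m.end()))
    return {"inspected": True, "findings": findings}
```

The header-only card number and the Luhn-invalid reference number produce no findings, which is the distinction the paragraph above draws between what DLP does and does not inspect.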
Data Loss Prevention complements Cloudflare CASB (Cloud Access Security Broker) to detect sensitive data stored in your SaaS applications. CASB connects directly to SaaS application APIs to retrieve and scan files, rather than reading files as they pass through Cloudflare Gateway. Because of this, Gateway and Cloudflare One Client settings (such as Do Not Inspect policies and Split Tunnel configurations) do not affect data at rest scans.
To get started, refer to Scan SaaS applications with DLP.
- AI Gateway — Data Loss Prevention integrates with Cloudflare AI Gateway to scan AI prompts and responses for sensitive data. To enable this, refer to Set up DLP for AI Gateway. When enabled, DLP inspects the text content of requests sent to AI providers and responses returned from AI models, without requiring Gateway HTTP filtering or TLS decryption.
- Gateway Application Granular Controls — Gateway Application Granular Controls let you control specific actions within AI applications without blocking the entire application. You can add the DLP Profile selector to the same HTTP policy to scan those operations for sensitive data, as described in Scan HTTP traffic with DLP.
- AI Security for Apps — DLP complements AI Security for Apps by providing profile-based detection of sensitive data in AI traffic, while AI Security for Apps handles large language model (LLM)-specific threats such as prompt injection and unsafe topics. To detect sensitive data alongside AI Security for Apps, configure DLP profiles and apply them to your AI traffic policies.
Data Loss Prevention integrates with Cloudflare Email Security to scan outbound emails for sensitive data. Outbound DLP requires Microsoft 365 and uses a client-side Outlook add-in to inspect emails before they are sent.
To get started, refer to Outbound Data Loss Prevention (DLP).
For help resolving common issues with DLP, refer to Troubleshoot DLP.
DLP supports reporting and scanning the following file types:
- Text and CSV
- Microsoft Office 2007 and later (.docx, .xlsx, .pptx), including Microsoft 365
- ZIP files containing the above
DLP will scan the text contained in text, Microsoft Office, and PDF files.
Refer to the OCR documentation for supported image format information.