Custom Protection Rules: Protecting Your Proprietary Data from AI

Beyond Generic PII: The Enterprise Problem

Most AI privacy tools focus on obvious PII: emails, phone numbers, credit cards. But what about your company's proprietary data?

• Internal project codes like PROJ-1234 or ALPHA-2025
• Confidential keywords: SECRET, INTERNAL ONLY, NOT FOR PUBLIC
• Employee IDs, transaction codes, system identifiers
• Customer reference numbers, contract IDs, invoice numbers

Standard PII filters don't catch these. And if your employees are pasting internal documents into ChatGPT or Claude, you're leaking business-critical information.

The Solution: Custom Protection Rules

SafePipe's Custom Protection Rules (available on Business and Enterprise plans) let you define your own regex patterns to protect company-specific sensitive data.

How It Works

You define rules with two actions:

1. 1REDACT: Replace matched patterns with placeholders (e.g., PROJ-1234 → [REDACTED:PROJECT_CODE])
2. 2BLOCK: Immediately reject the entire request if pattern is found (returns HTTP 400)

Real-World Example: Automotive Manufacturer

A German car manufacturer uses SafePipe to allow engineers to use AI for documentation. Their custom rules:

{
  "rules": [
    {
      "name": "Project Codes",
      "pattern": "PROJ-\\d{4}",
      "action": "redact"
    },
    {
      "name": "Confidential Keywords",
      "pattern": "\\b(GEHEIM|STRENG VERTRAULICH|NUR FÜR INTERNEN GEBRAUCH)\\b",
      "action": "block"
    },
    {
      "name": "VIN Numbers",
      "pattern": "\\b[A-HJ-NPR-Z0-9]{17}\\b",
      "action": "redact"
    }
  ]
}

Result: Engineers can use OpenAI o3 for complex technical analysis, but company secrets never leave the EU.

REDACT vs. BLOCK: When to Use Each

Use REDACT When:

• The data is sensitive but not critical
• You want the AI to understand the structure (e.g., "There are 3 project codes here")
• The context is more important than the exact value

Example:

Input:  "Status update for PROJ-1234 and PROJ-5678"
Output: "Status update for [REDACTED:PROJECT_CODE] and [REDACTED:PROJECT_CODE]"

The AI can still help with the task, but your project codes are safe.

Use BLOCK When:

• The data is highly confidential (trade secrets, legal documents)
• Any leak could cause serious harm
• You want a hard stop, no exceptions

Example:

Input:  "Summarize this document marked GEHEIM"
Output: ❌ 400 Bad Request
        "Content blocked by custom rule: Confidential Keywords"

The request is killed before it reaches any AI provider.

Implementation: Adding Custom Rules

Method 1: Via Dashboard (Recommended)

1. 1Go to Dashboard → Settings → Protection Rules
2. 2Click "Add Custom Rule"
3. 3Enter:

- Name: "Project Codes"

- Pattern: PROJ-\\d{4}

- Action: Redact or Block

1. 1Test your regex with the built-in pattern tester
2. 2Save and enable

Method 2: Via Database (For DevOps)

Custom rules are stored in the user_configs table as JSONB:

-- Add a new rule
UPDATE user_configs 
SET custom_rules = custom_rules || '[{
  "id": "rule-xyz",
  "name": "Employee IDs",
  "pattern": "EMP-\\d{6}",
  "action": "redact"
}]'::jsonb
WHERE user_id = 'your-user-id';

Advanced: Multi-Stage Protection

Combine standard PII filters with custom rules for layered security:

Stage 1: Standard PII Detection
  ↓ Emails, phones, credit cards → [REDACTED]
  
Stage 2: Custom Rules
  ↓ Project codes, keywords → [REDACTED] or BLOCK
  
Stage 3: Forward to AI
  ↓ Only clean, anonymized data

ReDoS Protection

SafePipe validates all regex patterns to prevent Regular Expression Denial of Service (ReDoS) attacks. Patterns with excessive quantifiers or backtracking are rejected:

❌ Dangerous: (a+)+ 
✅ Safe: PROJ-\d{1,10}

Use Cases by Industry

Finance

• Block IBAN, SWIFT codes, account numbers
• Redact transaction IDs, customer reference numbers

Healthcare

• Redact patient IDs, case numbers
• Block mentions of specific drugs under development

Legal

• Block case file numbers, client codes
• Redact contract IDs, NDA reference numbers

Tech/SaaS

• Redact internal feature flags, experiment IDs
• Block mentions of unreleased product names

Testing Your Rules

Before going live, test your custom rules:

# Send a test prompt with sensitive data
curl https://api.safepipe.eu/v1/chat/completions \
  -H "Authorization: Bearer sp_live_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [{
      "role": "user",
      "content": "Analyze project PROJ-1234 and GEHEIM data"
    }]
  }'

# Expected behavior:
# - PROJ-1234 is redacted
# - "GEHEIM" triggers a block (400 error)

Performance Impact

Custom rules are applied in real-time using optimized regex engines:

• Latency: < 5ms per rule
• Throughput: 10,000+ requests/second
• Memory: Negligible (compiled patterns cached)

Even with 50+ custom rules, you won't notice any slowdown.

Future: AI-Powered Rule Suggestions

Coming Q1 2026: SafePipe will analyze your prompts and suggest custom rules based on detected patterns. For example:

"We detected 47 instances of pattern ABC-\\d{3} in your requests. Would you like to create a rule?"

Conclusion

Generic PII filters are a good start, but they're not enough for enterprises with proprietary data. Custom Protection Rules give you surgical control over what AI providers can and cannot see.

Whether you're a startup protecting unreleased features or an enterprise safeguarding trade secrets, custom rules are your safety net.

Ready to implement Custom Protection Rules? Upgrade to Business Plan or contact sales for Enterprise.