Agents move data. They paste customer records into prompts, embed support tickets, send tool arguments to third-party APIs. RenLayer’s data-loss prevention (DLP) layer scans both prompts and responses before the proxy forwards them, and decides whether to allow, warn, or block based on what it finds.
Built-in detectors
The proxy ships with detectors for common sensitive data classes:
- PII: email addresses, phone numbers, IP addresses, postal addresses, names paired with identifiers.
- Government identifiers: SSN, EU national IDs, passport numbers, IBAN, tax IDs.
- Payment data: credit card numbers (Luhn-validated), CVV-like patterns.
- Credentials and secrets: API keys for major providers (AWS, GCP, Stripe, Slack, GitHub), private SSH keys, JWTs.
- Source code: heuristic detection of code blocks; useful for stopping leaks of proprietary internals.
Each detector returns a finding with:
- Class (e.g. pii.email, secret.aws_access_key).
- Severity: CRITICAL, HIGH, MEDIUM, LOW.
- Location: byte range in the request or response.
- Confidence: heuristic score where applicable.
Custom patterns
You can extend the detector set per tenant with custom patterns:
- Regex patterns: for structured internal identifiers (e.g. an internal employee ID format).
- Keyword lists: for project codenames, customer names, or other terms that must not leave the boundary.
- Allow lists: exemptions to suppress noisy false positives on specific test data.
Custom patterns are authored in the console under DLP and take effect on the next request, the same way policies do.
What happens when a detector fires
Each finding has a severity. The proxy maps severity to action:
- CRITICAL: the request is blocked. The trace is recorded as DLP_BLOCKED, and the agent receives a structured 403 with a redacted explanation.
- HIGH / MEDIUM: by default the request is forwarded but the trace is marked DLP_WARNED. You can override per pattern to escalate to a block.
- LOW: recorded on the trace for visibility. The request proceeds.
Mapping is configurable per tenant. A bank may treat any payment-data finding as CRITICAL; a SaaS company may treat the same finding as HIGH and let the request through with a warning.
Redaction
When configured, the proxy can redact matched spans before forwarding rather than blocking outright. The downstream provider sees [REDACTED:secret.aws_access_key] in place of the original value. This is useful for letting agents continue working with sanitized inputs.
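The pieces described above (detectors that return findings, per-tenant custom patterns and allow lists, the severity-to-action mapping with a tenant override, and span redaction) fit together as in the following toy scanner. This is an added example written for this page, not RenLayer's code: the names TenantConfig, Finding, scan(), decide() and redact() are assumptions made for illustration, the regexes are deliberately simpler than real detectors, and the sample request bodies and tenant settings are constructed.

```python
"""Toy DLP scanner written to illustrate this page; not RenLayer's code. TenantConfig,
Finding, scan(), decide() and redact() are names assumed for illustration."""
import re
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
ACTION = {"CRITICAL": "block", "HIGH": "warn", "MEDIUM": "warn", "LOW": "log"}
TRACE_STATUS = {"block": "DLP_BLOCKED", "warn": "DLP_WARNED"}  # log/allow set no DLP status

@dataclass(frozen=True)
class Finding:
    cls: str         # e.g. "pii.email", "secret.aws_access_key"
    severity: str    # CRITICAL/HIGH/MEDIUM/LOW, after tenant overrides
    start: int       # byte range in the scanned body
    end: int
    confidence: float

@dataclass
class TenantConfig:
    severity_overrides: dict = field(default_factory=dict)  # class -> severity
    custom_regex: dict = field(default_factory=dict)        # class -> bytes pattern
    keywords: dict = field(default_factory=dict)            # class -> list of terms
    allow_list: set = field(default_factory=set)            # exact values to ignore
    redact_instead_of_block: bool = False

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum: rejects digit runs that are card-shaped but not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits.decode("ascii"))):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Built-in detectors: class, default severity, pattern, optional validator, confidence.
BUILTIN = [
    ("secret.aws_access_key", "CRITICAL", re.compile(rb"\bAKIA[0-9A-Z]{16}\b"), None, 0.99),
    ("pii.email", "MEDIUM", re.compile(rb"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None, 0.90),
    ("payment.card", "HIGH", re.compile(rb"\b(?:\d[ -]?){12,18}\d\b"),
     lambda v: luhn_ok(re.sub(rb"[ -]", b"", v)), 0.95),
]

def detectors(tenant):
    """Built-ins plus the tenant's regex and keyword patterns, severity overridden per class."""
    for cls, sev, rx, validate, conf in BUILTIN:
        yield cls, tenant.severity_overrides.get(cls, sev), rx, validate, conf
    for cls, pat in tenant.custom_regex.items():
        yield cls, tenant.severity_overrides.get(cls, "HIGH"), re.compile(pat), None, 0.80
    for cls, words in tenant.keywords.items():
        rx = re.compile(b"|".join(re.escape(w) for w in words))
        yield cls, tenant.severity_overrides.get(cls, "HIGH"), rx, None, 0.70

def scan(body: bytes, tenant: TenantConfig) -> list:
    findings = []
    for cls, sev, rx, validate, conf in detectors(tenant):
        for m in rx.finditer(body):
            value = m.group(0)
            if value in tenant.allow_list:                    # exempt known test data
                continue
            if validate is not None and not validate(value):  # e.g. fails Luhn
                continue
            findings.append(Finding(cls, sev, m.start(), m.end(), conf))
    return sorted(findings, key=lambda f: f.start)

def decide(findings, tenant):
    """The worst finding decides; CRITICAL blocks unless the tenant opted for redaction."""
    if not findings:
        return "allow", None
    worst = max(findings, key=lambda f: SEVERITY_RANK[f.severity])
    action = ACTION[worst.severity]
    if action == "block" and tenant.redact_instead_of_block:
        action = "redact"
    return action, TRACE_STATUS.get(action)

def redact(body: bytes, findings) -> bytes:
    """Replace spans right to left so earlier byte offsets stay valid; a span that
    overlaps one already replaced is skipped since that replacement covers it."""
    out, limit = body, len(body)
    for f in sorted(findings, key=lambda f: (f.start, f.end), reverse=True):
        if f.end > limit:
            continue
        out = out[:f.start] + b"[REDACTED:" + f.cls.encode() + b"]" + out[f.end:]
        limit = f.start
    return out

# Constructed sample traffic and tenant settings (not real data).
SAMPLE = (b"Customer jane@example.com paid with card 4111 1111 1111 1111. "
          b"Ticket came from the Bluebird team, handled by emp-00421.")
KEY_BODY = b"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"  # AWS's documented example key
BANK = TenantConfig(severity_overrides={"payment.card": "CRITICAL"},  # any card number blocks
                    custom_regex={"internal.employee_id": rb"\bemp-\d{5}\b"},
                    keywords={"internal.codename": [b"Bluebird"]})
SAAS = TenantConfig(allow_list={b"4111 1111 1111 1111"},  # documented test card seen in QA
                    redact_instead_of_block=True)

if __name__ == "__main__":
    for tenant in (BANK, SAAS):
        print(decide(scan(SAMPLE, tenant), tenant))
    print(redact(KEY_BODY, scan(KEY_BODY, SAAS)))
```

The bank tenant escalates payment.card to CRITICAL, so the sample body is blocked even though nothing in it is CRITICAL by default; its custom regex and keyword list also fire on the employee ID and the codename. The SaaS tenant allow-lists the documented test card and chooses redaction over blocking, so an AWS access key in a request is replaced with [REDACTED:secret.aws_access_key] and the request is forwarded. Redaction walks spans right to left so that replacing one span does not shift the byte offsets of the findings before it.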
Performance
Pattern-based detectors run in microseconds. Heavier detectors (e.g. classifier-based PII detection on long bodies) can add a few milliseconds. Detector cost is reported per-trace in the console so you can see what’s expensive.
Where to go next
- Policies: policies and DLP work together; either can block a request.
- Console: DLP: managing detectors and reviewing findings.
- Action statuses: DLP_BLOCKED vs DLP_WARNED.