Data loss prevention

Cloudflare Data Loss Prevention (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.

DLP scans HTTP traffic, SaaS application files, and AI prompts for sensitive data such as credit card numbers, credentials, and personally identifiable information.

Cloudflare does not write scanned content to disk. DLP encrypts and temporarily stores content in memory only. To retain matched content for review, configure payload logging for encrypted payload copies or a Logpush destination to export full matching HTTP requests.

Data in transit

Data Loss Prevention complements Secure Web Gateway to detect sensitive data transferred in HTTP requests. DLP scans the HTTP body (excluding headers), which may include uploaded or downloaded files, chat messages, forms, and other web content. You can also use DLP with Email security to scan outbound emails.

DLP requires Gateway HTTP filtering with TLS decryption to read the contents of HTTPS traffic in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a Do Not Inspect policy).

To get started, refer to Scan HTTP traffic with DLP.

Data at rest

Data Loss Prevention complements Cloudflare CASB (Cloud Access Security Broker) to detect sensitive data stored in your SaaS applications. CASB connects directly to SaaS application APIs to retrieve and scan files, rather than reading files as they pass through Cloudflare Gateway. Because of this, Gateway and Cloudflare One Client settings (such as Do Not Inspect policies and Split Tunnel configurations) do not affect data at rest scans.

To get started, refer to Scan SaaS applications with DLP.

AI traffic

Data Loss Prevention integrates with Cloudflare AI Gateway to scan AI prompts and responses for sensitive data. When DLP is enabled on an AI Gateway, it inspects the text content of requests sent to AI providers and responses returned from AI models, without requiring Gateway HTTP filtering or TLS decryption.

To get started, refer to Set up DLP for AI Gateway.

Troubleshooting

For help resolving common issues with DLP, refer to Troubleshoot DLP.

Supported file types

Formats

DLP supports reporting and scanning the following file types:

  • Text and CSV
  • Microsoft Office 2007 and later (.docx, .xlsx, .pptx), including Microsoft 365
  • PDF
  • ZIP files containing the above

DLP will scan the text contained in text, Microsoft Office, and PDF files.

Size

DLP can scan files less than or equal to 100 MB in size. ZIP files can be recursively compressed a maximum of 10 times, and each content file within the ZIP file must be less than or equal to 200 MB in uncompressed size.
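The format and size limits above can be checked before relying on DLP coverage for a given file. The following Python sketch is an added example, not Cloudflare code: it walks a file or ZIP archive in memory and lists every item that falls outside the documented limits. It assumes that "recursively compressed a maximum of 10 times" means at most 10 ZIP layers and that "Text" maps to `.txt`; the function names `coverage_gaps` and `nest` are hypothetical.

```python
import io
import os
import zipfile

MAX_FILE_BYTES = 100 * 1024 * 1024    # top-level file limit stated above
MAX_MEMBER_BYTES = 200 * 1024 * 1024  # per content file in a ZIP, uncompressed
MAX_ZIP_DEPTH = 10                    # assumption: 10 ZIP layers, outermost = layer 1
# Assumption: extensions for the listed formats (".txt" for "Text" is a guess).
SCANNABLE = {".txt", ".csv", ".docx", ".xlsx", ".pptx", ".pdf"}

def coverage_gaps(name, data, depth=0, top=True):
    """Return reasons why `data` (bytes) may fall outside the documented limits."""
    if top and len(data) > MAX_FILE_BYTES:
        return [f"{name}: larger than 100 MB"]
    ext = os.path.splitext(name)[1].lower()
    if ext != ".zip":
        return [] if ext in SCANNABLE else [f"{name}: unsupported file type"]
    if depth + 1 > MAX_ZIP_DEPTH:
        return [f"{name}: nested deeper than {MAX_ZIP_DEPTH} ZIP layers"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: not a readable ZIP"]
    gaps = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            # Check the declared size first so oversized members are never inflated.
            if info.file_size > MAX_MEMBER_BYTES:
                gaps.append(f"{path}: over 200 MB uncompressed")
            else:
                gaps += coverage_gaps(path, zf.read(info), depth + 1, top=False)
    return gaps

def nest(layers):
    """Constructed sample: note.txt wrapped in `layers` ZIP layers."""
    name, data = "note.txt", b"constructed sample"
    for _ in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        name, data = "inner.zip", buf.getvalue()
    return data
```

An empty list means the file is within the limits listed on this page; it does not confirm that a DLP profile would match its contents.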