For Agents
Detect, classify, and de-identify sensitive data across text, images, and structured stores for compliance and LLM safety.
Get started with Sensitive Data Protection (DLP) in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"redact PII from text"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with Sensitive Data Protection (DLP) API.
Inspect content for sensitive infoTypes (PII, PHI, credentials) inline or via batch jobs
De-identify text by masking, tokenising, or format-preserving encryption
Re-identify previously tokenised data using stored crypto keys
Run hybrid inspection that streams from external agents back to DLP
Use for: Inspect a block of text for credit card numbers and email addresses, De-identify a customer record before sending it to an LLM, List all built-in infoTypes available in DLP, Run a column data profile across a BigQuery dataset
Not supported: Does not encrypt files at rest, manage OAuth tokens, or block network traffic — use for content-level sensitive data inspection, redaction, and re-identification only.
Google Sensitive Data Protection (formerly Cloud DLP) is a fully managed service for discovering, classifying, and de-identifying sensitive data such as PII, PHI, and credentials inside text, images, and structured stores. The API supports built-in and custom infoTypes, inspection jobs, deidentify and reidentify operations, hybrid inspection from agents, and continuous data profiling across BigQuery and Cloud Storage. Teams use it for compliance (GDPR, HIPAA), tokenisation, and pre-prompt sanitisation of LLM inputs.
List built-in and custom infoTypes available in a project
Profile column data in BigQuery to surface sensitive columns continuously
Patterns agents use Sensitive Data Protection (DLP) API for, with concrete tasks.
★ Pre-Prompt LLM Sanitisation
Before sending user content to an LLM, route it through DLP's deidentify endpoint to mask PII, replace names with surrogates, or tokenise account numbers. This keeps prompts compliant with data-handling policies and prevents leakage of customer data into model logs. The deidentify call returns transformed text in a single round-trip.
Call deidentify on the text 'Customer email is alice@example.com, card 4111-1111-1111-1111' with infoTypes EMAIL_ADDRESS and CREDIT_CARD_NUMBER, replacing matches with surrogate tokens.
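The request body for the task above and a fail-closed check on the response, as an added example that is not Jentic's or Google's code. It assumes `replaceWithInfoTypeConfig` (non-reversible placeholders) in place of keyed surrogate tokenisation; the function names and `SAMPLE_RESPONSE` are constructed for illustration.

```python
# Added example: names, sample data and SAMPLE_RESPONSE are constructed.
PROMPT = "Customer email is alice@example.com, card 4111-1111-1111-1111"
INFO_TYPES = ["EMAIL_ADDRESS", "CREDIT_CARD_NUMBER"]

def build_deidentify_request(text, info_types):
    """JSON body for POST /v2/projects/{project}/content:deidentify."""
    types = [{"name": name} for name in info_types]
    return {
        "item": {"value": text},
        "inspectConfig": {"infoTypes": types},
        "deidentifyConfig": {"infoTypeTransformations": {"transformations": [{
            "infoTypes": types,
            # Each match becomes its infoType name in brackets (not reversible).
            "primitiveTransformation": {"replaceWithInfoTypeConfig": {}},
        }]}},
    }

def safe_prompt(response):
    """Return (text, counts); raise so a partly transformed prompt is never sent."""
    text = response.get("item", {}).get("value")
    if not text:
        raise ValueError("response carries no de-identified text")
    counts = {}
    for summary in response.get("overview", {}).get("transformationSummaries", []):
        name = summary.get("infoType", {}).get("name", "UNKNOWN")
        for result in summary.get("results", []):
            if result.get("code") != "SUCCESS":
                raise ValueError(f"{name}: transformation {result.get('code')}")
            counts[name] = counts.get(name, 0) + int(result.get("count", 0))
    return text, counts

# Constructed response in the shape of DeidentifyContentResponse.
SAMPLE_RESPONSE = {
    "item": {"value": "Customer email is [EMAIL_ADDRESS], card [CREDIT_CARD_NUMBER]"},
    "overview": {"transformationSummaries": [
        {"infoType": {"name": "EMAIL_ADDRESS"}, "results": [{"count": "1", "code": "SUCCESS"}]},
        {"infoType": {"name": "CREDIT_CARD_NUMBER"}, "results": [{"count": "1", "code": "SUCCESS"}]},
    ]},
}

if __name__ == "__main__":
    print(build_deidentify_request(PROMPT, INFO_TYPES))
    print(safe_prompt(SAMPLE_RESPONSE))
```

The per-infoType counts are suitable for audit logging because they record what was replaced without recording the values themselves.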
Continuous Data Profiling
Use the column data profile endpoints to discover sensitive columns across a BigQuery estate continuously. DLP scans tables on a schedule, returns findings per column with confidence scores, and feeds tags back to the data catalogue. Compliance teams use the profiles to drive masking policies and access reviews.
List columnDataProfiles for a project's BigQuery scan, then return columns with infoType SOCIAL_SECURITY_NUMBER and confidence at least HIGH.
Hybrid Inspection from External Agents
When data lives outside Google Cloud, the hybridInspect endpoint lets external agents stream payloads to DLP for inspection without first staging them in GCS. Useful for on-premise applications or third-party SaaS connectors — DLP returns findings without persisting the inspected data.
Send a hybridInspect request with payload containing 200 chat-message records and infoTypes PERSON_NAME and PHONE_NUMBER, then aggregate the returned findings by infoType.
Agent-Driven Compliance Sweep
Through Jentic, an AI agent can run a compliance sweep on a content store before publishing — calling DLP inspect on each item, redacting matches via deidentify, and tagging items that need human review. Credentials are scoped per agent run by the MAXsystem vault.
Use Jentic to search 'inspect text for sensitive data', load the inspect schema, and execute it for each of 50 articles, returning the count of findings per article.
32 endpoints — Google Sensitive Data Protection (formerly Cloud DLP) is a fully managed service for discovering, classifying, and de-identifying sensitive data such as PII, PHI, and credentials inside text, images, and structured stores.
METHOD
PATH
DESCRIPTION
/v2/infoTypes
List built-in DLP infoTypes
/v2/{+name}:hybridInspect
Stream a hybrid inspection request from an external agent
/v2/{+name}:cancel
Cancel a running DLP job
/v2/{+name}:activate
Activate a job trigger
/v2/{+name}:finish
Finish a hybrid job stream
/v2/{+parent}/columnDataProfiles
List BigQuery column data profiles
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google OAuth tokens for DLP are stored encrypted in the Jentic vault (MAXsystem). Agents receive scoped, short-lived tokens with cloud-platform scope only — service-account keys and any Cloud KMS keys used for tokenisation never enter the agent runtime.
Intent-based discovery
Agents search by intent (e.g., 'redact PII from text') and Jentic returns the matching deidentify operation with its parameter schema across the 32-endpoint surface.
Time to first call
Direct DLP integration: 2-4 days for OAuth, infoType configuration, transformation templates, and KMS wiring for reversible tokenisation. Through Jentic: under 1 hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Cloud Key Management Service (KMS) API
Manages crypto keys used by DLP for tokenisation and re-identification
Use Cloud KMS to provision the keys; use DLP to apply them via cryptoReplaceFfxFpeConfig and reidentify.
Secret Manager API
Stores credentials and tokens that DLP can scan for in code repositories
Use Secret Manager to manage secrets; use DLP to detect leaked secrets in text content.
Cloud Asset Inventory API
Inventories Google Cloud resources — different from DLP's content-level inspection
Choose Cloud Asset Inventory for resource-level metadata; choose DLP for content-level sensitive data discovery and redaction.
Specific to using Sensitive Data Protection (DLP) API through Jentic.
What authentication does the Sensitive Data Protection (DLP) API use?
OAuth 2.0 with the cloud-platform scope. Through Jentic, OAuth tokens are scoped per agent run and stored encrypted in the MAXsystem vault, so service-account JSON keys never enter the agent runtime.
Can I de-identify text with reversible tokenisation?
Yes. Use a deidentify config with cryptoReplaceFfxFpeConfig (format-preserving encryption) backed by a Cloud KMS key. The reidentify endpoint reverses the transformation when the same key and config are supplied.
What are the rate limits for the DLP API?
DLP enforces per-project quotas: a default of 600 inspect calls per minute, with separate budgets for deidentify, hybridInspect, and risk-analysis jobs. Long-running scans count against batch quotas. Check current limits in the Google Cloud Console.
How do I list all available infoTypes through Jentic?
Search 'list DLP infoTypes', load the schema for /v2/infoTypes, then execute it. Jentic returns the parsed list of every built-in infoType DLP recognises (PERSON_NAME, EMAIL_ADDRESS, CREDIT_CARD_NUMBER, and many more).
Does DLP support custom infoTypes?
Yes. You can define custom regular-expression dictionaries, word lists, or stored infoTypes (built from Cloud Storage manifest files), and reference them in inspect or deidentify configs alongside built-in infoTypes.
Is the Sensitive Data Protection API free?
No. Pricing is per gigabyte of inspected or de-identified content, with separate rates for hybrid inspection, BigQuery profiling, and image inspection. Check current pricing in the Google Cloud Console.