Policies are pre-configured detection rules that combine entity types and confidence thresholds into reusable configurations. They simplify PII detection and ensure consistency across your organization.
Why use policies? Instead of specifying entities and thresholds in every API call, use a policy name. This ensures consistent detection rules across your entire application and makes compliance easier.

Understanding Policies

A policy defines:
  • Entity Types: Which types of sensitive data to detect (e.g., person, email, SSN)
  • Detection Threshold: Minimum confidence level (0.0-1.0) for detections
  • Use Case: The compliance framework or business need it addresses

Policy Benefits

  • Consistency: Same detection rules across all applications and teams
  • Compliance: Pre-configured for GDPR, HIPAA, PCI DSS standards
  • Simplicity: One parameter instead of listing 15+ entity types
  • Maintainability: Update a policy once and apply it everywhere instantly

Global Policies

Blindfold provides 5 pre-configured global policies for common use cases and compliance frameworks.

Available Global Policies

Policy: basic
Best for: General applications, basic privacy protection
Threshold: 0.30 (more permissive, catches more)
Entity Types (3):
  • Person names
  • Email addresses
  • Phone numbers
Use when: You need simple, fast PII detection without regulatory requirements.

# Quick start with basic protection
result = client.tokenize(
    text="Contact John at john@example.com",
    policy="basic"
)

Policy: gdpr_eu
Best for: European data protection, Article 4(1) personal data
Threshold: 0.35 (balanced)
Entity Types (15+):
  • Person, Email, Phone Number, Address
  • National ID Number, Passport Number
  • Tax ID, Bank Account, IBAN, Credit Card
  • Date of Birth, IP Address
  • Health Insurance Number, Medical Condition
Compliance: GDPR Article 4(1) - “Personal Data”
Use when: Processing EU citizen data or operating in the European market.

# GDPR-compliant detection
result = client.tokenize(
    text="Customer: Maria Schmidt, Email: maria@example.de",
    policy="gdpr_eu"
)

Policy: hipaa_us
Best for: US healthcare, HIPAA Protected Health Information (PHI)
Threshold: 0.40 (stricter, fewer false positives)
Entity Types (11+):
  • Person, Email, Phone Number
  • Social Security Number
  • Health Insurance Number, Medical Condition
  • Medication, Insurance Company
  • Date of Birth, Address
Compliance: HIPAA 45 CFR § 164.514(b) - “Protected Health Information”
Use when: Handling patient data, healthcare records, or medical information.

# HIPAA-compliant detection
result = client.tokenize(
    text="Patient: John Doe, SSN: 123-45-6789, Diagnosis: Type 2 Diabetes",
    policy="hipaa_us"
)

Policy: pci_dss
Best for: Payment processing, cardholder data protection
Threshold: 0.45 (strict, high confidence)
Entity Types (8+):
  • Credit Card Number, Credit Card Brand
  • Credit Card Expiration Date, CVV/CVC
  • Bank Account Number, IBAN
  • Person, Email
Compliance: PCI DSS Requirement 3 - “Protect Stored Cardholder Data”
Use when: Processing payments, storing transaction data, or handling credit cards.

# PCI DSS-compliant detection
result = client.tokenize(
    text="Card: 4532-7562-9102-3456, CVV: 123, Exp: 12/25",
    policy="pci_dss"
)

Policy: strict
Best for: High-security environments, comprehensive PII protection
Threshold: 0.25 (most permissive, maximum detection)
Entity Types (60+):
  • All personal identifiers (Person, Email, Phone)
  • All government IDs (SSN, Passport, Driver’s License, National ID)
  • All financial data (Credit Cards, Bank Accounts, IBAN, Tax ID)
  • All healthcare data (Medical Conditions, Medications, Health Insurance)
  • All digital identifiers (IP Address, Username, Social Media)
  • All travel data (Flight Numbers, Reservation Numbers)
  • All additional types (License Plates, Student IDs, Serial Numbers)
Use when: Maximum security is required, regulatory compliance is critical, or handling highly sensitive data.

# Maximum protection
result = client.tokenize(
    text="Comprehensive data protection for all PII types",
    policy="strict"
)

Policy Comparison

Policy     Entities   Threshold   Speed             Use Case
basic      3          0.30        ⚡⚡⚡ Fastest      General apps
gdpr_eu    15+        0.35        ⚡⚡ Fast          EU data protection
hipaa_us   11+        0.40        ⚡⚡ Fast          US healthcare
pci_dss    8+         0.45        ⚡⚡⚡ Very Fast    Payment processing
strict     60+        0.25        ⚡ Moderate       Maximum security

Custom Policies

Create custom policies tailored to your specific business needs through the Blindfold Dashboard.

When to Create Custom Policies

  • Industry-Specific Needs: Your industry requires specific entity types not covered by global policies
  • Custom Thresholds: You need different confidence levels than the global policies provide
  • Subset Detection: You only need a few specific entity types from a larger policy
  • Team Standards: Enforce consistent detection rules across development teams

Creating a Custom Policy

Custom policies are created and managed through the Blindfold Dashboard:
  1. Access Dashboard: Navigate to app.blindfold.dev and sign in
  2. Go to Policies: Click on “Policy Configuration” in the left sidebar
  3. Create Policy: Click the “Create Custom Policy” button
  4. Configure Settings:
     • Name: Choose a unique policy name (e.g., internal_hr_policy)
     • Description: Optional description of the policy’s purpose
     • Entity Types: Select which PII types to detect
     • Threshold: Set confidence level (0.0-1.0)
  5. Save and Use: Save the policy and use it immediately in your API calls

Custom Policy Examples

# Custom policy for employee data
result = client.tokenize(
    text="Employee: John Doe, SSN: 123-45-6789, DOB: 1990-05-15",
    policy="internal_hr_policy"  # Custom policy created in dashboard
)

Using Policies in API Calls

With SDKs

Policies work seamlessly with all Blindfold SDKs:
from blindfold import Blindfold

client = Blindfold(api_key="your-api-key")

# Use global policy
result = client.tokenize(
    text="Patient data...",
    policy="hipaa_us"
)

# Use custom policy
result = client.tokenize(
    text="Employee data...",
    policy="my_custom_policy"
)

With REST API

Policies work with all privacy method endpoints:
curl -X POST https://api.blindfold.dev/api/public/v1/tokenize \
  -H "X-API-Key: your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "text": "Contact John at john@example.com",
    "policy": "gdpr_eu"
  }'

Best Practices

1. Choose the Right Policy

  1. Identify Requirements: Determine compliance needs (GDPR, HIPAA, PCI DSS) and the data types you handle
  2. Start with Global: Use global policies when they match your requirements
  3. Customize When Needed: Create custom policies for specific business needs

2. Policy Naming Conventions

For custom policies, use clear, descriptive names:
internal_hr_policy
customer_support_pii
finance_reporting_data
marketing_contact_info
legal_document_redaction

3. Document Your Policies

For each custom policy, document:
  • Purpose: Why the policy exists
  • Entity Types: What it detects
  • Threshold: Confidence level and reasoning
  • Use Cases: Where it should be used
  • Owner: Team or person responsible

4. Regular Review

Policy Maintenance Checklist

  • Quarterly: Review policy effectiveness
  • After incidents: Update based on false positives/negatives
  • Compliance changes: Adjust when regulations update
  • New features: Update when new entity types are available

Policy vs. Manual Configuration

When to Use Policies

Use policies when:
  • You need consistent detection across multiple applications
  • You’re subject to compliance regulations (GDPR, HIPAA, PCI DSS)
  • Multiple teams use the same detection rules
  • You want simplified API calls
  • You need centralized management

When to Use Manual Configuration

Use manual configuration (entities + score_threshold) when:
  • One-off or experimental detection
  • Testing different entity combinations
  • Highly specialized single-use cases
  • You need maximum flexibility

# Consistent, maintainable, compliant
result = client.tokenize(
    text="Your text",
    policy="gdpr_eu"  # One parameter, 15+ entities
)
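As an added example (not Blindfold’s SDK and not code from this page), the following local model shows what a policy bundles per the “Understanding Policies” definition and why the policy and manual paths above are interchangeable: it resolves either a policy name or a manual entities + score_threshold pair into the same request parameters, derives a custom policy from a global one, and rejects an unknown or deleted name the way the API does. The PolicyRegistry class and the entity identifiers are assumptions for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    entities: FrozenSet[str]
    score_threshold: float   # minimum confidence, 0.0-1.0
    is_global: bool = False  # global policies are fixed; custom ones belong to one tenant


# Constructed local model of two of the page's five global policies (basic, pci_dss).
# The entity identifiers are assumed names for this example, not the product's own.
GLOBAL_POLICIES = {
    "basic": Policy("basic", frozenset({"person", "email", "phone_number"}), 0.30, True),
    "pci_dss": Policy("pci_dss", frozenset({
        "credit_card_number", "credit_card_brand", "credit_card_expiration", "cvv",
        "bank_account_number", "iban", "person", "email"}), 0.45, True),
}


class PolicyRegistry:
    """Holds one tenant's custom policies and resolves a call to entities + score_threshold."""

    def __init__(self) -> None:
        self.custom: dict = {}

    def create_custom(self, name: str, base: str, entities: Optional[Iterable[str]] = None,
                      score_threshold: Optional[float] = None) -> Policy:
        """Derive a custom policy from a global one, overriding entities and/or threshold."""
        if name in GLOBAL_POLICIES or name in self.custom:
            raise ValueError(f"policy name must be unique: {name}")
        parent = GLOBAL_POLICIES[base]
        ents = parent.entities if entities is None else frozenset(entities)
        thr = parent.score_threshold if score_threshold is None else score_threshold
        if not ents or not 0.0 <= thr <= 1.0:
            raise ValueError("need at least one entity and a threshold within 0.0-1.0")
        self.custom[name] = Policy(name, ents, thr)
        return self.custom[name]

    def resolve(self, policy: Optional[str] = None, entities: Optional[Iterable[str]] = None,
                score_threshold: Optional[float] = None) -> dict:
        """Map either a policy name or a manual configuration to one request shape."""
        if policy is not None:
            found = GLOBAL_POLICIES.get(policy) or self.custom.get(policy)
            if found is None:  # the API answers 404 for an unknown or deleted policy
                raise LookupError(f"unknown policy: {policy}")
            return {"entities": sorted(found.entities), "score_threshold": found.score_threshold}
        if not entities or score_threshold is None:
            raise ValueError("manual configuration needs both entities and score_threshold")
        return {"entities": sorted(set(entities)), "score_threshold": float(score_threshold)}
```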

Compliance Mapping

GDPR (General Data Protection Regulation)

Policy: gdpr_eu
Article 4(1) - Personal Data: Any information relating to an identified or identifiable natural person.
Covered by Blindfold:
  • Names, contact details (email, phone, address)
  • Identification numbers (national ID, passport, tax ID)
  • Financial data (bank accounts, credit cards)
  • Health data (medical conditions, health insurance)
  • Online identifiers (IP addresses)

HIPAA (Health Insurance Portability and Accountability Act)

Policy: hipaa_us
45 CFR § 164.514(b) - Protected Health Information (PHI)
18 HIPAA Identifiers Covered:
  1. Names ✅
  2. Geographic subdivisions ✅ (Address)
  3. Dates (birth) ✅
  4. Phone numbers ✅
  5. Email addresses ✅
  6. Social Security Numbers ✅
  7. Medical record numbers ✅
  8. Health plan numbers ✅ (Health Insurance Number)
  9. Account numbers ✅ (Bank Account)
  10. Certificate/license numbers ✅
  11-18. Additional identifiers ✅

PCI DSS (Payment Card Industry Data Security Standard)

Policy: pci_dss
Requirement 3 - Protect Stored Cardholder Data
Primary Account Number (PAN) Protection:
  • Credit card numbers ✅
  • CVV/CVC codes ✅
  • Expiration dates ✅
  • Cardholder names ✅
  • Bank account numbers ✅

FAQ

Can I modify global policies?
No, global policies are fixed to ensure compliance standards. However, you can create a custom policy based on a global policy and modify it to your needs.

How many custom policies can I create?
No limit. Create as many custom policies as your organization needs.

Can custom policies be shared across organizations?
No, custom policies are tenant-specific. Each organization manages its own policies. Global policies are available to all tenants.

What happens if I delete a policy that applications still use?
API calls using the deleted policy will fail with a 404 error. Ensure you update your applications before deleting a policy.

Can policies be versioned?
Not directly, but you can create new policies with version numbers in the name (e.g., hr_policy_v1, hr_policy_v2) and migrate gradually.
Which policy should I use?
  • GDPR compliance? → gdpr_eu
  • Healthcare data? → hipaa_us
  • Payment processing? → pci_dss
  • General apps? → basic
  • Maximum security? → strict
  • Custom needs? → Create a custom policy
