
Privacera Documentation

Expunge policy

The Expunge policy removes sensitive information such as usernames and email addresses from your data. This information is moved into a quarantine folder.

The fields in the lookup file are compared with the records in the resource files. If a tag is found, that is, the value in the lookup file matches the value in the resource file for one of the tags listed under Search for tags, then that field value is deleted from the resource file. Ensure that the column header in the lookup file matches the name of the tag to be searched.

Note

The resource file should be scanned before applying the Expunge policy. The Expunge policy does not work on real-time or offline scans.

Expunge policy supported data sources

The Expunge policy supports the following data sources. Click the tab to display the data sources that are supported in the cloud.

  • AWS

    • S3

    • Snowflake

    • Redshift

    • AuroraDB Postgres

    • AuroraDB MySQL

    • PostgreSQL

  • Microsoft Azure

    • MSSQL Server Synapse

  • GCP

    • Google Cloud Storage

Expunge policy supported file formats

For a list of supported file formats that the Expunge policy can be applied to, see Supported file formats by workflow policy type.

Expunge policy fields

The following fields are included in the Expunge policy:

  • Name: The name of the Expunge policy.

  • Type: The type of policy.

  • Alert Level: The level of alert: high, medium or low.

  • Description: The description of the Expunge policy.

  • Status: A toggle to enable or disable the policy. It is enabled by default.

  • Application: The data source from which the scanned resources can be accessed and where the Expunge policy will be applied.

  • Lookup Application: The name of the data source containing the lookup file. The lookup file should be in .csv format, with tag names as the header columns.

  • Lookup File Location: The location of the lookup file.

  • Quarantine Location: The location of the data removed from the input file.

    Note

    Some applications such as Snowflake and Presto SQL follow the [Db].[Schema].[Table] hierarchy. You need to provide the Quarantine location in the correct format [Db].[Schema] for these applications.

  • Archive Location (Optional): The location of a copy of the original file.

    Note

    Some applications such as Snowflake and Presto SQL follow the [Db].[Schema].[Table] hierarchy. You need to provide the Archive location in the correct format [Db].[Schema] for these applications.

  • Search for tags: Tags that identify and classify the data to be removed.

  • Auto Run: If this feature is enabled, the Expunge policy is applied after a specified time interval.

Example 5. Expunge policy example

  • Lookup File Location: Add a .csv file to the Lookup File Location field. The file specifies, by tag, which sensitive data needs to be removed from resources. For example: a file named input.csv with an EMAIL column containing sample@gmail.com.

  • When the resource file is scanned, if a field tagged EMAIL matches “sample@gmail.com”, then that row is removed.

Consider the following example:

  1. A file, test_file.csv, is added to a data zone. EMAIL is added under Search for tags.

  2. The scheduler is triggered and the system applies the Expunge policy to the resource (test_file.csv).

  3. After applying the Expunge policy, a row in test_file.csv that contains sensitive information is removed from the file and moved to the specified quarantine location.
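The matching rule described above (lookup column header equals the tag name, lookup values compared with the tagged fields of the resource, matching rows moved to quarantine, original optionally archived) can be modelled in a few lines. The following is an added illustration written for this page, not Privacera's implementation: the CSV contents, the tag-to-column map `TAG_COLUMNS` (which in the product comes from the earlier scan) and the function names are all constructed assumptions.

```python
"""
Simplified model of one Expunge pass over a CSV resource file.
Illustrative code for this page; not Privacera's implementation.
"""
import csv
import io

# Constructed sample lookup file: header columns are tag names, one
# sensitive value per cell (empty cells are ignored).
LOOKUP_CSV = """EMAIL,USERNAME
sample@gmail.com,jdoe
other@example.com,
"""

# Constructed sample resource file.
RESOURCE_CSV = """id,login,email,amount
1,jdoe,sample@gmail.com,10
2,asmith,asmith@example.com,20
3,bjones,other@example.com,30
4,jdoe2,jdoe@example.com,40
"""

# Assumed result of the prior scan: which resource column carries which tag.
TAG_COLUMNS = {"EMAIL": "email", "USERNAME": "login"}


def load_lookup(lookup_text, search_tags):
    """Return {tag: set(values)} for the tags the policy searches for.

    Raises ValueError when the lookup header lacks a searched tag, which is
    the mismatch the page warns about (header must equal the tag name).
    """
    reader = csv.DictReader(io.StringIO(lookup_text))
    missing = set(search_tags) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"lookup header lacks tag columns: {sorted(missing)}")
    values = {tag: set() for tag in search_tags}
    for row in reader:
        for tag in search_tags:
            cell = (row.get(tag) or "").strip()
            if cell:
                values[tag].add(cell)
    return values


def _dump(fields, rows):
    """Serialise rows back to CSV text with the original header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def expunge(resource_text, lookup_text, search_tags, tag_columns):
    """Apply the policy to one resource.

    Returns (kept_csv, quarantine_csv, archive_csv): the cleaned resource,
    the removed rows destined for the Quarantine Location, and an untouched
    copy for the optional Archive Location.
    """
    lookup = load_lookup(lookup_text, search_tags)
    reader = csv.DictReader(io.StringIO(resource_text))
    fields = reader.fieldnames
    kept, quarantined = [], []
    for row in reader:
        # A row is a hit when any searched tag's column holds a lookup value.
        hit = any(
            row.get(tag_columns[tag], "").strip() in lookup[tag]
            for tag in search_tags
            if tag in tag_columns
        )
        (quarantined if hit else kept).append(row)
    return _dump(fields, kept), _dump(fields, quarantined), resource_text


if __name__ == "__main__":
    cleaned, quarantine, archive = expunge(
        RESOURCE_CSV, LOOKUP_CSV, ["EMAIL"], TAG_COLUMNS
    )
    print("cleaned resource:\n" + cleaned)
    print("quarantine:\n" + quarantine)
```

Running it with only EMAIL searched moves rows 1 and 3 to quarantine and leaves rows 2 and 4; row 4 survives even though its email contains "jdoe", because matching is on whole field values, not substrings. Note that the quarantine output concentrates exactly the sensitive values the policy was meant to remove, so the Quarantine Location needs access controls at least as strict as the original resource.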