Privacera Platform

Workflow Expunge Policy

The Workflow Expunge policy removes sensitive data from resources based on specified tags. This policy accepts only the newline-delimited JSON record format. The Workflow Expunge policy is not supported for nested files.

Workflow Expunge policy supported data sources

The Workflow Expunge policy can be applied to the following data sources:

  • AWS S3

  • Azure ADLS

Workflow Expunge policy supported file formats

For a list of supported file formats that the Workflow Expunge policy can be applied to, see Supported file formats by policy type.

Workflow Expunge policy fields

The Workflow Expunge policy has the following fields:

  • Name: The name of the Workflow Expunge policy.

  • Type: The type of policy.


    The Workflow Expunge policy is not visible in the dropdown of policies by default. To configure it, see Workflow Expunge Policy Setup.

  • Alert Level: The level of alert: high, medium or low.

  • Description: A description of the Workflow Expunge policy.

  • Status: A toggle to enable or disable the Workflow Expunge policy. It is enabled by default.

  • Application: The data source from which the scanned resources can be accessed and where the Workflow Expunge policy will be applied.

  • Transfer Location: The location that the input file is transferred to if no tagged records match the tags specified in the policy.

  • Quarantine Location: The location to which the input file is moved after the sensitive data is removed.

  • Archive Location (Optional): The location of a copy of the original file.

  • Search for tags: Tags that help in identifying or classifying the data to be tagged and then expunged.

Add a resource to a data zone

To add a resource to a data zone, see Add resources.

If the policy conditions are met when you run a scan on a data zone (matching sensitive tags, a file size that exceeds the maximum limit, or an excluded data type), the sensitive data is deleted from the file and moved to a quarantine location. Non-sensitive data is moved to a transfer location.