Scan for sensitive data
You can use Cloudflare Data Loss Prevention (DLP) to discover if files stored in a SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then add the profile to a CASB integration.
- Amazon Web Services (AWS) S3
- Box
- Dropbox
- Google Cloud Platform (GCP) Cloud Storage
- Google Drive
- Microsoft OneDrive
- Microsoft SharePoint
You may either use DLP profiles predefined by Cloudflare, or create your own custom profiles based on regex, predefined detection entries, datasets, and document fingerprints.
- In Zero Trust, go to Data loss prevention > DLP profiles.
- Choose a predefined profile and select Configure.
- Enable one or more Detection entries according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries.
- Select Save profile.
Your DLP profile is now ready to use with CASB.
- In Zero Trust, go to Data loss prevention > DLP profiles.
- Select Create profile.
- Enter a name and optional description for the profile.
- Add custom or existing detection entries.
  Add a custom entry
  - Select Add custom entry and give it a name.
  - In Value, enter a regular expression (or regex) that defines the text pattern you want to detect. For example, test\d\d will detect the word test followed by two digits.
    - Regular expressions are written in Rust. We recommend validating your regex with Rustexp.
    - DLP detects UTF-8 characters, which can be up to 4 bytes each. Custom text pattern detections are limited to 1024 bytes in length.
    - DLP does not support regular expressions with + or * operators because they are prone to exceeding the length limit. For example, the regex pattern a+ can detect an infinite number of a characters. We recommend using a{min,max} instead, such as a{1,1024}.
  - To save the detection entry, select Done.
  Add existing entries
  Existing entries include predefined and user-defined detection entries.
  - Select Add existing entries.
  - Choose which entries you want to add, then select Confirm.
  - To save the detection entry, select Done.
- (Optional) Configure profile settings for the profile.
- Select Save profile.
Your DLP profile is now ready to use with CASB.
For more information, refer to Configure a DLP profile.
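The regex limits described above can be checked before a pattern is pasted into the Value field. The following is an added example, not Cloudflare code: lint_dlp_regex and MAX_BYTES are hypothetical names, and it does not validate regex syntax. Flagging open-ended {n,} repetitions and {min,max} bounds above 1024 is an assumption of this example, since every repeated character is at least one byte.

```rust
// Added example: pre-check a custom DLP regex (hypothetical helper, std only).
const MAX_BYTES: usize = 1024; // detection length limit stated on this page

/// Returns one message per problem found; an empty Vec means the pattern passed.
fn lint_dlp_regex(pattern: &str) -> Vec<String> {
    let mut issues = Vec::new();
    let chars: Vec<char> = pattern.chars().collect();
    let mut in_class = false; // inside [...], where + and * are literals
    let mut i = 0;
    while i < chars.len() {
        match chars[i] {
            '\\' => {
                i += 1; // skip the escaped character: \+ and \* are literals
                if matches!(chars.get(i).copied(), Some('x' | 'u' | 'p' | 'P')) && chars.get(i + 1) == Some(&'{') {
                    while i < chars.len() && chars[i] != '}' { i += 1; } // \x{..} is not a repetition
                }
            }
            '[' if !in_class => in_class = true,
            ']' if in_class => in_class = false,
            '+' | '*' if !in_class => issues.push(format!(
                "unbounded '{}' at offset {}: use {{min,max}} instead", chars[i], i)),
            '{' if !in_class => {
                // Read the repetition body up to the closing brace.
                if let Some(end) = chars[i..].iter().position(|&c| c == '}').map(|p| i + p) {
                    let body: String = chars[i + 1..end].iter().collect();
                    let max = body.rsplit(',').next().unwrap_or("").trim();
                    match max.parse::<usize>() {
                        Ok(n) if n > MAX_BYTES => issues.push(format!(
                            "repetition {{{}}} can exceed {} bytes", body, MAX_BYTES)),
                        Err(_) if body.contains(',') => issues.push(format!(
                            "repetition {{{}}} has no upper bound", body)), // assumption: treated like + and *
                        _ => {}
                    }
                    i = end;
                }
            }
            _ => {}
        }
        i += 1;
    }
    issues
}

fn main() {
    // Constructed sample patterns, not taken from any real profile.
    for p in [r"test\d\d", r"a+", r"a{1,1024}", r"key-[0-9a-f]{16,}", r"[+*]\+x{1,4096}"] {
        println!("{:<24} {:?}", p, lint_dlp_regex(p));
    }
}
```

The scanner is deliberately simple and does not track nested character classes such as [[:alpha:]].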
- In Zero Trust, go to CASB > Integrations.
- Select Add integration and choose a supported integration.
- During the setup process, you will be prompted to select DLP profiles for the integration.
- Select Save integration.
CASB will scan every publicly accessible file in the integration for text that matches the DLP profile. The initial scan may take up to a few hours to complete.
- In Zero Trust, go to CASB > Integrations.
- Choose a supported integration and select Configure.
- Under DLP profiles, select the profiles that you want the integration to scan for.
- Select Save integration.
If you enable a DLP profile from the Manage integrations page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes:
- Contents of the file
- Name of the file
- Visibility of the file (only if changed to publicly accessible)
- Owner of the file
- Location of the file (for example, moved to a different folder)
In order to scan historical data, you must enable the DLP profile during the integration setup flow.
DLP in CASB will only scan:
- Text-based files such as documents, spreadsheets, and PDFs. Images are not supported.
- Files less than or equal to 100 MB in size.
- Source code with a minimum size of 5 KB for Java and R.