PII and Data Governance

Ema can detect personally identifiable information (PII) in the content it processes and apply a masking policy before that content is shown to a user or sent to an external model or integration. As a tenant admin you control two things: how detected data appears to people inside Ema, and what detected data is allowed to leave Ema for LLMs and third-party integrations.

These controls live on the PII Management tab at /admin/governance/pii, alongside the audit log.

Enabled per tenant. PII governance is gated by the pii_masking feature flag. When it is off, the PII Management tab is hidden and the Governance page shows only the audit log. If you don't see the tab, the feature isn't turned on for your tenant — contact your Ema representative.

Who can manage PII policy. PII governance is a system_admin surface. The PII access log is restricted to system_admin as well — see the audit log.

How detection works

Ema classifies detected data into a fixed taxonomy of entity types (for example EMAIL_ADDRESS, US_SOCIAL_SECURITY_NUMBER, CREDIT_CARD_NUMBER, PERSON_NAME). Each entity type belongs to one or more categories — financial, credentials, healthcare, personal, government, device, or protected. The taxonomy follows the Google Cloud DLP infoType naming convention (UPPER_SNAKE_CASE), which aligns with common compliance references.

When PII is detected, Ema can replace it with a stable pseudonym token (for example PERSON_48291037 or EMAIL_73920156) that can be reversed back to the original only where policy permits.

Display levels

Each entity type has a display level that determines how a detected value is shown to users inside Ema. There are four levels, from most to least restrictive:

LevelUI labelWhat the user seesExample
full_maskFully MaskedThe value is hidden entirely.
pseudonymPseudonym OnlyA stable, non-reversible token.SSN_61038472
partialPartial (last 4)A redacted form revealing only a tail or fragment.***-**-6789
originalShow OriginalThe cleartext value.123-45-6789

System ceilings

Every entity type has a system maximum — the most permissive display level you are allowed to choose. You can set a display level at or below the ceiling, never above it. The ceilings are fixed by the platform and reflect regulatory baselines (HIPAA Safe Harbor, PCI DSS, NIST SP 800-122, GDPR, CCPA). For example:

  • Secrets and credentials (passwords, API keys, JWTs, SSH keys) are capped at Fully Masked — even a system_admin cannot reveal any portion.
  • Financial and government identifiers (SSN, credit card number, passport) are capped at Partial — you may reveal the last few digits but never the full value.
  • Names and organization names allow Show Original because they are routinely needed in business context.

When an entity type's ceiling is Fully Masked, its display control is locked and cannot be changed.

Setting a display level

On the Display Policy card, each detected entity type has a dropdown listing only the levels allowed for it (up to its ceiling), each annotated with an example of what the result looks like. Choose a level and it saves immediately. The default display level for most sensitive types is Fully Masked.

Sharing policy (integration egress)

The Sharing Policy card controls what detected data is allowed to leave Ema in cleartext for external LLMs and integrations. Each entity type has one of three states:

  • Always sent. A small baseline set of business-context entities is always allowed to egress: PERSON_NAME, EMAIL_ADDRESS, ORGANIZATION_NAME, PHONE_NUMBER, STREET_ADDRESS, EMPLOYMENT_INFORMATION, and EDUCATION_INFORMATION. These show a green Always sent badge and cannot be toggled.
  • Never sent. Sensitive types — all credentials, financial identifiers, healthcare data, government IDs, device identifiers, and protected attributes — are hard-locked against cleartext egress. They show a red Never sent badge and cannot be toggled. When such a value must reach a model, it crosses the boundary as a pseudonym token, never as cleartext.
  • Configurable. Any remaining entity type defaults to not sent (tokenized) and can be switched on with a toggle. There is no implicit grant — you opt each one in deliberately.

Egress locks are absolute. Entity types marked Never sent must never cross an external LLM vendor boundary in cleartext, regardless of tenant configuration. This is a platform-level guarantee, not a tenant preference.

Reference

The PII service backs these surfaces. The display-policy dropdowns read and write per-entity overrides; the sharing toggles read and write the tenant egress policy.

ActionEndpoint
List per-entity display overridesGET /tenant-config
Set an entity's display levelPUT /tenant-config
List egress (sharing) policy rowsGET /tenant-egress-policy
Set an entity's egress allowancePUT /tenant-egress-policy
Revert an egress row to defaultDELETE /tenant-egress-policy

Every PII decision — what was tokenized, partially masked, redacted, or passed through, and at which boundary — is recorded for compliance. See the PII access log.

What's next

Last updated: Jul 3, 2026