Profile settings
This page lists the profile settings available when configuring a predefined or custom DLP profile. You can configure profile settings when you create a custom profile or edit profile settings for an existing predefined or custom profile.
To edit profile settings for an existing predefined or custom DLP profile:
- In Zero Trust ↗, go to Data loss prevention > DLP profiles.
- Choose a profile, then select Edit.
- In Settings, configure the settings for your profile.
- Select Save profile.
The following advanced detection settings are available for predefined and custom DLP profiles.
Match count refers to the number of times that any enabled entry in the profile can be detected before an action is triggered, such as blocking or logging. For example, if you select a match count of 10, the scanned file or HTTP body must contain 11 or more matching strings. Detections do not have to be unique.
Optical Character Recognition (OCR) analyzes and interprets text within image files. When used with DLP profiles, OCR can detect sensitive data within images your users upload.
OCR supports scanning .jpg/.jpeg and .png files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters.
AI context analysis uses a pretrained model to analyze and adjust the confidence in a detection based on its surrounding context. DLP will log any matches that are above your confidence threshold.
DLP redacts any matched text, then submits the context as an AI text embedding vector to Cloudflare Workers AI. Vectors are stored in user-specific private namespaces for up to six months, along with hit count and the false positive/negative report.
To use AI context analysis:
- Turn on AI context analysis in a DLP profile.
- Add the profile to a DLP policy.
- When configuring the DLP policy, turn on payload logging.
AI context analysis results will appear in the payload section of your DLP logs. To improve future detections of sensitive data, you need to report false and true positives.
Confidence thresholds indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection.
Confidence threshold is set on the DLP profile. When you select a confidence threshold in Zero Trust, you will see which DLP entries will be affected by the confidence threshold. Entries that do not reflect a confidence threshold in Zero Trust are not yet supported or are not applicable.
DLP confidence detections consist of Low, Medium, and High confidence thresholds. DLP will default to Low confidence detections, which are based on regular expressions, require few keywords, and will trigger more often. Medium and High confidence detections require more keywords, will trigger less often, and have a higher likelihood of accuracy.
To change the confidence threshold of a DLP profile:
- In Zero Trust ↗, go to Data loss prevention > DLP profiles.
- Select the profile, then select Edit.
- In Settings > Confidence threshold, choose a new confidence threshold from the dropdown menu.
Setting the confidence to Low will also consider Medium and High confidence detections as matches. Setting the confidence to Medium or High will filter out lower confidence detections.
For inline detections in Gateway, to display Low and Medium confidence detections but block High confidence detections, Cloudflare recommends creating two HTTP policies. The first policy should use a Low confidence DLP profile with an Allow action. The second policy should use a High confidence DLP profile with a Block action. For example:
| Selector | Operator | Value | Action | 
|---|---|---|---|
| DLP Profile | in | Low Confidence Detections | Allow | 
| Selector | Operator | Value | Action | 
|---|---|---|---|
| DLP Profile | in | High Confidence Detections | Block | 
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark