Not all sensitive data is the same. Credit card numbers, API keys, and passwords should be stripped entirely — there's no scenario where Claude needs to see them. Personal information like names, email addresses, and phone numbers might need to be masked (replaced with placeholders) rather than stripped, because Claude may need to reference the entity without knowing the actual value. Internal identifiers, proprietary data, and trade secrets require a case-by-case assessment.

A practical classification

  • Strip entirely: credit card numbers, CVVs, API keys, passwords, private keys, tokens
  • Mask with placeholders: names, email addresses, phone numbers, physical addresses
  • Block or review: proprietary source code, trade secrets, internal financial data
  • Allow with logging: general business context, process descriptions, public information

Automated detection handles the first two categories reliably. Regex patterns catch structured data like card numbers and API keys. Entity recognition models identify PII in unstructured text. The third category — proprietary and sensitive business data — requires custom rules that reflect the specific business context. This is another area where consulting expertise makes the difference between a secure deployment and one with hidden exposure.
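The following Python sanitizer is an added example, not code from the original article: it implements the first two categories above, stripping Luhn-checked card numbers and token-shaped secrets outright while masking email addresses and phone numbers with stable placeholders, so the model can still refer to "[EMAIL_1]" without ever seeing the address. The regex patterns and the sample ticket text are constructed for illustration and are assumptions, not a production ruleset.

```python
import re

# Constructed patterns for this example; a real deployment tunes them to its own
# key formats and adds an entity-recognition pass for names and postal addresses.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SECRET_RE = re.compile(r"\b(?:sk|api|key|token)[_-][A-Za-z0-9_-]{16,}\b", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps ordinary 13-19 digit runs (order ids, tracking
    numbers) from being stripped as if they were card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def sanitize(text: str) -> tuple[str, dict[str, str]]:
    """Strip 'strip entirely' data and mask 'mask with placeholders' data.
    Returns the sanitized text plus the placeholder -> original map, which
    stays on the calling side (never sent to the model) so replies can be
    re-hydrated before they reach the user."""
    mapping: dict[str, str] = {}               # placeholder -> original value
    by_value: dict[tuple[str, str], str] = {}  # (kind, value) -> placeholder

    def mask(kind: str, value: str) -> str:
        # Same value -> same placeholder, so the entity stays referenceable.
        if (kind, value) not in by_value:
            ph = f"[{kind}_{sum(k == kind for k, _ in by_value) + 1}]"
            by_value[(kind, value)] = ph
            mapping[ph] = value
        return by_value[(kind, value)]

    def strip_card(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        return "[REDACTED_CARD]" if luhn_ok(digits) else m.group()

    text = CARD_RE.sub(strip_card, text)  # cards first: they contain phone-shaped digit runs
    text = SECRET_RE.sub("[REDACTED_SECRET]", text)
    text = EMAIL_RE.sub(lambda m: mask("EMAIL", m.group()), text)
    text = PHONE_RE.sub(lambda m: mask("PHONE", m.group()), text)
    return text, mapping

# Constructed sample ticket text (not real data); the card number is a well-known test value.
SAMPLE = ("Ticket from alice@example.com (call 555-867-5309): card 4111 1111 1111 1111 "
          "was charged twice; our key sk_live_abcdefghijklmnop1234 is in the log. "
          "Please reply to alice@example.com, ref 1234567890123.")
```

Running `sanitize(SAMPLE)` leaves the 13-digit reference number alone because it fails the Luhn check, while the card, the secret and both PII values are replaced; the returned map is what a re-hydration step on the trusted side would consult.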