Configuring Redactify

Redactify’s power lies in its flexible configuration. You decide exactly what sensitive data to detect and how the system responds when it finds a match.

Redactify ships with no active patterns. A freshly installed portal redacts nothing until you add rules. To get protection on day one, copy the recommended pattern library below into the Redactify settings page during install — these are the patterns we’ve found cover the most common PII cases across HubSpot engagement data.

Government & Identity

  • US SSN (recommended): \b\d{3}-\d{2}-\d{4}\b — matches only the dashed format (XXX-XX-XXXX). Low false-positive risk; this is the default for new portals.
  • US SSN (loose) (opt-in): \b(?:\d{3}-\d{2}-\d{4}|\d{9})\b — matches both dashed and bare 9-digit SSNs. Higher false-positive risk: 9-digit strings collide with zip codes, routing numbers, and phone digit runs. Enable only if your portal receives SSNs in both formats and you have reviewed the tradeoff.
  • US EIN: \b\d{2}-\d{7}\b
  • US Driver’s License: \b(?:[A-Z]{2})[0-9]{5,8}\b
  • US Passport: \b[A-Z0-9]{9}\b

Payment & Financial

  • Credit Card (4 blocks): \b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b
  • Credit Card (no separator): \b\d{16}\b
  • Routing Number: \b\d{9}\b (overlaps with SSN)
  • Bank Account: \b\d{8,17}\b

Contact & Auth

  • Phone (US): \b(?:\+?1[-.\s]?)?\(?[0-9]{3}\)?[-.\s]?[0-9]{3}[-.\s]?[0-9]{4}\b
  • Phone (International): \b\+[0-9]{1,3}[-.\s]?[0-9]{6,14}\b

API Keys & Secrets

  • Generic API Key: (?i)(api[_-]?key|apikey)\s*[:=]\s*[a-zA-Z0-9_\-]{20,}
  • Bearer Token: (?i)bearer\s+[a-zA-Z0-9_\-\.]+
  • Basic Auth: (?i)basic\s+[a-zA-Z0-9+/]+={0,2}
  • AWS Access Key: AKIA[0-9A-Z]{16}

Healthcare

  • HIPAA NPI: \b[0-9]{10}\b
  • Medicare ID: \b[0-9]{11}[A-Z]\b

Keyword Heuristics

  • PII Keywords: (?i)(ssn|social\s+security|tax\s+id|password|secret|token|apikey|api_key)
  • Payment Keywords: (?i)(credit\s+card|card\s+number|cvv|cvc|expir|routing|account\s+number)

Custom Regex Patterns

If you have proprietary data formats, internal codes, or industry-specific identifiers, add your own detection patterns. Redactify accepts any standard regular expression, and each custom rule can be assigned its own action independently of the recommended library.

Per-Pattern Actions

When Redactify detects a match, it applies the action configured for that specific pattern. Three actions are available:

  1. Redact — replaces the matched sensitive substring with [REDACTED]. The rest of the field remains intact.
  2. Clear — empties the entire contents of the field where the match was found.
  3. Delete — archives the entire engagement record.

Action Priority Escalation

When one engagement contains matches from multiple patterns with different actions, Redactify uses the most aggressive action across all matches:

Delete > Clear > Redact

For example: if a note contains a phone number (configured to Redact) and an API key (configured to Delete), the whole note engagement is deleted.
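
The escalation rule above, sketched as an added Python example (not Redactify's own code). The three patterns are copied from the recommended library; the action assigned to each, the process function, and the choice to apply the escalated action to every field that contains a match are assumptions made for illustration.

```python
import re

# Severity order stated on this page: Delete > Clear > Redact
SEVERITY = {"redact": 1, "clear": 2, "delete": 3}

# Regexes come from the library above; the per-pattern actions are constructed.
RULES = [
    ("Phone (US)",
     r"\b(?:\+?1[-.\s]?)?\(?[0-9]{3}\)?[-.\s]?[0-9]{3}[-.\s]?[0-9]{4}\b",
     "redact"),
    ("US SSN", r"\b\d{3}-\d{2}-\d{4}\b", "clear"),
    ("Generic API Key",
     r"(?i)(api[_-]?key|apikey)\s*[:=]\s*[a-zA-Z0-9_\-]{20,}",
     "delete"),
]
COMPILED = [(name, re.compile(rx), action) for name, rx, action in RULES]


def process(fields):
    """Scan an engagement's text fields and apply the escalated action.

    Returns (effective_action, resulting_fields, hits). resulting_fields is
    None when the whole engagement is deleted (archived).
    """
    hits = []  # (field name, rule name, configured action)
    for field, text in fields.items():
        for name, rx, action in COMPILED:
            if rx.search(text):
                hits.append((field, name, action))
    if not hits:
        return None, dict(fields), hits

    # One matching rule with a stronger action overrides every weaker one.
    effective = max((a for _, _, a in hits), key=SEVERITY.__getitem__)
    if effective == "delete":
        return effective, None, hits

    out = dict(fields)
    for field in {f for f, _, _ in hits}:
        if effective == "clear":
            out[field] = ""  # the entire field is emptied
        else:
            for _, rx, _ in COMPILED:  # only Redact rules can match here
                out[field] = rx.sub("[REDACTED]", out[field])
    return effective, out, hits
```

The returned hits list names every rule that fired, which makes it easy to see which pattern forced an escalation before assigning Delete to a broad regex.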

Configurable Field Selection

Redactify scans text fields on engagement records. By default the following fields are scanned:

  • Emails: hs_email_text (body) and hs_email_subject
  • Calls: hs_call_body
  • Meetings: hs_meeting_body
  • Notes: hs_note_body
  • Tasks: hs_task_body

You can narrow this list in settings — for example, scan only notes and email bodies if those are the only channels where free-text PII tends to appear in your portal.