MCP Personally Identifiable Information (PII) Detector Policy

Policy Name

MCP PII Detector Policy

Summary

Blocks elicitation responses containing personally identifiable information (PII) from reaching MCP servers

Category

MCP

First Flex Gateway version available

v1.9.3

Returned Status Codes

No return codes exist for this policy. The policy reports a policy violation when PII is detected.

Summary

The MCP PII Detector policy blocks elicitation responses containing personally identifiable information (PII) from reaching MCP servers.

When PII is detected in the elicitation response result field, the policy:

Reports a policy violation.
Sends a modified response to the MCP server that the request was declined and includes the message PII data requested or found in user response.

The policy doesn’t send a response to the client when PII is detected.

The policy only scans JSON-RPC responses that contain a result field. JSON-RPC requests with a method field are ignored.

Configuring Policy Parameters

Flex Gateway Local Mode

The MCP PII Detector policy isn’t supported in Local Mode.

Managed Flex Gateway and Flex Gateway Connected Mode

When you apply the policy from the UI, the following parameters are displayed:

Element Description

Element	Description
Entities	Array that defines the types of PII to detect. You can select multiple PII types. Supported values are `Email`, `US SSN`, `Credit Card`, `Phone Number`. For more information, see PII Types.

Entities

Array that defines the types of PII to detect. You can select multiple PII types. Supported values are Email, US SSN, Credit Card, Phone Number.
For more information, see PII Types.

PII Types

When you configure an MCP PII Detector policy, you can choose which types of PII to detect:

PII Type Description

PII Type	Description
Email	Standard email addresses such as `User.Name+tag@example.com`.
US SSN	United States Social Security Numbers (SSNs) in the standard format: `XXX-XX-XXXX` where each `X` is a digit. For example, `123-45-6789`.
Credit Card	Credit card numbers in the form of four groups of four digits, separated by optional spaces or hyphens. For example,`1234-5678-9012-3456`, `1234 5678 9012 3456`, or `1234567890123456`.
Phone Number	United States phone numbers in various formats, with or without country code, parentheses, spaces, hyphens, or dots. For example, `123-456-7890`, `(123) 456-7890`, `123.456.7890`, `+1 123 456 7890`, or `1234567890`.

Standard email addresses such as User.Name+tag@example.com.

US SSN

United States Social Security Numbers (SSNs) in the standard format: XXX-XX-XXXX where each X is a digit. For example, 123-45-6789.

Credit Card

Credit card numbers in the form of four groups of four digits, separated by optional spaces or hyphens. For example,1234-5678-9012-3456, 1234 5678 9012 3456, or 1234567890123456.

Phone Number

United States phone numbers in various formats, with or without country code, parentheses, spaces, hyphens, or dots. For example, 123-456-7890, (123) 456-7890, 123.456.7890, +1 123 456 7890, or 1234567890.