Profile settings

Profile settings control detection behavior for an individual DLP profile. You configure these settings when you build a custom profile or edit an existing predefined or custom profile.

Profile settings are distinct from DLP settings, which are account-level settings that apply across all profiles and policies.

Edit profile settings

To edit profile settings for an existing predefined or custom DLP profile:

1. In the Cloudflare dashboard ↗, go to Zero Trust > Data loss prevention > Profiles.
2. Choose a profile, then select Edit.
3. In Settings, configure the settings for your profile.
4. Select Save profile.

Available settings

The following advanced detection settings are available for predefined and custom DLP profiles.

Match count

Match count sets a minimum threshold for the number of detections required to trigger an action. DLP does not block or log content until the detection count reaches this threshold.

For example, if you set a match count of 10, DLP takes action when it finds 10 or more matches in a single file or HTTP body. Matches do not have to be unique — the same credit card number appearing 10 times counts as 10 matches.

Optical Character Recognition (OCR)

Deprecation notice

Profile-level OCR settings will be deprecated in a future release. We recommend configuring OCR in DLP settings instead.

Optical Character Recognition (OCR) extracts and analyzes text within image files. When enabled, DLP can detect sensitive data within images that users upload or download.

OCR supports scanning .jpg/.jpeg and .png files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters.

For more information, refer to DLP settings.

AI context analysis

Deprecation notice

Profile-level AI context analysis settings will be deprecated in a future release. We recommend configuring AI context analysis in DLP settings instead.

Note

AI context analysis only supports Gateway HTTP and HTTPS traffic.

AI context analysis uses a machine learning model to evaluate the surrounding context of a detection and adjust its confidence level. The model examines nearby text to determine whether a pattern match is likely to be genuine sensitive data or a false positive.

For example, a 16-digit number that matches a credit card pattern may receive a lower confidence score if it appears in a context where credit card numbers are unlikely (such as a product SKU list). Conversely, the same number appearing near terms like "payment" or "billing" would receive a higher confidence score. DLP logs matches that meet or exceed your configured confidence threshold.

For full documentation on AI context analysis, refer to DLP settings.

Confidence thresholds

Confidence thresholds indicate how confident Cloudflare DLP is in a detection. DLP determines the confidence level by inspecting the content for proximity keywords — related terms that appear near the detected data. For example, the word "SSN" appearing near a 9-digit number increases confidence that the number is a Social Security number.

When you set a confidence threshold on a profile, DLP only triggers on detections at that level or higher:

• Low (default) — Based on regular expressions with few proximity keywords. This is the most inclusive setting, with high tolerance for false positives
• Medium — Applies additional validations, to filter out low confidence detections. This setting has a medium tolerance for false positives.
• Medium — Applies additional validations to filter out low confidence detections. This setting has a medium tolerance for false positives.

Confidence threshold is set on the DLP profile. Not all detection entries support confidence thresholds — when you select a threshold in the dashboard, entries that support confidence scoring display their current level. Entries without a displayed confidence level either do not support this feature or use detection methods (such as exact match) where confidence scoring does not apply.

To change the confidence threshold of a DLP profile:

1. In the Cloudflare dashboard ↗, go to Zero Trust > Data loss prevention > Profiles.
2. Select the profile, then select Edit.
3. In Settings > Confidence threshold, choose a new confidence threshold from the dropdown menu.
4. Select Save profile.

Gateway detections

For inline detections in Gateway, you can log lower-confidence matches while blocking only high-confidence detections. This approach requires two HTTP policies with different DLP profiles:

1. A Low or Medium confidence profile with an Allow action — logs the detection without blocking.
2. A High confidence profile with a Block action — blocks the request.

For example:

Selector	Operator	Value	Action
DLP Profile	in	Low Confidence Detections	Allow

Selector	Operator	Value	Action
DLP Profile	in	Medium Confidence Detections	Allow

Selector	Operator	Value	Action
DLP Profile	in	High Confidence Detections	Block