Method types

Sensitive Data Protection includes different types of methods that you can use to inspect or transform your data. Using these different methods, you can inspect data both on and off Google Cloud and optimize Sensitive Data Protection behavior for different types of workloads.

Sensitive Data Protection provides the following method types:

Content methods

Content methods are synchronous, stateless methods. The data to be inspected or transformed is sent directly in the request to the DLP API. Sensitive Data Protection inspection findings or transformed data is returned in the API response. Request data is encrypted in transit and is not persisted.

Diagram of content methods dataflow, showing a client sending data via an API request to Sensitive Data Protection, which can inspect and classify or de-identify and transform the data, sending a synchronous API response to the client.

To learn more, explore the REST API reference for content methods:

Storage methods

Storage methods are designed to inspect data stored on Google Cloud in systems like Cloud Storage, BigQuery, and Firestore in Datastore mode (Datastore). To enable storage inspection, you create a Sensitive Data Protection job using the dlpJobs resource. Each job runs as a managed service to inspect data and then perform Sensitive Data Protection actions such as saving or publishing findings. In addition to these optional actions, Sensitive Data Protection creates and persists details about the job, including job status, bytes scanned, and summary findings per infoType. You can manage jobs using the DLP API or Sensitive Data Protection in the Google Cloud console.

Diagram of storage methods dataflow, showing Sensitive Data Protection inspecting data on a Google Cloud storage repository, and then either saving or publishing findings.

To learn more, explore the REST API reference for storage methods:

Hybrid methods

Hybrid methods are a set of asynchronous API methods that allow you to scan payloads of data sent from virtually any source for sensitive information and store the findings in Google Cloud. Hybrid methods are similar to content methods in that the data you want to inspect is included in one or more inspection requests; however, unlike content methods, hybrid methods do not return inspection results in the API response. Instead, inspection results are processed server-side asynchronously and results are tabulated and stored in a manner similar to storage methods.

To enable hybrid inspection, you create a Sensitive Data Protection job using the dlpJobs resource. Each hybrid job runs as a managed service to listen for inspection requests and performs Sensitive Data Protection actions such as saving or publishing findings. In addition to these optional actions, Sensitive Data Protection creates and persists details about the job, including job status, bytes scanned, and summary findings per infoType. You can manage jobs using the DLP API or Sensitive Data Protection in the Google Cloud console.

Diagram of hybrid jobs dataflow, showing your application sending data from an external source to Sensitive Data Protection, Sensitive Data Protection inspecting the data, and then either saving or publishing findings.
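
Added example (not part of the original documentation): the DLP API v2 REST request that each method type uses, built but not sent, to show which requests carry the data to inspect and which only configure a job. The project, location, bucket, table, and job names are constructed placeholders.

```python
import json

BASE = "https://dlp.googleapis.com/v2"
INSPECT_CONFIG = {"infoTypes": [{"name": "EMAIL_ADDRESS"}]}


def content_inspect(project, text):
    """Content method: data rides in the request, findings in the response."""
    url = f"{BASE}/projects/{project}/content:inspect"
    return url, {"item": {"value": text}, "inspectConfig": INSPECT_CONFIG}


def create_job(project, location, storage_config, table):
    """Storage and hybrid methods both start with dlpJobs.create; findings
    go to the job's actions (here: save to a BigQuery table)."""
    url = f"{BASE}/projects/{project}/locations/{location}/dlpJobs"
    save = {"saveFindings": {"outputConfig": {"table": table}}}
    job = {"storageConfig": storage_config,
           "inspectConfig": INSPECT_CONFIG,
           "actions": [save]}
    return url, {"inspectJob": job}


def hybrid_inspect(project, location, job_id, text):
    """Hybrid method: data rides in the request, but the response carries
    no findings; they are processed by the running hybrid job."""
    url = (f"{BASE}/projects/{project}/locations/{location}"
           f"/dlpJobs/{job_id}:hybridInspect")
    return url, {"hybridItem": {"item": {"value": text}}}


def carries_payload(body):
    """True when the request body itself contains the data to inspect."""
    return "item" in body or "item" in body.get("hybridItem", {})


# Constructed placeholder values, not real resources.
TABLE = {"projectId": "example-project", "datasetId": "dlp", "tableId": "findings"}
REQUESTS = {
    "content": content_inspect("example-project", "contact: jane@example.com"),
    "storage": create_job("example-project", "global",
        {"cloudStorageOptions": {"fileSet": {"url": "gs://example-bucket/**"}}}, TABLE),
    "hybrid job": create_job("example-project", "global",
        {"hybridOptions": {"description": "on-prem log scan"}}, TABLE),
    "hybrid item": hybrid_inspect("example-project", "global", "i-example",
                                  "contact: jane@example.com"),
}

if __name__ == "__main__":
    for name, (url, body) in REQUESTS.items():
        print(f"{name}: POST {url} payload_in_request={carries_payload(body)}")
        print(json.dumps(body, indent=2))
```

Only the content and hybrid item requests place sensitive data on the wire to the API; the two job requests persist configuration and job metadata, so access to the dlpJobs resource and the findings table should be scoped accordingly.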
