Entity Tags

When Protecto masks sensitive data, it wraps the masked value in entity tags that indicate what kind of sensitive data the value represents.

What entity tags look like

<ENTITY_TYPE>masked_value</ENTITY_TYPE>

Example:

<EMAIL>0gN3SkjL@0ffM3CDS</EMAIL>

The tag name corresponds to the detected or configured entity type.

Why entity tags exist

Entity tags serve multiple purposes beyond readability:

• Preserve semantic meaning — even without original values, masked text remains understandable
• Enable downstream parsing — systems can programmatically identify and handle each entity type
• Support selective unmasking — policies can reference entity types in their rules
• Enable routing — data can be handled differently based on entity type

Example — Original:

Contact John Doe at john.doe@example.com

Masked:

Contact <PERSON>VJYe 03W</PERSON> at <EMAIL>0gN3SkjL@0ffM3CDS</EMAIL>

Even without the original values, the sentence still makes sense to both humans and machines.

Built-in vs custom entity tags

Once defined, custom tags behave exactly like built-in ones — same masking, same tags, same governance.

Entity tags apply to all masking modes

Entity tags are applied regardless of how masking is performed:

• Auto-Detect and Mask
• Explicit token-based masking
• Format-based masking
• Custom PII detection

The masking strategy determines how the value is replaced. The entity tag indicates what the value represents.