AI Agent for CRM Support With PII Protection
Mask CRM fields before your AI support agent processes them, then unmask only in explicitly authorized workflows.
```bash
curl -X PUT https://protecto-trial.protecto.ai/api/vault/mask \
  -H "Authorization: Bearer YOUR_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "mask": [
      { "value": "Jane Smith", "token_name": "Text Token" },
      { "value": "jane.smith@company.com", "token_name": "Text Token" },
      { "value": "15/8/2010", "token_name": "Numeric Token" }
    ]
  }'
```
```python
import requests

# Mask the known sensitive CRM fields with token-based masking.
response = requests.put(
    "https://protecto-trial.protecto.ai/api/vault/mask",
    headers={
        "Authorization": "Bearer YOUR_AUTH_TOKEN",
        "Content-Type": "application/json",
    },
    json={
        "mask": [
            {"value": "Jane Smith", "token_name": "Text Token"},
            {"value": "jane.smith@company.com", "token_name": "Text Token"},
            {"value": "15/8/2010", "token_name": "Numeric Token"},
        ]
    },
)

# Map each raw value to its token so only tokens go into the agent's context.
tokens = {item["value"]: item["token_value"] for item in response.json()["data"]}
```
```json
{
  "data": [
    {
      "value": "Jane Smith",
      "token_name": "Text Token",
      "token_value": "t9Eyj"
    },
    {
      "value": "jane.smith@company.com",
      "token_name": "Text Token",
      "token_value": "874890078"
    },
    {
      "value": "15/8/2010",
      "token_name": "Numeric Token",
      "token_value": "fuot3"
    }
  ],
  "success": true,
  "error": {
    "message": ""
  }
}
```
```bash
curl -X PUT https://protecto-trial.protecto.ai/api/vault/unmask \
  -H "Authorization: Bearer YOUR_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_name": "Anonymization-policy-1",
    "unmask": [
      {
        "token_value": "<PER>hSw8kAEB10 ITItAd8FsN</PER> lives in <ADDRESS>748785848000</ADDRESS>"
      }
    ]
  }'
```
```python
import requests

# Policy-based unmask: run only in an explicitly authorized final step.
response = requests.put(
    "https://protecto-trial.protecto.ai/api/vault/unmask",
    headers={
        "Authorization": "Bearer YOUR_AUTH_TOKEN",
        "Content-Type": "application/json",
    },
    json={
        "policy_name": "Anonymization-policy-1",
        "unmask": [
            {"token_value": "<PER>hSw8kAEB10 ITItAd8FsN</PER> lives in <ADDRESS>748785848000</ADDRESS>"}
        ],
    },
)
```
```json
{
  "data": [
    {
      "token_value": "<PER>hSw8kAEB10 ITItAd8FsN</PER> lives in <ADDRESS>748785848000</ADDRESS>",
      "value": "George Williams lives in Washington",
      "toxicity_analysis": {
        "toxicity": 0.00088834815,
        "severe_toxicity": 0.000104515464,
        "obscene": 0.00018257574,
        "threat": 0.0001108902,
        "insult": 0.00017547917,
        "identity_attack": 0.00013806517
      }
    }
  ],
  "success": true,
  "error": {
    "message": ""
  }
}
```
What this solves
You want an AI agent to help support reps using CRM data — tickets, notes, and customer profile fields — but CRM records often include sensitive data: names, emails, dates, addresses.
This pattern shows you how to:
- Mask CRM fields before sending them to the AI agent
- Keep the AI agent working with useful context, without raw PII
- Allow restricted, policy-based unmasking only when needed
How it works
| Step | What happens | API |
|---|---|---|
| 1 | Mask CRM fields used as agent context | Mask API (token-based) |
| 2 | Send masked CRM context to the AI agent | External |
| 3 | Unmask only for authorized workflows (optional) | Unmask API (policy-based) |
Mask CRM fields before the agent sees them
CRM data is typically structured — you know which fields are sensitive. Use token-based masking for known fields rather than auto-detection.
Use only the token_value outputs when constructing the agent's CRM context. The agent never sees the raw field values.
The AI agent works on masked CRM context
Pass the tokenized values to the AI agent. With masked context, the agent can:
- Draft responses and replies
- Suggest next actions
- Summarize the customer's issue
- Recommend knowledge base articles
The agent never has access to raw customer PII. Protecto is not involved in this step.
Policy-based unmasking for authorized workflows (optional)
If you need to reveal original values — for example, final email sending, identity verification, or escalation workflows — use policy-based unmasking.
Only unmask in explicitly authorized final steps. Do not unmask speculatively or as part of the agent's normal flow.
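The three steps above as one offline sketch, added here as an example and not Protecto's own code: it builds the mask request for known fields, swaps raw values for tokens (including exact copies inside free-text notes) using the mask response shown on this page, and refuses to build an unmask request outside an allowlisted workflow. The CRM field names, workflow labels and sample ticket are assumptions, and the HTTP calls are left out so it runs without a token.

```python
# Added example. Field names, workflow labels and the sample record are constructed.
SENSITIVE_FIELDS = ("name", "email", "dob")      # assumed CRM column names
TOKEN_TYPES = {"dob": "Numeric Token"}           # every other field: "Text Token"
UNMASK_WORKFLOWS = {"send_email", "identity_verification", "escalation"}  # assumed labels

SAMPLE_RECORD = {  # constructed CRM row; values match the page's mask request
    "name": "Jane Smith", "email": "jane.smith@company.com", "dob": "15/8/2010",
    "ticket": "Jane Smith cannot log in; reset link went to jane.smith@company.com",
}
SAMPLE_MASK_RESPONSE = {  # shape and tokens copied from the page's mask response
    "data": [
        {"value": "Jane Smith", "token_name": "Text Token", "token_value": "t9Eyj"},
        {"value": "jane.smith@company.com", "token_name": "Text Token", "token_value": "874890078"},
        {"value": "15/8/2010", "token_name": "Numeric Token", "token_value": "fuot3"},
    ],
    "success": True, "error": {"message": ""},
}

def build_mask_payload(record):
    """Body for PUT /api/vault/mask, covering only the known sensitive fields."""
    return {"mask": [{"value": record[f], "token_name": TOKEN_TYPES.get(f, "Text Token")}
                     for f in SENSITIVE_FIELDS if f in record]}

def masked_context(record, mask_response):
    """Swap raw values for tokens; raise rather than pass an unmasked field on."""
    if not mask_response.get("success"):
        raise RuntimeError("mask call failed: " + mask_response["error"]["message"])
    tokens = {d["value"]: d["token_value"] for d in mask_response["data"]}
    longest_first = sorted(tokens, key=len, reverse=True)
    ctx = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS:
            ctx[field] = tokens[value]      # KeyError if the API skipped a value
        else:
            for raw in longest_first:       # notes often repeat the name or email
                value = value.replace(raw, tokens[raw])
            ctx[field] = value
    return ctx

def unmask_payload(workflow, token_values, policy_name="Anonymization-policy-1"):
    """Build the unmask body only for an allowlisted, final-step workflow."""
    if workflow not in UNMASK_WORKFLOWS:
        raise PermissionError(f"workflow {workflow!r} may not unmask")
    return {"policy_name": policy_name,
            "unmask": [{"token_value": t} for t in token_values]}

if __name__ == "__main__":
    print(masked_context(SAMPLE_RECORD, SAMPLE_MASK_RESPONSE))
```

The substring swap only catches exact copies of a masked value; other spellings, or other people's data in the same note, are outside what known-field masking covers.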
Decision guide for CRM AI agent tasks
| CRM agent task | Recommended approach |
|---|---|
| Draft responses, summarize tickets | Mask CRM fields first, send masked context to agent |
| Search similar tickets by customer | Store tokens in CRM — joins and lookups work without raw PII |
| Send email or complete identity verification | Unmask with policy_name only in the final, authorized step |
Key takeaways:
- Use token-based masking for known CRM fields before the AI agent sees them
- Use policy-based unmasking only when needed, and only for authorized workflows