How to create data policies

Protect your data from leaking out of your company. Learn how to set up data policies and configure additional sections, including data classifications, actions, and options for clipboard and screen capture.

Introduction

Creating data policies is a bit more advanced than creating policies for applications or websites. They work in a similar manner but have more sections that need to be configured. Before creating a data policy, have a look at setting up policies for applications and websites.

Creating a data policy

Data policies follow the same evaluation system as application, web, and auditing policies.

To create a new data policy, navigate to Policies > Data and Add policy. Data policies have the following extra sections:

  1. Data classifications
  2. More advanced Actions
  3. Destination types
  4. Options for clipboard and screen capture

    1. Data classifications

    Here you can specify the data that the policy will target.

    By default, All data is selected, applying the policy to all files transferred to specified destination types (e.g. to all data sent via email, all data uploaded to the web, all data copied to external devices, etc).
    To modify that, click Browse and select one or more data classifications (learn how to create data classifications here). Only files classified with selected data classification(s) will be affected by the policy.

    The policy will apply to files that match ANY of the selected data classifications (OR relationship).

    Disabled data classifications do not show up in policies.

    2. More advanced Actions

    You can choose what action should happen when the policy is applied (i.e. the user transfers files to a selected destination):

    • Allow: The file operation is allowed, and no logs are created about the activity.
    • Log: The file operation is silently logged without the user being notified. The policy silently logs both allowed activities and activities that violate the policy.
    • Notify: The user is shown a notification that their activity violates a policy, and they can decide whether to continue or abort the operation. If they perform the activity, it is logged. Allowed activities are also logged. Safetica does not log Delete, Create, Rename, or Copy/Move within one physical storage (exception: when the destination is a cloud folder).
    • Block: Activities that violate a policy are completely blocked and logged. Allowed activities are only logged.
    • Block (with override): Certain users are allowed to override a blocking policy if they provide a reason for performing the file operation. The reason is attached to the record of the file operation. If they choose to override the policy, the operation proceeds and is logged; otherwise, it is blocked and logged. This action is not supported on macOS devices.

    What destinations does this policy apply to?

    In the drop-down below, you can also select to which destinations and destination groups from your Data destinations the policy will apply. This allows the policy to be specifically applied to files transferred to chosen destinations:

    • All destinations: The policy will apply to all data destinations.
    • All except safe destinations: The policy will apply to destinations in the Unassigned and Untrusted columns.
    • Only safe destinations
    • Only unassigned destinations
    • Other...: You can choose specific destination groups to which the policy will apply.

    Example: In a company, uploads to all file shares are blocked. The only exception is upload to a file share that is part of the company’s intranet and is considered a safe destination.

    By clicking Advanced control of individual destination types, you can configure distinct settings (both action and destination) for each destination type.
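    The evaluation described in sections 1 and 2 can be modelled in a few lines. The following is an added example, not Safetica's own code: it encodes the OR matching of data classifications, the destination scopes expressed through the Safe / Unassigned / Untrusted columns of Data destinations, and what each action means for the file operation and the log. The classification names, group names and the "Contracts" file are constructed values; the file-share scenario is the one given in the example above.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class DataPolicy:
    action: str                    # Allow | Log | Notify | Block | Block (with override)
    destination_types: set         # destination types the policy targets (section 3)
    classifications: Optional[set] = None   # None models the default "All data"
    scope: str = "All destinations"         # destination scope from section 2
    groups: set = field(default_factory=set)  # groups chosen under "Other..."

@dataclass
class FileOperation:
    classifications: set       # data classifications assigned to the file
    destination_type: str
    destination_column: str    # "safe" | "unassigned" | "untrusted" (Data destinations columns)
    destination_group: str = ""

def policy_applies(policy: DataPolicy, op: FileOperation) -> bool:
    if op.destination_type not in policy.destination_types:
        return False
    # Section 1: the file must carry ANY selected classification (OR relationship)
    if policy.classifications is not None and not (policy.classifications & op.classifications):
        return False
    # Section 2: destination scope
    return {
        "All destinations": True,
        "All except safe destinations": op.destination_column in ("unassigned", "untrusted"),
        "Only safe destinations": op.destination_column == "safe",
        "Only unassigned destinations": op.destination_column == "unassigned",
        "Other...": op.destination_group in policy.groups,
    }[policy.scope]

def evaluate(policy, op, user_continues=True, override_reason=None) -> Tuple[bool, bool]:
    """Return (operation proceeds, record is logged) per the action semantics in section 2."""
    if not policy_applies(policy, op):
        return True, False                        # policy does not match: no effect
    if policy.action == "Allow":
        return True, False                        # allowed, nothing logged
    if policy.action == "Log":
        return True, True                         # silently logged, user not notified
    if policy.action == "Notify":
        return user_continues, user_continues     # user decides; a performed activity is logged
    if policy.action == "Block (with override)":
        return override_reason is not None, True  # proceeds only with a reason; always logged
    return False, True                            # Block: blocked and logged

# The file-share scenario above (constructed values): block uploads to all file shares,
# except the intranet share that sits in the "safe" column of Data destinations.
SHARE_POLICY = DataPolicy("Block", {"Network file share (SMB etc.)"}, scope="All except safe destinations")

def intranet_share_upload():
    return evaluate(SHARE_POLICY, FileOperation({"Contracts"}, "Network file share (SMB etc.)", "safe"))

def unknown_share_upload():
    return evaluate(SHARE_POLICY, FileOperation({"Contracts"}, "Network file share (SMB etc.)", "unassigned"))
```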

    3. Destination types

    The core of each data policy is selecting destination types, such as Email, Web upload, Removable storage, etc.

    Learn more details about individual destination types:

    Cloud drive upload
    • Safetica supports six cloud drives: Box, Dropbox, Google Drive, M365 OneDrive Business, M365 SharePoint, and OneDrive Personal.
    • Both file transfers to locally synchronized folders and uploads to corresponding websites can be controlled by the policy.
    Email
    • The policy applies only to emails sent from supported desktop email clients. It does not apply to webmail. Email attachments sent via webmail can be controlled by the Web upload destination type and audited by Safetica Cloud Protection.
    • Safetica Client analyzes the email body for sensitive content.
    • Supported email clients:
      • Windows devices: Outlook (using MAPI or SMTP/POP3/IMAP protocols) and all other email clients using SMTP/POP3/IMAP protocols.
      • macOS devices: only Apple Mail app is supported.
    • If you have Safetica Cloud Protection, you can also audit and protect outgoing emails in Outlook on the web.
    M365 file sharing
    • Available only as part of Safetica Cloud Protection.
    • You can audit and cancel file sharing within Microsoft 365.
    Git
    • Applies to git push (i.e. uploading data from local directories to remote Git repositories).
    • Not supported for macOS devices.
    Instant messaging
    • Applies to files sent via supported instant messaging applications.
    • Applications must be categorized as Instant messaging and VOIP software.
    • The content of messages is not analyzed.
    • Supported instant messaging apps:
      • Windows devices: MS Teams, Slack, WhatsApp, Microsoft Skype, Microsoft Skype for Business (only desktop app), Telegram, Viber, Facebook Messenger
      • macOS devices: MS Teams, Slack, WhatsApp, Microsoft Skype, Facebook Messenger, iMessage
    Network file share (SMB etc.)
    • File transfer to network file shares.
    • macOS devices: supported, but without advanced control of individual destination types.
    Print
    • Printing in general.
    Remote file transfer (RDP)
    • Applies to remote file transfers over RDP and TeamViewer (on Windows devices only).
    • The policy must be active for the Safetica Client running on the host device.
    • Not supported for macOS devices.
    Removable storage (USB, memory cards, etc.)
    • File transfer to removable storage devices.
    • Applies only to devices connected as USB mass storage or Windows Portable Device.
    Virtual print
    • Applies only to virtual printing into files.
    • Not supported for macOS devices.
    Web upload
    • File uploads via web browser to all websites irrespective of their category.
    • Web upload also affects: sending files via instant messaging websites, email attachments sent via webmails, and uploading files to cloud drives in web browser.

    4. Options for clipboard and screen capture

    These options are available only when a data classification is selected.

    Extend your data protection by blocking copying to the clipboard (clipboard content of up to 160 symbols that contains no sensitive content is allowed; content of more than 160 symbols is always blocked) or by blocking screen capture.

    These options are not supported on macOS devices.

    A newly created policy is disabled by default. You can enable it:

    • in the policy detail by changing the policy status on the right side, or
    • by toggling the button in the list of policies in the Data tab of the Policies section

    Read next:

    Data classification in Safetica

    Policies: How they work in Safetica

    Policies: How to create them

    Auditing policies: what are they

    Data destinations: What are they