This article outlines DLP policies in Safetica and related rules for controlling various communication channels.
Safetica uses DLP policies for data protection on endpoints and for controlling application behavior. Every DLP policy consists of a policy type, policy mode and policy rules. DLP policies can be set in Safetica Management Console in Protection -> DLP policies.

Policy evaluation

How DLP policies are evaluated:
- Every policy contains one or more rules (e.g. for upload, email, external devices, etc.).
- Each rule is evaluated and applied separately.
- First match always applies.
- Actions which are not specified in a policy will be managed by other policies placed lower in the DLP policy list.

Policy types

- General policies – manage entire communication channels, e.g. all data sent via email, all uploaded data, all data copied to external devices, etc. General policies are great for setting general limitations of what is allowed and what is not.
- Data policies – manage and protect specific data categories and their combinations, e.g. credit card numbers, regular expressions, CRM exports, etc.
- Application policies – manage applications and their behavior. They are applied to application categories. To manage a single application, create a new application category for it and apply your policy to this category. Application policies are available in Safetica Enterprise only. Shadow copies are not supported for Application policies.

We recommend placing general and other less strict DLP policies into the lower part of the list. More specific and strict policies can be placed into the upper part.

Policy modes

Every DLP policy can be set to one of 4 modes, which affect how policy rules are applied:
- Disabled – the policy is defined but does not affect anything. This mode is useful when you prepare a policy which will only be applied later.
- Log only – the policy audits and logs both restricted and allowed actions.
- Log and notify – the user is notified about performing restricted actions, which are also logged if performed. Allowed actions are only logged. Safetica does not log: Delete, Create, Rename, Copy/Move within one physical storage (exceptions: the destination is a cloud folder; a DLP rule is applied to the operation).
- Log and block – restricted actions are blocked altogether and logged. Allowed actions are only logged.
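
The evaluation order and modes described above can be modeled in a few lines. This is an added illustration, not Safetica code: the `Policy` class, the `evaluate` and `shadowed` helpers, the outcome strings and the sample policy list are all constructed for this example, and the model ignores the per-rule limitations listed in the overview below.

```python
from dataclasses import dataclass

DISABLED, LOG_ONLY, LOG_NOTIFY, LOG_BLOCK = (
    "Disabled", "Log only", "Log and notify", "Log and block")

@dataclass
class Policy:
    name: str
    mode: str
    rules: dict                 # channel -> "allow" | "restrict"
    data_category: str = None   # None models a general policy

def evaluate(policies, channel, categories=frozenset()):
    """Return (policy name, outcome) for one operation, scanning top-down."""
    for p in policies:
        if p.mode == DISABLED:
            continue            # defined, but does not affect anything
        if p.data_category and p.data_category not in categories:
            continue            # data policy for a category the file lacks
        if channel not in p.rules:
            continue            # unspecified action: left to lower policies
        restricted = p.rules[channel] == "restrict"
        if not restricted or p.mode == LOG_ONLY:
            return p.name, "logged"
        if p.mode == LOG_NOTIFY:
            return p.name, "notified+logged"
        return p.name, "blocked+logged"
    return None, "no policy"

def shadowed(policies, channel, categories=frozenset()):
    """Lower policies that cover the operation but never get to decide it."""
    winner, _ = evaluate(policies, channel, categories)
    return [p.name for p in policies
            if p.mode != DISABLED and channel in p.rules
            and (not p.data_category or p.data_category in categories)
            and p.name != winner]

# Constructed sample list, ordered top to bottom as in the DLP policy list.
POLICIES = [
    Policy("Card data", LOG_BLOCK,
           {"upload": "restrict", "email": "restrict"}, "credit cards"),
    Policy("Draft USB lockdown", DISABLED, {"external devices": "restrict"}),
    Policy("General baseline", LOG_NOTIFY,
           {"upload": "restrict", "external devices": "allow"}),
]
```

Reversing the list makes the general policy win for card-data uploads, so the user is only notified instead of blocked, which is why strict, specific policies belong at the top.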

Policy rule overview

| Policy rule | Description | Limitations |
|---|---|---|
| Cloud drives | File transfer from local computers to cloud drives via sync clients or web interface. Can be set either for cloud drives in general, or only for specified cloud drives (e.g. Dropbox, Google Drive, OneDrive, etc.). Available for all policies. | |
| Upload | File uploads via web browser to all websites irrespective of their category. You can also choose more specific rules Upload to file share and Upload to web mail which are applied only to websites categorized as File hosting and Web mails respectively. Upload also affects sending files via instant messaging websites and uploading files to cloud drives in web browser. Available for general and data policies. | |
| Email | Sending emails from desktop email clients. Available for general and data policies. | Does not apply to web mail. |
| Instant messaging | Sending files via IM applications or websites categorized as Instant Messaging Web Applications. Available for general and data policies. | Applies only to sent files, not to messages. |
| External devices | File transfer to external devices. Available for all policies. | Applies only to devices connected as USB mass storage. |
| Network file share | File transfer to network file shares. Available for general and data policies. | |
| Remote transfer | Remote file transfer and clipboard operations using these applications: Microsoft Remote Desktop and TeamViewer. Available for general and data policies. | Does not block remote desktop connections in general. |
| Other network connection | All network traffic except for network file shares. Warning: By choosing the Log and block mode, it is possible to completely cut off an endpoint from the network. Extreme care should be taken not to set this rule incorrectly. Available for application policies and data policies of the context type. | This is an expert setting, which might negatively affect connectivity. Shadow copies are not created for Other network connections. |
| Print | Printing in general, including virtual print. You can also choose the more specific rule Virtual print which applies only to virtual printing into files. Available for all policies. | Shadow copies are not created for Print and Virtual print yet. |
| Clipboard | Copying text and images from restricted applications via clipboard. In the Log and block mode, clipboard operations are allowed within the application that owns the data, but transfers to other applications are blocked. Available for data and application policies. | Shadow copies are not created for Clipboard operations. These operations are not logged. If you create a Log only policy, it will not perform any action. |
| Screen capture | Taking screenshots, screen sharing and screen recording. Available for data and application policies. | Shadow copies are not created for Screen capture operations. These operations are not logged. If you create a Log only policy, it will not perform any action. |
| Local paths | Access to specified paths on local drives. Warning: By choosing the Log and block mode, it is possible to completely cut off a destination from all access. Extreme care should be taken not to set this rule incorrectly. Available for application policies and data policies of the context type. This rule is available in Safetica Enterprise only. | This is an expert setting, which might negatively affect user workflow. Shadow copies are not created for Local paths. |
| Exclusive access | Application whitelisting or blacklisting for accessing sensitive data. Allows you to determine which applications can or cannot work with sensitive data. Warning: By choosing the Log and block mode, it is possible to completely cut off certain applications from the data they might need to work correctly. Extreme care should be taken not to set this rule incorrectly. To enable exclusive access for one specific application, create a new application category for it. Available for data policies of the context type. This rule is available in Safetica Enterprise only. | This is an expert setting, which might negatively affect user workflow. Shadow copies are not created for Exclusive access. Can only be set for whole application categories. |