At the moment PII is detected by default in issue summary, description and comments. Users can enable monitoring for other fields of their choice. We are planning to expand coverage in any case, but please let us know if there is a specific field you'd want us to support.

The following types of personally identifiable information are currently detected.

• Credit card numbers
• US social security numbers (SSN)
• US phone numbers
• International phone numbers
• US, Canadian, British and Irish postal addresses
• Email addresses
• IP addresses
• IBAN numbers
• VAT numbers
• National Provider Identifier (NPI)
• Medical Record Number (MRN)
• Vehicle identification number (VIN)
• Swiss social security numbers
• Canadian social insurance numbers (SIN)
• French INSEE codes
• British national insurance numbers (NINO)
• Finnish personal identity codes (HETU)
• Swedish personal identity numbers
• Norwegian birth numbers
• Czechian birth numbers
• Polish identification numbers (PESEL)
• Danish personal identification numbers (CPR)
• Spanish national identification number (DNI)
• Netherlands identification number (BSN / Sofi)
• Israeli ID number (Mispar Zehut)

Please feel absolutely free to reach out to us if you'd like us to add support for a new PII type. This is something we are very much willing to do.

All found PII is displayed in PII Manager page that can be accessed via Administration / System / Security / PII Manager. This is the UI for browsing, searching and filtering PII (note the Filter button at the top right). This is also a place where administrators can perform manual actions on different PII items (using small gear buttons on the right of each line).

Every organization is different when it comes to PII treatment. That's why PII Protector is highly configurable and is able to adjust to your specific needs.

Here are a few things you can do:

• Select which PII types you care about (e.g. you may be OK with email addresses being globally visible but not credit card numbers)
• Choose the detection threshold for each PII type (you can err on the side of caution, which is the default, or be more lenient)
• Choose what to do with PII of each type automatically (just report, erase completely, or our favorite - hide and audit all read access)
• Select whom to notify when new PII is discovered (please choose wisely)
• Decide how exactly to substitute the sensitive data
• Decide how up-to-date you want your PII scans to be (a trade-off between recency and load)
• Choose for how long to keep records of PII after it got deleted from the source (retention period)
• Choose for how long to keep audit logs of PII-specific manual and automatic changes
• Choose how many results to show per page in reports
• Configure monitoring scope
• Configure PII access and management
• Configure encryption
• Tune resource consumption

We are always open to adding more flexibility, so any suggestions are welcome.

PII Protector is not just about detection of PII. We want to make it super-easy for you to act upon newly discovered PII. As briefly mentioned above, one thing you can do with PII is hide it from everybody and only make it available upon explicit request. That way only people who really need to see the sensitive data will see it. Moreover, every access to PII will be audited and logged, and you will be able to see this log in Administration / System / Security / PII Access Log page. This is an awesome way for you to have a perfect record of who exactly viewed the PII and when. Priceless for audit purposes.

Dealing with every new introduced PII item may be tedious, especially if you have many Jira users. PII Protector tries to help you here too with a unnique concept of automatic actions. In a nutshell, you are able to configure what to do with the new PII the moment it is discovered. The default is mere reporting, but you can also erase it comlpetely or hide and audit access to it. Of course, every action is reversible from the management UI. To configure automatic actions, go to add-on configuration, edit it, click Configure detection threshold and automatic actions... link to go into advanced configuration mode and set the automatic action for each PII type individually.

We know that PII stuff is sensitive, and we know you'd want to have full information about who changed what and when. With PII Protector this gets easy. Every time a change to the PII item display state is made, either manually by one of the Jira administrators or automatically by the configured automatic action, a new record in PII action log is added. At any time you can visit Administration / System / Security / PII Action Log page to see full history of these changes.