
Create Your First Policy

Policies are the core of Noxys' data protection engine. They enforce rules about what data can be shared with AI platforms and what actions to take when violations are detected.

Prerequisites

  • You have installed the Noxys browser extension (see Installation Guide)
  • You have Admin role in your Noxys tenant
  • The extension is configured with a valid API token and shows a green connection status

Understanding Policies

What Are Policy Actions?

Every policy has one of three actions that execute when a violation is detected:

  • Block: Prevents the user from submitting the message to the AI platform. Use case: high-risk data (PII, secrets)
  • Coach: Warns the user with a banner, but allows submission if they confirm. Use case: medium-risk data, educational nudge
  • Log: Records the interaction for audit purposes without blocking. Use case: low-risk data, compliance tracking

Policy Evaluation

Policies are evaluated in order of priority (lower number = higher priority):

  1. When a user submits content to an AI platform, Noxys checks all enabled policies
  2. The first matching policy executes its action
  3. Subsequent policies are skipped
  4. If no policies match, the interaction is logged as normal

Example:

  • Policy 1 (priority 1): Block all emails on ChatGPT
  • Policy 2 (priority 2): Coach all phone numbers on any platform
  • User tries to submit email to ChatGPT → Policy 1 matches → Block → Stop evaluation

Tier 1 vs. Tier 2 Detection

Noxys has two levels of PII detection:

  • Tier 1 (Regex): Fast pattern matching on the device (< 10ms latency). Detects common patterns like emails, phone numbers, credit card numbers
  • Tier 2 (Presidio + SLM): Backend-based detection using Presidio and custom recognizers (~ 30ms latency). Detects medical terms, legal references, API keys, IBAN numbers

Most policies use Tier 1 for speed. Enable Tier 2 in Settings if you need deeper detection.

Step 1: Navigate to Policies

  1. From the Noxys Dashboard, click Policies in the left sidebar
  2. You'll see your existing policies (if any)
  3. Click + New Policy (top right)

Step 2: Configure the Policy

Fill in the policy form with the following fields:

Basic Information

Name (required)

  • Clear, descriptive name: "Block PII on ChatGPT", "Coach Financial Data"
  • Avoid generic names like "Policy 1"
  • Include the platform and action for quick scanning

Description (optional but recommended)

  • Explain why this policy exists
  • Example: "Prevent users from sharing personal emails or phone numbers with ChatGPT to reduce exposure to LLM training data"
  • This helps other admins understand the policy's purpose

Platform Configuration

Platform (required)

  • Select the target AI platform:
    • Specific platform: "ChatGPT", "Claude", "Gemini", etc.
    • All platforms: Apply the policy to all detected AI services
    • Custom regex: Match platform URLs with a regex pattern

Example: Targeting Specific Platforms

  • Create separate policies for high-risk platforms (ChatGPT, Claude)
  • Create broader policies for less-critical platforms

Example: Using Custom Regex

.*internal-ai-tool\.example\.com.*

Risk Configuration

Risk Level (required)

  • Select what this policy should detect:
    • PII - Low: Names, locations (less sensitive)
    • PII - Medium: Email addresses, phone numbers, employee IDs
    • PII - High: Credit card numbers, IBAN, NIR, API keys, passwords
    • Custom pattern: Define your own regex or keyword list

Data Types (depends on risk level)

  • Emails: .*@.*\..*
  • Phone numbers: Common formats (+1-555-1234, etc.)
  • Credit cards: Visa, Mastercard, Amex patterns
  • API keys: Keywords like api_key=, sk_live_, etc.
  • Custom: Add your own patterns

Example: Blocking Financial Data

Risk Level: PII - High
Data Types: Credit card numbers, IBAN, Bank account numbers

Action Configuration

Action (required)

  • Block: Prevents submission; user sees error message
  • Coach: Shows warning banner; user can proceed by clicking "Continue"
  • Log: Records interaction silently; no user-facing message

Recommended Actions by Risk Level:

  • PII - High → Block
  • PII - Medium → Coach
  • PII - Low → Log
  • Custom patterns → Block (if critical) or Coach (if important)

Priority (optional, defaults to lowest)

  • Lower numbers = higher priority
  • Policies are evaluated top-to-bottom
  • First matching policy wins
  • Defaults to lowest priority (executes last)

Example Priority Setup:

  1. Block email addresses on ChatGPT (priority 1)
  2. Coach email addresses on other platforms (priority 2)
  3. Log all interactions (priority 100, always matches)

Step 3: Save and Test the Policy

  1. Click Create Policy
  2. The policy is created but disabled by default
  3. You'll see a toggle next to your policy name
  4. Click Enable to activate it

Before Enabling: Review the Configuration

  1. Check the policy name is clear
  2. Verify the platform matches your intent
  3. Confirm the data types are correct
  4. Review the action (Block / Coach / Log)
  5. Verify priority doesn't conflict with other policies

Step 4: Test Your First Policy

Manual Testing

  1. For Block policies:

    • Open ChatGPT (or your target platform)
    • Try submitting a message with the blocked data (e.g., an email address)
    • You should see a "Blocked by Noxys" message
    • The submission is prevented
  2. For Coach policies:

    • Open the target platform
    • Submit a message with the flagged data
    • You should see a warning banner from Noxys
    • Click Continue to proceed or Cancel to abort
  3. For Log policies:

    • Open the target platform
    • Submit a message with the data
    • Submission proceeds normally
    • Check the Dashboard → Alerts to verify it was logged

Real-World Testing

  1. Go back to the Dashboard
  2. Click Alerts in the left sidebar
  3. You should see your test interactions listed
  4. Click an alert to see the full details:
    • Platform used
    • Data detected
    • Action taken (Blocked / Coached / Logged)
    • Timestamp

Tip: Have a few team members test the policies before enforcing them across the entire organization. This helps catch unintended side effects.

Common Policy Recipes

Recipe 1: Block High-Risk Data on ChatGPT

Prevent users from sharing PII with ChatGPT.

  • Name: Block PII on ChatGPT
  • Platform: ChatGPT
  • Risk Level: PII - High
  • Data Types: Credit cards, IBAN, NIR, API keys
  • Action: Block
  • Priority: 1

Recipe 2: Coach Emails on All Platforms

Warn users before they share their email with any AI service.

  • Name: Coach email addresses
  • Platform: All platforms
  • Risk Level: PII - Medium
  • Data Types: Email addresses
  • Action: Coach
  • Priority: 10

Recipe 3: Block Internal API Keys

Prevent exposure of your organization's API keys.

  • Name: Block internal API keys
  • Platform: All platforms
  • Risk Level: Custom pattern
  • Custom Pattern: sk_live_|api_key=|NOXYS_SECRET
  • Action: Block
  • Priority: 1

Recipe 4: Log All Interactions

Create a catch-all policy for compliance and auditing.

  • Name: Log all interactions (compliance audit)
  • Platform: All platforms
  • Risk Level: Custom pattern (match everything)
  • Custom Pattern: .* (matches all content)
  • Action: Log
  • Priority: 999 (lowest priority, always matches)

Managing Policies

Edit a Policy

  1. From Policies, click the three-dot menu next to your policy
  2. Click Edit
  3. Modify the settings
  4. Click Save

Changes take effect immediately on all devices.

Disable a Policy Temporarily

  1. Click the toggle next to the policy name
  2. It turns gray and is disabled
  3. Click again to re-enable

Disabled policies don't execute, allowing you to test or troubleshoot safely.

Delete a Policy

  1. Click the three-dot menu next to your policy
  2. Click Delete
  3. Confirm deletion

Deleting is permanent. Consider disabling instead if you might need it later.

View Policy Metrics

For each policy, you can see:

  • Violations (24h): Number of times this policy was triggered in the last day
  • Blocked: How many times the action was "Block"
  • Coached: How many times the action was "Coach"
  • Platforms: Which AI platforms triggered this policy
  • Top users: Users with the most violations

Use this data to:

  • Identify patterns in your organization's AI usage
  • Refine policies based on false positives
  • Educate users who frequently violate policies

Troubleshooting

Policy Not Blocking as Expected

Problem: A policy is enabled, but content that should be blocked is being submitted.

Solution:

  1. Verify the policy is enabled (toggle should be on)
  2. Check the priority: Is a higher-priority policy matching first and allowing it?
  3. Verify the risk level and data types match your test data:
    • If using regex, test it at regex101.com
    • If using predefined data types, verify the format matches
  4. Check that the platform matches where you're testing
  5. Verify the extension is showing a green icon (connected)
  6. Force extension to re-sync policies:
    • Click Noxys icon → Settings → Sync Policies Now
  7. Refresh the AI platform page

False Positives (Blocking Legitimate Content)

Problem: Policy is blocking content that should be allowed.

Solution:

  1. Review the policy's data types or regex pattern:
    • The pattern may be too broad
    • Example: the regex \w+ matches any run of word characters, so it triggers on practically every message
  2. Consider changing the action from Block to Coach
    • This warns users but allows override
  3. Adjust the priority to allow a different policy to match first
  4. Add exceptions for specific users or platforms
  5. Test your regex pattern at regex101.com before deploying
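An added way to measure a custom pattern's breadth against sample messages before deploying it; this is example code, not part of Noxys. It runs the page's own patterns (.*@.*\..*, \w+ and sk_live_|api_key=|NOXYS_SECRET) plus a tightened email pattern over a small constructed corpus whose labels, messages and placeholder secrets are assumptions of this example.

```python
import re

# Constructed corpus: (message, contains_sensitive_data). Labels and values are
# this example's own; the key-like strings are placeholders, not real secrets.
CORPUS = [
    ("Please email jane.doe@example.com the report", True),
    ("My key is sk_live_EXAMPLE123", True),
    ("Meet me @ the cafe. Bring the slides", False),
    ("Summarise this paragraph for me", False),
    ("The API rate limit is 100 req/s.", False),
    ("Set api_key=PLACEHOLDER in .env", True),
]

def measure(pattern: str, corpus=CORPUS):
    """Return (hits, false_positives, misses) for a candidate pattern.
    A false positive is a benign message the pattern flags; a miss is a
    sensitive message it lets through."""
    rx = re.compile(pattern)
    hits = fp = miss = 0
    for text, sensitive in corpus:
        flagged = rx.search(text) is not None
        hits += flagged
        fp += flagged and not sensitive
        miss += sensitive and not flagged
    return hits, fp, miss

CANDIDATES = {
    "loose email": r".*@.*\..*",           # the illustrative email pattern from Data Types
    "tight email": r"[\w.+-]+@[\w-]+\.[A-Za-z]{2,}",  # assumed tighter alternative
    "any word":    r"\w+",                 # the over-broad example from the troubleshooting list
    "secrets":     r"sk_live_|api_key=|NOXYS_SECRET",  # Recipe 3's custom pattern
}

if __name__ == "__main__":
    # The loose email pattern flags "Meet me @ the cafe." (a false positive);
    # \w+ flags every message; the secrets pattern has no false positives.
    for name, pat in CANDIDATES.items():
        hits, fp, miss = measure(pat)
        print(f"{name:12} hits={hits} false_positives={fp} missed={miss}")
```

A pattern that flags benign messages is a candidate for Coach rather than Block, or for narrowing; misses are expected here because each pattern should cover one data type, with separate policies for the others.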

Policy Changes Not Applying

Problem: You updated a policy, but the extension doesn't reflect the change.

Solution:

  1. Policies sync to devices within 30 seconds
  2. Force manual sync:
    • Click Noxys icon → Settings → Sync Policies Now
  3. Refresh the AI platform page
  4. If still not working, restart your browser
  5. Check that extension is connected (green icon)

Can't Create Policy Due to Validation Error

Problem: Form shows validation errors when you try to save.

Solution:

  • Name required: Fill in a name for your policy
  • Platform required: Select a platform (specific, all, or custom regex)
  • Action required: Choose Block, Coach, or Log
  • Invalid regex: If using custom patterns, verify syntax at regex101.com
  • Conflicting priority: Priority must be unique; change the number if duplicate

Advanced: Policy Logic

Combining Multiple Policies

Policies are evaluated in order of priority. Design your policies to work together:

Example: Multi-tier approach

Priority 1: Block credit card numbers on ChatGPT (Block)
Priority 2: Block passwords on all platforms (Block)
Priority 3: Coach emails on all platforms (Coach)
Priority 4: Log all interactions (Log)

When a user submits content:

  1. Check priority 1 (does it contain a credit card + platform is ChatGPT?) → If yes, Block and stop
  2. Check priority 2 (does it contain a password?) → If yes, Block and stop
  3. Check priority 3 (does it contain an email?) → If yes, Coach and stop
  4. Check priority 4 (always matches) → Log and stop
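The first-match evaluation described under Policy Evaluation and walked through in the multi-tier example above, as an added simulation that is not Noxys code. The Policy fields, the "*" and "re:" conventions for the "All platforms" and "Custom regex" platform choices, and the detection regexes are all assumptions of this example.

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    priority: int   # lower number = evaluated first; unique per tenant
    platform: str   # platform name, "*" for all platforms, or "re:<regex>" matched against the page URL
    pattern: str    # Tier 1 style regex run against the submitted text
    action: str     # "Block", "Coach" or "Log"
    enabled: bool = True

def platform_matches(policy: Policy, platform: str, url: str) -> bool:
    # "*" and "re:" are this example's own encodings of the platform picker choices.
    if policy.platform == "*":
        return True
    if policy.platform.startswith("re:"):
        return re.search(policy.platform[3:], url) is not None
    return policy.platform == platform

def evaluate(policies, platform: str, url: str, text: str):
    """Return (action, policy name). The first enabled policy, in ascending
    priority order, whose platform and pattern both match wins and later
    policies are skipped. If nothing matches, the interaction is logged as normal."""
    for pol in sorted(policies, key=lambda x: x.priority):
        if not pol.enabled:
            continue  # disabled policies never execute
        if platform_matches(pol, platform, url) and re.search(pol.pattern, text):
            return pol.action, pol.name
    return "Log", None

# Constructed policy set mirroring the multi-tier example, plus a custom-regex platform.
POLICIES = [
    Policy("Block credit cards on ChatGPT", 1, "ChatGPT", r"\b(?:\d[ -]?){13,16}\b", "Block"),
    Policy("Block passwords on all platforms", 2, "*", r"(?i)password\s*[:=]\s*\S+", "Block"),
    Policy("Coach emails on all platforms", 3, "*", r"[\w.+-]+@[\w-]+\.[\w.]+", "Coach"),
    Policy("Block keys on internal tool", 4, r"re:internal-ai-tool\.example\.com", r"sk_live_|api_key=|NOXYS_SECRET", "Block"),
    Policy("Log all interactions", 999, "*", r".*", "Log"),
]

if __name__ == "__main__":
    # The card number is blocked on ChatGPT, but on Claude it only reaches the email
    # policy: priority 1 is scoped to ChatGPT, so the card itself is not caught there.
    print(evaluate(POLICIES, "ChatGPT", "https://chatgpt.com/", "card 4111 1111 1111 1111"))
    print(evaluate(POLICIES, "Claude", "https://claude.ai/", "card 4111 1111 1111 1111, mail me at a@b.com"))
    print(evaluate(POLICIES, "Gemini", "https://gemini.google.com/", "password: hunter2"))
    print(evaluate(POLICIES, "Internal", "https://internal-ai-tool.example.com/chat", "api_key=abc123"))
    print(evaluate(POLICIES, "Claude", "https://claude.ai/", "summarise this meeting"))
```

The second case is the check worth running on your own policy set: a platform-scoped Block at priority 1 leaves the same data on other platforms to whatever lower-priority policy happens to match.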

Using Risk Levels vs. Custom Patterns

Risk Levels (predefined):

  • Faster to set up
  • Pre-configured for common PII types
  • Limited customization

Custom Patterns (regex):

  • Maximum flexibility
  • Requires regex knowledge
  • Can target specific company policies

Choose Risk Levels for standard cases; use Custom Patterns for organization-specific rules.
