Description

Solo operators running Make or n8n workflows that touch client data face a hidden risk: PII and secrets leaking through LLM calls, API requests, and workflow logs. While vendors offer inconsistent protection—Vertex AI has non-configurable filters, Bedrock Guardrails cost per request, and Anthropic relies on prompt patterns—you need a solution that works everywhere and proves it's working.

This episode walks through building a detect-mask-log subflow that drops in before any external call. Using Microsoft Presidio or OpenAI's new Privacy Filter, you'll scan for emails, phone numbers, API keys, and other sensitive data, then mask or pseudonymize it based on rules you control. The real game-changer is the annotated log—a JSON object that records what was found, what was masked, and which detector version ran.

Jordan covers the cost math between self-hosted detection ($5-15/month in compute) and managed services (AWS Comprehend's per-character billing, Google DLP's per-GB pricing), addresses the quality tradeoffs of masking versus pseudonymization, and shows how to fail closed when detection errors occur. You'll get the exact subflow templates for Make and n8n, plus the log schema that turns invisible security work into client-visible protection.
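
An added sketch of the detect-mask-log step, its annotated log and the fail-closed path described above, in JavaScript (the language n8n Code nodes run). It is not the episode's template: the regex detectors stand in for Presidio or Privacy Filter, and the log field names, the `sk-` key pattern and `DETECTOR_VERSION` are assumptions.

```javascript
// Added example: regex detectors stand in for a real engine such as Presidio.
const DETECTOR_VERSION = "regex-demo-0.1"; // hypothetical version label

// Constructed patterns, deliberately simple; order sets priority (keys before phones).
const DETECTORS = [
  { type: "API_KEY", re: /\bsk-[A-Za-z0-9]{16,}\b/g },
  { type: "EMAIL", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { type: "PHONE", re: /\+?\d[\d\s().-]{8,}\d/g },
];

function detect(text) {
  if (typeof text !== "string") throw new TypeError("detector input must be a string");
  const hits = [];
  for (const { type, re } of DETECTORS) {
    for (const m of text.matchAll(re)) {
      const start = m.index, end = start + m[0].length;
      // Skip spans that overlap an earlier, higher-priority finding.
      if (!hits.some(h => start < h.end && end > h.start)) hits.push({ type, start, end });
    }
  }
  return hits.sort((a, b) => a.start - b.start);
}

function detectMaskLog(text, step) {
  const log = { step, detector_version: DETECTOR_VERSION, status: "ok", findings: [] };
  try {
    const hits = detect(text);
    let out = "", pos = 0;
    for (const h of hits) {
      out += text.slice(pos, h.start) + `<${h.type}>`;
      pos = h.end;
      // Record type and offsets only; the raw value never enters the log.
      log.findings.push({ type: h.type, start: h.start, end: h.end, action: "masked" });
    }
    return { allowed: true, text: out + text.slice(pos), log };
  } catch (err) {
    // Fail closed: on any detector error, block the external call entirely.
    log.status = "detector_error";
    log.error = String(err.message);
    return { allowed: false, text: null, log };
  }
}

// Constructed sample input.
const sample = "Reach jane.doe@example.com or +1 415 555 0100, key sk-abcdef1234567890ABCD";
console.log(JSON.stringify(detectMaskLog(sample, "llm_call"), null, 2));
```

The workflow branch that makes the external call should check `allowed` first and forward only `text`, while `log` goes to whatever store the client report is built from.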