> ## Documentation Index
> Fetch the complete documentation index at: https://docs.responsibleailabs.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# DPDP: Content Scan

> Scan AI outputs for Indian PII (Aadhaar, PAN, mobile, UPI, passport), child signals under S.9, and purpose drift under S.4. Supports detect, mask, and block modes.

<Info>
  **Overview:** [India DPDP](/api-reference/dpdp-overview) | **Concept:** [India DPDP guide](/concepts/india-dpdp) | **SDK:** [Python DPDP](/sdk/python/dpdp) | **Credits:** 0.5 per call
</Info>

Scans text for DPDP-relevant patterns and returns findings with optional masking. Designed to run inside middleware on every model output.

```mermaid theme={null}
flowchart TD
    In["content + config"] --> PII["Detect Indian PII<br/>Aadhaar, PAN, UPI, mobile, +6"]
    In --> Child["Detect child signals (S.9)"]
    In --> Drift["Detect purpose drift (S.4)"]
    PII --> Act{"pii_action?"}
    Act -- "detect" --> R1["Return findings"]
    Act -- "mask" --> R2["Return content_masked"]
    Act -- "block" --> R3["Replace PII with [BLOCKED]"]
    Child --> Verdict["compliant flag"]
    Drift --> Verdict
    R1 --> Verdict
    R2 --> Verdict
    R3 --> Verdict
```

## Parameters

<ParamField body="content" type="string" required>
  The text to scan. Must be 1-10,000 characters.
</ParamField>

<ParamField body="config.pii_action" type="string" default="detect">
  `"detect"` returns findings without modifying content. `"mask"` replaces PII with type-specific placeholders. `"block"` replaces all PII with `[BLOCKED]`.
</ParamField>

<ParamField body="config.child_detection" type="boolean" default="true">
  Scan for child signals (age mentions, grade references, parental references). Required for S.9 compliance.
</ParamField>

<ParamField body="config.purpose" type="string">
  Declared processing purpose (e.g., `"loan_advisory"`, `"marketing"`). Enables purpose-drift detection under S.4.
</ParamField>

<ParamField body="config.session_id" type="string">
  Links this scan to a [compliance session](/api-reference/dpdp-session) for stateful tracking.
</ParamField>

## Indian PII types detected

| Type              | Pattern                                      | Validation                                                   |
| ----------------- | -------------------------------------------- | ------------------------------------------------------------ |
| `aadhaar`         | 12-digit (XXXX XXXX XXXX)                    | Verhoeff checksum; must not start with 0 or 1                |
| `pan`             | 5 alpha + 4 digits + 1 alpha                 | Regex match                                                  |
| `mobile`          | +91 prefix or 10-digit starting with 6-9     | Regex match                                                  |
| `upi`             | username\@bankhandle                         | Validated against known bank handles                         |
| `passport`        | Letter + 7 digits                            | Active series only (J, K, L, M, R, S, T, U, V, Z)            |
| `voter_id`        | 3 alpha + 7 digits                           | Regex match                                                  |
| `driving_license` | State code + RTO + year + serial             | Regex match                                                  |
| `ifsc`            | 4 alpha + 0 + 6 alphanumeric                 | Regex match                                                  |
| `bank_account`    | 9-18 digits                                  | Context-aware: requires nearby keywords (account, a/c, acct) |
| `gstin`           | 2 digits + PAN + 1 alphanum + Z + 1 alphanum | Regex match                                                  |

## Masking behavior

| PII Type   | Mask Mode                         | Block Mode  |
| ---------- | --------------------------------- | ----------- |
| Aadhaar    | `XXXX XXXX 0123` (last 4 visible) | `[BLOCKED]` |
| PAN        | `XXXXX1234X` (digits visible)     | `[BLOCKED]` |
| Mobile     | `[MOBILE]`                        | `[BLOCKED]` |
| UPI        | `XXXX@bankhandle`                 | `[BLOCKED]` |
| All others | `[TYPE]` (e.g., `[PASSPORT]`)     | `[BLOCKED]` |

## Child signal types

| Signal               | Examples                    | Age Inference   |
| -------------------- | --------------------------- | --------------- |
| `age_mention`        | "I am 14", "my son is 12"   | Yes             |
| `grade_mention`      | "in 8th grade", "class 10"  | Yes (grade + 5) |
| `school_mention`     | "my school"                 | No              |
| `parental_reference` | "my parents", "my mom said" | No              |
| `minor_keyword`      | "I am a minor"              | No              |

## Request

```bash theme={null}
curl -X POST https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp/scan \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -d '{
    "content": "Your loan is approved. Aadhaar: 2345 6789 0123, PAN: ABCDE1234F.",
    "config": {
      "pii_action": "mask",
      "child_detection": true,
      "purpose": "loan_advisory"
    }
  }'
```

## Response

```json theme={null}
{
  "result": {
    "compliant": false,
    "content_masked": "Your loan is approved. Aadhaar: XXXX XXXX 0123, PAN: XXXXX1234X.",
    "pii_found": [
      {
        "type": "aadhaar",
        "original": "2345 6789 0123",
        "masked": "XXXX XXXX 0123",
        "position": { "start": 34, "end": 48 },
        "severity": "critical",
        "section": "S.8(5)",
        "penalty_crore": 250
      },
      {
        "type": "pan",
        "original": "ABCDE1234F",
        "masked": "XXXXX1234X",
        "position": { "start": 55, "end": 65 },
        "severity": "high",
        "section": "S.8(5)",
        "penalty_crore": 250
      }
    ],
    "child_signals": [],
    "child_session": false,
    "child_actions_required": [],
    "purpose_drift": false,
    "purpose_drift_details": {},
    "checks_run": ["indian_pii_scan", "child_signal_detection", "purpose_drift_detection"],
    "latency_ms": 12.5
  },
  "credits_consumed": 0.5
}
```

<ResponseField name="result.compliant" type="boolean">
  `true` if no PII, child signals, or purpose drift were detected.
</ResponseField>

<ResponseField name="result.content_masked" type="string">
  The input text with PII replaced by type-specific masks. Only present when `pii_action` is `"mask"` or `"block"`.
</ResponseField>

<ResponseField name="result.pii_found" type="array">
  Array of detected PII items. Each entry includes `type`, `original` value, `masked` replacement, character `position`, `severity` (critical/high/medium), DPDP `section`, and maximum `penalty_crore`.
</ResponseField>

<ResponseField name="result.child_signals" type="array">
  Detected child indicators. Each entry has `type`, matched `text`, `inferred_age` (if available), and DPDP `section` (S.9).
</ResponseField>

<ResponseField name="result.child_session" type="boolean">
  `true` if child signals were detected, indicating S.9 protections must be applied.
</ResponseField>

<ResponseField name="result.child_actions_required" type="string[]">
  Specific actions required when a child is detected: parental consent, no targeted ads, no tracking, no harmful processing, age-gating.
</ResponseField>

<ResponseField name="result.purpose_drift" type="boolean">
  `true` if the content contains indicators inconsistent with the declared purpose (S.4 violation).
</ResponseField>

<ResponseField name="result.purpose_drift_details" type="object">
  When drift is detected: `declared_purpose`, `drift_indicators` (keywords found), DPDP `section`, and `penalty_crore`.
</ResponseField>

## Response: child detected

When child signals are found, the response includes required actions under S.9:

```json theme={null}
{
  "result": {
    "compliant": false,
    "pii_found": [],
    "child_signals": [
      {
        "type": "age_mention",
        "text": "my son is 14",
        "inferred_age": 14,
        "section": "S.9"
      }
    ],
    "child_session": true,
    "child_actions_required": [
      "Obtain verifiable parental consent before processing (DPDP S.9)",
      "Do not serve targeted advertisements to the child",
      "Do not perform tracking or behavioral monitoring",
      "Do not process data likely to cause harm to the child",
      "Implement age-gating mechanism"
    ],
    "checks_run": ["indian_pii_scan", "child_signal_detection"],
    "latency_ms": 8.3
  },
  "credits_consumed": 0.5
}
```

## Response: purpose drift

When the content contains keywords inconsistent with the declared purpose:

```json theme={null}
{
  "result": {
    "compliant": false,
    "pii_found": [],
    "purpose_drift": true,
    "purpose_drift_details": {
      "drift_detected": true,
      "declared_purpose": "loan_advisory",
      "drift_indicators": ["advertising", "retarget", "tracking"],
      "section": "S.6",
      "penalty_crore": 250
    },
    "checks_run": ["indian_pii_scan", "child_signal_detection", "purpose_drift_detection"],
    "latency_ms": 5.1
  },
  "credits_consumed": 0.5
}
```