Pre-share PII gate: block presigned-URL requests for exposed files
A webhook fires before a presigned download URL is issued; it scans the requested S3 object for PII, blocks the share and archives evidence to Dropbox if found.
How it runs
The automated pipeline, trigger to output.
- Trigger: Webhook requests presigned URL for an object (HTTP webhook)
- Action: Fetch and scan object for PII (AWS S3)
- Logic: Branch: allow share or block?
- Action: Archive evidence copy to Dropbox on block (Dropbox)
- Action: Alert blocked share to Slack (Slack)
- Output: Respond with presigned URL or denial (HTTP webhook)
What it does
Inserts a PII check directly into your file-sharing path. When your app requests a presigned URL for an S3 object, this webhook scans the file first. If it contains PII, the share is denied, an evidence copy is archived for compliance, and the requester is notified — clean files get their signed URL with no friction.
When to use it
Use this when external sharing is the leak vector you most need to control, such as a customer portal or support tool that hands out download links. It stops the leak at the moment of sharing rather than after.
How it works
1. An inbound webhook arrives requesting a download link for an S3 object key.
2. The object is fetched from S3 and scanned by OpenAI for PII.
3. A logic branch decides allow versus block based on the findings.
4. If blocked, an evidence copy is archived to Dropbox for the compliance record.
5. A Slack alert notes the blocked share, requester, and reason.
6. The webhook responds with either the presigned URL (clean) or a denial (blocked).
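The six steps above as a minimal gate, added here as an example and not the product's own code. `Gate`, its injected callables and the regex-based `scan_for_pii` are hypothetical stand-ins (the page scans with an OpenAI model), and denying the share when the fetch or scan fails is an assumption the page does not state.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in patterns; the workflow on this page uses an OpenAI model instead.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def scan_for_pii(body: bytes) -> list:
    """Return the PII categories found, never the matched values themselves."""
    text = body.decode("utf-8", errors="replace")
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(text))

@dataclass
class Gate:
    fetch: Callable    # key -> bytes                (S3 GetObject in the real flow)
    sign: Callable     # key -> presigned URL string
    archive: Callable  # (key, body) -> None         (evidence copy, e.g. Dropbox)
    alert: Callable    # (key, requester, reason) -> None  (e.g. Slack)
    scan: Callable = scan_for_pii

    def handle(self, key: str, requester: str) -> dict:
        # Steps 1-2: fetch the requested object and scan it before any URL exists.
        try:
            body = self.fetch(key)
            findings = self.scan(body)
        except Exception as exc:
            # Assumption: fail closed. An unscanned object is never shared.
            self.alert(key, requester, "scan error: " + type(exc).__name__)
            return {"status": 403, "reason": "scan_failed"}
        # Step 3: branch on the findings.
        if findings:
            self.archive(key, body)                                   # step 4
            self.alert(key, requester, "PII: " + ", ".join(findings))  # step 5
            return {"status": 403, "reason": "pii_detected", "findings": findings}
        # Step 6: only a clean object gets a signed URL.
        return {"status": 200, "url": self.sign(key)}
```

The presigned URL is generated only on the clean branch, so a denial response never contains a usable link, and the denial carries category names rather than the matched data.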
Set it up
What you configure once, before turning it on.
1. Connect AWS S3: Buckets, objects, signed URLs.
2. Connect OpenAI: Models, embeddings, files.
3. Connect Dropbox: Files and folders.
4. Connect Slack: Channels, DMs, threads, mentions.
5. Connect HTTP webhook: Trigger any URL on agent actions.
6. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
7. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
