Find PII in any CSV or Excel file before you share it.
Spreadsheets are one of the most common ways personal data accidentally leaks — an export meant for internal analysis gets emailed, uploaded to a shared drive, or pasted into a support ticket, and nobody double-checked which columns actually contained emails, phone numbers, or national ID numbers. Sohovi's PII detection scans every column of a file and tells you exactly what's sensitive, before you send it anywhere.
What it detects
The detector combines pattern matching with statistical entropy analysis to catch both obvious and obscure sensitive data: email addresses, phone numbers, Social Security numbers, credit card numbers, street addresses, and secrets like API keys, AWS access keys, and JWTs. High-entropy tokens that don't match a known secret format — the kind of opaque string that's often an internal auth token — are flagged separately using Shannon entropy, so unusual-looking values don't slip through just because they don't match a regex.
Built into every profiling run
PII detection isn't a separate step you have to remember to run — it's part of Sohovi's data profiling pass on every upload, and it also powers our free, standalone PII Audit tool for a quick one-off check with no account required. Either way, flagged columns show sample matches and counts so you can decide whether to redact, mask, or exclude them before exporting.
Nothing you scan ever leaves your browser
This is precisely the kind of feature where privacy architecture matters most — you shouldn't have to upload a file full of unredacted personal data to a third-party server just to find out it contains personal data. Sohovi's detection runs entirely client-side in a Web Worker; the file you're scanning for sensitive information never touches our infrastructure. Full details are on our security architecture page.
For research and compliance teams
Teams preparing datasets for open access or third-party sharing can go further with our de-identification tool, which detects direct and quasi-identifiers, applies masking or generalization, and checks k-anonymity before export — all in the browser, with a methods log for your compliance records.