GENAI118

Overview

As Lead AI Solutions Architect at Cymbal Bank, your task is to enforce strict data privacy for the Zermatt Holiday Helper agent, which is an app used by high-value customers. To comply with internal policies and industry regulations, you must ensure that personally identifiable information (PII) is not stored in logs, the conversation history, or exports.

This involves using Google Cloud’s Data Loss Prevention (DLP) API, Conversational Agents security settings, and BigQuery redaction to automatically detect and redact sensitive data such as credit card numbers.

Objectives

In this lab, you learn how to perform the following tasks:

• Create a DLP Inspect Template to detect credit card numbers, as an instance of PII that needs to be redacted.
• Apply redaction using Conversational Agents Security Settings.
• Simulate conversations with PII and confirm redaction.
• Verify redaction in Conversation History and BigQuery.

By the end of this lab, your Conversational Agents agent should be fully compliant with Cymbal Bank’s privacy and data retention standards to ensure sensitive information is redacted across all data flows.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This Qwiklabs hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

What you need

To complete this lab, you need:

• Access to a standard internet browser (Chrome browser recommended).
• Time to complete the lab.

Note: If you already have your own personal Google Cloud account or project, do not use it for this lab.

Note: If you are using a Pixelbook, open an Incognito window to run this lab.

How to start your lab and sign in to the Google Cloud console

1. Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method. On the left is the Lab Details pane with the following:

   • The Open Google Cloud console button
   • Time remaining
   • The temporary credentials that you must use for this lab
   • Other information, if needed, to step through this lab

2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

   The lab spins up resources, and then opens another tab that shows the Sign in page.

   Tip: Arrange the tabs in separate windows, side-by-side.

   Note: If you see the Choose an account dialog, click Use Another Account.

3. If necessary, copy the Username below and paste it into the Sign in dialog.

   {{{user_0.username | "Username"}}}

   You can also find the Username in the Lab Details pane.

4. Click Next.

5. Copy the Password below and paste it into the Welcome dialog.

   {{{user_0.password | "Password"}}}

   You can also find the Password in the Lab Details pane.

6. Click Next.

   Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.

7. Click through the subsequent pages:

   • Accept the terms and conditions.
   • Do not add recovery options or two-factor authentication (because this is a temporary account).
   • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.

Task 1. Create a sensitive data protection Inspect template

In this task, you help to uphold Cymbal Bank's data security and privacy standards by ensuring that PII is stored only in specially managed environments. Specifically, you avoid storing sensitive data in the Conversational Agents conversation history, Conversational Agents log entries, or conversations exported into BigQuery.

Here is a breakdown of the test-related activities in this task:

1. Go to the Conversational Agents console and in the Select Project window, choose if prompted.

2. Under Agents, click Zermatt Holiday Helper.

3. Click the Toggle Simulator button at the top of the screen to close the Simulator window.

   
   

4. In the left-hand menu, select Tools, and select snow_conditions to edit the OpenAPI schema.

5. Scroll down to the Schema section and ensure YAML is selected. Replace the url under servers with , then click Save to save your changes.

6. In the Google Cloud console, search for Data Loss Prevention, and select Data Loss Prevention in the search results.

7. On the Sensitive Data Protection page that opens, click the Configuration tab, and select Templates > Inspect. Click on Create Template and configure a template with the following settings:

   Setting	Value
   Template type	Inspect (find sensitive data)
   Template ID	zhh-pii-template-lab
   Display name	Lab Agent PII
   Region

8. Click Continue.

9. Under Configure detection, in the InfoTypes field, click Manage Infotypes.

10. In the Filter field where it says Enter property name or value, search for CREDIT_CARD_NUMBER.

11. Select the relevant result in the Value dropdown list, and click Done.

12. In the Confidence threshold ("minimum likelihood") section, in the Minimum likelihood dropdown list, select Very unlikely.

13. Click Create.

Task 2. Configure security settings with redaction

1. Navigate to the Zermatt Holiday Helper agent page in the Conversational Agents console.

2. Click the Settings () icon in the toolbar.

3. On the General tab, scroll down to Logging settings, and select the Enable conversation history checkbox.

4. In the BigQuery export section, select the Enable BigQuery export checkbox.

5. Configure the BigQuery export settings as follows:

   Setting	Value
   Project name
   BigQuery dataset	agent_exports
   BigQuery table	dialogflow_bigquery_export_data

6. Click Save on the toolbar.

7. Switch to the Security tab. In the Data security section, click on Manage Security Settings.

8. In the new CES (it might still say CCAI but it's being rebranded to CES) browser tab that opens, click Create Security Settings, and configure it as follows:

   Setting	Value
   Display Name	zhh-pii-security-lab-settings
   Location
   Redaction Strategy	REDACT_WITH_SERVICE
   Redaction Scope	REDACT_DISK_STORAGE
   Purge Data Type	DIALOGFLOW_HISTORY
   Inspect template
   Select how to retain data	Use a retention window
   Retention Window Days	365

9. Click Create.

10. Return to the Security tab in the Conversational Agents console. Refresh the page, and in the Security settings dropdown list, select zhh-pii-security-lab-settings.

11. Click Save on the toolbar.

Task 3. Verify redaction

1. Click on Toggle Simulator in the toolbar to enable the Preview: Zermatt Holiday Helper.

2. In the prompt field where it says Enter text (@ for other options), enter inputs as per the following sample conversation to test your redaction setup against the Draft environment:

   User Input	Agent Response
   Hi
   	Hi! How can I help you today?
   Can you check if my credit card is locked? The number is 4111-1111-1111-1111
   	I'm sorry, but I can't help you with that. I am a virtual assistant for Zermatt and am not able to provide credit card information.
   OK, bye
   	Have a great day!

3. Click Conversation history in the left-hand menu.

4. In the Session Id section, choose the most recent interaction listed in the Conversation History, and verify that the credit card number shows in the conversation preview as [redacted].

5. In the Google Cloud console, go to Logs Explorer, search for redacted against Project logs, and click Run query.

6. In the results, click on Expand nested fields to expand each query to view the full results.

7. Verify that the sensitive data was [redacted].

8. From the Navigation menu (☰), go to BigQuery. In the BigQuery console, in the Untitled query tab, run the following query and confirm that the number was redacted:

   WITH queries AS ( SELECT JSON_VALUE(request, "$.queryInput.text.text") AS query_text FROM `agent_exports.dialogflow_bigquery_export_data`) SELECT * FROM queries WHERE query_text LIKE "%redacted%"

In the result, the query_text value should read: Can you check if my credit card is locked? The number is [redacted].

Congratulations

In this lab, you explored how to safeguard personally identifiable information for conversational agents, which includes the detection of sensitive data using a DLP Inspect template, applying redaction policies across Conversational Agents, and protecting PII in conversation history, logs, and BigQuery exports.

End your lab

When you have completed your lab, click End Lab. Qwiklabs removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

• 1 star = Very dissatisfied
• 2 stars = Dissatisfied
• 3 stars = Neutral
• 4 stars = Satisfied
• 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Manual last updated September 17, 2025

Lab last tested September 17, 2025

Copyright 2023 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.