REFERENCE

Dashboard Methodology

How Sonomos calculates every metric in the Dashboard.

1. How Detection Works

Sonomos identifies sensitive data using two local-only methods:

Pattern matching with structural validation — for data types that have verifiable formats, such as checksums or digit structure.
Contextual pattern matching — for data types identified by proximity to relevant keywords.

Sonomos also uses named entity recognition to identify person names, organizations, and locations.

Detection confidence varies by type. Some types can be mathematically validated; others are inferred from context and carry a higher false positive rate.

A detection means Sonomos identified a pattern consistent with sensitive data. It does not confirm that the data is real, belongs to a third party, or is subject to any regulation.

2. Event Types

Flagged

A pattern consistent with sensitive data was identified in page content. No transmission occurred. No action was taken.

Unprotected

Flagged data was present in an outbound transmission that Sonomos observed but did not intercept. This may mean the user chose to send it, masking was not enabled for that type, or the data type was not configured for interception.

Blocked

Sonomos prevented a transmission containing flagged data.

Remediated

Flagged data was removed after detection, either by the user or by Sonomos's masking features.

User Overridden

The user was alerted and chose to proceed with the transmission.

3. Protection Rate

(Blocked + Remediated) / (Flagged + Unprotected + Blocked + Remediated) × 100

If no events exist, the rate is 100%.

This metric only reflects data types that Sonomos is configured to detect. Data types that are disabled are invisible to this metric. False positives in the Flagged count can suppress this rate; Sonomos accounts for this through internal quality tracking.

4. Remediation Posture

Remediation posture is reported as one of three tiers: Strong, Moderate, or Needs Review.

Posture is determined by a combination of the protection rate and whether any unprotected transmissions fell within the scope of a regulatory framework (see Section 6). Specific thresholds are calibrated internally and may be adjusted as Sonomos refines its scoring model.

This is a descriptive summary of what Sonomos observed. A "Strong" posture does not mean you are compliant with any regulation. A "Needs Review" posture does not mean you have violated any regulation.

5. Risk Score

The risk score is a 0–100 index reflecting recent detection activity. It weights more recent detections more heavily and accounts for both the severity of detected data types and the volume of detections. The score decays over time if no new detections occur.

The risk score reflects detection volume and severity over a recent window. It does not account for whether detections were accurate, whether data was authorized, or whether any regulation applies.

6. Regulatory Relevance

Sonomos maps unprotected transmissions to potentially applicable regulatory frameworks based on two factors: the category of data that was flagged (financial, medical, legal, personal, etc.) and the classification of the destination (AI tool, financial service, healthcare provider, external service, etc.).

Signal Requirements

A regulatory relevance signal requires all of the following:

Data in a specific category was flagged.
That data was transmitted unprotected.
The destination matches a relevant classification.

Detections that were blocked or remediated do not trigger relevance signals because no transmission occurred.

Mapped Frameworks

GLBA — Financial-category data transmitted to a third-party AI tool.

HIPAA — Data matching medical-record patterns transmitted to an AI tool or unrecognized external service. Whether data constitutes Protected Health Information under HIPAA requires that it both identifies an individual and relates to a health condition. Sonomos identifies pattern matches, not PHI status.

Attorney-Client Privilege — Certain legal identifiers transmitted to an AI tool. Not all legal data types trigger this signal; only types associated with litigation, case management, and witness identification are included. Public-record identifiers (patents, trademarks) are excluded. See United States v. Heppner (No. 3:23-cr-00044, W.D. Va. 2024), in which the court found that voluntary submission of privileged material to a generative AI service may constitute waiver. Applicability depends on the specific facts.

CCPA — Personal or government-issued identifiers transmitted to a third-party AI tool.

PCI-DSS — Payment card data transmitted to a third-party AI tool.

FinCEN / Travel Rule — Blockchain wallet or transaction data transmitted to a third-party AI tool.

Destination Classification

Destination classification — which domains are AI tools, financial services, or healthcare providers — is based on curated domain lists that users can customize. Sonomos cannot determine whether a Data Processing Agreement, BAA, or other contractual safeguard is in place for a given destination unless the user configures this in their profile.

Confidence Indicator

Relevance signals include a confidence indicator based on factors including whether the underlying detection type uses structural validation, the severity classification of the data, and internal quality metrics.

Incident Deduplication

Raw event counts are deduplicated into "incidents" representing distinct transmission patterns. Repeated detections of the same data on the same site in a single day are counted once. The dashboard shows incident counts as the primary metric.

User Compliance Profile

Users can optionally indicate their industry, whether their organization is a covered entity, and which AI service providers they have data protection agreements with. This context adjusts the relevance descriptions and confidence weighting but does not suppress signals entirely.

Limitations

Sonomos identifies data patterns, not data meaning. A pattern match may be a test value, public example, or user-owned data.
Regulatory applicability depends on the user's role, industry, jurisdiction, and contractual relationships — none of which Sonomos can verify.
Transmission context is inferred from domain classification only. Sonomos cannot detect contractual safeguards unless configured by the user.
Domain classification is based on a configurable list and may not reflect the user's service tier or API configuration.
Detection accuracy varies by data type. Sonomos tracks internal quality signals and adjusts confidence accordingly, but some flagged items may not be actual sensitive data.
Event data is stored locally in the browser with a rolling retention window. This is not a complete audit trail. PDF report exports are recommended for recordkeeping.

7. Data Retention and Storage

All detection data is processed and stored locally in the browser using Chrome extension storage APIs. No detection data is transmitted to Sonomos servers.

Aggregate statistics are synced across devices via the user's Google account (chrome.storage.sync) to survive reinstalls. Individual events are stored locally only and are subject to a rolling retention window.

Clearing browser data will remove local events. The dashboard displays the date range of available data. PDF report export is the recommended method for preserving snapshots.

8. What Sonomos Does Not Do

Sonomos does not determine whether you have violated any law or regulation.
Sonomos does not provide legal advice.
Sonomos does not verify the identity of data subjects.
Sonomos does not assess whether data handling is authorized.
Sonomos does not replace a compliance program, legal counsel, or data protection officer.
Sonomos does not transmit your data to external servers. All processing is local to your browser.