How a Mid-Market Fintech Blocked 200+ Sensitive Pastes in 30 Days
A 600-person payments company turned on AIovert in an afternoon. By day 30 it had stopped 213 sensitive pastes into AI tools, and finally had an answer when its DPO asked what was leaking.
AIovert Security Team
GDPR & EU AI Act practitioners
Composite case study based on a representative mid-market deployment. Company details are anonymised and figures are illustrative of typical first-month results.
The starting point
The company (call it Northwind Pay) runs payments and lending for SMBs, with around 600 employees across product, engineering, operations, and customer support. Like most fintechs, it had the paperwork: an acceptable-use policy, an approved enterprise AI plan, and a line in onboarding about “don't paste customer data into ChatGPT.”
What it didn't have was visibility. Before a supervisory review, the DPO asked a simple question: “how often does customer or cardholder data actually reach an AI tool, and can we prove we stop it?” The honest answer was a shrug. Network DLP saw only encrypted traffic to sanctioned-looking domains; nothing watched the paste itself.
The rollout
Northwind pushed AIovert Guard to every browser through Google Workspace in a single afternoon. There was no proxy, no certificate, no network change, and nothing for employees to configure: the extension self-registered from each signed-in work account. Detection runs on-device, so there was no privacy trade-off to negotiate: the security team would see classifications, never the content.
What the first 30 days showed
By day 30, the dashboard had logged 213 blocked pastes. The breakdown was sobering:
- Cardholder data (PCI): 71 pastes of PANs and account numbers dropped into chatbots to reconcile or explain transactions.
- Customer records: 88 pastes of names, emails, and balances, mostly from support drafting replies.
- API keys & secrets: 34 pastes of live credentials inside stack traces and config, from engineering.
- Other PII: 20 pastes of phone numbers, addresses, and the occasional SSN.
The tool distribution was equally telling: most pastes went to personal ChatGPT tabs, not the sanctioned enterprise plan. The policy was being followed in spirit by people who simply reached for the fastest tab: exactly the gap a written policy can't close.
“We assumed our enterprise plan meant the problem was handled. The first week showed us how much was going to the consumer tools instead. None of it was malicious. It was people trying to do their jobs faster.” Head of Security (representative)
Behaviour changed, not just blocks
Because Guard explains why a paste was blocked in the moment, and offers a masked copy so work continues, the weekly block count fell after the first fortnight. People learned where the line was without a single disciplinary conversation. The numbers told a prevention story, not just a detection one.
The outcome that mattered
When the supervisory review came, the DPO didn't bring a policy PDF. They brought an exportable log: every attempt, classified by severity, user, and tool, with the safeguard demonstrably working. That is the difference between asserting a control and evidencing one, the standard CNIL, the ICO, and the EDPB increasingly expect.
- 213 sensitive pastes prevented from reaching AI tools.
- 0 raw records stored by the security tool: classifications only.
- 1 afternoon to deploy, company-wide.
- An audit trail ready for the regulator and the board.
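To make the mechanism concrete, here is an added example (not AIovert's code, and not taken from the case study) of the three pieces the story rests on: an on-device classifier that sorts a paste into the categories listed in the 30-day breakdown, the masked copy that lets the work continue, and a log record that carries the classification, user and tool but no content. The category names mirror the breakdown above; the detection rules, severities, masking scheme, log fields and the two sample pastes are all constructed assumptions for illustration.

```javascript
// Added example: on-device classification of a paste before it reaches an AI tool.
// Not AIovert's code. Categories follow the case study's breakdown; the detection
// rules, severities, masking scheme and log record shape are assumptions.

// Luhn checksum: separates real card numbers from order ids and other digit runs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally grouped by spaces or dashes, kept
// only when the Luhn check passes.
function findPans(text) {
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  return [...text.matchAll(re)]
    .map(m => m[0])
    .filter(m => luhnValid(m.replace(/[ -]/g, "")));
}

// Illustrative secret formats only (a Stripe-style live key prefix and an
// AWS-style access key id); a real deployment carries many more patterns.
const SECRET_PATTERNS = [
  /\bsk_live_[A-Za-z0-9]{16,}\b/g,
  /\bAKIA[0-9A-Z]{16}\b/g,
];
function findSecrets(text) {
  return SECRET_PATTERNS.flatMap(re => [...text.matchAll(re)].map(m => m[0]));
}

// Email addresses stand in for "customer records" here; SSNs for "other PII".
function findEmails(text) {
  return [...text.matchAll(/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g)].map(m => m[0]);
}
function findSsns(text) {
  return [...text.matchAll(/\b\d{3}-\d{2}-\d{4}\b/g)].map(m => m[0]);
}

// Assumed category table and severity ordering.
const CATEGORIES = [
  { name: "cardholder_data",   severity: "critical", detect: findPans },
  { name: "api_key_or_secret", severity: "critical", detect: findSecrets },
  { name: "customer_record",   severity: "high",     detect: findEmails },
  { name: "other_pii",         severity: "high",     detect: findSsns },
];
const SEVERITY_RANK = { none: 0, medium: 1, high: 2, critical: 3 };

// Runs every detector over the paste, decides whether to block, and builds the
// masked copy the user is offered instead of the raw text.
function classifyPaste(text) {
  const findings = [];
  let masked = text;
  for (const cat of CATEGORIES) {
    const hits = cat.detect(text);
    if (hits.length === 0) continue;
    findings.push({ category: cat.name, severity: cat.severity, count: hits.length });
    for (const h of hits) {
      masked = masked.split(h).join(`[${cat.name.toUpperCase()}]`);
    }
  }
  const severity = findings.reduce(
    (top, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[top] ? f.severity : top),
    "none",
  );
  return { blocked: findings.length > 0, severity, findings, masked };
}

// Dashboard record: who, which tool, which categories, how severe. It carries no
// paste content, excerpt or content hash, matching "0 raw records stored".
function logRecord(result, user, tool, now = new Date()) {
  return {
    ts: now.toISOString(),
    user,
    tool,
    action: result.blocked ? "blocked" : "allowed",
    severity: result.severity,
    categories: result.findings.map(f => ({ category: f.category, count: f.count })),
  };
}

// Constructed sample pastes (fake data): a support reply draft and a stack trace.
// The card number is the standard 4111... test PAN; the order number fails Luhn.
const SAMPLE_SUPPORT_DRAFT =
  "Hi, I looked at the charge on card 4111 1111 1111 1111 for jane.doe@example.com. " +
  "Your order 1234 5678 9012 3456 was refunded. The SSN on file is 123-45-6789.";
const SAMPLE_STACK_TRACE =
  "Error: 401 Unauthorized\n  at StripeClient.charge (billing.js:42)\n" +
  "  config: { api_key = sk_live_EXAMPLEabcdef0123456789 }";

if (typeof require !== "undefined" && require.main === module) {
  const result = classifyPaste(SAMPLE_SUPPORT_DRAFT);
  console.log(JSON.stringify(logRecord(result, "agent-17", "chatgpt.com (personal)"), null, 2));
  console.log(result.masked);
}
```

The Luhn filter is what keeps the order number in the support draft out of the cardholder-data count, which matters because a classifier that blocks every 16-digit run trains people to ignore the prompt. The log record is built only from the classification result, so nothing downstream of `classifyPaste` ever sees the paste, which is the property a DPO needs to state when the control's own data handling is questioned.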
See your own first 30 days
Deploy AIovert across your team in an afternoon and watch the blocks and the behaviour change in your dashboard. Guard blocks sensitive pastes on-device; Monitor logs the proof for your DPO.