# Session Detection: Corporate and Personal Account Filtering

By default, with no session detection enabled, Nightfall monitors all uploads and paste events across all account types on all configured domains - it does not distinguish whether a user is in a personal Google account or a corporate Workspace account.

Session detection lets you scope monitoring to an account context. There are **two independent toggles**, each controlling a different axis:

| Toggle                                   | What it does                                                                             | When to use it                        |
| ---------------------------------------- | ---------------------------------------------------------------------------------------- | ------------------------------------- |
| **Corporate accounts only** (source)     | Only tracks events where the file or content originated from a corporate account session | You care about where data *came from* |
| **Personal accounts only** (destination) | Only tracks events where the upload destination is a personal account session            | You care about where data *is going*  |

These toggles are independent - enabling one does not affect the other.

**Behavior by state**

| Source toggle | Destination toggle | What is monitored                                                                 |
| ------------- | ------------------ | --------------------------------------------------------------------------------- |
| Off           | Off                | All events on all domains, no account-type distinction                            |
| Off           | On                 | Only uploads/pastes *into* personal account sessions                              |
| On            | Off                | Only uploads/pastes *from* corporate account sessions, regardless of destination  |
| On            | On                 | Both constraints apply independently                                              |

> **Session detection coverage is domain-dependent.** Not all domains in a collection support session detection. The UI shows how many domains in your selected collection are covered (e.g., "3 of 12 domains across 2 collections support session detection"). Domains outside coverage are always monitored for all account types, regardless of toggle state. If *none* of the selected domains support session detection, the toggle has no effect and all domains are monitored for all account types.
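The behavior table and the coverage note above, worked through as a small policy evaluator. This is an added example, not Nightfall's code: the coverage set, the domain names and the `corporate`/`personal`/`unknown` account labels are constructed placeholders, and uncovered domains are handled as the coverage note states (monitored whatever the toggle state).

```python
from dataclasses import dataclass

# Constructed sample coverage: domains assumed to support session detection
# for this walkthrough. Placeholder set, not Nightfall's coverage list.
SESSION_DETECTION_DOMAINS = {"drive.google.com", "dropbox.com", "chatgpt.com"}


@dataclass(frozen=True)
class Event:
    """One upload or paste: where the content was copied from and where it lands.
    Account context is 'corporate', 'personal', or 'unknown' (uncovered domain)."""
    source_domain: str
    source_account: str
    dest_domain: str
    dest_account: str


def axis_passes(toggle_on: bool, domain: str, account: str, wanted: str) -> bool:
    """Evaluate one toggle (source or destination) for one event.

    A toggle only narrows events on domains that support session detection;
    per the coverage note, uncovered domains stay monitored for all account
    types regardless of toggle state.
    """
    if not toggle_on:
        return True
    if domain not in SESSION_DETECTION_DOMAINS:
        return True
    return account == wanted


def is_monitored(event: Event, corporate_source_only: bool, personal_dest_only: bool) -> bool:
    """Both toggles apply independently: the event is monitored only if it
    passes the source axis AND the destination axis."""
    src_ok = axis_passes(corporate_source_only, event.source_domain,
                         event.source_account, "corporate")
    dst_ok = axis_passes(personal_dest_only, event.dest_domain,
                         event.dest_account, "personal")
    return src_ok and dst_ok


# Constructed scenarios mirroring the policies discussed on this page.
CORP_TO_PERSONAL_DRIVE = Event("drive.google.com", "corporate", "drive.google.com", "personal")
CORP_TO_CORP_DRIVE = Event("drive.google.com", "corporate", "drive.google.com", "corporate")
PERSONAL_TO_PERSONAL_DRIVE = Event("drive.google.com", "personal", "drive.google.com", "personal")
CORP_TO_UNCOVERED_SAAS = Event("drive.google.com", "corporate", "notes.example", "unknown")

if __name__ == "__main__":
    for name, ev in [("corp -> personal Drive", CORP_TO_PERSONAL_DRIVE),
                     ("corp -> corp Drive", CORP_TO_CORP_DRIVE)]:
        print(name, "| destination toggle only:", is_monitored(ev, False, True))
```

The corporate-to-corporate Drive case is the noise the destination toggle removes; the corporate-to-uncovered-SaaS case is what only the source toggle catches.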

***

**Destination toggle - personal account monitoring**

The most common pattern. Enable this when your primary concern is data ending up in a personal account on a domain your organization also uses corporately.

*Common policies seen in practice:*

* "Block Uploads to Personal Storage Accounts"
* "PII to Personal Accounts"
* "ChatGPT/Claude/Dropbox - Uploads to Personal Accounts"
* "PHI Upload to Personal Account"

*Why this matters:* On domains like `drive.google.com`, `dropbox.com`, or `chatgpt.com`, the same domain hosts both corporate and personal accounts. Without session detection, a policy scoped to these domains fires on *all* uploads - including uploads from an employee using their company-issued Google Workspace account, which is typically approved. Enabling the destination toggle narrows the policy to only fire when the upload goes into a *personal* session, eliminating noise from legitimate corporate activity.

***Recommended use:***

* Cloud storage: Use a separate policy for personal `drive.google.com` use, distinct from corporate Workspace. Enable the destination toggle and scope the collection to personal Google accounts.
* AI tools: Most AI tools (ChatGPT, Claude) don't have a corporate/personal domain split - `chatgpt.com` is used by both. If your organization has a corporate ChatGPT Enterprise deployment on a subdomain, use the destination toggle on the public domain to filter for personal sessions only.
* Sanctioned vs. unsanctioned: Some organizations run two policies on the same domain - one with session detection (alert-only for personal account use) and one without (broader coverage for truly unsanctioned destinations).

***

**Source toggle - corporate account monitoring**

Enable this when you want to track data that originated from a corporate account, regardless of where it ends up - including destinations that don't support session detection.

*Common policies seen in practice:*

* "Personal Account Upload From Corporate Account"
* "Block Uploads of Corporate Docs to Unsanctioned Apps"
* "Monitor Uploads of Customer Lists to Unsanctioned Cloud Storage"
* "Departing Users - Block Google Workspace"

*Why this matters:* The destination toggle only catches events where the *destination* domain supports session detection. If an employee copies a file from their corporate Google Drive and uploads it to a small SaaS tool or a domain that Nightfall can't distinguish account types on, the destination toggle misses it. The source toggle catches it because it evaluates account context at the *point of copy*, not the point of upload.

This is also the appropriate pattern for **departing user policies**, where the goal is to track all outbound movement from corporate accounts during an offboarding window - regardless of destination.

***Recommended use:***

* Departing users: Enable source toggle scoped to all corporate domain collections. Apply to a user group or device scope targeting the departing user.
* Broad corporate data egress: When you want to monitor "anything that left a corporate account session today" as an audit trail, source-only gives you the widest coverage without depending on destination session support.

> **Important:** Source-only policies deliberately monitor destinations outside Nightfall's session detection coverage. This is by design, not a misconfiguration. Do not add a destination toggle to these policies expecting it to refine them - it will instead restrict coverage and may miss the exfiltration paths the policy was built to catch.

***

**Applies to: Browser Uploads and Clipboard Paste**

Session detection works identically for both triggers. For clipboard paste, the source toggle checks which account session the copied content came from; the destination toggle checks where the paste event lands. Given that clipboard events often land on domains with limited session detection support (note-taking apps, internal tools, miscellaneous SaaS), source-only session detection is generally more effective for clipboard monitoring than destination-only.

***
