Compliance Policies Configuration
This page covers the validated YAML shapes and the enforcement each compliance-oriented policy actually performs.
GDPR compliance
gdpr-compliance is an input-phase policy. The runtime reads these fields from policy.gdpr-compliance:
policies:
chain:
- gdpr-compliance
- pii-detector
- audit-logger
policy:
gdpr-compliance:
consent_required: true
consent_header: X-User-Consent-Token
consent_verification_endpoint: https://consent.example.com/verify
erasure_webhook: https://privacy.example.com/erase
data_categories:
- personal
- sensitive
- biometric
retention_days: 30
pii-detector:
action: redact
audit-logger: {}
| Field | Type | Default | Notes |
|---|---|---|---|
consent_required | boolean | false at runtime when omitted | Blocks when the configured consent header is missing or empty |
consent_header | string | X-User-Consent-Token at runtime when omitted | Header-name matching is case-insensitive |
consent_verification_endpoint | string | — | Validated configuration field; the inline evaluator does not call it |
erasure_webhook | string | — | Validated configuration field; the inline evaluator records an X-Erasure-Request header but does not call the webhook |
data_categories | string[] | [] at runtime when omitted | Reported in policy details |
retention_days | integer | unset at runtime when omitted | Reported in policy details; it does not schedule deletion |
EU AI Act
eu-ai-act supplies settings for the on-demand compliance report at POST /keeptrusts/compliance/report. The report checks whether the active chain covers the requested article set. Inline request evaluation records the policy but does not block or escalate traffic.
policies:
chain:
- prompt-injection
- gdpr-compliance
- audit-logger
- human-oversight
- quality-scorer
- eu-ai-act
policy:
eu-ai-act:
risk_class: high
articles: [9, 10, 12, 13, 14, 15]
| Field | Type | Default | Notes |
|---|---|---|---|
risk_class | string | high | Included in the compliance report |
articles | integer[] | [9,10,11,12,13,14,15] | Article set included in the report |
action | block | warn | audit | warn | Accepted by the schema; it does not change inline enforcement or report generation |
Use the report's fully_covered and gap_count fields in your rollout review. Do not rely on eu-ai-act alone as a request gate.
CJIS mode
cjis-mode is an input-phase policy. It treats either an Authorization header or X-User-ID header as satisfying the auth requirement.
policies:
chain:
- cjis-mode
- case-privacy
- audit-logger
policy:
cjis-mode:
require_auth: true
access_logging: true
| Field | Type | Default | Notes |
|---|---|---|---|
require_auth | boolean | true | Blocks when neither Authorization nor X-User-ID is present |
access_logging | boolean | true | Emits a structured CJIS access log entry |
encryption_at_rest | boolean | true | Validated declaration; it does not change the policy verdict |
session_timeout_minutes | integer | 30 | Validated declaration; the policy does not manage sessions |
Common output-side compliance compositions
These policy kinds are supported and can be combined in the same chain:
Finance
policies:
chain:
- mnpi-filter
- financial-compliance
- audit-logger
policy:
mnpi-filter:
detect_patterns:
- earnings before announcement
- merger not public
financial-compliance:
blocked_patterns:
- guaranteed returns
- insider information
required_disclaimers:
- This is not financial advice.
Healthcare
policies:
chain:
- hipaa-phi-detector
- pii-detector
- healthcare-compliance
- audit-logger
policy:
hipaa-phi-detector:
action: redact
healthcare-compliance:
blocked_patterns:
- specific diagnosis
- treatment recommendation
required_disclaimers:
- This content is informational only and not medical advice.
fda_class: II
Legal / professional practice
policies:
chain:
- legal-privilege
- upl-filter
- audit-logger
policy:
legal-privilege:
privilege_markers:
- attorney-client privileged
- work product
upl-filter:
blocked_patterns:
- draft a court filing for me
- give me binding legal advice
Export controls
policies:
chain:
- itar-ear-filter
- entity-list-filter
- dual-use-filter
- audit-logger
Chain guidance
- A
policy.<kind>block does not execute unless that kind also appears inpolicies.chain. gdpr-compliance,eu-ai-act, andcjis-modeare input-side checks.financial-compliance,healthcare-compliance,legal-privilege,upl-filter, andmnpi-filterare output-side checks.- Use Conditional Chains if only some routes, models, or tenants need the compliance control.