Skip to main content

Compliance Policies Configuration

This page covers the validated YAML shapes and the enforcement each compliance-oriented policy actually performs.

GDPR compliance

gdpr-compliance is an input-phase policy. The runtime reads these fields from policy.gdpr-compliance:

policies:
chain:
- gdpr-compliance
- pii-detector
- audit-logger

policy:
gdpr-compliance:
consent_required: true
consent_header: X-User-Consent-Token
consent_verification_endpoint: https://consent.example.com/verify
erasure_webhook: https://privacy.example.com/erase
data_categories:
- personal
- sensitive
- biometric
retention_days: 30

pii-detector:
action: redact

audit-logger: {}
FieldTypeDefaultNotes
consent_requiredbooleanfalse at runtime when omittedBlocks when the configured consent header is missing or empty
consent_headerstringX-User-Consent-Token at runtime when omittedHeader-name matching is case-insensitive
consent_verification_endpointstringValidated configuration field; the inline evaluator does not call it
erasure_webhookstringValidated configuration field; the inline evaluator records an X-Erasure-Request header but does not call the webhook
data_categoriesstring[][] at runtime when omittedReported in policy details
retention_daysintegerunset at runtime when omittedReported in policy details; it does not schedule deletion

EU AI Act

eu-ai-act supplies settings for the on-demand compliance report at POST /keeptrusts/compliance/report. The report checks whether the active chain covers the requested article set. Inline request evaluation records the policy but does not block or escalate traffic.

policies:
chain:
- prompt-injection
- gdpr-compliance
- audit-logger
- human-oversight
- quality-scorer
- eu-ai-act

policy:
eu-ai-act:
risk_class: high
articles: [9, 10, 12, 13, 14, 15]
FieldTypeDefaultNotes
risk_classstringhighIncluded in the compliance report
articlesinteger[][9,10,11,12,13,14,15]Article set included in the report
actionblock | warn | auditwarnAccepted by the schema; it does not change inline enforcement or report generation

Use the report's fully_covered and gap_count fields in your rollout review. Do not rely on eu-ai-act alone as a request gate.

CJIS mode

cjis-mode is an input-phase policy. It treats either an Authorization header or X-User-ID header as satisfying the auth requirement.

policies:
chain:
- cjis-mode
- case-privacy
- audit-logger

policy:
cjis-mode:
require_auth: true
access_logging: true
FieldTypeDefaultNotes
require_authbooleantrueBlocks when neither Authorization nor X-User-ID is present
access_loggingbooleantrueEmits a structured CJIS access log entry
encryption_at_restbooleantrueValidated declaration; it does not change the policy verdict
session_timeout_minutesinteger30Validated declaration; the policy does not manage sessions

Common output-side compliance compositions

These policy kinds are supported and can be combined in the same chain:

Finance

policies:
chain:
- mnpi-filter
- financial-compliance
- audit-logger

policy:
mnpi-filter:
detect_patterns:
- earnings before announcement
- merger not public

financial-compliance:
blocked_patterns:
- guaranteed returns
- insider information
required_disclaimers:
- This is not financial advice.

Healthcare

policies:
chain:
- hipaa-phi-detector
- pii-detector
- healthcare-compliance
- audit-logger

policy:
hipaa-phi-detector:
action: redact

healthcare-compliance:
blocked_patterns:
- specific diagnosis
- treatment recommendation
required_disclaimers:
- This content is informational only and not medical advice.
fda_class: II
policies:
chain:
- legal-privilege
- upl-filter
- audit-logger

policy:
legal-privilege:
privilege_markers:
- attorney-client privileged
- work product

upl-filter:
blocked_patterns:
- draft a court filing for me
- give me binding legal advice

Export controls

policies:
chain:
- itar-ear-filter
- entity-list-filter
- dual-use-filter
- audit-logger

Chain guidance

  • A policy.<kind> block does not execute unless that kind also appears in policies.chain.
  • gdpr-compliance, eu-ai-act, and cjis-mode are input-side checks.
  • financial-compliance, healthcare-compliance, legal-privilege, upl-filter, and mnpi-filter are output-side checks.
  • Use Conditional Chains if only some routes, models, or tenants need the compliance control.

Next steps