Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
Engineering Cache
Console
API Reference
Gateway
Workflow Guides
Templates
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
In-Depth Guides
Tutorials
CLI Reference
Policy Reference
OverviewDeclarative Config Reference
Config Deep Dives
Config ProvidersConfig Rate LimitsConfig Routes And ConsumersConfig Quality AssertionsConfig ObservabilityConfig Security NetworkConfig RuntimeConfig TestingConfig Conditional ChainsConfig ScenariosConfig Pack MetadataConfig Execution TargetsConfig Cloud ProvidersConfig Escalation RoutingConfig Data PoliciesConfig Per Policy CatalogConfig Env VariablesConfig Advanced ProviderConfig Compliance PoliciesConfig Single Policy DocsConfig Flagged Review
Policy Controls Catalog
Input Policies
Output Policies
Agent Policies
Audit & Compliance
Privacy & Legal
Content & Document Processing
FAQ

Data Policies and Data Routing

Control how upstream providers handle your data with per-provider data_policy: declarations and the data-routing-policy chain policy that enforces data handling requirements at request time.

Use this page when

  • You need the exact command, config, API, or integration details for Data Policies and Data Routing.
  • You are wiring automation or AI retrieval and need canonical names, examples, and constraints.
  • If you want a guided rollout instead of a reference page, use the linked workflow pages in Next steps.

Primary audience

  • Primary: AI Agents, Technical Engineers
  • Secondary: Technical Leaders

Provider data policy

Attach a data_policy: block to any provider target to declare its data handling commitments:

pack:
  name: config-data-policies-providers-1
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: openai-zdr
    provider: openai
    model: gpt-4o
    secret_key_ref:
      env: OPENAI_API_KEY
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

Data policy fields

FieldTypeDefaultDescription
zero_data_retentionbooleanfalseProvider does not store request/response data
training_opt_outbooleanfalseProvider does not use data for model training
retention_daysintegerMaximum days the provider retains data (0 = none)

zdr shorthand

The zdr field is a shorthand for data_policy.zero_data_retention: true:

- id: "openai-zdr"
  provider: "openai"
  model: "gpt-4o"
  secret_key_ref:
    env: "OPENAI_API_KEY"
  zdr: true                         # equivalent to data_policy.zero_data_retention: true

data_collection field

Control whether the provider may collect analytics:

- id: "openai-no-analytics"
  provider: "openai"
  model: "gpt-4o"
  secret_key_ref:
    env: "OPENAI_API_KEY"
  data_collection: "deny"           # "allow" or "deny"

Data routing policy

The data-routing-policy is a chain policy that selects providers based on data handling compliance. Add it to your chain and configure requirements:

policies:
  chain:
    - "data-routing-policy"
    - "audit-logger"

policy:
  data-routing-policy:
    require_zero_data_retention: true
    require_no_training: true
    on_no_compliant_provider: "block"
    log_provider_selection: true

Data routing policy fields

FieldTypeDefaultDescription
require_zero_data_retentionbooleanfalseOnly route to providers with zero_data_retention: true
require_no_trainingbooleanfalseOnly route to providers with training_opt_out: true
max_retention_daysintegerOnly route to providers with retention_days ≤ this value
on_no_compliant_providerstring"block"block (return 409) or warn (log and proceed)
log_provider_selectionbooleantrueLog which provider was selected and why

How data routing works

  1. The data-routing-policy runs in the pre-request phase
  2. It evaluates each provider target's data_policy against the requirements
  3. Non-compliant providers are excluded from the routing pool
  4. If no providers remain and on_no_compliant_provider: "block", the request is rejected with 409
  5. If warn, the gateway logs a warning and routes to the best available provider

Zero data retention scenario

pack:
  name: zero-retention
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: openai-zdr
    provider: openai
    model: gpt-4o
    secret_key_ref:
      env: OPENAI_API_KEY
  - id: anthropic-zdr
    provider: anthropic
    model: claude-sonnet-4-20250514
    secret_key_ref:
      env: ANTHROPIC_API_KEY
  - id: openai-standard
    provider: openai
    model: gpt-4o-mini
    secret_key_ref:
      env: OPENAI_API_KEY
  routing:
    strategy: ordered
  fallback:
    triggers:
    - rate_limit
    - server_error
    - timeout
    max_fallback_attempts: 2
policies:
  chain:
  - data-routing-policy
  - audit-logger
policy:
  data-routing-policy:
    require_zero_data_retention: true
    require_no_training: true
    on_no_compliant_provider: block
    log_provider_selection: true
  audit-logger:
    retention_days: 365

In this example, openai-standard is excluded from routing because it doesn't meet the zero-retention requirement. Only openai-zdr and anthropic-zdr are eligible.

Retention limit scenario

Allow providers that retain data for up to 30 days:

policy:
  data-routing-policy:
    require_zero_data_retention: false
    require_no_training: false
    on_no_compliant_provider: warn
    log_provider_selection: true
pack:
  name: config-data-policies-example-6
  version: 1.0.0
  enabled: true
policies:
  chain:
  - data-routing-policy

Combining with provider logging

Data policies pair with the providers.logging section for local data control:

providers:
  targets:
  - id: openai-prod
    provider: openai
    model: gpt-4o
    secret_key_ref:
      env: OPENAI_API_KEY
  logging:
    redact_message_bodies: true
    redact_api_keys: true
history:
  enabled: false
cache:
  enabled: false
policies:
  chain:
  - data-routing-policy
policy:
  data-routing-policy:
    require_zero_data_retention: true
    require_no_training: true
    on_no_compliant_provider: block

For AI systems

  • Canonical terms: Keeptrusts, policy-config.yaml, data_policy, zero_data_retention, training_opt_out, retention_days, data_collection, data-routing-policy, require_zero_data_retention, require_no_training, max_retention_days, on_no_compliant_provider, zdr shorthand.
  • data_policy is a per-target declaration; data-routing-policy is a chain policy that enforces those declarations at request time.
  • Best next pages: Zero Data Retention template, Providers Configuration, End-to-End Scenarios.

For engineers

  • Attach data_policy: blocks to each provider target declaring its data handling commitments (ZDR, training opt-out, retention days).
  • The data-routing-policy chain policy filters the routing pool to only compliant providers before dispatching.
  • Use on_no_compliant_provider: "block" in production to hard-fail rather than routing to a non-compliant provider.
  • The zdr: true shorthand on a target is equivalent to data_policy.zero_data_retention: true.
  • Combine with providers.logging.redact_message_bodies: true for local data minimization alongside provider-side ZDR.

For leaders

  • Data routing policies enforce data-handling requirements at the infrastructure level, guaranteeing that sensitive data only reaches providers with verified zero-retention or no-training commitments.
  • This simplifies DPA (Data Processing Agreement) compliance by ensuring routing decisions are automated and auditable.
  • The log_provider_selection: true setting creates an evidence trail showing exactly which provider was chosen and why, supporting GDPR/CCPA audit requirements.
  • Multi-provider fallback with ZDR constraints maintains availability without compromising data-retention commitments.

Next steps