
Data Routing Policy

The data-routing-policy is a pre-routing control that filters which configured providers may receive traffic based on their declared data retention and training metadata. It enforces zero-data-retention (ZDR) requirements, data minimization mandates, and training opt-out guarantees at the routing layer — before any data reaches a provider. This policy is essential for GDPR compliance, government classified environments, and any deployment where data sovereignty is a hard requirement.

Use this page when

  • You need to restrict which providers receive traffic based on data retention, training opt-out, or zero-data-retention guarantees.
  • You are enforcing GDPR data minimization, government classified environment requirements, or contractual data sovereignty mandates.
  • You want to ensure no data reaches providers without explicit data handling declarations.

Primary audience

  • Primary: AI Agents, Technical Engineers
  • Secondary: Technical Leaders

Configuration

pack:
  name: data-routing-policy
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-standard
      provider: openai
      model: gpt-4o-mini
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - data-routing-policy
policy:
  data-routing-policy:
    require_zero_data_retention: false
    require_no_training: false
    max_retention_days: 30
    on_no_compliant_provider: block
    log_provider_selection: true

Fields

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| require_zero_data_retention | boolean | Only route to providers that guarantee zero data retention — meaning no request or response data is stored after processing. Providers without an explicit ZDR declaration in their data_policy metadata are excluded. | false |
| require_no_training | boolean | Only route to providers that explicitly opt out of using your data for model training. Providers without a training_opt_out: true declaration in their data_policy metadata are excluded. | false |
| max_retention_days | integer | Maximum acceptable data retention period in days. Providers that retain data longer than this value are excluded from routing. When omitted, no retention duration limit is applied (use require_zero_data_retention for strict ZDR). | |
| on_no_compliant_provider | enum: "block" or "warn" | Action when no configured provider meets the data routing requirements. block rejects the request entirely with a compliance notice. warn allows the request to proceed to the best available provider but logs a compliance warning. | "block" |
| log_provider_selection | boolean | Log which providers were evaluated, which were excluded, and why. Produces a structured audit trail showing the provider selection decision for each request — which providers passed and failed each data policy check. | true |

Use Cases

Zero Data Retention Enforcement

Enforce strict ZDR for environments where no provider may retain any request or response data. Any provider without an explicit ZDR guarantee is excluded.

In this configuration, only openai-zdr is eligible for routing. anthropic-standard is excluded because zero_data_retention is false.

GDPR Data Minimization

Enforce Article 5(1)(c) data minimization by limiting provider retention and requiring training opt-out. Allow requests to proceed with a warning if no fully compliant provider is available.

Government Classified Environments

Enforce maximum data control for government deployments where data must never leave the processing boundary — require both ZDR and no-training guarantees, and hard-block if no provider qualifies.

Audit Trail for Provider Selection

Use log_provider_selection to create a complete decision audit trail for compliance reporting — showing exactly why each provider was included or excluded for every request.

With this configuration and log_provider_selection: true, each request log entry shows:

  • provider-a: included — passes all checks
  • provider-b: included — no_training: true, retention 14 ≤ 30
  • provider-c: excluded — fails require_no_training (no_training: false) and max_retention_days (90 > 30)

How It Works

  1. Provider enumeration — When a request arrives, the routing layer enumerates all configured providers and their data_policy metadata.
  2. ZDR check — If require_zero_data_retention is true, providers without zero_data_retention: true in their data_policy are excluded.
  3. Training opt-out check — If require_no_training is true, providers without training_opt_out: true in their data_policy are excluded.
  4. Retention duration check — If max_retention_days is set, providers with retention_days exceeding the limit are excluded.
  5. Eligible provider selection — The remaining providers are passed to the routing strategy (round-robin, priority, usage-based) for final selection.
  6. No-provider fallback — If no providers pass all checks, the on_no_compliant_provider action fires: block rejects the request with a compliance notice; warn logs a warning and routes to the least-noncompliant provider.
  7. Audit logging — When log_provider_selection is true, a structured log entry records every provider evaluation including which checks passed, which failed, and the final routing decision.
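
The following Python is an added example, not Keeptrusts source code, that models steps 1 to 7 over constructed provider metadata so the exclusion logic and audit record can be checked offline. The function names, the use of the training_opt_out key (the page also writes no_training), fail-closed handling of an undeclared retention_days, and ranking "least-noncompliant" by fewest failed checks are assumptions.

```python
def evaluate(provider, policy):
    """Return the list of failed checks for one provider (empty = eligible)."""
    dp = provider.get("data_policy")
    failed = []
    if dp is None:
        # Providers without data_policy metadata are non-compliant by default.
        failed.append("data_policy_declared")
        dp = {}
    if policy.get("require_zero_data_retention") and dp.get("zero_data_retention") is not True:
        failed.append("require_zero_data_retention")
    if policy.get("require_no_training") and dp.get("training_opt_out") is not True:
        failed.append("require_no_training")
    limit = policy.get("max_retention_days")
    if limit is not None:
        days = dp.get("retention_days")
        # Assumption: an undeclared retention period fails closed.
        if days is None or days > limit:
            failed.append("max_retention_days")
    return failed


def route(providers, policy):
    """Filter providers and build the audit record for one request."""
    audit = [{"provider": p["id"], "failed": evaluate(p, policy)} for p in providers]
    eligible = [a["provider"] for a in audit if not a["failed"]]
    if eligible:
        decision = "route"
    elif policy.get("on_no_compliant_provider", "block") == "warn" and audit:
        # Assumption: "least-noncompliant" means fewest failed checks.
        decision = "warn"
        eligible = [min(audit, key=lambda a: len(a["failed"]))["provider"]]
    else:
        decision = "block"
    return {"decision": decision, "eligible": eligible, "audit": audit}


# Constructed targets: b and c reuse the audit-trail values, a and d are invented.
PROVIDERS = [
    {"id": "provider-a", "data_policy": {"zero_data_retention": True, "training_opt_out": True, "retention_days": 0}},
    {"id": "provider-b", "data_policy": {"zero_data_retention": False, "training_opt_out": True, "retention_days": 14}},
    {"id": "provider-c", "data_policy": {"zero_data_retention": False, "training_opt_out": False, "retention_days": 90}},
    {"id": "provider-d"},  # no data_policy declared
]
GDPR = {"require_no_training": True, "max_retention_days": 30, "on_no_compliant_provider": "warn"}
STRICT = {"require_zero_data_retention": True, "require_no_training": True, "on_no_compliant_provider": "block"}

if __name__ == "__main__":
    for name, pol in (("gdpr", GDPR), ("strict", STRICT)):
        print(name, route(PROVIDERS, pol))
```

Under the strict policy, removing provider-a leaves no eligible target and the decision becomes block; switching the same policy to warn routes to provider-b, which is the rollout behaviour to audit before enforcing hard blocks.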

Combining With Other Policies

| Policy | Combined Effect |
| --- | --- |
| itar-ear-filter | Prevents controlled content from reaching any provider, while data-routing-policy ensures only approved providers receive any traffic. Defense-in-depth for export control. |
| pii-detector | Redacts personal data before it reaches the provider, complementing data-routing-policy's provider-level data controls with content-level data minimization. |
| financial-compliance | Financial data routing combined with provider data guarantees — ensures sensitive financial content only reaches providers with appropriate data handling. |
| safety-filter | Blocks hazardous or disallowed content outright, while data-routing-policy controls where permitted topics can be processed. |
| audit-logger | Extends the provider selection audit trail with full request/response logging for complete compliance evidence. |

Best Practices

  • Declare data_policy on every provider — Providers without data_policy metadata are treated as non-compliant by default. Always declare zero_data_retention, training_opt_out, and retention_days explicitly, even if the values are permissive.
  • Use block for regulated environments — In government, healthcare, and financial services, on_no_compliant_provider: block is the safe default. Using warn in regulated environments creates compliance risk.
  • Enable log_provider_selection in production — The provider selection audit trail is critical for demonstrating compliance during audits and regulatory examinations. The logging overhead is minimal.
  • Combine ZDR with no-training — Zero data retention prevents storage, but some providers may still use in-flight data for training before deletion. Requiring both require_zero_data_retention and require_no_training provides the strongest guarantee.
  • Review provider data policies quarterly — Provider data handling practices change. Verify that your data_policy metadata still matches each provider's actual terms of service and data processing agreements.
  • Use max_retention_days for graduated controls — Not every environment needs ZDR. For GDPR compliance, max_retention_days: 30 with require_no_training: true may be sufficient and allows a wider provider pool.

For AI systems

  • Canonical terms: Keeptrusts, data-routing-policy, require_zero_data_retention, require_no_training, max_retention_days, on_no_compliant_provider, log_provider_selection, ZDR
  • Config/command names: data-routing-policy policy, require_zero_data_retention, require_no_training, max_retention_days, on_no_compliant_provider (block/warn), providers.targets[].data_policy
  • Best next pages: Providers Configuration, DLP Filter, HIPAA PHI Detector

For engineers

  • Prerequisites: Provider targets with data_policy declarations (e.g., zero_data_retention: true, no_training: true, retention_days: 0). Without data_policy metadata on targets, the filter has nothing to evaluate.
  • Validation: Configure the policy with require_zero_data_retention: true and a mix of compliant/non-compliant providers. Send a request and verify in logs that non-compliant providers are excluded. Test on_no_compliant_provider: block by removing all compliant providers.
  • Key commands: kt policy lint, kt gateway run, kt events tail to inspect provider selection logs

For leaders

  • Governance: This policy enforces data sovereignty at the routing layer — before any data reaches a provider. It's the primary control for GDPR Article 5(1)(c), government classified environments, and contractual ZDR requirements.
  • Cost: Restricting to ZDR-only providers may limit your available models and increase per-token costs. Balance compliance requirements against model availability.
  • Rollout: Start with on_no_compliant_provider: warn and log_provider_selection: true to audit which providers would be excluded before enforcing hard blocks.
