Skip to main content

Data Routing Policy

data-routing-policy is a provider-selection guardrail. It does not inspect prompt text. Instead, it filters providers.targets[] by the data_policy metadata declared on each target before normal routing and fallback run.

Example configuration

pack:
name: regulated-routing
version: 1.0.0
enabled: true
providers:
targets:
- id: openai-zdr
provider: openai
model: gpt-5.4-mini
secret_key_ref:
env: KEEPTRUSTS_OPENAI_API_KEY
data_policy:
zero_data_retention: true
training_opt_out: true
retention_days: 0
- id: azure-standard
provider: azure
provider_type: azure-openai
format: openai
model: your-azure-openai-model
base_url: https://replace-with-resource-name.openai.azure.com
secret_key_ref:
env: KEEPTRUSTS_AZURE_OPENAI_API_KEY
azure_api_version: your-supported-api-version
azure_deployment: your-azure-deployment
data_policy:
zero_data_retention: false
training_opt_out: true
retention_days: 30
policies:
chain:
- data-routing-policy
policy:
data-routing-policy:
require_zero_data_retention: true
require_no_training: true
max_retention_days: 0
on_no_compliant_provider: block
log_provider_selection: true

Replace the model placeholders, Azure deployment, resource name, and API version with values currently enabled for each provider account before running the gateway.

Provider metadata checked by this policy

Each target can declare a data_policy block with the following fields:

FieldTypeMeaning
zero_data_retentionbooleanProvider declares no request/response retention.
training_opt_outbooleanProvider declares traffic is not used for training.
retention_daysintegerMaximum declared retention period in days.

Policy fields

FieldTypeNotes
require_zero_data_retentionbooleanKeep only targets with data_policy.zero_data_retention: true.
require_no_trainingbooleanKeep only targets with data_policy.training_opt_out: true.
max_retention_daysintegerExclude targets whose declared retention exceeds this value.
on_no_compliant_providerstringblock or warn.
log_provider_selectionbooleanEmit routing diagnostics for excluded targets.
require_in_memory_onlybooleanKeep only targets with data_policy.in_memory_only: true.
sanitize_before_providerbooleanKeep only targets with data_policy.sanitized: true.
tokenize_sensitive_fieldsbooleanKeep only targets with data_policy.accepts_tokenized_input: true.
allow_internet_egressbooleanWhen false, exclude targets that allow internet egress.
local_only_processingbooleanKeep only targets with data_policy.local_only_processing: true.

Advanced routing constraints

The regulated-routing fields above work only when provider targets declare matching data_policy metadata. Use them when you need to constrain routing to local-only, sanitized, tokenized-input-capable, or no-egress providers.

Best practices

  • Add a data_policy block to every target you expect the selector to compare.
  • Keep retention_days explicit so routing behavior stays predictable during reviews.
  • Use warn first if you want visibility into exclusions before enforcing a hard block.

Next steps