Data Routing Policy
data-routing-policy is a provider-selection guardrail. It does not inspect prompt text. Instead, it filters providers.targets[] by the data_policy metadata declared on each target before normal routing and fallback run.
Example configuration
pack:
name: regulated-routing
version: 1.0.0
enabled: true
providers:
targets:
- id: openai-zdr
provider: openai
model: gpt-5.4-mini
secret_key_ref:
env: KEEPTRUSTS_OPENAI_API_KEY
data_policy:
zero_data_retention: true
training_opt_out: true
retention_days: 0
- id: azure-standard
provider: azure
provider_type: azure-openai
format: openai
model: your-azure-openai-model
base_url: https://replace-with-resource-name.openai.azure.com
secret_key_ref:
env: KEEPTRUSTS_AZURE_OPENAI_API_KEY
azure_api_version: your-supported-api-version
azure_deployment: your-azure-deployment
data_policy:
zero_data_retention: false
training_opt_out: true
retention_days: 30
policies:
chain:
- data-routing-policy
policy:
data-routing-policy:
require_zero_data_retention: true
require_no_training: true
max_retention_days: 0
on_no_compliant_provider: block
log_provider_selection: true
Replace the model placeholders, Azure deployment, resource name, and API version with values currently enabled for each provider account before running the gateway.
Provider metadata checked by this policy
Each target can declare a data_policy block with the following fields:
| Field | Type | Meaning |
|---|---|---|
zero_data_retention | boolean | Provider declares no request/response retention. |
training_opt_out | boolean | Provider declares traffic is not used for training. |
retention_days | integer | Maximum declared retention period in days. |
Policy fields
| Field | Type | Notes |
|---|---|---|
require_zero_data_retention | boolean | Keep only targets with data_policy.zero_data_retention: true. |
require_no_training | boolean | Keep only targets with data_policy.training_opt_out: true. |
max_retention_days | integer | Exclude targets whose declared retention exceeds this value. |
on_no_compliant_provider | string | block or warn. |
log_provider_selection | boolean | Emit routing diagnostics for excluded targets. |
require_in_memory_only | boolean | Keep only targets with data_policy.in_memory_only: true. |
sanitize_before_provider | boolean | Keep only targets with data_policy.sanitized: true. |
tokenize_sensitive_fields | boolean | Keep only targets with data_policy.accepts_tokenized_input: true. |
allow_internet_egress | boolean | When false, exclude targets that allow internet egress. |
local_only_processing | boolean | Keep only targets with data_policy.local_only_processing: true. |
Advanced routing constraints
The regulated-routing fields above work only when provider targets declare matching data_policy metadata. Use them when you need to constrain routing to local-only, sanitized, tokenized-input-capable, or no-egress providers.
Best practices
- Add a
data_policyblock to every target you expect the selector to compare. - Keep
retention_daysexplicit so routing behavior stays predictable during reviews. - Use
warnfirst if you want visibility into exclusions before enforcing a hard block.