Documentation
Data Safety Policies
Data Safety Policies
Managed Mode reference. You do not configure these policies. They are applied automatically to prevent disclosure of sensitive data and enforce safe handling requirements.
Trigger example (derived from the managed catalog)
These policies can trigger when
ai_output contains sensitive data (PII/secrets/regulated content), when large exports/shares are requested, or when required data-handling context is missing.Example ActionKind where data safety policies apply: money.move
Common required context fields: account_id, actor_user_id, ai_output, blast_radius_estimate, change_ticket, compliance_context, connector_id, idempotency_key, message_body, payload_preview, payload_schema, purpose, recovery_plan, request_id, requested_scopes, system_instructions, template_id, user_input, workflow, workflowName
Example threshold shapes used by these policies: {"maxRecords":1000}
Example decision
WARN responses include an
approval_token. BLOCK responses do not.json
{
"status": "WARN",
"decision_id": "dec_...",
"approval_token": "appr_...",
"reasons": [
"Warn when output contains PII and requires redaction/minimization before sharing/exporting."
]
}json
{
"status": "BLOCK",
"decision_id": "dec_...",
"reasons": [
"Block when required integration context is missing."
]
}Resolution
Apply the remediation specified by the policy that fired, then re-validate.
| Summary | Domain | Severity | Applies to | Required context | Remediation |
|---|---|---|---|---|---|
| Block when required integration context is missing. | integrity | BLOCK | money.move, money.refund, money.credit, money.payout, billing.change, billing.cancel, identity.role_change, identity.auth_change, identity.user_create, identity.user_delete, admin.access, data.export, data.import, data.read, data.write, data.delete, data.purge, data.share, messaging.send, messaging.broadcast, messaging.webhook, integrations.connect, integrations.disconnect, integrations.scope_change, workflow.execute, workflow.modify, support.case_update | workflow, workflowName, system_instructions, user_input, actor_user_id, account_id, request_id, idempotency_key | Include the required context fields so the gate can make a deterministic decision and record an auditable event. |
| Block exfiltration of secrets, API keys, tokens, private certificates, passwords. | data | BLOCK | messaging.send, data.export, data.share, messaging.webhook | ai_output | Redact secrets. Rotate compromised keys immediately. Add secret scanning to outputs. |
| Warn when output contains PII and requires redaction/minimization before sharing/exporting. | data | WARN | messaging.send, data.export, data.share | ai_output, purpose | Redact/minimize. Ensure recipient/destination is approved. Log data-handling purpose for audit. |
| Block handling or disclosure of payment card data (PCI) and full bank credentials. | compliance | BLOCK | messaging.send, data.export, data.share, messaging.webhook | ai_output | Do not transmit payment credentials. Use provider-hosted payment pages or tokenized references only. |
| Block sharing of PHI/medical records without explicit compliant handling. | compliance | BLOCK | messaging.send, data.export, data.share | ai_output, compliance_context | Require compliant workflows (HIPAA/Baa etc.) and explicit authorization before any PHI handling. |
| Warn on destructive deletes without a ticket and recovery plan. | integrity | WARN | data.delete, data.purge | change_ticket, recovery_plan, blast_radius_estimate | Require ticket, backups, and explicit approval. Prefer soft-delete unless mandated. |
| Block purges with large blast radius or irreversible impact. | integrity | BLOCK | data.purge | blast_radius_estimate | Reduce scope, stage in smaller batches, and require human approval with rollback proof. |
| Warn on regulated claims (legal/medical/financial) unless using approved templates/disclaimers. | compliance | WARN | messaging.send | message_body, template_id | Use approved templates with disclaimers. Route to review for anything custom or high-risk. |
| Warn when connecting a new integration without review. | integrity | WARN | integrations.connect | connector_id, requested_scopes | Review scopes. Prefer least-privilege. Approve only vetted connectors for production. |
| Warn when structured tool args are invalid/missing required fields. | integrity | WARN | workflow.execute, data.write, money.refund, messaging.send | payload_schema, payload_preview | Fix payload schema/validation. Require requiredContext fields before allowing execution. |
Legal & Responsibility Notice
Summary
Informational only
Provided for general guidance. Not legal, compliance, security, or professional advice.
You control implementation
You are responsible for policies, prompts, integrations, workflows, and regulatory requirements.
Liability limitation
To the maximum extent permitted by law, the company disclaims liability for losses arising from use of this documentation or implementations based on it.