# Enforce Policies & Guardrails

Policies are company-wide safety rules that protect your organization by filtering harmful content, guarding personal information, and preventing data leaks across all employees.

## TL;DR

Five policy types in three groups: Data Protection (Data Leakage Prevention), Safety Filters (Input Safety, Output Safety), and Content Controls (PII Protection, Topic Control). Each policy has a simple on/off toggle, configurable settings, and a "blocked" counter showing how many violations it caught. Find them in the **Policies** tab on your company dashboard.

## Where to Find It

1. Click your organization name in the sidebar to open the company dashboard
2. Click the **Policies** tab in the tab bar

You will see five policy cards organized into three sections. Each card shows its name, a description, an on/off toggle, and a blocked count showing how many violations were caught in the selected time period.

## The Three Policy Groups

### Data Protection

| Policy | What It Does | Settings |
|--------|-------------|----------|
| **Data Leakage Prevention** | Stops employees from revealing internal system details, prompts, or configuration when asked | Toggle on/off only, no extra settings |

### Safety Filters

| Policy | What It Does | Settings |
|--------|-------------|----------|
| **Input Safety** | Catches prompt injection and jailbreak attempts before they reach your employees | Sensitivity: Low, Medium, or High |
| **Output Safety** | Filters toxic or harmful content from employee responses | Sensitivity: Low, Medium, or High |

### Content Controls

| Policy | What It Does | Settings |
|--------|-------------|----------|
| **PII Protection** | Detects and redacts personal information like emails, phone numbers, credit card numbers, and social security numbers | Choose which types of information to protect: Email, Phone, Name, Credit Card, SSN, IP Address, Address |
| **Topic Control** | Restricts employees to specific conversation topics and blocks off-limits ones | Add allowed topics (what employees can discuss) and blocked topics (what they cannot) |

## How Sensitivity Levels Work

Input Safety and Output Safety both offer three sensitivity levels:

| Level | Behavior | Best For |
|-------|----------|----------|
| **Low** | Catches only the most obvious violations. Fewer false positives, but may miss subtle attempts | Teams where false positives disrupt work and security risk is low |
| **Medium** | Balanced detection. Good starting point for most organizations | Most companies, recommended default |
| **High** | Aggressive filtering. Catches more violations but may occasionally flag legitimate messages | Industries with strict compliance needs or sensitive data |

## What You Can Do

| Action | How |
|--------|-----|
| **Toggle a policy on or off** | Click the toggle switch on any policy card |
| **Set sensitivity** | Expand the Input Safety or Output Safety card and click Low, Medium, or High |
| **Choose protected data types** | Expand the PII Protection card and click the entity buttons (Email, Phone, Name, Credit Card, SSN, IP Address, Address) to toggle each one |
| **Add allowed topics** | Expand the Topic Control card, click "+ Add" under Allowed topics, type a topic name, and press Enter |
| **Add blocked topics** | Expand the Topic Control card, click "+ Add" under Blocked topics, type a topic name, and press Enter |
| **Remove a topic** | Click the X button next to any topic tag |
| **View violation stats** | Each policy card shows a "blocked" count. Expand the card to see a breakdown chart and the most recent violations |
| **Change the time period** | Click the time period button in the top-right corner (Last 7 days, Last 30 days, or All time) to filter violation stats |

## How to Set It Up

1. Open the company dashboard and click the **Policies** tab
2. Toggle on the policies you want to enable
3. For Input Safety and Output Safety, set the sensitivity level (start with Medium)
4. For PII Protection, select which types of personal information to detect
5. For Topic Control, add your allowed and blocked topics
6. Done. Policies take effect immediately for all employees

## Tips and Tricks

- **Start with PII Protection.** It is the most universally useful policy. Enable it for any company handling customer data like emails, phone numbers, or payment info
- **Use Medium sensitivity first.** Low may miss things, High may over-filter. Start in the middle and adjust based on what the violation stats show you
- **Topic Control keeps employees focused.** For example, restrict a customer support employee to topics like "product help," "billing," and "refunds" while blocking "politics" or "personal advice"
- **Check the violation breakdown.** Expand any policy card to see a bar chart showing which specific types of violations are being caught most often
- **Watch the summary line.** At the top of the Policies tab, you will see the total violations blocked and a percentage change compared to the previous period, giving you a quick health check

## Good to Know

- **Company-wide only.** Policies apply to every employee across all teams. You cannot set different policies for different teams or individual employees
- **Silent operation.** Employees do not see an error when a policy triggers. Content is filtered or redacted transparently in the background
- **Minimal cost.** Policy checks use a separate, lightweight AI model (not your employee's main model). The cost is very small and tracked separately in your credit breakdown
- **Policies vs. Duties.** Policies are automated safety rules enforced by the platform on every message. Duties are behavioral instructions written into the employee's persona. Both can work together
- **Always-on design.** If the safety checking system has a temporary issue, your employees keep working. Messages pass through rather than getting blocked, so work is never interrupted by a safety system outage
- **Instant updates.** When you change a policy setting, it takes effect immediately on the next message

## Frequently Asked Questions

**Q: Do policies apply to all employees automatically?**

A: Yes. Every policy is organization-wide. When you enable a policy, it covers every employee across every team instantly.

**Q: Can I set different policies for different teams or employees?**

A: Not currently. Policies apply uniformly across the entire company. Use Duties on individual employees if you need per-employee behavioral rules.

**Q: What happens when a policy blocks something?**

A: The content is filtered or redacted silently. The violation is recorded and shows up in the policy card's "blocked" count and recent violations list. The employee continues working normally.

**Q: How do I know if a policy is too aggressive?**

A: Check the violation stats. If you see many violations and your employees seem to struggle with legitimate requests, try lowering the sensitivity from High to Medium. The "Recent" section under each policy card shows the last few violations with details.

**Q: Do policies slow down responses?**

A: No noticeable difference. Policy checks run on a separate, fast model and process in parallel with normal work. Results are cached for performance.

**Q: What PII types should I enable?**

A: At minimum, enable Credit Card and SSN. These are the most sensitive. Add Email and Phone if your employees handle customer communications. The Name and Address types are useful for industries with strict privacy requirements.
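
The PII Protection toggles and the fail-open ("Always-on") behavior described above, sketched as an added Python example that is not the platform's code. The regexes stand in for the platform's AI-model detection, and `redact`, `guarded`, `outage` and `SAMPLE` are hypothetical names constructed for illustration; it shows how a Luhn check reduces credit-card false positives and that a checker outage returns the message unredacted.

```python
import re

# Constructed regex stand-ins for three of the page's PII types (assumption:
# the platform uses an AI model for detection, not these patterns).
PATTERNS = {
    "Email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Credit Card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

def luhn_ok(candidate):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text, enabled):
    """Redact only the enabled types; return (text, per-type blocked counts)."""
    counts = {}
    for name in enabled:
        def repl(m, name=name):
            if name == "Credit Card" and not luhn_ok(m.group()):
                return m.group()            # fails Luhn: leave untouched
            counts[name] = counts.get(name, 0) + 1
            return f"[{name.upper()} REDACTED]"
        text = PATTERNS[name].sub(repl, text)
    return text, counts

def guarded(text, enabled, checker=redact):
    """Fail-open wrapper: a checker error lets the message through unchanged."""
    try:
        out, counts = checker(text, enabled)
        return out, counts, False
    except Exception:
        return text, {}, True               # True = message was NOT checked

def outage(text, enabled):  # simulated checker outage (constructed)
    raise TimeoutError("policy model unavailable")

# Constructed sample message; 4111... is the standard Luhn-valid test number.
SAMPLE = ("Contact alice@example.com, SSN 123-45-6789, "
          "card 4111 1111 1111 1111, order 1234 5678 9012 3456.")

if __name__ == "__main__":
    for chk in (redact, outage): print(guarded(SAMPLE, ["Credit Card", "SSN"], chk))
```

The third return value is the signal to monitor: while it is true, sensitive data passes through unredacted, so it is worth counting and alerting on.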