Policy Templates

Industry-specific policy templates give you a compliant enforcement baseline out of the box. Apply a template, then customize specific rules for your organization's needs.

Available Templates

Select a template in Settings > Policies > Template. Each template pre-configures default actions across all detection types for the relevant regulatory environment.

DEFAULT

General-purpose security and compliance baseline. Suitable for most organizations that don't have a specific regulatory framework. Blocks critical security threats, redacts the most sensitive PII/PHI, and logs everything else for visibility.

HEALTHCARE

Configured for HIPAA compliance. Enforces strict controls on PHI (Protected Health Information) — medical records, diagnoses, prescriptions, insurance IDs. Blocks PHI in egress by default, with aggressive redaction at ingress. Also addresses HIPAA's requirements around credential handling and access logging.

FINANCIAL

Configured for PCI DSS and financial services compliance. Blocks financial data (bank accounts, routing numbers, card numbers) in both ingress and egress. Strict controls on credentials and API keys. Covers GDPR overlap for organizations operating in the EU.

GOVERNMENT

Configured for government and public sector environments. Strict controls across all data classifications. Aggressive prompt injection and jailbreak blocking. Comprehensive audit logging for all detections regardless of action.

EDUCATION

Configured for FERPA compliance. Protects student records and educational data. Balanced approach to content safety. Moderate PII controls tuned for academic environments.

How Templates Work

A template defines a default action for every detection type across every lifecycle stage. When a detection occurs and there's no custom rule matching it, the template default applies.

Templates do not lock you in — every default can be overridden.

Rule Override Hierarchy

When a detection occurs, Rivaro resolves the action using this priority order (most specific wins):

  1. AppContext-specific rule — a custom rule scoped to a specific agent/AppContext. Highest priority. Use this for agent-specific exceptions (e.g. a medical agent that should be allowed to discuss diagnoses).
  2. Organization-wide custom rule — a custom rule that applies to all traffic in your organization. Use this to override a template default across the board.
  3. Template default — the action defined by your active template for this detection type and lifecycle stage.
  4. Fallback — if no rule or template default matches, the action is LOG (observe and record, never block).

Creating Custom Rules

Organization-wide rule

Overrides the template default for all agents in your organization:

POST /api/policy/organizations/rules

{
  "detectionType": "PII_EMAIL",
  "lifecycle": "EGRESS",
  "action": "REDACT"
}

AppContext-specific rule

Overrides the template default for a single agent or AppContext:

POST /api/policy/app-context/{appContextId}/rules

{
  "detectionType": "PHI_DIAGNOSIS",
  "lifecycle": "EGRESS",
  "action": "ALLOW"
}

Connector rule (training stage)

For training data connectors — overrides for the TRAINING lifecycle stage:

POST /api/policy/connectors/{connectorId}/rules

{
  "detectionType": "CREDENTIALS_API_KEY",
  "lifecycle": "TRAINING",
  "action": "BLOCK"
}

Rule Fields

Field                  | Required | Description
detectionType          | Yes*     | Specific detection to match (e.g. PII_SSN). See Understanding Detections for all types.
riskCategory           | Yes*     | Broader match that applies to all detection types in this category. Use instead of detectionType for category-wide rules.
lifecycle              | Yes      | INGRESS, EGRESS, TRAINING, or DEPLOYMENT
action                 | Yes      | BLOCK, REDACT, LOG, ALLOW, REMEDIATE, or AUTO_REMEDIATE
enabled                | No       | Toggle the rule without deleting it (default: true)
notificationInstanceId | No       | Link a notification channel to fire when this rule matches

*Either detectionType or riskCategory is required, not both.
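The following is an added reference implementation of the override hierarchy and the rule-field constraints above; it is not Rivaro's own code. Rule payloads use the field names from this page, but the template defaults, the detection-type-to-risk-category mapping, and the choice that a detectionType rule beats a riskCategory rule within the same scope are assumptions made for the example. It is useful for sanity-checking what the effective action will be for a given detection before you push a rule to the API.

```python
"""Added example (not Rivaro's code): resolve the effective action for a
detection by walking the override hierarchy, and validate rule payloads
against the field rules on this page."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

VALID_LIFECYCLES = {"INGRESS", "EGRESS", "TRAINING", "DEPLOYMENT"}
VALID_ACTIONS = {"BLOCK", "REDACT", "LOG", "ALLOW", "REMEDIATE", "AUTO_REMEDIATE"}

# Constructed sample mapping; the real taxonomy is in "Understanding Detections".
RISK_CATEGORY = {
    "PII_EMAIL": "PII",
    "PII_SSN": "PII",
    "PHI_DIAGNOSIS": "PHI",
    "CREDENTIALS_API_KEY": "CREDENTIALS",
}

# Constructed sample of what a HEALTHCARE-style template might pre-configure.
SAMPLE_TEMPLATE_DEFAULTS = {
    ("PHI_DIAGNOSIS", "EGRESS"): "BLOCK",
    ("PHI_DIAGNOSIS", "INGRESS"): "REDACT",
    ("PII_EMAIL", "EGRESS"): "LOG",
    ("CREDENTIALS_API_KEY", "TRAINING"): "BLOCK",
}


@dataclass
class Rule:
    lifecycle: str
    action: str
    detectionType: Optional[str] = None
    riskCategory: Optional[str] = None
    enabled: bool = True

    def __post_init__(self) -> None:
        # Field table: exactly one of detectionType / riskCategory is required.
        if (self.detectionType is None) == (self.riskCategory is None):
            raise ValueError("exactly one of detectionType or riskCategory is required")
        if self.lifecycle not in VALID_LIFECYCLES:
            raise ValueError(f"unknown lifecycle {self.lifecycle!r}")
        if self.action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, detection_type: str, lifecycle: str) -> bool:
        # A disabled rule is kept but never matches (enabled: false).
        if not self.enabled or self.lifecycle != lifecycle:
            return False
        if self.detectionType is not None:
            return self.detectionType == detection_type
        return RISK_CATEGORY.get(detection_type) == self.riskCategory


def _first_match(rules: Iterable[Rule], detection_type: str, lifecycle: str) -> Optional[Rule]:
    """Within one scope, prefer a detectionType rule over a riskCategory rule
    (assumption: 'most specific wins' applied inside a scope as well)."""
    hits = [r for r in rules if r.matches(detection_type, lifecycle)]
    hits.sort(key=lambda r: 0 if r.detectionType is not None else 1)
    return hits[0] if hits else None


def resolve_action(
    detection_type: str,
    lifecycle: str,
    app_context_rules: Iterable[Rule] = (),
    org_rules: Iterable[Rule] = (),
    template_defaults: Dict[Tuple[str, str], str] = SAMPLE_TEMPLATE_DEFAULTS,
) -> Tuple[str, str]:
    """Return (action, source) following the page's priority order:
    AppContext rule > organization rule > template default > LOG fallback."""
    for source, scope in (("appContext", app_context_rules), ("organization", org_rules)):
        hit = _first_match(scope, detection_type, lifecycle)
        if hit is not None:
            return hit.action, source
    key = (detection_type, lifecycle)
    if key in template_defaults:
        return template_defaults[key], "template"
    return "LOG", "fallback"


def effective_policy(detection_types, lifecycles, app_context_rules=(), org_rules=(),
                     template_defaults=SAMPLE_TEMPLATE_DEFAULTS):
    """Dashboard-style view: every (detection, lifecycle) with its action and source."""
    return {
        (d, l): resolve_action(d, l, app_context_rules, org_rules, template_defaults)
        for d in detection_types for l in lifecycles
    }


if __name__ == "__main__":
    # The three example rules from this page, applied to the sample template.
    org = [Rule("EGRESS", "REDACT", detectionType="PII_EMAIL")]
    app = [Rule("EGRESS", "ALLOW", detectionType="PHI_DIAGNOSIS")]
    for key, (action, source) in effective_policy(RISK_CATEGORY, sorted(VALID_LIFECYCLES), app, org).items():
        print(f"{key[0]:<20} {key[1]:<10} -> {action:<8} ({source})")
```

Run it to see the merged view; the `source` column tells you whether a surprising action comes from an agent exception, an organization rule, the template, or the LOG fallback, which is the first thing to check when a policy does not behave as expected.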

Switching Templates

You can switch your active template at any time. Custom overrides are preserved when switching templates — they continue to take priority over the new template's defaults.

PUT /api/policy/organizations/template

{
  "templateName": "HEALTHCARE"
}

Viewing Your Current Policy

Get a full view of all active rules, showing both template defaults and custom overrides:

# View all rules for runtime enforcement stage
GET /api/policy/templates/{templateType}/rules?stage=EXECUTION

# View organization-wide custom rules
GET /api/policy/organizations/rules

# View rules for a specific AppContext
GET /api/policy/app-context/{appContextId}/rules

In the dashboard, go to Settings > Policies to see a visual breakdown — template defaults side-by-side with any custom overrides, grouped by risk category and lifecycle.