Policy Settings Guide

What Are Policies?

Organization policies let you define rules that automatically classify vendors into one of three decisions:

  • Allow — The vendor meets your organization's requirements and can be used.
  • Deny — The vendor does not meet your requirements and should not be used.
  • Review — The vendor requires manual review before a decision is made.

Only org_admin users can create and edit policies. All org members can view policy decisions on the vendor list.

Creating Policy Rules

Each policy contains one or more rules evaluated in priority order. To create a rule:

  1. Navigate to your organization's Policy page.
  2. Click "Add Rule".
  3. Set the priority (lower numbers are evaluated first).
  4. Choose the decision (allow, deny, or review).
  5. Define one or more conditions.
  6. Save the rule.

Rule Conditions

Conditions determine when a rule matches. You can combine multiple conditions using AND/OR logic. Available condition paths include:

  • transparency_score — The vendor's overall transparency percentage (0-100). Example: transparency_score gte 70 to require high transparency.
  • adoptability — The vendor's adoptability rating: green, yellow, red, or not_assessable.
  • evidence_level — The level of evidence available: E0 through E4.
  • fact.<fact_key> — Check specific assessment items. Example: fact.data.dpa_available eq true to require a DPA.

Supported operators: eq, neq, in, not_in, gte, lte, exists, not_exists.

Priority and Evaluation Order

Rules are evaluated from lowest priority number to highest. The first rule whose conditions match determines the decision. If no rule matches, the policy's default decision is applied (typically "review").

Example ordering:

  1. Priority 1 — Deny if adoptability is red.
  2. Priority 2 — Allow if transparency_score >= 70 and DPA is available.
  3. Priority 3 — Review everything else (default).
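
The first-match evaluation described above, sketched in Python as an added example (not the product's code). The dictionary layout for rules and vendors, the "all"/"any" grouping keys, and the handling of missing values are assumptions; the condition paths and operator names are the ones listed in this guide.

```python
# Added illustration: dict layout and "all"/"any" keys are assumed, not the product's schema.
MISSING = object()

def lookup(vendor, path):
    """Resolve a condition path; 'fact.<fact_key>' reads the vendor's facts."""
    if path.startswith("fact."):
        return vendor.get("facts", {}).get(path[len("fact."):], MISSING)
    return vendor.get(path, MISSING)

OPS = {
    "eq": lambda v, x: v == x, "neq": lambda v, x: v != x,
    "in": lambda v, x: v in x, "not_in": lambda v, x: v not in x,
    "gte": lambda v, x: v >= x, "lte": lambda v, x: v <= x,
}

def matches(cond, vendor):
    """Evaluate one condition or an AND ('all') / OR ('any') group."""
    if "all" in cond:
        return all(matches(c, vendor) for c in cond["all"])
    if "any" in cond:
        return any(matches(c, vendor) for c in cond["any"])
    value = lookup(vendor, cond["path"])
    if cond["op"] in ("exists", "not_exists"):
        return (value is not MISSING) == (cond["op"] == "exists")
    if value is MISSING:
        return False  # assumption: a missing value satisfies no comparison
    return OPS[cond["op"]](value, cond["value"])

def evaluate(policy, vendor):
    """Return (decision, matching rule priority or None if the default applied)."""
    for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
        if matches(rule["when"], vendor):
            return rule["decision"], rule["priority"]
    return policy["default"], None

# The example ordering above; rules are stored out of order on purpose.
POLICY = {"default": "review", "rules": [
    {"priority": 2, "decision": "allow", "when": {"all": [
        {"path": "transparency_score", "op": "gte", "value": 70},
        {"path": "fact.data.dpa_available", "op": "eq", "value": True}]}},
    {"priority": 1, "decision": "deny",
     "when": {"path": "adoptability", "op": "eq", "value": "red"}},
]}

# Constructed sample vendors.
RED_HIGH_SCORE = {"transparency_score": 95, "adoptability": "red", "facts": {"data.dpa_available": True}}
GREEN_WITH_DPA = {"transparency_score": 82, "adoptability": "green", "facts": {"data.dpa_available": True}}
GREEN_NO_DPA_FACT = {"transparency_score": 82, "adoptability": "green", "facts": {}}
```

The red vendor is denied even though it also satisfies the allow rule, because the priority 1 rule matches first; the vendor with no DPA fact recorded matches nothing and receives the default decision.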

Testing Policies

Before activating a policy, you can test it against specific vendors:

  1. On the Policy page, click "Test Policy".
  2. Select a vendor from the dropdown.
  3. The system will show which rule matched and what decision would be applied.

This helps you verify that your rules produce the expected results before they affect your organization's vendor list.

Policy Settings Guide — AI Assess