# Policy Templates and Ask Xybern
Two ways to create a policy without starting from scratch: pick a pre-built compliance template, or describe what you need in plain English and let Xybern configure it automatically.
## Compliance Templates
Four templates are available in the Policies tab under Start from a template. Each creates a fully configured policy in one click.
### HIPAA
Designed for patient records, clinical notes, and healthcare correspondence.
| Setting | Value |
|---|---|
| Strip persons | Yes |
| Strip dates | Yes, 90-day offset |
| Strip emails | Yes |
| Strip phones | Yes |
| Strip signatures | Yes |
| Permanent redaction | No |
Covers the HIPAA Safe Harbor method for de-identification (45 CFR §164.514(b)). Dates are shifted by 90 days rather than removed entirely, preserving temporal relationships for analysis while breaking direct identification.
### GDPR
General-purpose template for EU data subject records, HR files, and customer data.
| Setting | Value |
|---|---|
| Strip persons | Yes |
| Strip organisations | Yes |
| Strip emails | Yes |
| Strip phones | Yes |
| Strip dates | Yes, 30-day offset |
| Permanent redaction | No |
Addresses GDPR Article 4(1) personal data categories. Organisations are stripped alongside persons because company affiliations can re-identify individuals in small-team contexts.
### PCI-DSS
For payment records, transaction logs, and financial documents containing cardholder data.
| Setting | Value |
|---|---|
| Strip persons | Yes |
| Strip financials | Yes |
| Strip emails | Yes |
| Strip phones | Yes |
| Permanent redaction | Yes |
Permanent redaction is enabled by default. Cardholder names, account references, and financial figures never appear in LLM responses. The de-anonymization step is skipped entirely, satisfying PCI-DSS Requirement 3 (protect stored cardholder data).
### SOC 2
For infrastructure logs, access records, and audit evidence containing employee and system identifiers.
| Setting | Value |
|---|---|
| Strip persons | Yes |
| Strip emails | Yes |
| Strip dates | Yes, 14-day offset |
| Permanent redaction | No |
A lighter profile suited to audit and compliance workflows where exact timestamps matter less than relative sequence. The 14-day offset preserves incident timelines while anonymizing the calendar dates.
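The HIPAA, GDPR and SOC 2 templates above all rely on the same mechanism: every date in a document is moved by one fixed offset, so the gaps between events survive while the calendar dates do not. The script below is an added illustration of that property and is not Xybern's code; the offset table, the forward direction of the shift and the ISO-8601-only matching are assumptions made for the example, and the sample record is constructed.

```python
import re
from datetime import date, timedelta

# Offsets the templates on this page use, in days (constructed lookup for this example).
TEMPLATE_DATE_OFFSETS = {"HIPAA": 90, "GDPR": 30, "SOC 2": 14}

# ISO 8601 dates only. Shifting forward is an assumption: the page gives the size
# of the offset but not its direction.
ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")


def shift_iso_dates(text: str, offset_days: int) -> str:
    """Replace every ISO date in `text` with the same date moved by `offset_days`.

    One fixed offset per document is what preserves the intervals between
    events; a different offset per date would scramble the timeline.
    """
    def replace(m: re.Match) -> str:
        year, month, day = (int(g) for g in m.groups())
        try:
            shifted = date(year, month, day) + timedelta(days=offset_days)
        except ValueError:
            return m.group(0)  # e.g. 2024-02-30 is not a calendar date; leave it untouched
        return shifted.isoformat()

    return ISO_DATE.sub(replace, text)


def extract_dates(text: str) -> list[date]:
    """All valid ISO dates in the text, in document order."""
    found = []
    for m in ISO_DATE.finditer(text):
        try:
            found.append(date.fromisoformat(m.group(0)))
        except ValueError:
            continue  # skip impossible dates such as 2024-02-30
    return found


def intervals(dates: list[date]) -> list[int]:
    """Days between consecutive events; this is what the shift must preserve."""
    return [(later - earlier).days for earlier, later in zip(dates, dates[1:])]


# Constructed sample record: a three-event clinical timeline.
SAMPLE_RECORD = "Admitted 2024-03-01, transferred to ICU 2024-03-04, discharged 2024-03-19."


def check_shift(text: str, template: str) -> dict:
    """Shift a record with the template's offset and report what changed and what did not."""
    shifted = shift_iso_dates(text, TEMPLATE_DATE_OFFSETS[template])
    original, moved = extract_dates(text), extract_dates(shifted)
    return {
        "shifted_text": shifted,
        "intervals_preserved": intervals(original) == intervals(moved),
        "original_dates_gone": not (set(original) & set(moved)),
    }


if __name__ == "__main__":
    print(check_shift(SAMPLE_RECORD, "HIPAA"))
```

Running it on the sample record moves the three dates to 2024-05-30, 2024-06-02 and 2024-06-17: the 3-day and 15-day gaps are unchanged, which is the "temporal relationships" the HIPAA section refers to. Note that a fixed, documented offset is easy to undo for anyone who knows which template was applied, which is consistent with these templates leaving permanent redaction off: date shifting unlinks a record from the calendar, it is not an irreversible redaction.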
## Ask Xybern
Ask Xybern generates a custom policy from a plain-language description of your data processing needs. You describe what your documents contain and what you want protected, and Xybern configures the entity types, custom patterns, and redaction settings automatically.
### How to use it
- Go to Policies in your Redact workspace
- Click Ask Xybern next to the New Policy button
- Describe your use case in the text box
- Click Generate Policy
- Review the generated policy name, entity tags, and explanation
- Click Done to close; the policy is already saved and active
### Example inputs
**Healthcare records**

> I process UK healthcare records that contain NHS numbers, patient names, and dates of birth.

Produces: Persons, Dates, one custom entity pattern for NHS numbers (10-digit format).
**HR onboarding**

> I process HR onboarding documents with employee full names, personal email addresses, national insurance numbers, bank account details, and home addresses. Bank details must never be reversible.

Produces: Persons, Emails, Financials with permanent redaction, custom entity for NI numbers.
**Legal contracts**

> I process legal contracts containing client names, case reference numbers, and billing amounts. Strip everything before it reaches the LLM.

Produces: Persons, Orgs, Financials, custom entity for case references.
### What Ask Xybern configures
- Which built-in entity types to enable (persons, orgs, emails, phones, dates, financials, signatures)
- Whether permanent redaction is appropriate for the use case
- Custom regex patterns for domain-specific identifiers (NHS numbers, employee IDs, case references, account numbers)
- A descriptive policy name
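The custom patterns Ask Xybern generates are plain regexes, and a bare "10 digits" pattern for NHS numbers will also swallow invoice references, phone fragments and similar digit runs. The script below is an added example, not Xybern's generated output: it pairs a constructed NHS-number pattern with the modulus-11 check digit that real NHS numbers carry, so a ten-digit string is only redacted when its check digit is valid, and adds a simplified National Insurance number pattern as a second custom entity. The regexes, placeholder labels and sample text are all constructed for this example.

```python
import re

# Constructed patterns; the page names these identifiers but does not show the regexes it generates.
NHS_NUMBER = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")
# Simplified NI format check (two letters, six digits, suffix A-D); HMRC's prefix exclusions are omitted.
NI_NUMBER = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")


def nhs_check_digit_ok(digits: str) -> bool:
    """Modulus-11 check used by NHS numbers: weights 10 down to 2 over the first nine digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * weight for d, weight in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False  # numbers that would need a check digit of 10 are never issued
    return check == int(digits[9])


def redact_custom_entities(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Replace custom identifiers with labelled placeholders and return what was found.

    Ten-digit strings that fail the NHS check digit are left in place: they are
    almost certainly some other reference, and stripping them would hide useful
    context from the model without protecting anyone.
    """
    found: list[tuple[str, str]] = []

    def nhs_replace(m: re.Match) -> str:
        raw = m.group(0)
        if not nhs_check_digit_ok(re.sub(r"\D", "", raw)):
            return raw
        found.append(("nhs_number", raw))
        return "[NHS_NUMBER]"

    def ni_replace(m: re.Match) -> str:
        found.append(("ni_number", m.group(0)))
        return "[NI_NUMBER]"

    text = NHS_NUMBER.sub(nhs_replace, text)
    text = NI_NUMBER.sub(ni_replace, text)
    return text, found


# Constructed sample: one genuine-format NHS number, one NI number, one ten-digit invoice reference.
SAMPLE_TEXT = (
    "Patient NHS number 943 476 5919, NI number QQ123456C; "
    "invoice ref 1234567890 is not an NHS number."
)

if __name__ == "__main__":
    redacted, entities = redact_custom_entities(SAMPLE_TEXT)
    print(redacted)
    print(entities)
```

On the sample text the NHS number and the NI number are replaced by placeholders while the invoice reference survives, because 1234567890 fails the check digit. The same idea applies to any identifier with a built-in checksum: validating it before redaction is a cheap way to cut false positives from a pattern Ask Xybern generated, and it is worth reviewing the generated regex with that in mind.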
### How it works
Ask Xybern sends your description to an AI model with a structured prompt that maps natural language to policy configuration fields. The model returns a JSON configuration that is validated and saved as a real policy. No manual editing is required, though you can open the policy afterwards and adjust any field.
The AI call uses Anthropic as the primary provider with DeepSeek as automatic fallback if the primary is unavailable.
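The validation step between the model's JSON and the saved policy is where an unexpected or malformed model response gets stopped, so it is worth seeing what that check has to cover. The validator below is an added example and is not Xybern's implementation; the field names (`name`, `entities`, `permanent_redaction`, `date_offset_days`, `custom_patterns`) and the limits are assumptions, and the sample model output is constructed to match the HR onboarding example on this page. The entity-type allow-list is taken from the built-in types the page lists.

```python
import json
import re

# Built-in entity types the page lists; anything else from the model is rejected.
ALLOWED_ENTITY_TYPES = {"persons", "orgs", "emails", "phones", "dates", "financials", "signatures"}
# Field names and limits are assumptions for this example, not Xybern's schema.
ALLOWED_FIELDS = {"name", "entities", "permanent_redaction", "date_offset_days", "custom_patterns"}
LABEL_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")
MAX_REGEX_LEN = 200


class PolicyValidationError(ValueError):
    """Raised when the model's output does not satisfy the policy schema."""


def validate_policy(raw_json: str) -> dict:
    """Parse and check model-generated policy JSON; return a normalised policy dict."""
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise PolicyValidationError(f"not valid JSON: {exc}") from exc
    if not isinstance(cfg, dict):
        raise PolicyValidationError("top-level value must be an object")
    unknown = set(cfg) - ALLOWED_FIELDS
    if unknown:
        raise PolicyValidationError(f"unexpected fields: {sorted(unknown)}")

    name = cfg.get("name")
    if not isinstance(name, str) or not 1 <= len(name.strip()) <= 80:
        raise PolicyValidationError("name must be a non-empty string of at most 80 characters")

    entities = cfg.get("entities")
    if not isinstance(entities, list) or not all(isinstance(e, str) for e in entities):
        raise PolicyValidationError("entities must be a list of strings")
    bad_types = set(entities) - ALLOWED_ENTITY_TYPES
    if bad_types:
        raise PolicyValidationError(f"unknown entity types: {sorted(bad_types)}")

    permanent = cfg.get("permanent_redaction", False)
    if not isinstance(permanent, bool):
        raise PolicyValidationError("permanent_redaction must be true or false")

    offset = cfg.get("date_offset_days", 0)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(offset, bool) or not isinstance(offset, int) or not 0 <= offset <= 365:
        raise PolicyValidationError("date_offset_days must be an integer between 0 and 365")

    raw_patterns = cfg.get("custom_patterns", [])
    if not isinstance(raw_patterns, list):
        raise PolicyValidationError("custom_patterns must be a list")
    patterns = []
    for entry in raw_patterns:
        if not isinstance(entry, dict) or set(entry) != {"label", "regex"}:
            raise PolicyValidationError("each custom pattern needs exactly 'label' and 'regex'")
        label, regex = entry["label"], entry["regex"]
        if not isinstance(label, str) or not LABEL_RE.match(label):
            raise PolicyValidationError(f"bad pattern label: {label!r}")
        if not isinstance(regex, str) or not regex or len(regex) > MAX_REGEX_LEN:
            raise PolicyValidationError(f"regex for {label!r} must be 1-{MAX_REGEX_LEN} characters")
        try:
            compiled = re.compile(regex)
        except re.error as exc:
            raise PolicyValidationError(f"regex for {label!r} does not compile: {exc}") from exc
        if compiled.match("") is not None:
            # A pattern that matches the empty string would tag every position in a document.
            raise PolicyValidationError(f"regex for {label!r} can match the empty string")
        patterns.append({"label": label, "regex": regex})

    return {
        "name": name.strip(),
        "entities": sorted(set(entities)),
        "permanent_redaction": permanent,
        "date_offset_days": offset,
        "custom_patterns": patterns,
    }


def is_rejected(raw_json: str) -> bool:
    """True if the validator refuses the given model output."""
    try:
        validate_policy(raw_json)
    except PolicyValidationError:
        return True
    return False


# Constructed stand-in for a model response to the HR onboarding example on this page.
SAMPLE_MODEL_OUTPUT = json.dumps({
    "name": "HR onboarding",
    "entities": ["persons", "emails", "financials"],
    "permanent_redaction": True,
    "date_offset_days": 0,
    "custom_patterns": [{"label": "ni_number", "regex": r"\b[A-Z]{2}\d{6}[A-D]\b"}],
})

if __name__ == "__main__":
    print(validate_policy(SAMPLE_MODEL_OUTPUT))
```

The checks that matter most for a model-generated configuration are the allow-list on entity types (the model cannot switch on a type that does not exist), the type check on `permanent_redaction` (a string such as `"yes"` must not silently become truthy), and the compile-and-empty-match test on each custom regex, since a broken or over-broad pattern would otherwise fail or over-redact at processing time rather than at creation time. Rejected output is a normal outcome, not a crash: the caller can re-prompt or fall back to manual policy creation.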
## After creating a policy
Whether you used a template or Ask Xybern, the policy is immediately active. You can:
- Edit any field from the policy card in the Policies tab
- Set it as the default policy for your workspace
- Add or remove custom entity patterns
- Delete it if it was created in error (a confirmation modal appears before deletion)
## Related
- Policies - full reference for all policy settings and entity types
- Vault Search & Filtering - query vault records by policy outcome
- Retention Policy - auto-delete vault records on a schedule