
How to enable GDPR, HIPAA, and PCI-DSS compliance in one call

Pre-built compliance policy templates. Enable GDPR — PII access requires DPO approval, 24h timeout, high-severity logging. One call. Your workspace is compliant.

1. Available compliance templates

Cadreen ships with pre-built compliance policy templates. Each template creates a set of policies that enforce the standard's requirements.

GDPR

PII access requires DPO approval. 24h timeout. High-severity logging. Data subject rights enforced.

- PII access → DPO approval
- Data deletion requests honored
- Cross-border transfer blocked by default

HIPAA

PHI access requires approval + logging + redaction. Audit trail for every access.

- PHI access → approval + logging
- Automatic redaction in responses
- Audit trail for compliance reviews

PCI-DSS

All financial tool invocations logged and redacted. Cardholder data never exposed in responses.

- Financial tools → logged + redacted
- Cardholder data masked
- Access restricted to authorized roles
2. Enable a template

TypeScript

// Enable GDPR compliance
const policy = await cadreen.policies.create({
  policy_type: "compliance",
  policy_text: "Enable GDPR compliance: PII access requires DPO approval, 24h timeout, high-severity logging.",
  risk_level: "high",
});

console.log(policy.id);     // "pol_gdpr_001"
console.log(policy.status); // "active"

// The template creates sub-policies automatically:
// - PII access → DPO approval
// - Data deletion → honored within 30 days
// - Cross-transfer → blocked by default
Python

# Enable HIPAA compliance (run inside an async function with the async client)
policy = await cadreen.policies.create(
    policy_type="compliance",
    policy_text="Enable HIPAA compliance: PHI access requires approval and logging, automatic redaction in responses.",
    risk_level="high",
)

print(policy.id)  # "pol_hipaa_001"
3. See it enforced across surfaces

opencode — PII access blocked

> Look up customer john@example.com's credit card number

I can't do that. Your workspace has PCI-DSS compliance enabled.
Cardholder data is masked by default.

If you need access, say "request access" and I'll escalate to your DPO.
SDK — governance decision

const result = await cadreen.intent.invoke({
  messages: [{ role: "user", content: "Show me all PII for user 123" }],
});

console.log(result.type);        // "blocked"
console.log(result.reason_code); // "compliance_pii_access"
console.log(result.policy_id);   // "pol_gdpr_001"

Note
Compliance policies are just governance policies with a specific type. They use the same enforcement mechanism — approval tokens, conversational blocking, audit trails.
4. Audit trail for compliance reviews

Every governance decision is logged with full context. Query from any surface for compliance reviews.

CLI — compliance audit

$ cadreen traces --decision blocked --policy pol_gdpr_001

Found 12 blocked requests (last 30 days):

2026-06-21  PII access blocked      user:456  DPO approval requested
2026-06-20  PII access blocked      user:789  DPO approved (2h response)
2026-06-18  Cross-transfer blocked  user:123  No approval requested

Note
The Semantic Action Log hash-chains every action. Verify integrity with one call: GET /api/sal/chain/verify.
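The note says the Semantic Action Log hash-chains every action and exposes GET /api/sal/chain/verify for integrity checks. The following added example shows what that property buys a compliance reviewer: each record's hash covers the previous record's hash, so editing any historical decision breaks every link after it. This is illustrative code, not Cadreen's implementation; the all-zero genesis anchor, the canonical-JSON hashing scheme, the record fields and the sample entries (modelled on the CLI output in step 4) are all assumptions constructed here. It also shows the kind of filtered query the `cadreen traces --decision blocked --policy pol_gdpr_001` command runs.

```python
import copy
import hashlib
import json
from dataclasses import dataclass, field

GENESIS_HASH = "0" * 64  # assumption: the chain is anchored to an all-zero hash


def entry_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous link's hash and the canonical JSON of this entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


@dataclass
class ActionLog:
    # Each record is {"entry": <dict>, "hash": <hex>}; the hash also binds the previous hash.
    records: list = field(default_factory=list)

    def append(self, entry: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        h = entry_hash(prev, entry)
        self.records.append({"entry": entry, "hash": h})
        return h

    def verify(self) -> tuple:
        """Recompute every link. Returns (True, -1) if intact, else (False, index of first bad record)."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if entry_hash(prev, rec["entry"]) != rec["hash"]:
                return (False, i)
            prev = rec["hash"]
        return (True, -1)

    def query(self, **filters) -> list:
        """Exact-match filter, e.g. query(decision="blocked", policy_id="pol_gdpr_001")."""
        return [rec["entry"] for rec in self.records
                if all(rec["entry"].get(k) == v for k, v in filters.items())]


def build_sample_log() -> ActionLog:
    """Constructed entries modelled on the CLI output above (sample data, not real traces)."""
    log = ActionLog()
    log.append({"ts": "2026-06-18", "decision": "blocked", "policy_id": "pol_gdpr_001",
                "user": "user:123", "action": "Cross-transfer", "outcome": "No approval requested"})
    log.append({"ts": "2026-06-19", "decision": "allowed", "policy_id": "pol_hipaa_001",
                "user": "user:555", "action": "PHI access", "outcome": "Approved, response redacted"})
    log.append({"ts": "2026-06-20", "decision": "blocked", "policy_id": "pol_gdpr_001",
                "user": "user:789", "action": "PII access", "reason_code": "compliance_pii_access",
                "outcome": "DPO approved (2h response)"})
    log.append({"ts": "2026-06-21", "decision": "blocked", "policy_id": "pol_gdpr_001",
                "user": "user:456", "action": "PII access", "reason_code": "compliance_pii_access",
                "outcome": "DPO approval requested"})
    return log


def tampered_copy(log: ActionLog, index: int) -> ActionLog:
    """Simulate an after-the-fact edit: flip one historical decision without re-hashing."""
    edited = copy.deepcopy(log)
    edited.records[index]["entry"]["decision"] = "allowed"
    return edited


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())                                                      # (True, -1)
    print("gdpr blocks:", len(log.query(decision="blocked", policy_id="pol_gdpr_001")))  # 3
    print("tampered:", tampered_copy(log, 2).verify())                                  # (False, 2)
```

The verify routine stops at the first broken link, which is the record a reviewer should look at: anything before it is still covered by an unbroken chain, anything at or after it is not. In practice the chain head should be anchored somewhere outside the log store (a signed checkpoint, for example), since an attacker who can rewrite the whole store can also re-hash it; the page's one-call verify endpoint is the user-facing half of that check.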