POST /api/policies/prebuilt
Load Prebuilt Policy
curl --request POST \
  --url https://api.example.com/api/policies/prebuilt \
  --header 'Content-Type: application/json' \
  --header 'Cookie: session=your_session_token' \
  --data '{
  "type": "aml"
}'
{
  "policy": {
    "id": "<string>",
    "name": "<string>",
    "type": "<string>",
    "prebuilt_type": "<string>",
    "rules_count": 123,
    "rules": [
      {
        "rule_id": "<string>",
        "name": "<string>",
        "type": "<string>",
        "description": "<string>",
        "severity": {},
        "threshold": {},
        "time_window": {},
        "conditions": {},
        "policy_excerpt": "<string>",
        "policy_section": "<string>"
      }
    ],
    "created_at": "<string>"
  },
  "error": "<string>",
  "message": "<string>",
  "details": [
    {}
  ]
}

Overview

This endpoint creates a new policy using prebuilt rule sets for common compliance frameworks. Choose from Anti-Money Laundering (AML), GDPR data protection, or SOC2 security controls.

Authentication

Requires a valid session token. Returns 401 UNAUTHORIZED if not authenticated.

Request

type
enum
required
Policy pack type to load. Options:
  • aml - Anti-Money Laundering compliance rules
  • gdpr - GDPR data protection and privacy rules
  • soc2 - SOC2 security and operational controls

Content Type

application/json

Example Request

curl -X POST https://yourdomain.com/api/policies/prebuilt \
  -H "Content-Type: application/json" \
  -H "Cookie: session=your_session_token" \
  -d '{
    "type": "aml"
  }'

Response

policy
object
The created policy with prebuilt rules
id
string
UUID of the created policy
name
string
Policy name (e.g., “AML Compliance Policy”)
type
string
Always prebuilt for prebuilt policies
prebuilt_type
string
The selected prebuilt type: aml, gdpr, or soc2
rules_count
number
Total number of rules in the policy
rules
array
Array of prebuilt compliance rules
rule_id
string
Unique rule identifier in UPPER_SNAKE_CASE
name
string
Human-readable rule name
type
string
Rule category (e.g., structuring, velocity, encryption)
description
string
Detailed description of the rule
severity
enum
Rule severity: CRITICAL, HIGH, or MEDIUM
threshold
number | null
Numeric threshold for threshold-based rules
time_window
number | null
Time window in hours for temporal rules
conditions
object
Rule evaluation logic with recursive AND/OR conditions
policy_excerpt
string
Reference to the compliance regulation
policy_section
string
Section reference (e.g., “31 CFR § 1010.314”)
created_at
string
ISO 8601 timestamp of policy creation

Success Response

{
  "policy": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "name": "AML Compliance Policy",
    "type": "prebuilt",
    "prebuilt_type": "aml",
    "rules_count": 12,
    "rules": [
      {
        "rule_id": "STRUCTURING_PATTERN",
        "name": "Transaction Structuring Detection",
        "type": "structuring",
        "description": "Detects multiple transactions just below reporting threshold",
        "severity": "CRITICAL",
        "threshold": 10000,
        "time_window": 24,
        "conditions": {
          "AND": [
            {
              "field": "amount",
              "operator": "greater_than",
              "value": 9000
            },
            {
              "field": "amount",
              "operator": "less_than",
              "value": 10000
            }
          ]
        },
        "policy_excerpt": "31 CFR § 1010.314 - Structured transactions to evade BSA reporting",
        "policy_section": "31 CFR § 1010.314"
      }
    ],
    "created_at": "2026-02-28T10:30:00Z"
  }
}
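The conditions object above is described only as "recursive AND/OR conditions" with field/operator/value leaves. The following is an added example, not code from the API or its vendor, that evaluates the STRUCTURING_PATTERN rule from the success response against constructed transaction records; the operators beyond greater_than and less_than are assumed names, as is the shape of the transaction records.

```python
import json

# Rule taken from the success response above; the transaction records
# further down are constructed sample input, not data from the API.
STRUCTURING_RULE = json.loads("""
{
  "rule_id": "STRUCTURING_PATTERN",
  "severity": "CRITICAL",
  "conditions": {
    "AND": [
      {"field": "amount", "operator": "greater_than", "value": 9000},
      {"field": "amount", "operator": "less_than", "value": 10000}
    ]
  }
}
""")

# Leaf operators. The page shows greater_than and less_than; equals and in
# are assumed names for comparisons a fuller rule set would need.
OPERATORS = {
    "greater_than": lambda a, b: a > b,
    "less_than": lambda a, b: a < b,
    "equals": lambda a, b: a == b,
    "in": lambda a, b: a in b,
}

def evaluate(node, record):
    """Recursively evaluate one conditions node against one record.

    A node is either a combinator {"AND": [...]} / {"OR": [...]} whose
    children are nodes themselves, or a leaf {"field", "operator", "value"}.
    An empty combinator, an unknown operator or a missing field evaluates
    to False instead of raising, so a malformed rule fails closed.
    """
    if "AND" in node:
        return bool(node["AND"]) and all(evaluate(c, record) for c in node["AND"])
    if "OR" in node:
        return any(evaluate(c, record) for c in node["OR"])
    op = OPERATORS.get(node.get("operator"))
    if op is None or node.get("field") not in record:
        return False
    return op(record[node["field"]], node["value"])

def flag_transactions(rule, records):
    """Return (record id, rule severity) for every record that trips the rule."""
    return [(r["id"], rule["severity"]) for r in records
            if evaluate(rule["conditions"], r)]

SAMPLE_TXNS = [  # constructed: one just under the threshold, two outside the band
    {"id": "t1", "amount": 9500.0},
    {"id": "t2", "amount": 12000.0},
    {"id": "t3", "amount": 9000.0},
]
```

Note that the rule's threshold and time_window fields are not part of conditions, so aggregating the flagged transactions over the 24-hour window is left to the caller.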

Error Responses

error
string
Error code identifier
message
string
Human-readable error message
details
array
Validation error details (for VALIDATION_ERROR)

400 Bad Request

{
  "error": "VALIDATION_ERROR",
  "message": "Invalid request body",
  "details": [
    {
      "code": "invalid_enum_value",
      "expected": ["aml", "gdpr", "soc2"],
      "received": "hipaa",
      "path": ["type"],
      "message": "Invalid enum value. Expected 'aml' | 'gdpr' | 'soc2', received 'hipaa'"
    }
  ]
}

401 Unauthorized

{
  "error": "UNAUTHORIZED",
  "message": "Authentication required"
}

500 Internal Server Error

{
  "error": "INTERNAL_ERROR",
  "message": "Failed to create policy"
}

{
  "error": "INTERNAL_ERROR",
  "message": "Failed to insert rules"
}

Prebuilt Policy Types

AML (Anti-Money Laundering)

Includes rules for:
  • Transaction structuring detection
  • Rapid fund movement patterns
  • High-risk jurisdiction monitoring
  • Unusual transaction patterns
  • Smurfing detection

GDPR (General Data Protection Regulation)

Includes rules for:
  • Data retention limits
  • Consent verification
  • Right to erasure compliance
  • Cross-border data transfer restrictions
  • Encryption requirements

SOC2 (Service Organization Control 2)

Includes rules for:
  • Access control violations
  • Multi-factor authentication enforcement
  • Encryption at rest and in transit
  • Audit logging requirements
  • Password policy compliance

Notes

  • All rules are set to is_active: true by default
  • Rules can be toggled or modified after creation using the rules management endpoints
  • The policy type field is set to prebuilt to distinguish from PDF-ingested policies
  • The prebuilt_type field stores the original pack type for reference
