Rules, programmable
Compliance
Deterministic, auditable, safe — the compliance profile of a JSON rule evaluator with no code execution surface.
Policy Engine's compliance story is unusually clean: it's a library, not a service; it has no network surface, no state, no data store. What remains is determinism, auditability, and safe-by-design evaluation.
Deterministic evaluation
The same rule with the same facts always returns the same decision. No randomness, no time-of-day dependence (except through explicit time macros your rule references), no external calls. Auditors can reproduce decisions from logs alone.
Auditable decision traces
Every evaluation returns a structured trace: which leaves were checked, which passed, which failed, and why. Logs become first-class compliance evidence. A DENY always tells the auditor which specific fact failed and against which value it was compared.
GDPR — purpose limitation
Because rules are declarative JSON, Art. 5(1)(b) purpose limitation is easy to demonstrate. You can enumerate exactly which facts the rule consumes — no hidden inputs, no side-effectful data gathering.
No dynamic code execution
The engine has no eval, no script surface, no plugin loader. Rules are data, not code. Accepting rules from untrusted sources (e.g. tenant-authored rules in a multi-tenant platform) is safe — the worst case is a rule that always evaluates to DENY or ALLOW, not arbitrary code execution.
Thread-safe, stateless
No shared mutable state. The engine can evaluate many (rule, facts) pairs in parallel without coordination. Performance posture: sub-millisecond for typical rules; bounded latency even for deeply nested rules thanks to short-circuit evaluation.
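As an added example (not Policy Engine's code; the `all`/`any`/leaf schema and the `eq`/`lt`/`gt`/`in` operators are assumptions for illustration), a minimal evaluator in the style the auditable-trace, no-dynamic-code and short-circuit sections describe: rules are JSON data walked by a fixed set of comparisons, every decision carries a leaf-level trace naming the fact and the value it was compared against, and `all`/`any` stop at the first deciding leaf.

```python
import json

# Constructed illustration, not Policy Engine's own schema: a rule is a JSON tree
# of {"all": [...]}, {"any": [...]} and leaves {"fact": n, "op": o, "value": v}.
# The only thing that ever runs is one of these fixed comparisons (no eval, no
# plugin loading), so a hostile rule can at most force ALLOW or DENY.
OPS = {
    "eq": lambda a, b: a == b,
    "lt": lambda a, b: a < b,
    "gt": lambda a, b: a > b,
    "in": lambda a, b: a in b,
}

def facts_used(rule):
    """Enumerate every fact a rule reads (purpose-limitation evidence)."""
    if "fact" in rule:
        return {rule["fact"]}
    children = rule.get("all") or rule.get("any") or []
    return set().union(*(facts_used(c) for c in children))

def evaluate(rule, facts, trace):
    """Return True/False, appending one trace entry per leaf actually checked.
    all()/any() short-circuit, so leaves after the deciding one never run."""
    if "fact" in rule:
        if rule["op"] not in OPS:
            raise ValueError("unsupported op %r" % rule["op"])
        actual = facts.get(rule["fact"])
        ok = rule["fact"] in facts and bool(OPS[rule["op"]](actual, rule["value"]))
        trace.append({"fact": rule["fact"], "op": rule["op"],
                      "expected": rule["value"], "actual": actual, "passed": ok})
        return ok
    if "all" in rule:
        return all(evaluate(c, facts, trace) for c in rule["all"])
    if "any" in rule:
        return any(evaluate(c, facts, trace) for c in rule["any"])
    raise ValueError("malformed rule node")

def decide(rule_json, facts):
    """ALLOW/DENY plus the leaf-by-leaf trace an auditor can replay from logs."""
    trace = []
    ok = evaluate(json.loads(rule_json), facts, trace)
    return {"decision": "ALLOW" if ok else "DENY", "trace": trace}

# Constructed sample rule: export a record only for the billing purpose, and
# then only if the region is on the EU list or the record is over 30 days old.
RULE = json.dumps({"all": [
    {"fact": "purpose", "op": "eq", "value": "billing"},
    {"any": [{"fact": "region", "op": "in", "value": ["DE", "FR", "NL"]},
             {"fact": "age_days", "op": "gt", "value": 30}]}]})
```

Running `decide(RULE, {"purpose": "marketing", "region": "DE"})` returns DENY with a single trace entry, because the failing `purpose` leaf short-circuits the `all` node and the region and age leaves are never evaluated.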