AI Coding Assistant Policy Card

Turn allowed tools, data classes, and review rules into a policy card and CSV

This builder runs entirely in your browser. Your selections and notes are not uploaded, logged, or stored. The generated card is a starting template to adapt, not legal or compliance advice.
Summary of the current selection: 3 assistants allowed, 2 data classes in scope, 3 data classes blocked, 4 review triggers.
Data-class exception matrix

| Data class | Allowed use | Review required | Exception owner |
|---|---|---|---|
| First-party source code | Allowed with review | Yes | Engineering lead |
| Secrets and credentials | Not allowed | N/A (not allowed) | Security lead |
| Customer data and PII | Not allowed | N/A (not allowed) | Security lead |
| Regulated data (PHI, PCI, financial) | Not allowed | N/A (not allowed) | Compliance lead |
| Internal docs and tickets | Allowed | No | Engineering lead |
# AI coding assistant policy card

Practical guardrails for AI coding assistants: which tools are allowed, what data they may touch, and when human review is required.

## Allowed assistants
- Claude Code
- Cursor
- GitHub Copilot

## Data handling rules
- First-party source code: Allowed with review (review required; exceptions via Engineering lead)
- Secrets and credentials: Not allowed (review not applicable; exceptions via Security lead)
- Customer data and PII: Not allowed (review not applicable; exceptions via Security lead)
- Regulated data (PHI, PCI, financial): Not allowed (review not applicable; exceptions via Compliance lead)
- Internal docs and tickets: Allowed (no review; exceptions via Engineering lead)

## Review requirements
Human review is required for:
- Autonomous code changes merged without a human in the loop
- Dependency or supply-chain changes
- Infrastructure or IaC changes
- Access to production data or systems

_This card is a starting template to adapt to your organization. It is not legal or compliance advice._

About the AI coding assistant policy card

The AI coding assistant policy card turns a few practical choices into a governance card your team can paste into a handbook or wiki. Pick the assistants you allow, such as Cursor, Claude Code, GitHub Copilot, or Codex CLI, set a handling posture for each data class (source code, secrets, customer data, regulated data, and internal docs), and choose when a human review is required. The tool builds a markdown policy card and a CSV exception matrix you can copy or download, with one row per data class showing the allowed use, whether review is required, and who owns exceptions.

It is built for engineering managers, security leads, and platform teams who need a clear starting point for coding-assistant guardrails. Everything runs in your browser from deterministic rules. Your selections and notes are never uploaded, logged, or stored, which matters because the choices can reveal internal vendors, security posture, and customer-data handling. The card is a starting template to adapt to your organization, not legal or compliance advice. Treat the warnings as cues to confirm with your own policy and counsel.

How to use

  1. Check the assistants you allow, and add any others in the optional box. A common set is selected so you can see the format.
  2. Set a handling posture for each data class: allowed, allowed with review, or not allowed. Sensitive classes start as not allowed.
  3. Choose which activities require a human review, such as autonomous code changes or dependency changes.
  4. Read the warnings, the exception matrix, and the generated policy card. Add an optional scope note if you need one.
  5. Copy the markdown policy card into your handbook or download the CSV exception matrix, then adapt it and confirm it with your own policy.

Worked examples

A secrets warning

If the posture for secrets and credentials is anything other than not allowed, the card warns never to paste API keys, tokens, or .env contents into an assistant and never to let an agent read secret stores.

A source-code retention cue

If first-party source code is allowed without review, the card prompts you to confirm the vendor's retention and training terms so proprietary code is not retained or used to train shared models.

An exception matrix row

Each data class becomes a row with its allowed use, whether review is required, and the exception owner, so reviewers can see who signs off on exceptions at a glance.

Frequently asked questions

What does this tool produce?
A markdown policy card and a CSV exception matrix. The card lists your allowed assistants, the handling posture for each data class, the review requirements, and warnings. The matrix has one row per data class with its allowed use, whether review is required, and the exception owner.
Are my selections uploaded anywhere?
No. The card is built entirely in your browser from deterministic rules. Your selections and notes are never uploaded, logged, or stored, and they are not included in any analytics; the only thing recorded is a coarse, anonymous usage count so we can tell how often the tool is used.
Is this legal or compliance advice?
No. The output is a starting template to adapt to your organization, not legal or compliance advice. The warnings are cues for a human to confirm. Review the card against your own policy, contracts, and counsel before publishing it.
Can I add assistants that are not in the list?
Yes. Use the other-assistants box to add any names, one per line or comma separated. They are added to the allowed-assistants list in the generated card.
Is the CSV safe to open in a spreadsheet?
Yes. The export is a standard CSV with one row per data class, and cell values are escaped so a spreadsheet does not treat any text as a formula.
Is the AI coding assistant policy card free?
Yes. It is free to use and does not require an account.
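The build pipeline the page describes, from a selection to a markdown card, a CSV exception matrix and deterministic warnings, written out as an added JavaScript example. This is not the tool's own source: the function and constant names (buildPolicyCard, exceptionMatrix, escapeCsvCell, parseOtherAssistants), the closed-by-default handling of unset classes, and the exact warning wording are assumptions for this illustration, and the sample selection at the end is constructed to match the card shown above. The CSV writer shows the formula guard the FAQ refers to: a cell beginning with =, +, -, @, tab or carriage return is prefixed with a single quote so a spreadsheet reads it as text, and any cell containing a comma, quote or line break is quoted per RFC 4180.

```javascript
// Added example, not the policy-card tool's own source. Function and constant
// names and the exact warning wording are assumptions for this illustration.

// The five data classes the page lists, each with its exception owner.
const DATA_CLASSES = [
  { name: "First-party source code", owner: "Engineering lead" },
  { name: "Secrets and credentials", owner: "Security lead" },
  { name: "Customer data and PII", owner: "Security lead" },
  { name: "Regulated data (PHI, PCI, financial)", owner: "Compliance lead" },
  { name: "Internal docs and tickets", owner: "Engineering lead" },
];

// Posture vocabulary -> matrix column labels and the phrase used on the card.
const POSTURES = {
  "allowed": { use: "Allowed", review: "No", phrase: "no review" },
  "allowed-with-review": { use: "Allowed with review", review: "Yes", phrase: "review required" },
  "not-allowed": { use: "Not allowed", review: "N/A (not allowed)", phrase: "review not applicable" },
};

// Unset classes default to not-allowed (closed by default); unknown postures are rejected.
function postureOf(postures, name) {
  const key = postures[name] ?? "not-allowed";
  if (!POSTURES[key]) throw new Error(`unknown posture "${key}" for ${name}`);
  return POSTURES[key];
}

// Free-text "other assistants" box: one per line or comma separated.
// Trim, drop empties, and de-duplicate while keeping first-seen order.
function parseOtherAssistants(text) {
  const out = [];
  for (const raw of String(text ?? "").split(/[\n,]/)) {
    const s = raw.trim();
    if (s && !out.includes(s)) out.push(s);
  }
  return out;
}

// One CSV cell. Two concerns: RFC 4180 quoting (commas, quotes, line breaks)
// and formula injection. Excel and LibreOffice evaluate a cell that begins
// with = + - @ or a tab/CR, so such a cell is prefixed with a single quote,
// which makes the spreadsheet treat it as literal text. A negative number
// gets the prefix too; for a matrix of names and labels that is the safe trade.
function escapeCsvCell(value) {
  let s = String(value ?? "");
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function toCsv(rows) {
  return rows.map((r) => r.map(escapeCsvCell).join(",")).join("\r\n") + "\r\n";
}

// Exception matrix: header row plus one row per data class.
function exceptionMatrix(postures) {
  const rows = [["Data class", "Allowed use", "Review required", "Exception owner"]];
  for (const dc of DATA_CLASSES) {
    const p = postureOf(postures, dc.name);
    rows.push([dc.name, p.use, p.review, dc.owner]);
  }
  return rows;
}

// Deterministic warning rules, the two the page's worked examples describe.
function warnings(postures) {
  const out = [];
  if ((postures["Secrets and credentials"] ?? "not-allowed") !== "not-allowed") {
    out.push("Never paste API keys, tokens, or .env contents into an assistant, and do not let an agent read secret stores.");
  }
  if (postures["First-party source code"] === "allowed") {
    out.push("Confirm the vendor's retention and training terms so proprietary code is not retained or used to train shared models.");
  }
  return out;
}

function buildPolicyCard({ assistants = [], others = "", postures = {}, reviewTriggers = [], scopeNote = "" }) {
  // Checked assistants first, then the free-text ones, without duplicates.
  const allAssistants = parseOtherAssistants([...assistants, ...parseOtherAssistants(others)].join("\n"));
  const lines = ["# AI coding assistant policy card", ""];
  if (scopeNote) lines.push(scopeNote, "");
  lines.push("## Allowed assistants", ...allAssistants.map((a) => `- ${a}`), "", "## Data handling rules");
  for (const [name, use, , owner] of exceptionMatrix(postures).slice(1)) {
    lines.push(`- ${name}: ${use} (${postureOf(postures, name).phrase}; exceptions via ${owner})`);
  }
  lines.push("", "## Review requirements", "Human review is required for:", ...reviewTriggers.map((t) => `- ${t}`));
  const warns = warnings(postures);
  if (warns.length) lines.push("", "## Warnings", ...warns.map((w) => `- ${w}`));
  return { markdown: lines.join("\n") + "\n", csv: toCsv(exceptionMatrix(postures)), warnings: warns };
}

// Constructed sample selection matching the card shown on this page; "Cursor"
// is repeated in the free-text box to show de-duplication.
const SAMPLE_SELECTION = {
  assistants: ["Claude Code", "Cursor", "GitHub Copilot"],
  others: "Codex CLI, Cursor",
  postures: { "First-party source code": "allowed-with-review", "Internal docs and tickets": "allowed" },
  reviewTriggers: [
    "Autonomous code changes merged without a human in the loop",
    "Dependency or supply-chain changes",
    "Infrastructure or IaC changes",
    "Access to production data or systems",
  ],
};

const SAMPLE_CARD = buildPolicyCard(SAMPLE_SELECTION);
console.log(SAMPLE_CARD.markdown);
console.log(SAMPLE_CARD.csv);
```

Running the block prints the card and the CSV for the sample selection. Note that the regulated-data row comes out as `"Regulated data (PHI, PCI, financial)",Not allowed,...` because its name contains commas, while a cell such as `=SUM(A1)` would be written as `'=SUM(A1)`, which every common spreadsheet displays as text rather than evaluating.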
