# Safe Transactions in Policies

This page explains how Safe transactions are matched against policy rules.

- For more on Fordefi policies, see [Set Policies](/user-guide/policies).
- For information on adding a Safe{Wallet} to Fordefi, see
[Connect a Safe{Wallet}](/user-guide/vaults/connect-safe-wallet).


## How policy evaluation works for Safe transactions

Fordefi's policy engine evaluates
[Safe transactions](/user-guide/manage-transactions/safe-transactions) using their
decoded semantics, treating the Safe  as a first-class transaction origin.

When Fordefi signs a Safe transaction (`SafeTx`) and a Safe has been added
for the Safe contract:

- The **origin** in the policy engine is the **Safe{Wallet}**, not the Fordefi
signer vault. Logically, the user is signing on behalf of the Safe.
- Policies run against the **decoded Safe action** — for example, *Transfer*,
*Allowance*, or *Contract call* — not against `execTransaction` (`CALL` /
`DELEGATECALL`) or "message signature".
- The semantic meaning of the operation is leading. If a Safe action represents
a transfer, Fordefi evaluates it as a transfer policy, even though it is
technically a signed message.


This means existing Fordefi policy rules apply to Safe transactions without any
new policy concepts.

## Supported policy categories

You can use the existing policy framework with Safe transactions. Rules can
match on:

- **Initiator**: Who proposed the Safe transaction.
- **Origin**: The Safe vault.
- **Recipient**: The address the Safe is interacting with.
- **Transaction type**: Transfer, contract call, allowance, or message
signature.
- **Asset**: The token (or native currency) involved.
- **Transaction amount**


For details on each category, see
[Policy Rules: Conditions and Actions](/user-guide/policies/policy-rules-conditions-and-actions).

## When no Safe{Wallet} is configured

If a Safe contract has not been added as a Safe vault to your organization, the
policy engine cannot detect the Safe origin. In that case:

- The transaction is evaluated, as if the **Fordefi signer vault** is the origin.
- The semantic action is not decoded; the operation is treated as a generic
message signature.


To get full Safe-aware policy evaluation,
[add the Safe{Wallet} as a vault](/user-guide/vaults/connect-safe-wallet).

## Periodic Amount considerations

Fordefi signs a Safe message at the moment a Safe signer requests it, even
though the resulting Safe transaction may never execute on chain — for example,
if other Safe signers reject it. Periodic Amount policy rules count signed
amounts at sign time, so a signed-but-not-executed Safe transaction can still
consume Periodic Amount allowance even though no assets moved.

If this matters for your operation, monitor executed Safe transactions through
transaction history alongside the Periodic Amount limit.