diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
new file mode 100644
index 0000000..ba3f1ed
--- /dev/null
+++ b/.github/workflows/tests.yaml
@@ -0,0 +1,31 @@
+---
+name: tests
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  verify-data:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install ec-cli
+        run: |-
+          mkdir -p "${HOME}/.local/bin"
+          curl -sL https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64 -o "${HOME}/.local/bin/ec"
+          chmod +x "${HOME}/.local/bin/ec"
+          ec version
+
+      - name: Validate data
+        run: ./hack/verify-data.sh
diff --git a/hack/verify-data.sh b/hack/verify-data.sh
new file mode 100755
index 0000000..7e800e6
--- /dev/null
+++ b/hack/verify-data.sh
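Review bot: The `Install ec-cli` step downloads `ec_linux_amd64` from the mutable `snapshot` release and executes it with no verification, so every CI run trusts whatever that asset happens to be at the moment; pin a released tag and check the binary against a digest recorded in the workflow before the `chmod +x`. `curl -sL` also hides HTTP failures — a 404 body would be written as `ec` and the step would only fail at `ec version` with a confusing error — so `curl -fsSL` is the safer spelling. `actions/checkout@v4` is likewise a floating tag; pinning it to a commit SHA is the usual hardening for a workflow that already restricts `permissions` to `contents: read`. Whether tagged releases publish the asset under the same `ec_linux_amd64` name as the snapshot is not visible here — confirm before pinning.
```yaml
      - name: Install ec-cli
        env:
          EC_VERSION: "<pinned-release-tag>"    # placeholder: a released tag, not 'snapshot'
          EC_SHA256: "<expected-sha256>"        # placeholder: digest of that release asset
        run: |-
          mkdir -p "${HOME}/.local/bin"
          curl -fsSL "https://github.com/enterprise-contract/ec-cli/releases/download/${EC_VERSION}/ec_linux_amd64" -o "${HOME}/.local/bin/ec"
          echo "${EC_SHA256}  ${HOME}/.local/bin/ec" | sha256sum --check
          chmod +x "${HOME}/.local/bin/ec"
          ec version
      # … unchanged: Validate data step …
```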
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+cd "$(git root)"
+
+# The EC policy does not allow for relative paths. For this reason, we use envsubst to replace
+# occurrences of $PWD with the actual working directory. The result is a temporary policy file
+# with absolute paths.
+# NOTE: An alternative to saving the modified policy to a temporary file is to use a heredoc, e.g.
+# `ec validate input --file <(...)` However, when doing so, the file name is something like
+# `/dev/fd/63` which EC does not understand as neither a JSON nor a YAML file. Instead EC tries to
+# fetch such resource from a Kubernetes cluster 😅
+POLICY_YAML="$(mktemp --suffix '.yaml')"
+< policy.yaml envsubst '$PWD' > "${POLICY_YAML}"
+
+ec validate policy --policy "${POLICY_YAML}"
+echo '✅ Policy config validated'
+
+# The command requires --file to be used at least once. This sets the input to be verified by the
+# policy rules. However, here we are verifying the data sources which does not require an input.
+# So we use a dummy input file instead.
+ec validate input --policy "${POLICY_YAML}" --output yaml --file <(echo '{}') | yq .
+echo '✅ Data validated'
+
+rm -f "${POLICY_YAML}"
diff --git a/policy.yaml b/policy.yaml
new file mode 100644
index 0000000..73efa8a
--- /dev/null
+++ b/policy.yaml
@@ -0,0 +1,15 @@
+---
+name: verify-data
+description: >-
+  This policy config is responsible for verifying the integrity of the data defined in this
+  repository.
+sources:
+  - policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/release
+    data:
+      - $PWD/data/rule_data.yml
+      - $PWD/data/required_tasks.yml
+    config:
+      include:
+        - '@policy_data'
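Review bot: `cd "$(git root)"` depends on `root` being a user-defined git alias, which the CI runner will not have; `git root` then fails, and because `set -o errexit` does not apply inside the command substitution the script continues from whichever directory it was started in (or aborts with an unhelpful message) instead of the repository root — use the built-in `cd "$(git rev-parse --show-toplevel)"`. The temporary policy file is only removed on the success path: any failing `ec` call exits under errexit and leaves it behind, so `trap 'rm -f "${POLICY_YAML}"' EXIT` placed right after the `mktemp` line covers both outcomes and makes the trailing `rm -f` redundant. The header comment calls `--file <(...)` a heredoc; it is a process substitution, and naming it correctly matters because the `/dev/fd/63` explanation that follows only makes sense for that construct. `yq` is used on the last `ec` call but is not installed by the workflow, so the script presumably relies on it being present on the runner image — a one-line comment stating that expectation would help anyone running it locally.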
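Review bot: The two `ec-policies` sources carry no ref, so each run evaluates whatever the default branch of that repository contains at that moment; the result is neither reproducible nor protected against an upstream policy change, and both entries should be pinned to a commit (ec-cli resolves source URLs in go-getter style, so a `?ref=<commit-sha>` suffix is the expected form — confirm against the ec-cli documentation). The `$PWD/...` entries under `data:` are plain scalars that `hack/verify-data.sh` rewrites with envsubst; quoting them, `- "$PWD/data/rule_data.yml"`, keeps the rendered file valid YAML should the expanded path ever contain a `: ` or ` #` sequence. A one-line comment above `data:` noting that `$PWD` is substituted by `hack/verify-data.sh` would spare the reader a trip to the script to learn why a shell variable appears in a policy file.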