By accessing or using PromptSentry (the "Service"), including through API integration, SDK, Docker deployment, Helm chart, or our web dashboard, you ("Customer", "you") agree to be bound by these Terms of Service ("Terms"). If you are entering into these Terms on behalf of an organization, you represent that you have authority to bind that organization.
These Terms form a binding contract between you and Five Nines Consulting LLC. If you do not agree to these Terms, do not use the Service.
The Privacy Policy at promptsentry.net/privacy is incorporated by reference and governs how FNC processes personal data through the Service. By accepting these Terms, you also acknowledge the Privacy Policy.
PromptSentry is a prompt injection firewall platform that:
The specific features available depend on the subscription tier and configuration.
3.1 You are responsible for maintaining the confidentiality of all API keys, admin tokens, and OAuth credentials associated with your account.
3.2 You must immediately notify FNC at security@promptsentry.net if you suspect unauthorized access to your credentials.
3.3 FNC will never ask you to share your API key or admin token by email, phone, or chat.
3.4 API key secrets are stored only as a SHA-256 hash in our systems. If you lose a key, you must rotate it — we cannot recover the original secret.
You may use PromptSentry to:
You may not use PromptSentry to:
The default API rate limit is 500 scans per minute per IP. Enterprise contracts may negotiate higher limits. Exceeding rate limits returns HTTP 429. FNC reserves the right to suspend access for sustained abuse of rate limits.
PromptSentry operates in one of three modes, configurable by the Customer:
| Mode | Behavior | Implication |
|---|---|---|
| monitor (default) | All prompts pass through. Malicious verdicts logged but not blocked. | Customer is responsible for downstream enforcement. |
| active | Malicious verdicts return HTTP 403 to the calling application. Prompt is blocked. | False positives may block legitimate requests. Customer is responsible for tuning thresholds. |
| bypass | Pipeline disabled. All prompts allowed through. | No protection active. Customer assumes all risk. |
False positives (benign prompts blocked): In active mode, false positives will block legitimate requests. FNC is not liable for business impact caused by false positive blocks. Customers are responsible for threshold tuning.
False negatives (attacks not detected): FNC does not guarantee 100% detection. Customers should implement defense-in-depth rather than relying solely on PromptSentry.
Detection accuracy is measured against controlled benchmark datasets and may differ from Customer-specific prompt distributions. Current benchmark results on Gemini 3.1 Flash-Lite GA (primary classifier):
These figures represent benchmark accuracy (e.g., "98.92% attack-suite accuracy on benchmark datasets"). Customers are responsible for ongoing evaluation against their own traffic distributions.
6.1 The default PromptSentry configuration transmits prompt text to Google AI Studio (Gemini) for classification and, for gray-zone prompts, to Anthropic (Claude Opus). By using the default configuration, you agree to comply with Google's and Anthropic's applicable terms of service.
6.2 FNC is not responsible for the availability, accuracy, or data handling of third-party services. If Google AI Studio or Anthropic is unavailable, PromptSentry falls back to regex-only detection (configurable behavior).
6.3 Customers who require that prompt data never leave their own infrastructure must configure a BYOM (Bring Your Own Model) endpoint via PROMPTSENTRY_CLASSIFIER_ENDPOINT_URL and disable escalation. FNC can provide guidance but does not operate BYOM model infrastructure.
6.4 Optional integrations (ServiceNow, Palo Alto Panorama) are Customer-configured and Customer-controlled. FNC is not responsible for data shared with these systems.
7.1 The parties agree that for data processed through the /scan endpoint, FNC acts as a data processor and the Customer acts as the data controller for the purposes of GDPR Article 4(7)–(8).
7.2 FNC will process personal data only on documented instructions from the Customer (via configuration), except where required by law.
7.3 FNC will implement appropriate technical and organizational measures to protect personal data, as described in the Privacy Policy.
7.4 FNC will not sub-contract the processing of personal data to any sub-processor not listed in the Privacy Policy without notifying the Customer in advance.
7.5 FNC will delete any retained Customer scan data within 30 days of termination of the applicable Service agreement. Routine scan records are already deleted on the rolling 24-hour retention cycle described in the Privacy Policy — the 30-day termination window applies to any data that persists beyond normal retention (e.g., API key metadata, tenant configurations, and any Customer-enabled extended retention).
7.6 Customers who require a signed Data Processing Agreement (DPA) for GDPR compliance should contact privacy@promptsentry.net.
8.1 Customers deploying PromptSentry in products used by children under 13 must:
child_safety.enabled=true in tenant config)
8.2 FNC's child safety mode returns crisis resources (hotline numbers, text lines) for self-harm signals instead of generic blocks. Customers must not modify or suppress crisis resource delivery for users in crisis.
8.3 Customers deploying PromptSentry in healthcare contexts handling PHI under HIPAA must contact legal@promptsentry.net to execute a Business Associate Agreement before going live.
9.1 Uptime: FNC targets 99% monthly uptime on a best-effort basis for FNC-hosted (SaaS) deployments, excluding scheduled maintenance. Formal SLAs are available by separate written agreement for Enterprise customers. No uptime guarantees apply to self-hosted deployments.
9.2 Degraded Operation: PromptSentry degrades gracefully: Google AI unavailable → regex-only fallback; Anthropic unavailable → escalation skipped, primary verdict stands; Redis unavailable → scans may fail or proceed depending on configuration.
9.3 Security posture: PromptSentry is on the SOC 2 Type II roadmap, targeted for Q1 2027. The Service is designed to support compliance with GDPR, CCPA, and COPPA, though FNC has not undergone a third-party security audit at this time.
9.4 Latency: Pipeline latency on the Gemini 3.1 Flash-Lite GA primary classifier (measured):
| Path | p50 | p95 |
|---|---|---|
| Attack pipeline | ~856ms | ~1.3s |
| Content pipeline | ~887ms | ~1.4s |
Actual latency depends on external classifier response times, network conditions, and Customer infrastructure. FNC does not guarantee specific latency SLAs except by separate written agreement.
9.5 Audit rights: Enterprise customers may submit an annual security questionnaire to security@promptsentry.net. A SOC 2 report will be made available to Enterprise customers when completed (target Q1 2027). Penetration testing of FNC-managed infrastructure requires advance written approval.
10.1 FNC retains all rights to the PromptSentry platform, including the detection pipeline, classifier prompts, pattern library (27 regex patterns across injection, encoding, multi-language, code injection, and meta-injection categories), scoring logic, and dashboard UI.
10.2 Customers retain all rights to their data, including prompts submitted to the Service.
10.3 Training signal data collected from Customer scans (gray-zone signals, Opus disagreements) is stored locally on Customer infrastructure and remains Customer data. FNC does not access or use Customer training signals.
10.4 If you submit feedback or suggestions about the Service, FNC may use that feedback without restriction or compensation.
11.1 FNC's total liability for any claim arising under these Terms shall not exceed the greater of (a) the fees paid by Customer to FNC in the 12 months preceding the claim, or (b) $1,000.
11.3 FNC makes no warranty that:
You agree to defend, indemnify, and hold harmless FNC and its officers, directors, employees, and contractors from any claim, liability, damage, or expense (including reasonable legal fees) arising from:
13.1 Either party may terminate the agreement with 30 days' written notice.
13.2 FNC may immediately suspend or terminate access if:
13.3 Upon termination of SaaS services, FNC will delete any retained Customer scan data within 30 days. Routine scan records are already deleted on the rolling 24-hour cycle described in the Privacy Policy. Customers may request an export of any retained scan records before termination.
14.1 These Terms are governed by the laws of the Commonwealth of Virginia, United States, without regard to conflict-of-law principles.
14.2 Any dispute not resolved informally within 30 days of written notice shall be submitted to binding arbitration administered by the American Arbitration Association in Roanoke, Virginia, under its Commercial Arbitration Rules.
14.3 Class action waiver: You waive any right to bring or participate in any class action lawsuit against FNC.
Neither party is liable for failure to perform obligations due to events beyond reasonable control, including acts of God, war, terrorism, pandemic, government action, or third-party service outages (including Google AI Studio, Anthropic, or other sub-processors).
Customer may not assign these Terms without FNC's prior written consent. FNC may assign these Terms to a successor in connection with a merger, acquisition, or sale of substantially all assets without Customer consent, provided the successor assumes all obligations herein.
Sections 10 (Intellectual Property), 11 (Limitation of Liability), 12 (Indemnification), and 14 (Governing Law and Disputes) survive termination of these Terms.
These Terms represent FNC's standard terms. Enterprise customers with specific requirements — including custom DPAs, BAAs (HIPAA), MSAs, or negotiated SLAs — should contact sales@promptsentry.net. Negotiated terms supersede these standard Terms where they conflict.
FNC may update these Terms with 30 days' notice for material changes. Continued use of the Service after the effective date constitutes acceptance. For Customers on annual contracts, material changes to terms take effect at the next renewal unless FNC provides written notice of immediate changes.
Legal / Contracts: legal@promptsentry.net
Security / Vulnerability Reports: security@promptsentry.net
Privacy / Data Requests: privacy@promptsentry.net
Sales / Enterprise: sales@promptsentry.net
General Support: support@promptsentry.net
Five Nines Consulting LLC
Roanoke, VA · United States