Acceptable Use Policy

Last updated: April 15, 2026 · Version 1.0.0

This Acceptable Use Policy ("AUP") is the canonical source for what you may and may not do with PromptAssay. It is incorporated by reference into our Terms of Service and our Privacy Policy, and it controls over any summary of acceptable use that may appear elsewhere. When we update this AUP we may do so without triggering a Terms of Service material-change notice, but we will update the "Last updated" date and post the new version at this URL.

Table of contents

  1. Overview and purpose
  2. Prohibited data types
  3. Prohibited uses
  4. AI-specific restrictions
  5. Upstream Provider compliance
  6. Abuse of the Service itself
  7. Consequences of violations
  8. Reporting violations
  9. Our review posture
  10. Contact

1. Overview and purpose

PromptAssay is a prompt engineering and evaluation workbench. It is a tool for authoring, versioning, testing, and improving the prompts you use with large language models. It is not a general-purpose data processing platform, a database for personal information, a compliance system, a content distribution platform, or a substitute for your own production infrastructure. The restrictions in this AUP reflect that scope. They exist to keep the Service safe, lawful, and usable for everyone — and to make sure you do not accidentally expose yourself or your end users to risk by using the Service in a way it was not designed for.

2. Prohibited data types

You must not input any of the following into any field, prompt, test case, fragment, annotation, uploaded file, or API payload within the Service. This prohibition applies regardless of whether the data belongs to you, your colleagues, your customers, or a third party, and regardless of whether the data is real, synthesized, or lightly obfuscated.

  • Personally identifiable information (PII) including names combined with other identifiers, home addresses, personal phone numbers, personal email addresses, dates of birth, parents' or mothers' maiden names, photographs of identifiable individuals, or similar information that identifies or can reasonably be used to identify a natural person. For prompt-engineering purposes, use fictional names and synthetic data.
  • Government-issued identifiers including Social Security numbers, Individual Taxpayer Identification Numbers, driver's license numbers, passport numbers, national ID numbers, tax file numbers, Aadhaar numbers, or similar.
  • Protected health information (PHI) as defined under HIPAA or equivalent laws, including medical records, diagnoses, treatment notes, prescription data, lab results, mental health information, and any health data linked to an identifiable individual. PromptAssay is not a HIPAA Business Associate and does not sign Business Associate Agreements.
  • Payment card data including primary account numbers, full track data, CVV/CVC values, or PINs. PromptAssay is not a PCI DSS Level 1 service provider for the purposes of accepting card data in prompts. Test card numbers published by Stripe or other payment processors for development purposes are likewise not permitted in prompts.
  • Financial account data including bank account numbers, routing numbers, IBANs, credit scores linked to identifiable individuals, and brokerage account details.
  • Authentication credentials including passwords, password hashes, API keys you do not own, OAuth tokens, session cookies, private cryptographic keys, SSH keys, MFA backup codes, and recovery phrases. The only exception is the BYOK provider API keys you explicitly configure in the provider-keys section of Account settings, which are protected by encryption.
  • Biometric data including fingerprint, facial recognition, voice print, iris, and DNA information.
  • Children's personal data. Any personal data of an individual you know or reasonably should know is under 16 years old.
  • Precise geolocation of identifiable individuals (real-time or historical coordinates tied to a named person).
  • Data subject to specific regulatory regimes including (without limitation) ITAR/EAR-controlled technical data, classified government information, CJIS data, FERPA-protected student records with identifiers, GLBA-protected nonpublic personal financial information, and data subject to tribal or jurisdiction-specific data residency requirements.
  • Confidential information of third parties that you are not authorized to disclose (including third-party source code, trade secrets, and material non-public information about publicly traded companies).

If you need to work on prompts that would otherwise require this kind of data, replace it with synthetic or clearly fictional equivalents before typing it into the Service.

3. Prohibited uses

You may not use the Service, and you may not use prompts authored in the Service, for any of the following:

  • Illegal activity. Any activity that is unlawful in your jurisdiction or in ours, or that would cause another person to violate applicable law.
  • Child sexual abuse material (CSAM). Generating, requesting, storing, transmitting, soliciting, or facilitating any sexually explicit content involving minors, or content that sexualizes minors, is strictly prohibited. Confirmed CSAM activity will result in immediate account termination and report to the National Center for Missing & Exploited Children (NCMEC) and law enforcement.
  • Violent extremism and credible threats. Content that incites, promotes, glorifies, or celebrates terrorism, genocide, mass violence, or specific threats of violence against identifiable individuals or groups.
  • Harassment and targeted abuse. Generating content intended to harass, threaten, or intimidate a specific individual or group, including doxxing, coordinated harassment, or non-consensual intimate imagery.
  • Discriminatory content. Content that promotes hatred, degradation, or unlawful discrimination against people on the basis of race, ethnicity, national origin, religion, disability, gender, gender identity, sexual orientation, age, or other protected characteristics.
  • Fraud, deception, and scams. Generating phishing content, fraudulent communications, fake identities, fake reviews, fake news, impersonation of real people or organizations, election manipulation content, or academic dishonesty tools.
  • Malware and unauthorized access. Creating, distributing, or testing malware, ransomware, spyware, stalkerware, exploits targeting unpatched vulnerabilities in other people's systems, credential stuffing tools, or content designed to compromise systems you do not own or are not authorized to test.
  • Critical infrastructure interference. Developing prompts intended to disrupt electrical grids, water systems, transportation systems, medical systems, financial market infrastructure, or similar.
  • Regulated advice without proper disclaimers and qualified review. Using the Service to produce medical, legal, financial, tax, psychological, or engineering advice that will be delivered to real end users as though it were professional advice, without appropriate professional review and without clear disclaimers to end users that the content was machine-generated and is not a substitute for professional advice.
  • High-risk automated decision-making. Deploying prompt outputs to make or materially contribute to legally or similarly significant decisions about individuals (employment, credit, insurance, housing, government benefits, criminal justice, education placement) without meaningful human review and without compliance with applicable law on automated decision-making.
  • Infringement of intellectual property. Uploading content that infringes a third party's copyright, trademark, trade secret, or other rights; using the Service to reproduce paywalled content at scale; or using the Service to strip attribution from original works.
  • Invasions of privacy. Using the Service to profile individuals without a lawful basis, to generate unauthorized deepfakes of real people, or to build prompts intended for mass surveillance.
  • Weapons development. Generating specific instructions or research for creating chemical, biological, radiological, nuclear, or cyber weapons, or for significantly enhancing the capability of weapons of mass destruction.
  • Spam and unsolicited bulk messaging.

4. AI-specific restrictions

  • No jailbreaking or safety-system circumvention. You may not use the Service to develop, test, publish, benchmark, or distribute prompts whose purpose is to circumvent, disable, defeat, or undermine the safety systems, content policies, or guardrails of any Upstream Provider's model, of our Service, or of any third-party AI system. Legitimate adversarial testing conducted under a responsible disclosure or red-team engagement authorized by the Upstream Provider is not prohibited; a good-faith note in the prompt metadata helps us distinguish.
  • No prompt-injection payloads intended for attack. You may not use the Service to develop and distribute prompt injection payloads whose purpose is to attack third-party applications you do not own or are not authorized to test.
  • No training data manipulation. You may not use the Service as part of a system that intentionally poisons the training data or evaluation benchmarks of any Upstream Provider.
  • No disguising AI-generated content as human. Where applicable law or platform policy requires disclosure that content is machine-generated, you must comply.
  • No generating non-consensual synthetic imagery or voice of real individuals.

5. Upstream Provider compliance

When you run an AI feature, PromptAssay calls the Upstream Provider (Anthropic, OpenAI, Google, or others) under your BYOK key. Your use must comply with that provider's current terms of service and usage policies in addition to this AUP. If there is a conflict between this AUP and an Upstream Provider's policy, the stricter rule applies to you. You are responsible for understanding the provider-specific policies that apply to your keys and models. Links to current provider policies are available in our Privacy Policy.

6. Abuse of the Service itself

  • No unauthorized access. No attempts to access accounts, workspaces, or data belonging to other users, including credential stuffing, session hijacking, or enumerating user IDs.
  • No reverse engineering or circumvention. No decompiling, disassembling, or reverse-engineering the Service, except where expressly permitted by law; no bypassing rate limits, tier enforcement, or licensing gates.
  • No scraping, crawling, or mass automation of the Service outside of the documented public REST API, and only within the rate limits applicable to your plan.
  • No denial-of-service or interference with the integrity or performance of the Service, including flooding endpoints, deliberately triggering errors, or consuming shared resources abusively.
  • No probing, scanning, or testing for vulnerabilities except under a coordinated vulnerability disclosure authorized by us at security@promptassay.ai.
  • No impersonation of PromptAssay, its employees, or its administrators; no false attribution of content to us.
  • No resale or competitive development. No using the Service, its documentation, or any subscription-derived access to build, train, or benchmark a directly competing product; no reselling access to the Service without written authorization.

7. Consequences of violations

The consequence of a violation depends on its severity, duration, whether it was inadvertent or willful, and whether it has been promptly corrected after notice. We may, in our sole discretion, apply one or more of the following:

  • Warning and correction request — the most common response to a first, inadvertent violation.
  • Content removal — removing specific prompts, fragments, or other content that violates this AUP.
  • Feature restriction — disabling a specific feature (for example, the public API) while you remain able to use the rest of the Service.
  • Temporary suspension — disabling account access pending resolution.
  • Termination — permanent termination of the account and deletion of the workspace, subject to the retention provisions in our Privacy Policy.
  • Reporting to authorities — for severe violations (CSAM, credible threats, specific illegal activity), we may and in some cases must report to law enforcement and to specialized organizations such as NCMEC.
  • Civil recovery — where the violation causes us loss, we may seek recovery under the indemnification provisions of the Terms.

For inadvertent violations involving prohibited data input (Section 2), the first step is usually to notify you, require immediate deletion of the offending content, and request confirmation. We recognize that users sometimes paste in data without realizing it was covered by this AUP; we want to help you clean up, not punish a good-faith mistake. Repeated or willful violations are treated much more seriously.

8. Reporting violations

If you believe someone is using the Service in violation of this AUP, please report it to abuse@promptassay.ai. Include as much detail as you safely can, including the workspace or user identifiers you believe are involved, the nature of the violation, and any supporting evidence. Do not include prohibited data types (Section 2) in your report; describe them rather than including them. We review every report and will take action where appropriate.

For reports concerning CSAM specifically, also consider contacting the NCMEC CyberTipline.

9. Our review posture

We reserve the right, but have no obligation, to review Customer Content for compliance with this AUP. We do not proactively monitor the content of your prompts for editorial review, we do not maintain a safety-classifier filter on prompt inputs or outputs, and we do not scan your Customer Content as part of normal operations. Platform administrators may review specific content in response to a credible abuse report, a security incident, a legal process, or a support ticket you opened, in accordance with the platform-administrator access provisions of our Privacy Policy.

This means enforcement of the AUP is primarily complaint-driven. The absence of proactive review is not a license to violate this AUP. You remain responsible for complying with it at all times.

10. Contact

Questions about this AUP: legal@promptassay.ai

Abuse reports: abuse@promptassay.ai

Security reports: security@promptassay.ai

See also: Terms of Service · Privacy Policy · Cookie Policy · Data Processing Addendum.