
Terms of Service

The agreement between you and Sentinelle Labs that governs how you may use the Sentinelle platform, agent and APIs. Because the product performs real offensive security activity, these Terms allocate scope responsibility, operational risk and acceptable-use obligations explicitly.

Effective · 2026-05-04
Last updated · 2026-05-13

01

Agreement to the Terms

These Terms of Service (the "Terms") form a binding agreement between you (the "Customer") and Sentinelle Labs ("Sentinelle", "we", "us"), and govern your access to and use of the Sentinelle platform, autonomous agent, web application, APIs and any related services (collectively, the "Service").

By creating an account, accessing the Service, or clicking "I accept", you confirm that you have read, understood and agreed to be bound by these Terms. If you do not agree, you must not use the Service.

The Acceptable Use Policy and the Security Testing Policy are incorporated into these Terms by reference. A breach of either is a breach of these Terms.

If you are accepting these Terms on behalf of an organisation, you represent and warrant that you have the authority to bind that organisation, in which case the term "Customer" refers to that organisation.

02

Eligibility & Account Registration

The Service is intended for security professionals, engineering teams, and the businesses that employ them. You must be at least eighteen (18) years old and legally capable of entering into a binding contract to use the Service.

When you create an account, you agree to provide accurate, current and complete information, and to keep that information up to date. You are solely responsible for safeguarding your credentials, for any activity carried out under your account, and for promptly notifying us of any suspected compromise.

We reserve the right to suspend or terminate accounts that we reasonably believe were obtained through misrepresentation, used in breach of these Terms, or used to circumvent enforcement actions taken against another account.

03

The Service

Sentinelle is an autonomous offensive-security agent. It performs reconnaissance, vulnerability research and exploitation work on the digital assets you explicitly designate, returning evidence-backed findings and remediation hints.

The Service is provided as software-as-a-service. We may release new features, deprecate existing ones, and adjust quotas, rate limits or default behaviours from time to time. We will use commercially reasonable efforts to give advance notice of material changes that adversely affect Customers on a paid plan.

04

Authorized Testing & Scope

The Service is built to perform offensive security operations, which by their nature can affect target systems. You may only direct the Service against assets that you own, or for which you possess clear, current, written authorisation from the asset owner that is sufficient under applicable law.

Before launching a mission, you must define the scope (in-scope and out-of-scope assets, allowed techniques, rate limits, time windows, production constraints and rules of engagement). You agree that you, and not Sentinelle, are responsible for ensuring the lawfulness, accuracy and completeness of that scope.

Sentinelle includes guard-rails to keep the agent within the scope you declare. These guard-rails are not a substitute for your own diligence, and we make no representation that they are infallible.

  • You will not direct the Service against systems you do not own or are not properly authorised to test.
  • You will maintain documentary proof of authorisation and provide it to us on request where reasonably necessary to investigate misuse or legal risk.
  • You will respect any rules of engagement, maintenance windows, third-party authorisations and bug-bounty program terms that apply to a target.
  • You will pause or stop a mission immediately if you become aware of a compliance, safety, availability or legal concern.

05

Operational Risk, Non-Disruption & Assumption of Risk

Security testing can degrade performance, trigger alarms, change state, interrupt workflows, and in some cases contribute to outages, instability or data loss. This is true even where tests are carefully scoped and rate-limited.

Sentinelle does not guarantee that missions will be non-disruptive, error-free, reversible, safe for production systems, or compatible with your internal controls, third-party contracts or bug-bounty policies.

You are solely responsible for deciding whether, when and where to execute a mission, including whether to run against production, staging or customer-facing systems. You assume all risk arising from execution of missions that you authorise, including operational, business, contractual, regulatory and reputational risk.

06

Mission Records & Forensic Logging

When you launch a mission, the Service captures and stores a forensic snapshot of the launch context. This snapshot is created automatically and you cannot opt out of it for an authorised mission to proceed.

  • the source network address and approximate country from which the mission was initiated, the user-agent string of the client used, and the timestamp;
  • the target as you declared it (hostname or IP), the public name resolution observed at that instant, and the scope (in-scope and out-of-scope assets) you supplied;
  • the verbatim text of the authorisation you attested to (own asset / training lab / bug-bounty programme), the basis you selected and the timestamp at which you confirmed it;
  • where applicable, the cryptographic proof or programme metadata that supported your declared authorisation (for example a verified DNS challenge or a public bug-bounty programme record).

While the mission runs, every command issued by the agent on your behalf, every observation it returns, every state transition and every finding is appended to a per-mission, tamper-evident chain of records. Each entry is cryptographically linked to its predecessor, so any later attempt to delete, alter or insert an entry is detectable by integrity verification.

Mission records, the launch snapshot and platform-wide security events (sign-in, sign-up, mission launch attempts, network-reputation decisions, administrative actions, abuse reports) are retained for the period required by applicable law and the Privacy Notice, and are accessible only to a restricted set of authorised personnel under audit. Each access by personnel is itself logged into the same chain.

These records exist to (i) enforce these Terms and the Acceptable Use Policy, (ii) respond to abuse complaints from third parties or hosting providers, (iii) cooperate with regulators, courts and law-enforcement authorities, and (iv) demonstrate, where contested, the identity of the operator who launched a given mission and the authorisation they declared at the time.

07

Customer Responsibilities

You are responsible for the lawful, authorised and proportionate use of the Service. You are responsible for the security of the credentials you provide to the Service, and for any data you upload, paste or otherwise submit while using the Service.

You will comply with all applicable laws and regulations, including laws governing computer misuse, unauthorised access, data protection, export controls, sanctions, anti-corruption and intellectual property.

  • You will review outputs before relying on them for security or operational decisions.
  • You will use environments, throttles, maintenance windows and rollback measures appropriate to your risk tolerance.
  • You will ensure that your personnel use the Service only within internal approvals and delegated authority.

08

Prohibited Conduct

You will not, and will not permit any third party to:

  • use the Service to access, test, interfere with or exploit any system you do not own or are not authorised to test;
  • use the Service for unlawful intrusion, credential theft, persistence, surveillance, extortion, destructive activity or any other form of unauthorised offensive activity;
  • use the Service to violate laws, evade legal restrictions, bypass sanctions or export controls, or to help another person do so;
  • abuse bug-bounty, coordinated disclosure or responsible disclosure programs, including by acting outside program scope, ignoring rate limits, exceeding authorised techniques or withholding material impact for leverage;
  • use the Service to develop, distribute, sell or weaponise malware, ransomware, destructive payloads or exploit kits against third parties;
  • exfiltrate, publish or commercialise third-party data, secrets or vulnerabilities except as strictly necessary for an authorised and lawful security engagement;
  • circumvent or disable any safety, rate-limit, billing, authentication, monitoring or scope-enforcement mechanism;
  • reverse-engineer, decompile or otherwise attempt to derive the source code, models or training data of the Service, except to the extent expressly permitted by law;
  • scrape, copy or otherwise extract the Service's outputs to build a competing product or to train a competing model;
  • resell, sublicense or otherwise make the Service available to third parties outside the scope of your subscription.

09

Intellectual Property

Sentinelle and its licensors retain all right, title and interest in and to the Service, including all software, models, prompts, documentation, trademarks and logos. No rights are granted to you except those expressly set out in these Terms.

Subject to your compliance with these Terms, we grant you a limited, non-exclusive, non-transferable, revocable licence to access and use the Service for your internal business purposes during your subscription term.

You may submit feedback, suggestions and ideas to us. You agree that we may use such feedback for any purpose without compensation or attribution to you.

10

Customer Data & Findings

As between you and us, you retain ownership of all data you submit to the Service and of all findings, reports and outputs generated by the Service against your scoped targets (collectively, "Customer Data").

You grant us a worldwide, non-exclusive, royalty-free licence to host, process and display Customer Data solely as necessary to operate, secure, support and improve the Service for you, and to perform our obligations under these Terms. We do not use Customer Data to train foundation models that are made available to other customers.

You are responsible for keeping a backup of any Customer Data you wish to retain. We will make Customer Data available for export during the subscription term and for a reasonable period following termination, after which we may delete it in accordance with our retention schedule.

11

Subscriptions, Fees & Renewal

Fees, billing cycle and included quotas are set out in your order form, in-app pricing page or other written agreement (the "Order"). Unless your Order says otherwise, fees are charged in advance and exclude taxes.

All fees are non-refundable. Cancelling an active subscription stops the next renewal but does not refund the current billing period — you keep access until the end of that period. Statutory consumer rights that cannot be waived (e.g. specific EU / EEA / UK regimes) remain unaffected.

Subscriptions renew automatically at the end of each billing period at the then-current price for the same term, unless either party gives notice of non-renewal before the end of the current term.

We may suspend access to the Service for accounts with overdue invoices after providing reasonable notice. Continued non-payment may lead to termination of the account and forfeiture of remaining quotas.

12

Service Availability

We will use commercially reasonable efforts to keep the Service available with the uptime targets, if any, set out in your Order. Service-level commitments, if any, are the only remedies available to you for downtime.

Scheduled maintenance, third-party outages, force majeure, or actions taken to protect the integrity or security of the Service may cause temporary unavailability and are excluded from any uptime calculation.

13

Confidentiality

Each party will protect the confidential information of the other with at least the same degree of care it uses for its own confidential information of similar nature, and in no event less than reasonable care.

Vulnerability findings, exploit details and proof-of-impact captured through the Service are treated as your confidential information. We will not disclose them outside our personnel, contractors and sub-processors who have a legitimate need to know and who are bound by confidentiality obligations no less protective than those set out here.

14

Warranties & Disclaimers

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, OR NON-INFRINGEMENT.

Security testing is inherently probabilistic. We do not warrant that the Service will identify every vulnerability in your environment, that its findings will be free of false positives or false negatives, or that operations performed against your scoped targets will be free of operational impact.

You acknowledge that the Service may issue commands, create traffic, interact with credentials, invoke third-party tooling, and generate exploit or proof-of-impact actions. You remain solely responsible for assessing whether those actions are appropriate for the systems, people and environments you place in scope.

15

Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, GOODWILL OR DATA, ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR THE SERVICE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

EACH PARTY'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS WILL NOT EXCEED THE FEES PAID BY THE CUSTOMER TO SENTINELLE FOR THE SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

These limitations do not apply to liability that cannot be excluded under applicable law, including liability for fraud, gross negligence or wilful misconduct.

16

Indemnification

You will defend, indemnify and hold harmless Sentinelle, its affiliates and their respective officers, directors, employees and agents from and against any third-party claims, damages, liabilities, costs and expenses (including reasonable legal fees) arising out of or related to: (a) your use of the Service in breach of these Terms or the incorporated policies; (b) your direction of the Service against systems you were not authorised to test; (c) any allegation that your mission authorisation, scope or rules of engagement were invalid, incomplete or unlawful; or (d) Customer Data submitted to or generated through the Service.

17

Term, Suspension & Termination

These Terms remain in effect while you have an active account or subscription. Either party may terminate for material breach if the other party fails to cure the breach within thirty (30) days of written notice.

We may suspend or terminate access to the Service immediately, without prior notice and without liability to you, if we reasonably believe your use of the Service poses a security, legal, compliance or operational risk to Sentinelle, our other customers, target systems or third parties.

We may investigate suspected misuse, preserve relevant logs and evidence, cooperate with affected asset owners, and disclose information to law enforcement, regulators, courts or other competent authorities where we reasonably believe doing so is necessary to investigate, prevent or respond to unlawful or harmful conduct.

When you delete your account, or when we delete it for breach, we erase the personal information associated with your profile (such as email, display name and billing details) in line with our Privacy Notice. The forensic mission records described in the section “Mission Records & Forensic Logging” are not erased: they are retained, in pseudonymised form, for the period required by applicable law and by our anti-abuse, security-incident and provider-disclosure obligations. Account deletion therefore breaks the link between the records and your personal identity, but does not erase the records themselves; we may still rely on them to respond to a complaint, requisition or claim concerning a mission you launched before deletion.

Sections that by their nature should survive termination (including Intellectual Property, Mission Records & Forensic Logging, Customer Data, Confidentiality, Disclaimers, Limitation of Liability, Indemnification and Governing Law) will survive.

18

Governing Law & Disputes

The governing law and exclusive forum for any dispute arising out of or in connection with these Terms will be set out in your Order, or otherwise agreed in writing between you and Sentinelle. Where applicable law gives consumers the right to bring proceedings in the courts of their place of residence, those rights are preserved.

Before bringing a formal proceeding, the parties will use reasonable efforts to resolve the dispute through good-faith negotiation, escalating to senior representatives on each side.

19

Changes to These Terms

We may update these Terms from time to time. If a change is material, we will notify you by email or in-app at least thirty (30) days before it takes effect. Your continued use of the Service after the effective date of an update constitutes acceptance of the updated Terms.

20

Contact

Questions about these Terms? Reach us at legal@sentinelle.ai.