Scope
This policy applies to every account, product, and integration connected to the Herald service, including use of the Herald SDKs, public API, webhooks, and email ingestion. By using Herald you agree to this policy. It incorporates by reference the Terms & Conditions and the Privacy Policy.
Prohibited uses
You must not use Herald to:
- Transmit illegal content. You may not ingest, store, process, or transmit through Herald any content that is unlawful in the jurisdiction in which you or your users operate — including but not limited to child sexual abuse material (CSAM), content that incites violence against identifiable groups, or content that constitutes unlawful hate speech.
- Scrape or automate against the Herald service itself. You may not use automated tools to screen-scrape the Herald application, extract bulk data from the Herald interface, or call Herald endpoints in a way that is designed to circumvent usage controls or obtain data beyond your own tenant boundary.
- Reverse-engineer the AI agents. You may not attempt to extract, reconstruct, or replicate Herald's agent prompts, model routing, or reasoning chains — whether through repeated structured probing, differential analysis of outputs, or any other method.
- Access another tenant's data. You may not attempt to access, read, or modify data belonging to any other Herald account or product. The architecture enforces tenant isolation structurally; any attempt to bypass it is a violation of this policy and likely a violation of applicable computer-fraud law.
- Generate spam, phishing, or fraudulent content. You may not use Herald Output — briefings, chat responses, watchlist summaries, or any other generated content — to produce or distribute unsolicited bulk messages, deceptive communications, or content intended to defraud or mislead recipients.
- Jailbreak the LLM or extract system prompts. You may not submit queries to the Herald chat or briefing system that are designed to override model instructions, elicit outputs that violate Herald's content policies, or extract the underlying system prompt or agent configuration.
- Resell Herald Output as a service without authorization. You may not offer a product or service to third parties that is substantially a repackaging of Herald's Output unless you have a written partnership agreement with Herald permitting you to do so. Building internal tools for your own organization using Herald Output is permitted. Offering Herald's functionality to your customers under a different brand without authorization is not.
- Process data you are not authorized to process. You may not send Herald data — events, transcripts, emails, or any other payload — that you do not have the legal right to process, including data obtained in violation of another service's terms, data subject to restrictions you have not disclosed, or data that belongs to someone who has withdrawn consent.
- Circumvent rate limits or quotas through key rotation. You may not programmatically rotate SDK keys or create multiple accounts to exceed plan-level rate limits or quotas.
- Send regulated sensitive data. Herald is not a HIPAA-covered entity, not a PCI-DSS cardholder data environment, and not a system of record for government-regulated information. You must not send protected health information, full primary account numbers, or government-issued identification numbers through Herald.
Enforcement
We may suspend or terminate any account that violates this policy, with as much notice as the circumstances allow. For clear violations — CSAM, active security attacks, fraud — suspension may be immediate and without prior notice. For ambiguous situations, we will contact the account owner before acting where possible. Repeated or egregious violations result in permanent termination with no refund of prepaid fees.
We will cooperate with law enforcement when required by law and will preserve relevant data for a commercially reasonable period if we receive a valid legal hold.
Responsible disclosure
If you discover a security vulnerability in Herald, report it to security@withherald.co before disclosing it publicly. We will acknowledge receipt within one business day and work to resolve the issue promptly. Good-faith security research conducted within these bounds is not a violation of this policy. See withherald.co/security for our security posture and contact details.
Contact
To report a violation of this policy or to ask whether a specific use case is permitted, write to legal@withherald.co.