Terms of service

40 South Pty Ltd · ABN 54 698 132 188 · ACN 698 132 188

Effective date: 23 May 2026

1. Agreement

These terms of service ("Terms") form a binding agreement between you ("Customer," "you") and 40 South Pty Ltd, a company registered in New South Wales, Australia ("40 South," "we," "us," "our"). By accessing or using the 40 South Guard platform ("Guard," "the Service"), you agree to these Terms. If you are agreeing on behalf of an organisation, you represent that you have authority to bind that organisation.

2. The service

40 South Guard is AI compliance middleware. Guard sits between your business and your AI providers, scans AI interactions for Australian PII and prompt injection signatures (including in uploaded documents), generates cryptographically signed attestations on every call, and stores them in a tamper-evident audit trail.

Guard is a detective and evidentiary control, not a preventive guarantee. Guard does not replace your AI providers, does not provide AI models or generate AI responses, and does not make decisions on your behalf. Guard detects, signs, records, and surfaces.

Upstream providers. You choose your upstream AI providers and are responsible for maintaining your own accounts, API keys, and agreements with them. Your use of those providers is governed by your agreements with them, not by these Terms, and 40 South is not responsible for their acts, omissions, availability, or output.

3. Account and access

Account creation. To use Guard, your organisation must create an account. The person who creates the account is the initial administrator. Administrators can invite additional users and assign roles (such as CISO, auditor, or engineer).

Access credentials. You are responsible for keeping your login credentials and Guard API keys secure. Do not share API keys outside your organisation. Notify us at security@40south.au immediately if you believe your credentials have been compromised.

Authorised use. You may only use Guard for lawful business purposes consistent with these Terms. You may not use Guard to process data on behalf of third parties without our written agreement.

4. Subscription and payment

Pricing. Guard is available on two subscription tiers:

  • Starter: $2,500 per month (AUD), $30,000 per year. Includes up to 100,000 AI calls per month and all core compliance features.
  • Unlimited: $5,500 per month (AUD), $66,000 per year. Uncapped AI calls and configurable compliance profiles per team.

Both tiers include PII detection, prompt injection detection, attestation signing, audit trail storage (7 years), and standard support.

Pilot. We offer a 60-day pilot at a flat fee of $4,500 (AUD). The pilot includes full Guard functionality on one team or use case, integration support, policy setup, and a compliance gap report. No obligation to continue after the pilot. The pilot fee is credited against your first year if you convert.

Payment terms. Invoices are issued in advance (annually by default; monthly available on request). Payment is due within 14 days of the invoice date. All amounts are in Australian dollars and are exclusive of GST unless stated otherwise.

No lock-in. Either party may terminate the subscription at the end of any billing period with 30 days' written notice. There are no early termination fees.

Price changes. We will give you at least 60 days' written notice of any price increase. The new price takes effect at the start of the next billing period after the notice period.

5. Data handling and privacy

Your data is yours. All data processed through Guard belongs to you. We do not own, license, or claim any rights over your data.

Our role. For personal information contained in the data you submit to Guard, you are the entity responsible for that information and 40 South processes it as your service provider, on your documented instructions and for the purpose of providing the Service. We will make a data processing agreement available on request. Our handling of personal information is described in our Privacy Policy.

Data location. All data is processed and stored in Australia (Google Cloud Sydney, australia-southeast1, with failover to australia-southeast2). Data does not leave Australian borders during normal Guard operation.

Sub-processors. Our primary infrastructure sub-processor is Google Cloud, used in its Australian data centres. We maintain a current list of sub-processors that handle customer personal information and will give you reasonable notice of any new such sub-processor, so you can raise any concerns before it begins handling your data.

Data processing. We process your data solely to provide the Guard service. We do not use your data to train AI models. We do not sell your data. We do not share your data with third parties except as described in our Privacy Policy.

Audit trail. Guard maintains a tamper-evident audit trail of all AI interactions processed through the service. Evidence records are retained for 7 years, cryptographically signed and immutable once written.

PII handling. When Guard detects personal information in AI interactions, it records the detection (type, location, confidence level) in the attestation. By default, raw PII is removed from evidence records before storage. Where you enable the optional full-content logging configuration, content is captured and retained as you configure it and under your control.

6. Confidentiality

Confidential information. Each party may receive information that the other treats as confidential, including security configurations, architecture detail, compliance findings, pricing, and business information. Each party will use the other's confidential information only to perform under these Terms, protect it with at least the same care it uses for its own confidential information (and no less than reasonable care), and not disclose it except to personnel and advisers who need it and are bound by similar obligations.

Exclusions. Confidential information does not include information that is or becomes public through no fault of the receiving party, was already known to it without obligation, is independently developed, or is rightfully received from a third party.

Compelled disclosure. A party may disclose confidential information where required by law or a regulator, and will, where lawful, give the other reasonable notice so it can seek protection.

7. Data export and portability

During your subscription. You can export your compliance data, attestations, and audit trail at any time through the Guard dashboard or API. Export formats include JSON, CSV, and PDF.

On termination. After your subscription ends, you have 90 days to export your data. After 90 days, we will delete your account data and configuration. Audit trail records that fall within the 7-year retention period will be retained and made available to you on request.

8. Service levels

Uptime. We target 99.9% uptime for the Guard proxy and API services, measured monthly. Scheduled maintenance windows are excluded. Service credits apply where monthly uptime falls below the target, as set out in the applicable Order Form. Where service credits apply, they are your sole and exclusive financial remedy for a failure to meet the uptime target.

Latency. Guard adds minimal latency to AI interactions under normal operating conditions. We do not warrant specific latency figures, but we monitor performance continuously and will notify you of any significant degradation.

Support. Standard support is included. We respond to enquiries within one business day. Critical issues (service outage, security incident) are escalated immediately.

Incident notification. If we become aware of a security incident that affects your data, we will notify you within 72 hours and provide ongoing updates until the incident is resolved.

Exclusions. Service level commitments do not apply to outages or degradation caused by: upstream AI model provider failures, your acts or omissions, third-party network or infrastructure failures outside our reasonable control, or events of force majeure.

9. What Guard does and does not do

Guard does:

  • Scan AI interactions against configured compliance profiles
  • Detect Australian PII patterns (TFN, Medicare, ABN, BSB, and others) with multi-layered pattern matching and checksum validation where applicable
  • Detect prompt injection signatures in prompts and uploaded documents
  • Generate per-call cryptographically signed attestations
  • Maintain a 7-year tamper-evident audit trail
  • Provide compliance reporting and APRA-ready evidence export

Guard does not:

  • Guarantee that every instance of PII, prompt injection, or other policy event will be detected
  • Prevent every loss, breach, or incident arising from your use of AI
  • Provide legal advice or legal opinions on your compliance status
  • Guarantee regulatory compliance (Guard supplies evidence and detective controls; achieving and maintaining compliance is your organisation's responsibility)
  • Replace your compliance team, legal counsel, or auditors
  • Make automated decisions on behalf of your organisation
  • Provide AI models or generate AI responses

Guard is a tool that supports your compliance efforts. It does not substitute for professional legal or compliance advice. No AI compliance control can guarantee absolute prevention; Guard's value is in maximising detection, signing the evidence, and surfacing what slipped through so your team can act.

10. Your obligations

You agree to:

  • provide accurate information when creating your account
  • keep your credentials and API keys secure
  • select and configure your upstream AI model providers
  • design and control the prompts and data you submit to the Service
  • ensure your use of Guard complies with all applicable Australian laws (including the Privacy Act 1988 (Cth) and APP 8 where data is sent to overseas providers)
  • act on incidents and alerts surfaced by Guard within timeframes appropriate to your regulatory obligations
  • maintain your own internal controls, governance, and human-in-the-loop processes
  • not use the Service to store or transmit unlawful, infringing, or malicious content, or in any way that breaches a third party's rights
  • not use the Service to build, benchmark, or assist a competing product, or to resell or provide it to third parties as a service bureau, without our written agreement
  • not attempt to circumvent, disable, or interfere with Guard's security features
  • not reverse engineer, decompile, or attempt to extract the source code of Guard
  • not use Guard to process data you do not have lawful authority to process
  • notify us promptly of any suspected security incident involving your Guard account

11. Intellectual property

Our IP. Guard, including its software, documentation, algorithms, and brand, is owned by 40 South Pty Ltd. These Terms do not transfer any intellectual property rights to you.

Your data. You retain all rights in your data. We do not acquire any intellectual property rights in your data by processing it through Guard.

Aggregated telemetry. We may use aggregated, anonymised telemetry derived from Service usage to improve the Service. This telemetry does not contain personal information or customer-identifying detail.

Feedback. If you provide suggestions or feedback about Guard, we may use that feedback to improve the Service without any obligation to you.

Logo and case study rights. We may, with your prior written consent, reference your organisation's name and logo as a customer of Guard, and develop case studies based on your deployment. Specific uses are subject to your veto.

12. Assurance and audit cooperation

We understand that customers in regulated industries must oversee their material third-party providers (for example, under APRA CPS 234 and CPS 230). On request and subject to confidentiality, we will provide available compliance documentation — such as security and architecture summaries, completed security questionnaires, penetration test summaries, and independent assurance reports once available — and reasonable cooperation to help you meet your third-party assurance and audit obligations.

Any on-site or independent audit is by prior written agreement, at reasonable frequency and on reasonable notice, conducted during business hours, and in a way that does not disrupt our operations or compromise the security or confidentiality of other customers' data.

13. Warranty

Service warranty. We will perform the Service with reasonable care and skill, using commercially reasonable efforts to detect and record AI policy events (including PII exposure, prompt injection patterns, and document-embedded threats) in accordance with our published Documentation.

Disclaimer. Except as expressly stated in these Terms and to the maximum extent permitted by law:

  • We do not warrant that the Service will detect every instance of a policy event
  • We do not warrant that the Service or its output will be uninterrupted or error-free
  • We do not warrant that the Service will prevent every loss, breach, or incident
  • All other warranties, conditions, and representations (express or implied) are excluded

The Customer acknowledges that no AI policy control can guarantee absolute prevention.

Australian Consumer Law. Nothing in these Terms excludes, restricts, or modifies any consumer guarantee, right, or remedy under the Australian Consumer Law that cannot be excluded, restricted, or modified by agreement.

14. Liability

Liability cap. To the maximum extent permitted by law, each party's total aggregate liability arising out of or in connection with these Terms or the Service, whether in contract, tort (including negligence), under statute or otherwise, is capped at the total Fees paid by the Customer to 40 South in the twelve (12) months immediately preceding the event giving rise to the liability.

Excluded losses. To the maximum extent permitted by law, neither party is liable for indirect, consequential, special, or punitive damages, loss of profits, loss of revenue, loss of business opportunity, loss of goodwill, or loss of data (other than the cost of restoring data from your most recent backup), regardless of how those losses arise.

Cap exclusions. The liability cap does not limit liability for: (a) breach of confidentiality under section 6; (b) the intellectual property indemnity under section 15; (c) wilful misconduct or fraud; or (d) liability that cannot be excluded or limited under applicable law (including consumer guarantees under the Australian Consumer Law).

Your acts and omissions. We are not liable for any failure or delay caused by: outages or failures of upstream AI model providers; your misuse of the Service or breach of these Terms; modifications to the Service made by anyone other than us; third-party network or infrastructure failures outside our reasonable control; or events of force majeure (see section 20).

Nothing in these Terms excludes or limits any rights you have under the Australian Consumer Law that cannot be excluded or limited by contract.

15. Indemnity

Mutual IP indemnity. Each party will defend and indemnify the other against third-party claims alleging that (in our case) the Service as supplied by us, or (in your case) your data as submitted to the Service, infringes the intellectual property rights of a third party, subject to the indemnified party providing prompt notice, reasonable cooperation, and control of the defence.

Customer indemnity. You agree to indemnify 40 South against claims, losses, or expenses arising from: your breach of these Terms; your use of Guard in violation of applicable law; data processed through Guard that you did not have lawful authority to process; or representations made about the Service outside the language we have published.

16. Term and termination

By you. You may cancel your subscription at any time with 30 days' written notice. Your access continues until the end of the current billing period.

By us. We may suspend or terminate your access if you breach these Terms and fail to remedy the breach within 14 days of written notice. We may also terminate immediately if required by law or if your use of Guard poses a security risk to other customers.

Effect of termination. On termination, your access to the Guard dashboard and API is revoked. You have 90 days to export your data. Audit trail records within the 7-year retention window remain accessible on request.

17. Dispute resolution

Good-faith resolution. If a dispute arises out of or in connection with these Terms, the parties will first try to resolve it by good-faith discussion between senior representatives within 30 days of written notice of the dispute.

Mediation. If the dispute is not resolved by discussion within that period, the parties will attempt to resolve it by mediation administered by the Australian Disputes Centre (ADC) in Sydney, in accordance with the ADC's mediation guidelines. The costs of mediation are shared equally.

Escalation. If the dispute is not resolved within 30 days of the mediation commencing (or if mediation is declined by either party), either party may pursue the matter through the courts identified in section 19 (Governing law).

Urgent relief and continued performance. Nothing in this section prevents either party from seeking urgent injunctive or equitable relief. Each party will continue to meet its obligations while a dispute is being resolved.

18. Changes to these terms

We may update these Terms from time to time. We will give you at least 30 days' written notice of material changes. If you do not agree to the updated Terms, you may terminate your subscription before the changes take effect.

19. Governing law

These Terms are governed by the laws of New South Wales, Australia. The parties submit to the non-exclusive jurisdiction of the courts of New South Wales.

20. Force majeure

Neither party is liable for any failure or delay in performing its obligations (other than payment obligations) to the extent caused by events beyond its reasonable control, including natural disasters, fire, flood, power or telecommunications failures, acts of government, war, terrorism, civil unrest, epidemics or pandemics, or failures of upstream providers or third-party infrastructure. The affected party will take reasonable steps to mitigate the impact and resume performance as soon as practicable.

21. General

Entire agreement. These Terms, together with our Privacy Policy and any Order Form, constitute the entire agreement between you and 40 South regarding the Service.

Order of precedence. If there is any inconsistency between these Terms and an Order Form, the Order Form prevails to the extent of the inconsistency for that order.

Survival. Provisions that by their nature should survive termination — including Data handling and privacy (section 5), Confidentiality (section 6), Intellectual property (section 11), Warranty (section 13), Liability (section 14), Indemnity (section 15), and Governing law (section 19) — survive termination or expiry of these Terms.

Severability. If any provision of these Terms is found to be unenforceable, the remaining provisions continue in full force.

Waiver. A failure to enforce any provision of these Terms is not a waiver of that provision.

Assignment. You may not assign your rights under these Terms without our written consent. We may assign our rights in connection with a merger, acquisition, or sale of assets, provided the assignee agrees to be bound by these Terms.

No third-party beneficiaries. These Terms do not confer any rights on any person or entity other than the parties and their permitted successors and assigns.

Notices. Notices to 40 South should be sent to legal@40south.au. Notices to you will be sent to the email address associated with your account.

22. Contact

Legal enquiries: legal@40south.au

General enquiries: hello@40south.au

40 South Pty Ltd (ABN 54 698 132 188 · ACN 698 132 188), New South Wales, Australia