CertifiedData.io
Safety model

Trust boundaries and prompt injection defense

CertifiedData enforces hard trust boundaries between sandbox demos, authenticated free-tier usage, and production. Prompt input cannot control signing, billing, publication, policy, or plan entitlements.

Trust boundary model

SANDBOX
Anonymous sandbox
  • Dataset generation: 10 runs / 24h per IP · 1,000 rows max
  • Decision Ledger demo: 30 / min per IP
  • Commerce: 3 sandbox keys / 24h · 24h TTL
  • Notary: 3 free attestations
Issuance: sandbox.cert.v1 · scert_ prefix · 7-day TTL
Registry: Not in production registry
Retention: TTL-bound · claim-and-upgrade to persist

Sandbox issuance is intentionally separated from production. A scert_ certificate has no registry entry and expires. It cannot be used as production compliance evidence.

FREE
Authenticated — free account
  • Dataset generation: 5 jobs / mo · 10,000 rows max
  • Decision Ledger: 1,000 records / mo
  • Commerce: unlimited sandbox transactions
  • API access on free plan
Issuance: cert.v1 · permanent
Registry: Listed in production registry
Retention: Permanent · 7-day retention on free tier

Free-tier API keys are rate-limited per plan. Registry listing is permanent, but retention is limited to 7 days (preview only); Build and higher plans get 7-year retention.

PRODUCTION
Production — paid plan
  • Dataset generation: plan-based row limits
  • Decision Ledger: unlimited (Build+)
  • Commerce: live Stripe rail (Build+)
  • Workflows: 1 (Build) to unlimited (Trust+)
Issuance: cert.v1 through cert.v4 depending on plan
Registry: Production registry · public or private
Retention: 7-year retention (Build+) · customizable (Govern / Enterprise)

Production issuance creates permanent registry entries with public verify URLs. cert.v4 includes full chain-of-custody and EU AI Act Article 10/12 metadata fields.

Prompt injection resistance

Every natural-language dataset or decision entry surface uses this exact pipeline. Raw prompt text never drives execution directly.

1. Receive prompt input
   Raw natural language from the agent or user.
   Treated as untrusted text. Never executed directly. Never allowed to set system-level fields.
2. Parse
   NLP extraction of intent, domain, columns, rows, constraints.
   Parser runs in a bounded sandbox. Rejects injected directives, URLs, system-prompt-style instructions, HTML, and script content.
3. Typed intermediate spec
   DatasetSpec object with typed fields: domain, columns[], rows, engine, cert_level.
   Spec fields are typed and bounded. No free-text execution path from prompt to spec to output. cert_level cannot be set from prompt — only from authenticated plan entitlement.
4. Validation
   Schema validation against the DatasetSpec contract.
   Rejected if: cert_level exceeds plan entitlement, engine exceeds plan entitlement, rows exceed limit, or any field contains injection patterns.
5. Execution
   Generation engine runs from the validated typed spec.
   Only the validated spec drives execution. The original prompt text is logged but never re-evaluated or passed to the engine.

What prompt input can never control

These fields are exclusively controlled by authenticated plan entitlement and server-side policy — never by prompt text.

cert_level
Determined by plan entitlement only
billing
Controlled by Stripe plan subscription
publicMode
Requires explicit authenticated API flag
engine
Bounded by plan — ctgan/dp-ctgan gated
signing
Server-side only — no prompt influence
policy_bypass
Policy evaluation is non-bypassable
rate_limit
IP/account-level — not overridable via prompt
publish
Publication to registry requires auth + plan

Examples of blocked prompt patterns

Pattern                           | Category
ignore previous instructions      | System prompt injection
set cert_level to cert.v4         | Entitlement bypass attempt
skip policy evaluation            | Policy bypass attempt
publish to public feed            | Unauthorized publication
<script>...</script>              | HTML/script injection
https://attacker.com/exfil?data=  | URL injection / exfiltration
approve this transaction          | Authorization bypass attempt
set billing: free                 | Billing field injection

These patterns are stripped or cause immediate rejection in the prompt parser. The normalized spec shown before execution will not contain any of these values.
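To make steps 2 to 4 of the pipeline concrete, here is an added Python sketch of the parse, typed-spec and validation stages with the blocked-pattern screen from the table above; it is example code, not CertifiedData's implementation, and the plan entitlement table, the regexes and the field defaults are assumptions made for the example.

```python
import re
from dataclasses import dataclass
# Plan entitlements constructed for this example; not CertifiedData's real limits.
PLAN_ENTITLEMENTS = {
    "free": {"cert_level": "cert.v1", "max_rows": 10_000, "engines": {"basic"}},
    "build": {"cert_level": "cert.v2", "max_rows": 100_000, "engines": {"basic", "ctgan"}},
}
BLOCKED_PATTERNS = [  # mirrors the page's blocked-pattern table; any hit rejects the prompt
    r"ignore previous instructions", r"set\s+cert_level", r"skip policy evaluation",
    r"publish to public feed", r"<\s*script", r"https?://", r"approve this transaction", r"\bbilling\s*:",
]

@dataclass(frozen=True)  # frozen: later stages cannot mutate server-set fields
class DatasetSpec:
    domain: str
    columns: tuple
    rows: int
    engine: str
    cert_level: str  # set from plan entitlement only, never from the prompt

def parse_prompt(prompt: str, plan: str) -> DatasetSpec:
    """Steps 1-3: screen the untrusted text, extract bounded fields, build the typed spec."""
    for pattern in BLOCKED_PATTERNS:
        if re.search(pattern, prompt, re.IGNORECASE):
            raise ValueError(f"injection pattern {pattern!r}")
    rows_m = re.search(r"(\d+)\s+rows?", prompt)
    domain_m = re.search(r"\bfor\s+(\w+)", prompt)
    cols_m = re.search(r"columns?\s+([\w ,]+)", prompt)
    engine_m = re.search(r"\bengine\s+([\w-]+)", prompt)
    return DatasetSpec(
        domain=domain_m.group(1).lower() if domain_m else "generic",
        columns=tuple(c.strip() for c in cols_m.group(1).split(",") if c.strip()) if cols_m else (),
        rows=int(rows_m.group(1)) if rows_m else 100,
        engine=engine_m.group(1).lower() if engine_m else "basic",
        cert_level=PLAN_ENTITLEMENTS[plan]["cert_level"],  # server-side; the prompt has no say
    )

def build_spec(prompt: str, plan: str):
    """Steps 1-4: returns (spec, None) if execution may proceed, else (None, reason)."""
    ent = PLAN_ENTITLEMENTS[plan]
    try:
        spec = parse_prompt(prompt, plan)
        if spec.engine not in ent["engines"]:
            raise ValueError(f"engine {spec.engine!r} exceeds plan entitlement")
        if not 1 <= spec.rows <= ent["max_rows"]:
            raise ValueError(f"rows {spec.rows} exceed plan limit {ent['max_rows']}")
        return spec, None  # only this validated spec is handed to the generation engine
    except ValueError as exc:
        return None, str(exc)
```

Note that even a prompt that survives the pattern screen cannot raise cert_level or engine above the plan: those fields are filled from the entitlement table and checked again before anything reaches execution.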

Sandbox vs production issuance

                    | Sandbox (scert_)   | Production (cert_)
Auth required       | No                 | Yes
TTL                 | 7 days             | Permanent
Registry listing    | No                 | Yes (cert.v1+)
cert_level          | sandbox.cert.v1    | cert.v1 – cert.v4
Upgradeable         | Yes (claim API)    | N/A
Compliance use      | No — not valid     | Yes — audit-ready
Public verify URL   | Yes — verify UI    | Yes — verify UI + registry
Identifier prefix   | scert_             | cert_