API Terms of Service

Terms & Conditions for API Access and Usage

1. OVERVIEW

  • Provider: [Company Name], Inc.
  • Service: [API Name] available at [https://api.domain.com]
  • Status: Production API (SLA 99.5% uptime)
  • Documentation: [https://docs.domain.com/api]

2. DEFINITIONS

  • API: Application Programming Interface for programmatic access
  • API Key: Unique credential for authentication
  • Rate Limit: Maximum requests per time period (see tier)
  • Endpoint: Specific API resource (e.g., /users, /documents)

3. API ACCESS & AUTHENTICATION

  • Registration: Required. Create account at [domain.com/signup]
  • API Key: Generated upon signup (keep confidential)
  • OAuth 2.0: Supported for third-party integrations
  • TLS 1.3: All requests MUST use HTTPS
  • Token Expiration: 1 year (renewal required)

4. RATE LIMITING & USAGE TIERS

  Tier         Requests/Min   Requests/Day   Cost
  Free         10             1,000          $0
  Pro          100            50,000         $99/mo
  Enterprise   Unlimited      Unlimited      Custom

  • Rate Limit Exceeded: HTTP 429 response (retry after 60 seconds)
  • Burst Allowance: 1.5x rate limit for short spikes
  • Monitoring: Headers show current usage (X-RateLimit-Remaining)
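The tier table and the three bullets above describe an enforcement mechanism without showing one. The following is an added illustration, not the provider's code: a per-key token bucket that implements the Free and Pro limits, a 1.5x burst allowance, and a 429 response with the X-RateLimit-Remaining header. The X-RateLimit-Limit header, the Retry-After header and the injected clock parameter are assumptions for the example; the page names only X-RateLimit-Remaining and the 60-second retry interval.

```python
import time
from typing import Optional

# Per-minute limits from the tier table; Enterprise is unlimited and has no entry.
TIER_LIMITS = {"free": 10, "pro": 100}
BURST_FACTOR = 1.5          # page: burst allowance of 1.5x the rate limit
RETRY_AFTER_SECONDS = 60    # page: retry after 60 seconds on HTTP 429


class TokenBucket:
    """Token bucket for one API key.

    Capacity is the per-minute limit times the burst factor, so a short spike
    of up to 1.5x the limit passes; tokens refill at limit/60 per second, so
    the sustained rate cannot exceed the tier's Requests/Min figure.
    """

    def __init__(self, per_minute: int, now: float):
        self.per_minute = per_minute
        self.capacity = per_minute * BURST_FACTOR
        self.tokens = self.capacity   # a new key starts with a full bucket
        self.last = now

    def try_take(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        # Multiply before dividing so whole-minute refills stay exact.
        self.tokens = min(self.capacity,
                          self.tokens + (elapsed * self.per_minute) / 60.0)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def remaining(self) -> int:
        return int(self.tokens)


class RateLimiter:
    """Gate one request per call and return (status, response headers)."""

    def __init__(self, tier_limits: dict = TIER_LIMITS):
        self.tier_limits = tier_limits
        self.buckets: dict = {}

    def check(self, api_key: str, tier: str, now: Optional[float] = None) -> tuple:
        now = time.time() if now is None else now   # injectable clock (assumed)
        limit = self.tier_limits.get(tier)
        if limit is None:            # unlimited tier: no bucket, no headers
            return 200, {}
        bucket = self.buckets.get(api_key)
        if bucket is None:
            bucket = self.buckets[api_key] = TokenBucket(limit, now)
        headers = {"X-RateLimit-Limit": str(limit)}   # assumed companion header
        if bucket.try_take(now):
            headers["X-RateLimit-Remaining"] = str(bucket.remaining())
            return 200, headers
        # Bucket empty: refuse with 429 and tell the client when to come back.
        headers["X-RateLimit-Remaining"] = "0"
        headers["Retry-After"] = str(RETRY_AFTER_SECONDS)
        return 429, headers


if __name__ == "__main__":
    limiter = RateLimiter()
    # Constructed run: 16 back-to-back requests on a Free key at t=0.
    statuses = [limiter.check("key-constructed", "free", now=0.0)[0] for _ in range(16)]
    print(statuses)   # 15 x 200 (10/min plus 1.5x burst), then 429
```

Keying the bucket on the API key rather than the client IP is what makes the "multiple keys" circumvention in the AUP detectable: every key carries its own budget, and a burst of fresh keys from one account is visible in the provider's own logs.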

5. ACCEPTABLE USE POLICY

PROHIBITED USES:
  • ❌ Automated scraping (use API instead)
  • ❌ Reverse engineering API logic
  • ❌ DDoS attacks or stress-testing
  • ❌ Reselling API access without permission
  • ❌ Circumventing rate limits (proxies, multiple keys)
  • ❌ Accessing others' accounts (unauthorized)
  • ❌ Sending malicious payloads (SQL injection, XSS)
  • ❌ Violating GDPR, CCPA, or data protection laws

6. DATA PROTECTION & SECURITY

  • Data Retention: Customer data retained for [X] days after deletion
  • Encryption: AES-256 for stored data, TLS 1.3 for transit
  • API Logs: Retained for 90 days for security/debugging
  • GDPR Compliance: DPA required for personal data processing
  • Breach Notification: Within 24 hours if data exposed

7. WEBHOOKS & CALLBACKS

  • Webhook Delivery: HTTPS POST with HMAC-SHA256 signature
  • Retry Logic: Exponential backoff (up to 7 retries)
  • Timeout: 30 seconds (timeout = delivery failure)
  • Customer Responsibility: Must acknowledge within 30 seconds
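The four bullets above fix the protocol (HTTPS POST, HMAC-SHA256 signature, exponential backoff with up to 7 retries, 30-second acknowledgement window) but not how a customer should check the signature. The code below is an added example, not the provider's SDK: the sending side computes the MAC over the raw body, the receiving side verifies it in constant time before parsing anything, and a helper derives a backoff schedule for the retry count the page states. The header name, the shared secret, the sample event body, and the base and cap of the backoff are all assumptions; the page specifies none of them.

```python
import hashlib
import hmac
import string
from typing import Optional

# Constructed shared secret. In practice the provider issues it when the
# customer registers the webhook URL; the page does not say how it is shared.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"

# Assumed header name; the page says only that deliveries carry an
# HMAC-SHA256 signature.
SIGNATURE_HEADER = "X-Webhook-Signature"

# Constructed sample delivery body.
SAMPLE_EVENT = b'{"id":"evt_constructed_1","type":"document.created"}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Provider side: hex HMAC-SHA256 over the exact bytes of the POST body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, received: Optional[str]) -> bool:
    """Customer side: recompute the MAC over the raw body and compare it in
    constant time. Returns False for a missing, malformed or mismatched value."""
    if not received:
        return False
    received = received.strip().lower()
    if len(received) != 64 or any(c not in string.hexdigits for c in received):
        return False
    expected = sign_payload(secret, body)
    # compare_digest does not stop at the first differing byte, so the
    # response time does not reveal how much of a guess was right.
    return hmac.compare_digest(expected, received)


def handle_webhook(headers: dict, body: bytes) -> tuple:
    """Framework-agnostic endpoint logic returning (status, message).

    Verification happens before anything in the body is parsed, and a valid
    delivery is acknowledged at once so the provider does not record a
    30-second timeout and schedule a redelivery; real processing belongs on
    a queue, not inline in the request."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if not verify_signature(WEBHOOK_SECRET, body, lowered.get(SIGNATURE_HEADER.lower())):
        return 401, "invalid signature"
    # enqueue(body) would go here
    return 200, "accepted"


def retry_schedule(max_retries: int = 7, base_seconds: int = 30,
                   cap_seconds: int = 3600) -> list:
    """Provider-side redelivery delays: exponential backoff for the up-to-7
    retries the page describes. Base delay and cap are assumptions; the page
    states only the retry count."""
    return [min(cap_seconds, base_seconds * 2 ** i) for i in range(max_retries)]


if __name__ == "__main__":
    sig = sign_payload(WEBHOOK_SECRET, SAMPLE_EVENT)
    print(handle_webhook({SIGNATURE_HEADER: sig}, SAMPLE_EVENT))          # (200, 'accepted')
    print(handle_webhook({SIGNATURE_HEADER: sig}, SAMPLE_EVENT + b" "))   # (401, 'invalid signature')
    print(retry_schedule())   # [30, 60, 120, 240, 480, 960, 1920]
```

Two details matter in practice: the MAC must be computed over the raw request bytes, not over a re-serialised JSON object, or legitimate deliveries will fail on whitespace and key-order differences; and the endpoint must return a 2xx only after the check passes, since the page counts anything else as a delivery failure that triggers a retry.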

8. UPTIME & SERVICE LEVEL AGREEMENT (SLA)

  • Target Uptime: 99.5% per calendar month
  • Scheduled Maintenance: Sundays 20:00-22:00 CET (announced 5 days prior)
  • Emergency Downtime: Not counted against SLA (force majeure, security incidents)
  • SLA Credit: 10% monthly fee if SLA missed (pro-rata)

9. ERROR CODES & RESPONSES

  • 200 OK: Request successful
  • 400 Bad Request: Invalid parameters
  • 401 Unauthorized: Invalid or missing API key
  • 403 Forbidden: Access denied to resource
  • 404 Not Found: Resource doesn't exist
  • 429 Too Many Requests: Rate limit exceeded
  • 500 Server Error: Our fault (retry recommended)
  • 503 Service Unavailable: Maintenance or outage

10. PRICING & BILLING

  • Billing Cycle: Monthly, charged on signup date
  • Overage Charges: $0.001 per additional request (after tier limit)
  • Payment Method: Credit card (recurring) or invoice (Enterprise)
  • Cancellation: Anytime, effective end of billing cycle
  • Refund Policy: No refunds for partial months

11. LIABILITY & DISCLAIMERS

  • AS-IS Basis: API provided without warranties
  • Data Loss: Provider not liable for lost/corrupted data (backup your data)
  • Liability Cap: Limited to 12 months of fees paid (B2B)
  • Exceptions: Unlimited for gross negligence, GDPR violations, death/injury

12. TERMINATION

  • By User: Anytime (access revoked immediately)
  • By Provider: For AUP violations (notice + 30 days cure period)
  • Upon Termination: All API keys disabled, data deletion after 90 days

13. THIRD-PARTY INTEGRATIONS & SUBPROCESSORS

  • Third-Party Services: API may integrate with AWS (cloud hosting), Stripe (payments), Twilio (SMS), SendGrid (email) per AWS DPA
  • Subprocessor List: Current list at [https://domain.com/subprocessors]. Changes announced 30 days in advance
  • Data Flows: Personal data transferred to subprocessors only per documented instructions (GDPR Art. 28)
  • Liability: Provider responsible for subprocessor compliance; customer has no direct claim against subprocessor

14. API CHANGES & DEPRECATION

  • API Versioning: Current version: v3. Major version changes announced 90 days in advance
  • Endpoint Deprecation: Deprecated endpoints supported for 12 months minimum from deprecation notice
  • Breaking Changes: Non-breaking changes (new endpoints, new optional parameters) deployed without notice
  • Backwards Compatibility: Old API versions maintained for minimum 5 years (v1 support until [Date])
  • Migration Support: Provider offers free migration assistance for customers on deprecated versions

15. INTELLECTUAL PROPERTY & FEEDBACK

  • API IP Ownership: All API code, documentation, trademarks owned by Provider per 17 USC (Copyright)
  • Customer Content: Customer retains all IP rights to data transmitted via API
  • Feedback License: Any feedback/suggestions provided by customer may be used royalty-free by Provider for product improvements
  • No License: Access to API does NOT grant license to Provider IP (code, algorithms, business logic)

16. COMPLIANCE & REGULATORY

  • GDPR Compliance: Provider acts as Data Processor per GDPR Art. 28. DPA available upon request
  • HIPAA: API NOT HIPAA-compliant. Do NOT transmit Protected Health Information (PHI)
  • PCI DSS: API does NOT store credit cards. Payment data handled via PCI-compliant partners (Stripe, etc.)
  • SOC 2 Type II: Provider maintains SOC 2 Type II certification. Audit reports available to Enterprise customers
  • Compliance Certifications: ISO 27001 (information security), ISO 9001 (quality), updated [annually]

17. DISPUTE RESOLUTION & GOVERNING LAW

  • Governing Law: ☐ Delaware (USA) per Delaware Code ☐ German law (BGB) per German Civil Code
  • Disputes: Binding arbitration per US Federal Arbitration Act or DIS German Arbitration
  • Class Action Waiver: Both parties waive right to sue as class action. All disputes resolved individually
  • Injunctive Relief: Either party may seek temporary restraining order/injunction in court for IP infringement, AUP violations, urgent irreparable harm

CRITICAL API TERMS: API access is non-exclusive, revocable privilege (not property right). Rate limits enforced strictly (circumvention = immediate termination). Data security: AES-256 + TLS 1.3 mandatory. Webhooks must acknowledge within 30 sec (failure = retry). SLA 99.5% uptime (excludes scheduled maintenance, force majeure). Liability capped at 12 months fees (exceptions: GDPR violations, gross negligence, death/injury = unlimited). All disputes via arbitration in chosen jurisdiction. Subprocessor data flows documented in DPA.