API Terms of Use

These API Terms of Use (the “API Terms”) govern access to and use of Hyvery’s application programming interfaces, webhooks, developer keys, SDKs, and related documentation (collectively, the “API”). These API Terms are incorporated by reference into the Hyvery Terms of Service (the “ToS”). Capitalized terms not defined here have the meanings in the ToS or DPA. If you accept these API Terms on behalf of an organization, you represent you have authority to bind that organization.

Order of Precedence. In case of conflict: the applicable Order Form (if any) controls, then the ToS, then these API Terms, then the AUP, SLA, and DPA.


1) Access, License & Scope

  • License. Subject to these API Terms, Hyvery grants you a limited, revocable, non‑exclusive, non‑transferable, non‑sublicensable license to call the API solely to build and operate an integration with Hyvery for your internal business use or as otherwise permitted in an Order Form.

  • Keys. You must obtain API credentials (e.g., client ID/secret, tokens) (“Keys”). Keys are confidential, belong to Hyvery, and may be revoked or rotated at any time. You must keep Keys secure (see §6) and use them only for the approved application(s).

  • Use Limits. Access is subject to published rate limits, quotas, concurrency, and fair‑use policies (docs or Order Form). Hyvery may throttle or block requests that exceed limits or threaten stability.

  • Ownership. Hyvery and its licensors retain all right, title, and interest in the API, SDKs, docs, and all derivatives. No rights are granted except as expressly provided.

2) Acceptable Use & Prohibited Activities

You will comply with the ToS, AUP, and law. Without limiting the AUP, you must not:

  1. Circumvent authentication, rate limits, or usage caps; scrape or bulk‑download beyond API allowances.

  2. Cache or store Hyvery data longer than necessary for the permitted purpose and in any case longer than your documented retention schedule or Customer’s instructions.

  3. Use data obtained via the API for advertising profiling, selling, or sharing (as defined by CPRA) without explicit, documented consent and a signed addendum.

  4. Publish, disclose, or resell API responses unless expressly authorized.

  5. Reverse engineer or derive source code from any non‑open‑source component of the API or SDKs (to the extent permitted by law, this does not limit rights under OSS licenses).

  6. Use test or production credentials interchangeably, or use production data in lower environments.

  7. Introduce Malicious Code, create excessive load, or interfere with monitoring/logging.

3) Data Rights, Privacy & the DPA

  • Controller/Processor. As between the parties, Customer controls Customer Data. Hyvery processes Customer Data as Processor per the DPA. You will only access, use, retain, and disclose Customer Data obtained via the API as permitted by Customer’s documented instructions and applicable law.

  • Service Data. Hyvery may collect operational telemetry (e.g., request metadata) to operate, secure, and improve the Service. We may create Aggregated/De‑identified Data that does not identify you or Customer.

  • Data Subject Requests. Your app must support deletion/update/portability and promptly pass through requests you receive that relate to data sourced from Hyvery.

  • Residency. Unless otherwise agreed, primary processing is in the United States with limited operations in Canada as disclosed.

4) Branding, Attribution & Public Listings

  • Do not use Hyvery’s names, logos, or trademarks without prior written permission, except for truthful statements like “Works with Hyvery.”

  • Hyvery may identify your integration on our site or marketplace. You may request removal in writing; Hyvery will consider requests in good faith.

5) Versioning, Deprecation & Changes

  • Semantic Versioning. Hyvery endeavors to follow semantic versioning: breaking changes in MAJOR versions, additive/compatible changes in MINOR, fixes in PATCH.

  • Deprecation. Hyvery will provide ≥90 days’ notice before removing or materially degrading an endpoint or field, and ≥180 days for widely used, breaking behavioral changes, except for security, legal, or third‑party dependency reasons requiring shorter timelines.

  • Beta/Preview. Beta/preview endpoints may change or end at any time and are provided AS IS without SLA.

6) Security Requirements

You must implement appropriate administrative, physical, and technical safeguards, including at minimum:

  • Key Management. Store Keys in a secrets manager; never hard‑code in client apps or commit to source control. Rotate at least annually and upon personnel changes or suspected compromise.

  • Auth. Use OAuth 2.0/OpenID Connect where available; use short‑lived tokens; implement PKCE for public clients; restrict redirect URIs; validate state and nonce.

  • Transport. Enforce TLS 1.2+; verify certificates; reject insecure ciphers.

  • Least Privilege. Request only the scopes and resources required; segregate duties; use service accounts for automation.

  • Input Validation. Validate and sanitize inputs; implement idempotency for mutating calls where supported.

  • Logging. Do not log secrets or sensitive personal data.

  • Incident Notice. Notify Hyvery at security@hyvery.com within 24 hours of discovering any breach of your systems affecting Hyvery data or Keys, and cooperate on containment and remediation.

7) Webhooks

  • Delivery. Hyvery webhooks use at‑least‑once delivery with retries and exponential backoff. Your endpoint must return 2xx within a reasonable timeout.

  • Verification. Verify X‑Hyvery‑Signature (HMAC‑SHA256 over the payload using your shared secret).

  • Idempotency. Handle duplicates using event IDs/timestamps and your own idempotency keys.

  • Security. Use HTTPS; allowlist Hyvery IP ranges if needed; rotate secrets periodically.
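
The verification and idempotency requirements above, sketched as a receiver. This is an added example, not Hyvery's code or part of these terms. It assumes the X-Hyvery-Signature header carries the hex-encoded HMAC-SHA256 of the raw request body and that each event has an "id" field; the function names, secret, and sample payload are constructed for illustration.

```python
import hashlib
import hmac
import json

def sign(secret: bytes, raw_body: bytes) -> str:
    # Assumption: hex-encoded HMAC-SHA256 over the exact bytes received.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, raw_body: bytes, header_value) -> bool:
    if not header_value:
        return False
    expected = sign(secret, raw_body).encode()
    supplied = header_value.strip().lower().encode("utf-8")
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(expected, supplied)

def handle_webhook(secret, raw_body, signature, seen_ids, process) -> int:
    """Return the HTTP status the endpoint should answer with."""
    # Verify before parsing: unauthenticated bytes never reach the JSON parser.
    if not verify_signature(secret, raw_body, signature):
        return 401
    try:
        event = json.loads(raw_body)
        event_id = str(event["id"])  # assumed field name
    except (ValueError, KeyError, TypeError):
        return 400
    if event_id in seen_ids:
        return 200  # retry of a delivered event: acknowledge, do not reprocess
    process(event)
    # Record only after success, so a failed attempt is retried by the sender.
    seen_ids.add(event_id)
    return 200

# Constructed sample data (not real Hyvery values).
SECRET = b"constructed-test-secret"
BODY = b'{"id": "evt_001", "type": "example.created"}'

def demo():
    seen, handled = set(), []
    good = sign(SECRET, BODY)
    statuses = [
        handle_webhook(SECRET, BODY, good, seen, handled.append),         # first delivery
        handle_webhook(SECRET, BODY, good, seen, handled.append),         # duplicate retry
        handle_webhook(SECRET, BODY + b" ", good, seen, handled.append),  # altered body
        handle_webhook(SECRET, BODY, None, seen, handled.append),         # missing header
    ]
    return statuses, len(handled)

if __name__ == "__main__":
    print(demo())
```

In production the seen-ID set would live in a durable store with an expiry, and the signature must be computed over the raw bytes before any framework re-serializes the JSON.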

8) Testing & Sandboxes

Use the provided sandbox for development and QA. Do not use production Customer Data in test environments. Populate with synthetic or de‑identified data only.

9) Fees & Overages

API access may be included in your Subscription or billed separately. Hyvery may charge for overage usage (e.g., calls, data transfer, storage) per the Order Form, price page, or written quote. Hyvery may suspend or throttle for persistent overages without payment.

10) Monitoring, Audits & Enforcement

Hyvery may monitor API usage (e.g., headers, request IDs, metadata) to operate, secure, and improve the Service and to enforce these API Terms. On reasonable notice, Hyvery may request logs or other evidence of compliance. Violations may result in warning, throttling, suspension, or termination of Keys or accounts.

11) Third‑Party Services & Dependencies

Integrations you enable with third‑party services are between you and those providers. Hyvery is not responsible for third‑party terms, performance, or outages. Your use of third‑party SDKs is at your risk.

12) Warranties, Disclaimers & Liability

The API (including beta/preview, SDKs, and webhooks) is provided “AS IS” and “AS AVAILABLE.” To the maximum extent permitted by law, Hyvery disclaims all warranties not expressly stated in the ToS. Service credits under the SLA are the sole and exclusive remedy for covered availability issues. Liability is limited as set forth in the ToS.

13) Indemnification

You will defend and indemnify Hyvery against: (a) claims arising from your apps or integrations; (b) your misuse of the API or data; (c) your violation of law or third‑party rights; or (d) third‑party claims relating to dependencies you choose.

14) Suspension & Termination

Hyvery may suspend or revoke Keys immediately for security, legal, or AUP reasons, or if your use threatens platform stability or violates these API Terms. Upon termination, you must stop calling the API and delete Keys and any cached Hyvery data unless retention is required by law or expressly permitted by Customer.

15) Export Controls & Sanctions

You will not access or use the API in violation of US or other applicable export/sanctions laws and will not permit access by denied parties.

16) Changes to API Terms

Hyvery may update these API Terms per the ToS change mechanism. Materially adverse changes for active annual terms will take effect on renewal unless you consent earlier.

17) Contact

Support: support@hyvery.com
Security: security@hyvery.com
Privacy: privacy@hyvery.com


Appendix A — Rate Limiting & Fair Use (Illustrative)

  • Per‑Tenant Caps: Requests per minute/hour/day; concurrent jobs; size limits for payloads and attachments.

  • Bursting: Short bursts may be allowed with token bucket algorithms; sustained excess throttled with 429 and Retry‑After.

  • Abuse Signals: Credential stuffing, rapidly repeated errors, excessive non‑existent resource calls may lead to automated blocking.

Appendix B — Data Handling Guidelines

  • Store only the minimal data necessary; avoid long‑term caching; encrypt at rest; rotate keys; implement deletion workflows aligned to Customer instructions.

  • Do not mix test and production data. Maintain separate projects/tenants, Keys, and secrets.

Appendix C — Security Checklist for Launch

  • Threat model key flows; review scopes; validate redirects and PKCE; implement HMAC verification for webhooks.

  • Centralize secrets; enable MFA for developer accounts; enforce least privilege in your CI/CD.

  • Run SAST/DAST/dependency scans; maintain an SBOM; perform code review; pen test high‑risk public integrations.

  • Document a support process (incident intake, severity, rollback).

  • Provide a privacy notice to your end users describing data collection and sharing with Hyvery.