API Terms of Service

1. API Access and License

1.1 License Grant. Dyva grants you a limited, non-exclusive, non-transferable, revocable license to access and use the API for developing, testing, and operating applications that integrate with Dyva ("Client Applications"). This license is conditioned on your compliance with these API Terms.

1.2 Account Requirements. API access requires a Pro subscription ($30/month) or above. Your tier determines your rate limits, available endpoints, and feature access. Creator and Enterprise plans get higher limits and additional capabilities. See our rate limits documentation for the full breakdown.

1.3 API Keys. You authenticate via API keys generated from your Dyva dashboard. Treat them like passwords:

• Never share your keys with anyone
• Never embed keys in client-side code, mobile apps, or public repositories
• Store keys in environment variables or a secrets manager -- not in source code
• Rotate keys regularly and immediately revoke any key you suspect is compromised
• Use separate keys for development and production environments

You are responsible for all activity under your API keys. If someone else uses your key, that is on you.

1.4 SDKs and Libraries. We may provide official SDKs and client libraries. These are provided under their respective open-source licenses and are subject to these API Terms when used to access the Dyva API.

2. Permitted and Prohibited Uses

2.1 What You Can Build. You can use the API to:

• Create, configure, and manage Dyvas programmatically
• Integrate Dyva conversations (text and voice) into your applications
• Build tools, dashboards, and utilities that complement the Dyva platform
• Access and export your own account data for backup, analytics, or integration
• Embed Dyva characters in websites, apps, Discord servers, Telegram bots, and Slack workspaces
• Build custom interfaces on top of Dyva's conversation and knowledge base APIs
• Create white-label experiences using the embedding features

2.2 What's Banned. Do not:

• Resell or redistribute raw API access without our written permission
• Build a service that directly competes with Dyva's core product using our API
• Circumvent, bypass, or disable rate limits, authentication, or any security mechanism
• Scrape, crawl, or systematically extract data beyond what the API is designed to provide
• Use API outputs to train, fine-tune, or develop machine learning models without our written consent
• Misrepresent your application's relationship with Dyva (do not imply endorsement or official affiliation)
• Access the API from more accounts or keys than your subscription tier allows
• Use the API to send spam, conduct phishing, or facilitate any illegal activity
• Reverse engineer the API or attempt to extract Dyva's proprietary models or algorithms
• Violate the Acceptable Use Policy or any applicable law

3. Rate Limits and Quotas

3.1 Per-Tier Limits. Every API endpoint has rate limits and quotas that vary by subscription tier. The full, current limits are documented at /docs/rate-limits. Do not hardcode our limits -- they may change.

3.2 Response Headers. Every API response includes rate limit headers so you can track your usage in real time:

• X-RateLimit-Limit -- your maximum requests for the current window
• X-RateLimit-Remaining -- requests remaining in the current window
• X-RateLimit-Reset -- Unix timestamp when the window resets
• Retry-After -- seconds to wait before retrying (included with 429 responses)

3.3 Handling 429s. When you hit a rate limit, you get an HTTP 429 Too Many Requests response. Respect the Retry-After header and implement exponential backoff. Do not hammer the API -- persistent or intentional circumvention of rate limits will get your access revoked.

3.4 Limit Changes. We may adjust rate limits at any time. For reductions to existing tier limits, we will give at least 14 days notice so you have time to adapt.

4. Data and Privacy

4.1 Your Data Through the API. Data you send through the API is handled per our Privacy Policy. API conversation data follows the same retention and handling rules as data from the web interface.

4.2 No Training on Your API Data. By default, we do not use data submitted through the API to train or improve our AI models. Your prompts, conversations, and knowledge base content remain yours. If we ever change this default, you will be notified and given the ability to opt out before any change takes effect.

4.3 Your Responsibilities. If your application processes personal data through the Dyva API, you must:

• Maintain a privacy policy that discloses your use of third-party AI services
• Obtain proper consent from your end users before sending their data to Dyva
• Comply with all applicable data protection laws (GDPR, CCPA, and others relevant to your users)
• Promptly notify us of any data breach that may affect data processed through the API

4.4 Data Processing Agreement. If you process personal data of individuals in the EEA, UK, or Switzerland through the API, our Data Processing Agreement applies automatically.

5. Security Requirements

Security is not optional. If you use our API, you agree to these baseline requirements:

• HTTPS Only. All API requests must use HTTPS. We do not accept plaintext HTTP connections. Ever.
• Key Storage. Store API keys securely using environment variables, secrets managers, or encrypted vaults. Never in source code, config files committed to version control, or client-side bundles.
• Key Rotation. Rotate your API keys at least every 90 days. Immediately rotate if you suspect any compromise.
• Access Control. Limit API key access to the minimum number of people and systems necessary.
• Breach Notification. If you discover or suspect unauthorized access to your API keys or any data processed through the API, notify us at security@dyva.ai within 24 hours.

We reserve the right to suspend API access immediately if we detect a security vulnerability in your integration that poses a risk to our platform or other users.

6. Service Level and Support

6.1 Uptime Target. We target 99.9% uptime for the API but do not guarantee it. The API is provided "as is" and "as available." We will communicate scheduled maintenance at least 48 hours in advance when possible.

6.2 Status Page. Real-time API status, incident reports, and maintenance schedules are published at status.dyva.ai. Subscribe for notifications if uptime matters to your application (and it should).

6.3 Support. API support is available through: (a) developer documentation at /docs; (b) email at api@dyva.ai; and (c) community channels. Response times depend on your subscription tier -- Enterprise customers get priority support with defined SLAs.

6.4 No Default SLA. Unless you have a separate Enterprise Agreement with specific SLA commitments, no service level agreement applies. We are not liable for downtime, latency spikes, or temporary unavailability. Build your applications with appropriate error handling and fallbacks.

7. API Changes and Versioning

7.1 Versioning. The API is versioned (currently v1). We maintain backward compatibility within a major version wherever commercially reasonable. Non-breaking additions (new endpoints, new optional fields) can happen without a version bump.

7.2 Breaking Changes. When we need to introduce breaking changes, we will: (a) give at least 30 days notice via email and developer changelog; (b) release breaking changes under a new API version when possible; and (c) keep the previous version running for at least 90 days after the new version launches.

7.3 Deprecation Policy. We may deprecate specific endpoints, features, or parameters. Deprecated items will be flagged in the documentation and in response headers (Deprecation and Sunset headers). Deprecated features continue working for at least 60 days from the deprecation announcement. Use that time to migrate.

7.4 Migration Support. For major version transitions, we provide migration guides, changelogs, and SDK updates. We want your integrations to keep working -- breaking things is not the goal.

8. Fees and Billing

8.1 Credit-Based Pricing. API usage is billed through Dyva's credit system. Your subscription includes a monthly credit allotment. Each API call consumes credits based on the endpoint, model, and resources used. Current pricing is at /pricing.

8.2 Overages. When you exhaust your monthly credits, additional usage is billed at your tier's overage rate. We will warn you at 80% and 100% of your credit allotment. You can set hard spending limits in your dashboard to prevent surprises.

8.3 Enterprise Pricing. For high-volume or custom requirements, contact us at enterprise@dyva.ai. Enterprise agreements can include custom rate limits, dedicated infrastructure, SLAs, and volume pricing.

8.4 Price Changes. We may change API pricing with at least 30 days notice. Price changes do not affect the current billing period.

9. Intellectual Property

9.1 Dyva's IP. The API, its documentation, SDKs, and all associated intellectual property belong to Dyva. These terms do not grant you rights to our trademarks, logos, or branding. Do not use Dyva marks in ways that imply endorsement or official affiliation without our written consent.

9.2 Your Applications. You own your Client Applications. We claim no ownership over what you build with the API. Your code, your designs, your users -- all yours.

9.3 API Output Ownership. Content generated through the API (AI responses, generated images, synthesized voice) is owned by you to the extent permitted by applicable law, subject to our Terms of Service and any limitations of the underlying AI models. You are responsible for how you use and distribute generated content.

9.4 Attribution. You are not required to display Dyva attribution in your applications, but we appreciate it. If you do reference Dyva, follow our brand guidelines.

9.5 Feedback. If you share suggestions, feature requests, or bug reports about the API, you grant Dyva a perpetual, royalty-free license to use that feedback without obligation to you. We value developer input -- it makes the platform better for everyone.

10. Termination

10.1 By You. You can stop using the API at any time. Revoke your API keys from the dashboard. No notice required, no hard feelings.

10.2 By Dyva. We may suspend or terminate your API access immediately if: (a) you breach these API Terms, the Terms of Service, or any Dyva policy; (b) your usage poses a security risk to our platform or other users; (c) we need to comply with a legal obligation; or (d) your account is terminated for any reason.

10.3 After Termination. When your API access ends: (a) your API license terminates immediately; (b) stop all API usage; (c) delete any cached Dyva data within 30 days, unless law requires you to keep it; (d) your end users lose access to Dyva-powered features in your application. Plan accordingly.

10.4 Survival. Sections 4 (Data and Privacy), 5 (Security), 8 (Fees -- for outstanding balances), 9 (IP), and this Section 10 survive termination.

11. Disclaimer and Limitation of Liability

THE API IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. TO THE MAXIMUM EXTENT PERMITTED BY LAW, DYVA DISCLAIMS ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.

DYVA'S TOTAL LIABILITY UNDER THESE API TERMS IS CAPPED AT THE FEES YOU PAID FOR API ACCESS IN THE 12 MONTHS PRECEDING THE CLAIM. DYVA IS NOT LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST DATA, BUSINESS INTERRUPTION, OR COST OF SUBSTITUTE SERVICES.

You acknowledge that: (a) AI-generated outputs may be inaccurate, incomplete, or inappropriate; (b) the API may experience downtime or performance issues; (c) you are responsible for validating API outputs before presenting them to your users. Build defensively.

12. Contact

API and developer questions: api@dyva.ai

Security issues: security@dyva.ai

Legal matters: legal@dyva.ai

For API bugs and feature requests, use the developer portal or email api@dyva.ai with your API key prefix (first 8 characters only -- never send the full key).