API & Developer Terms

Hive Bastion LLC · Version 1.0 · Effective 24 June 2026

0. About This Document

These API and Developer Terms (the "API Terms") govern access to and use of any application programming interface, integration endpoint, webhook, software development kit, sample code, or related developer-facing capability (collectively, the "API") that Hive Bastion LLC ("Hive Bastion," "we," "us," or "our") makes available.

These API Terms are a supplement to, and are incorporated by reference into, the Hive Bastion Terms of Service. They do not replace the Terms of Service. Where these API Terms address a topic also addressed in the Terms of Service, these API Terms control only as to API use; in all other respects the Terms of Service govern. Capitalized terms not defined here have the meanings given in the Terms of Service.

These API Terms also incorporate by reference the Hive Bastion Acceptable Use Policy, Privacy Policy, and — where personal data is processed on a customer's behalf — the Data Processing Addendum.

Published terms are a gateway, not the contract. These published API Terms state a good-faith baseline for use of the API. Any paid engagement, enterprise integration, or custom API arrangement is governed by a separate signed written agreement between the parties, which controls in the event of any conflict with these published API Terms.

Order of precedence. Unless a signed agreement states otherwise, in the event of conflict the order of precedence is: (1) any signed written agreement between the parties; (2) the Data Processing Addendum as to processing of personal data; (3) these API Terms as to API use; (4) the Acceptable Use Policy; and (5) the Terms of Service and Privacy Policy.

This document contains AI-related provisions where the API conveys AI-generated output. See the AI-output disclosure in Section 14.

1. Definitions

2. License to Use the API

2.1 Grant

Subject to your continuous compliance with these API Terms, the Terms of Service, the Acceptable Use Policy, and any applicable signed agreement, Hive Bastion grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use the API and Documentation solely to develop, test, and operate your Customer Application and to interact with the Hive Bastion services to which you are authorized.

2.2 Reservation of Rights

All right, title, and interest in and to the API, the Documentation, and the underlying services — including all intellectual property — remain with Hive Bastion and its licensors. No rights are granted by implication, estoppel, or otherwise except as expressly stated. Nothing in these API Terms transfers ownership of the API to you.

2.3 Restrictions

You will not, and will not permit any third party to:

1. copy, modify, translate, or create derivative works of the API or Documentation except as expressly permitted;
2. reverse engineer, decompile, or disassemble any non-public portion of the API, or attempt to derive source code, models, or training data, except to the extent this restriction is prohibited by applicable law;
3. use the API to build a product or service that is substantially similar to, or competitive with, the Hive Bastion services, where the API is used as a primary input to that competing product;
4. circumvent or attempt to circumvent any rate limit, quota, access control, or security mechanism;
5. remove, obscure, or alter any proprietary notice, disclosure, or attribution conveyed through the API; or
6. use the API in violation of the Acceptable Use Policy or any applicable law.

3. Authentication and API-Key Security Obligations

This section is written in the two-layer posture used across Hive Bastion security documentation: a committed standard, an honest description of current implementation, and a roadmap for maturation.

3.1 Standard / Commitment

• API access is authenticated using API Credentials issued to the Integrator. You are solely responsible for all activity that occurs under your API Credentials.
• You will treat API Credentials as confidential information and protect them with commercially reasonable safeguards designed to prevent unauthorized access — at minimum, storage in a secrets manager or equivalent protected store, never in client-side code, public repositories, logs, URLs, or distributed binaries.
• You will transmit and use API Credentials only over encrypted channels (TLS).
• You will scope credentials to the minimum access required (least privilege) where the API supports scoped credentials, and you will rotate credentials promptly upon suspected compromise, personnel change with access, or on a periodic cadence.
• You will notify Hive Bastion without undue delay (contact: david@hivebastion.com) upon learning of any actual or suspected compromise, exposure, or misuse of API Credentials.

3.2 Current Implementation Status

• API Credentials, where issued, are managed using individual accounts with multi-factor authentication where supported and a password/secrets manager.
• The API is served over TLS inherited from Hive Bastion's hosting and edge providers (Google Cloud Platform; Cloudflare).
• Credential revocation today is performed manually by Hive Bastion upon notice.

3.3 Roadmap

• Self-service credential rotation and scoped-key issuance for Integrators.
• Automated detection of leaked credentials (e.g., secret-scanning on connected repositories) and proactive revocation.
• Formalized key-rotation cadence documented in the Password & Credential Policy and enforced operationally.

4. Rate Limits and Fair Use

4.1 Standard / Commitment

• We may apply rate limits, quotas, concurrency caps, and payload-size limits to the API to protect availability, security, and equitable access for all users.
• Published rate limits, where stated in the Documentation, are targets designed to balance performance and stability; they are not a guaranteed throughput level and may change.
• You will design your Customer Application to respect rate-limit responses, to back off and retry responsibly (e.g., honoring Retry-After semantics where provided), and to avoid patterns that degrade the service for others.

4.2 Current Implementation Status

• Rate limiting and edge protections are applied at the hosting/edge layer (Cloudflare; Cloud Run request handling).
• We do not commit to a fixed numeric throughput on this public page; specific limits, if any, are stated in the Documentation or a signed agreement.

4.3 Roadmap

• Per-Integrator quota tiers and usage dashboards.
• Documented, versioned rate-limit policy published alongside the API reference.

5. Acceptable Use

Your use of the API is subject to the Hive Bastion Acceptable Use Policy, which is incorporated by reference. Without limiting the AUP, you will not use the API to:

1. transmit unlawful, infringing, deceptive, or harmful content;
2. attempt to gain unauthorized access to any system, account, or data;
3. interfere with or disrupt the integrity or performance of the API or the underlying services;
4. submit data you are not authorized to submit, or use the API in a manner that violates the privacy or rights of any individual; or
5. use the API in connection with a prohibited use described in the AUP.

We may investigate suspected violations and take action consistent with Section 9 (Suspension).

6. Data Handling for Passed-Through Data

This section describes how data submitted to or returned through the API is handled. It applies the Hive Bastion data-minimization / transient pass-through default.

6.1 Data-Minimization Default

Hive Bastion is designed to store no Passed-Through Data it does not need to provide the requested function. Where the API's function is to validate, transform, classify, or route data into the Integrator's own system or a Third-Party Platform, that data is designed to pass through to the Integrator's own destination without retention by Hive Bastion beyond what is operationally necessary (for example, transient processing in memory and short-lived operational logging); see the Data-Flow & Architecture document.

6.2 Roles and Privacy Documents

• Where Passed-Through Data includes personal data and Hive Bastion processes it on the Integrator's or its customer's behalf, Hive Bastion acts as a processor/service provider, and processing is governed by the Data Processing Addendum under a signed agreement. The Privacy Policy describes our general handling of personal data.
• You are responsible for ensuring you have the necessary rights, notices, and lawful basis to submit any Passed-Through Data through the API, including any personal data of your customers or consumers.
• Consumer-contact consent. Where Passed-Through Data is used by your Customer Application to contact consumers (including calls, texts/SMS, fax, or email), you are solely responsible for obtaining and maintaining all consents required under the Telephone Consumer Protection Act (TCPA), CAN-SPAM, state telemarketing and mini-TCPA statutes, and applicable do-not-call requirements, and for honoring opt-outs. Hive Bastion does not obtain or verify such consents and is not a sender, caller, or marketer with respect to your communications.

6.3 No Model Training; Data Residency

• No model training. Hive Bastion does not itself use customer or consumer personal data, or client confidential data, submitted through the API to train, fine-tune, or otherwise improve any AI model. For third-party AI providers, Hive Bastion selects and configures each provider so that, under the provider's then-current terms, submitted content is not used by the provider to train its models by default, and Hive Bastion does not opt into any program that would change that posture. Hive Bastion does not warrant the conduct of third-party providers beyond their published terms; where an engagement requires a contractual no-training commitment stronger than a provider default, that term is captured in the governing Data Processing Addendum.
• Data residency. Hive Bastion is designed to process and store Passed-Through Data in the United States. Certain global infrastructure providers (for example, Google, Cloudflare, and GitHub/Microsoft) may process limited operational or transit metadata outside the United States in the ordinary operation of their global networks. Where an engagement requires strict US-only processing or restricts international transfers, that requirement is addressed in the governing Data Processing Addendum, including any applicable transfer mechanism (such as the EU Standard Contractual Clauses or the UK IDTA).

6.4 Logging

We maintain operational logs (e.g., request metadata, error events) as needed for security, debugging, and abuse prevention, consistent with the Logging & Monitoring Policy and the Data Retention & Destruction Policy. We strive to minimize personal data in logs.

7. No Resale or Sublicensing

1. You may not resell, redistribute, rent, lease, sublicense, or otherwise make the API available to any third party as a standalone product or service.
2. You may not provide access to the API, or use your API Credentials, on behalf of an entity other than the one to which the Credentials were issued, except as expressly permitted in a signed agreement.
3. You may use the API solely within your own Customer Application to serve your own end users. Exposing a thin pass-through wrapper whose primary value is reselling Hive Bastion API access is prohibited.
4. Any use of the API as part of a multi-tenant or reseller arrangement requires a separate signed written agreement with Hive Bastion.

8. Service Changes and Deprecation Policy

8.1 Standard / Commitment

• The API is evolving. We may add, modify, version, or deprecate API features, endpoints, fields, or behaviors.
• For backward-incompatible (breaking) changes to a generally available API, we will use commercially reasonable efforts to provide advance notice through the Documentation, a changelog, or direct communication to active Integrators, and to provide a reasonable deprecation window, designed to give Integrators time to adapt.
• Beta, preview, experimental, or clearly-labeled non-GA features may change or be withdrawn at any time without the deprecation window above. We do not guarantee their availability.

8.2 Current Implementation Status

• Change communication today is operator-driven (changelog and/or direct notice to known active Integrators).

8.3 Roadmap

• Published, versioned changelog and a documented deprecation-window standard.
• Programmatic deprecation signals (e.g., sunset headers) for affected endpoints.

We do not guarantee that any API feature will be maintained, uninterrupted, or error-free. See Sections 12 and 13.

9. Suspension for Violation

1. We may suspend or revoke your access to the API, or specific API Credentials, in whole or in part, where we reasonably believe: (a) you have violated these API Terms, the Terms of Service, or the Acceptable Use Policy; (b) your use poses a security, legal, or stability risk to the API, the services, or other users; (c) your API Credentials are compromised; or (d) suspension is required by law or by a Third-Party Platform's requirements.
2. Where practicable and where it does not increase risk, we will use commercially reasonable efforts to notify you of a suspension and, where the underlying issue is curable, to describe what is needed to restore access.
3. For urgent security or abuse situations, we may suspend access immediately and notify you as soon as practicable.
4. Suspension does not relieve you of obligations accrued before suspension, including payment obligations under any signed agreement.

10. Integrator / Customer Responsibility for Third-Party Platforms

This is a material obligation. Read it carefully.

When your Customer Application connects the API to any Third-Party Platform — for example, a CRM, MLS/IDX feed, transaction-management system, brokerage platform, email/calendar provider, or payment processor — you, the Integrator, are solely responsible for that connection and its compliance. Specifically, you represent, warrant, and agree that:

1. You hold all required developer approvals, API access rights, and credentials for each Third-Party Platform you connect, and you will maintain them in good standing for the duration of your use.
2. You comply with each Third-Party Platform's terms, developer agreements, API policies, data-use rules, branding/display requirements, and any platform-specific data-handling or display obligations (for example, MLS/IDX display rules, brokerage data-use restrictions, or CRM platform terms).
3. You have the necessary authorization and lawful basis to route Passed-Through Data to and from each Third-Party Platform, including any personal data of your customers or consumers.
4. You are responsible for the configuration and security of your Third-Party Platform connections, including the credentials you use to authenticate to those platforms.
5. Hive Bastion is not a party to, and assumes no responsibility for, your agreements with any Third-Party Platform. Hive Bastion does not warrant the availability, accuracy, or continued accessibility of any Third-Party Platform, and is not responsible for changes a Third-Party Platform makes to its own API, terms, or access policies.
6. You will indemnify Hive Bastion for claims arising from your failure to comply with a Third-Party Platform's terms or to hold required platform approvals, as set out in Section 10A (Indemnification by Integrator), the Terms of Service, and any signed agreement.

10A. Indemnification by Integrator

You will defend, indemnify, and hold harmless Hive Bastion LLC, its members, contractors, and agents from and against any third-party claim, demand, loss, liability, damage, cost, or expense (including reasonable attorneys' fees) to the extent arising from or related to:

1. your Customer Application or your use of or access to the API;
2. any Passed-Through Data you submit, route, or process, including any claim that you lacked the rights, consents, notices, or lawful basis to do so;
3. your violation of these API Terms, the Acceptable Use Policy, the Terms of Service, or applicable law (including the TCPA, CAN-SPAM, and consumer-protection, privacy, and communications laws);
4. compromise, loss, or misuse of your API Credentials;
5. your failure to comply with any Third-Party Platform's terms or to hold required platform approvals; or
6. your end users' claims arising from your Customer Application.

This obligation supplements, and is in addition to, the indemnification provisions of the Terms of Service; where both apply, the broader obligation controls. The procedure (notice, cooperation, control of defense, and no settlement imposing non-monetary obligations on the indemnified party without consent) in the Terms of Service applies.

11. Your Application's Obligations to End Users

1. Privacy and notice. Your Customer Application must provide its own end users with a privacy notice and obtain any consents required by law for the data it collects and routes through the API. Without limiting the foregoing, where your Customer Application contacts consumers (including calls, texts/SMS, fax, or email), you are solely responsible for obtaining and maintaining all consents required under the TCPA, CAN-SPAM, state telemarketing and mini-TCPA statutes, and applicable do-not-call requirements, and for honoring opt-outs; Hive Bastion is not a sender, caller, or marketer with respect to your communications.
2. AI-output handling. Where the API returns AI-generated output, your Customer Application must present that output consistent with the AI-output disclosure in Section 14 and must not represent AI output as a regulated determination, professional advice, or a guaranteed result.
3. Support. You are responsible for first-line support of your own end users. Hive Bastion supports the Integrator, not the Integrator's end users, except as set out in a signed agreement.
4. Security of your application. You are responsible for the security of your Customer Application, including secure handling of API Credentials and Passed-Through Data on your side of the integration.

12. Documentation; Sample Code; Feedback

1. Documentation is provided to assist integration and may change. The API's actual behavior controls over any inconsistent Documentation; report discrepancies to david@hivebastion.com.
2. Sample code is provided "as is," for illustration only, and you are responsible for reviewing, testing, and securing any code you adopt.
3. Feedback. If you provide suggestions or feedback about the API, you grant Hive Bastion a perpetual, irrevocable, royalty-free license to use it without restriction or obligation to you. Feedback is provided voluntarily and on a non-confidential basis; you should not include in Feedback any information you consider confidential or proprietary. This license does not grant Hive Bastion any rights in your pre-existing intellectual property or Confidential Information except as embodied in the Feedback you choose to disclose, and Hive Bastion is under no obligation to use any Feedback.

13. Disclaimer and Limitation of Liability

13.1 Disclaimer

THE API, SDKs, SAMPLE CODE, AND DOCUMENTATION ARE PROVIDED "AS IS" AND "AS AVAILABLE." To the maximum extent permitted by law, Hive Bastion disclaims all warranties, whether express, implied, statutory, or otherwise, including any implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement. We do not warrant that the API will be uninterrupted, timely, secure, or error-free, or that defects will be corrected. We use commercially reasonable efforts to provide a reliable API; we do not guarantee any specific availability, throughput, or result.

13.2 Limitation of Liability

The limitation of liability set out in the Terms of Service governs your use of the API and is incorporated here by reference. For convenience, the operative limitation is restated below; in the event of any conflict, the version in a signed agreement (if any), then the Terms of Service, controls. Because the API may be offered without charge, the restated limitation includes a fixed-dollar floor for unpaid use so that the limitation remains enforceable rather than reducing to zero.

"TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND EXCEPT FOR (i) BREACHES OF CONFIDENTIALITY, (ii) INDEMNIFICATION OBLIGATIONS, AND (iii) WILLFUL MISCONDUCT OR FRAUD, HIVE BASTION'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THESE API TERMS OR YOUR ACCESS TO OR USE OF THE API SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNTS PAID OR PAYABLE BY THE INTEGRATOR TO HIVE BASTION FOR THE API IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY, OR (B) ONE HUNDRED U.S. DOLLARS (US$100). WHERE ACCESS TO THE API IS PROVIDED WITHOUT CHARGE, HIVE BASTION'S TOTAL CUMULATIVE LIABILITY SHALL NOT EXCEED ONE HUNDRED U.S. DOLLARS (US$100). NOTHING IN THESE API TERMS LIMITS OR EXPANDS EITHER PARTY'S LIABILITY BEYOND WHAT A SEPARATE SIGNED AGREEMENT PROVIDES; IN THE EVENT OF ANY CONFLICT, THE SIGNED AGREEMENT CONTROLS. TO THE EXTENT PERMITTED BY LAW, HIVE BASTION WILL NOT BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES."

13.3 No Personal Liability

"You acknowledge that you are dealing solely with Hive Bastion LLC. To the maximum extent permitted by law, you waive, and agree not to assert, any claim against any individual member, manager, officer, employee, agent, or contractor of Hive Bastion in such individual's personal capacity for the obligations of Hive Bastion under these API Terms, except for liability arising from such individual's own willful misconduct or fraud. This Section does not limit Hive Bastion LLC's own liability."

14. AI-Output Disclosure

Where the API conveys content generated, in whole or in part, by AI systems, the following disclosure applies and must be honored by your Customer Application:

"This document contains content generated, in whole or in part, by AI systems operated by Hive Bastion LLC. AI can make mistakes. Every result herein is an estimate produced for the named recipient's professional review - not a regulated determination, not an underwriting decision, not a rate quote, not legal advice, not medical advice, not investment advice. The named recipient is responsible for the final decision and for verifying any factual claim before acting on it."

15. Governing Law and Dispute Resolution

"These API Terms are governed by, and shall be construed in accordance with, the laws of the State of Tennessee, without regard to its conflict-of-laws provisions."

"Any dispute arising out of or relating to these API Terms shall be resolved by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules (and, where they apply, its Consumer Arbitration Rules); the seat of arbitration shall be Nashville, Tennessee."

"Notwithstanding the foregoing, either party may seek temporary, preliminary, or permanent injunctive or other equitable relief in a state or federal court located in Tennessee to protect its intellectual property, Confidential Information, API Credentials, or the security and integrity of the API, without first submitting the matter to arbitration and without waiving the right to arbitrate the remainder of the dispute. Either party may also bring an individual action in small-claims court."

"Class-action and mass-arbitration waiver. To the maximum extent permitted by applicable law, disputes will be resolved only on an individual basis; you and Hive Bastion each waive any right to bring or participate in a class, collective, consolidated, or representative action. The arbitrator may rule on the arbitrability of claims, except that the enforceability of this class-action waiver is for a court to decide; if the class-action waiver is held unenforceable as to any claim, that claim shall proceed in court and the remainder in arbitration."

16. Changes to These API Terms

We may update these API Terms from time to time. We will provide notice of material changes to active Integrators (by email to the address associated with your API Credentials, an in-Documentation notice, or a changelog entry) at least thirty (30) days before they take effect, except that changes required for security, legal compliance, or to address an active threat may take effect immediately. Material changes apply prospectively only. If you continue to access the API after the effective date of a change, you accept it; if you do not agree, your remedy is to stop using the API before the effective date. The date of last update is shown at the top of these API Terms. These published API Terms are a good-faith baseline; any signed agreement between the parties controls in the event of any conflict.

16A. Survival

Sections 2.2 (Reservation of Rights), 2.3 (Restrictions), 6 (Data Handling for Passed-Through Data), 7 (No Resale or Sublicensing), 10A (Indemnification by Integrator), 12.3 (Feedback license), 13 (Disclaimer and Limitation of Liability), 15 (Governing Law and Dispute Resolution), and any accrued payment obligation survive any expiration, suspension, revocation, or termination of your API access, together with any provision that by its nature should survive.

17. Contact

Notices to Hive Bastion:

Hive Bastion LLC

1556 Hankook Rd PMB 1021

Clarksville, TN 37043

18. Frameworks and Controls Referenced

These API Terms support and reference the following control frameworks (mapped in detail in the Control-Framework Crosswalk):

• SOC 2 Trust Services Criteria — CC6 (Logical & Physical Access Controls: authentication, API-key security, least privilege), CC7 (System Operations: monitoring, suspension), CC8 (Change Management: deprecation/versioning), and the Confidentiality criterion (Passed-Through Data handling).
• NIST CSF 2.0 — GV (Govern: API governance), ID (Identify: assets/integrations), PR (Protect: access control, data-in-transit, data minimization), DE (Detect: logging/monitoring), RS (Respond: suspension, credential-compromise notification).
• ISO/IEC 27001:2022 Annex A — A.5 (Organizational: supplier/third-party platform responsibilities), A.8 (Technological: access control, cryptography in transit, logging, secure development of integrations).
• CMMC Level 1 (FAR 52.204-21) — access control and authentication practices applied to API Credentials, where federal use applies.