Terms of Service

These Terms of Service ("Terms") constitute a binding agreement between you and Auth Flow, Inc. ("Auth Flow," "we," "us"). By accessing or using our identity infrastructure services, APIs, documentation, and website (collectively, the "Service"), you agree to these Terms. If you use the Service on behalf of an organization, you represent that you have authority to bind that organization.

Auth Flow provides modular identity infrastructure including:

• Authentication services (passwords, passkeys, magic links, social login, MFA)
• Session management and token services
• Authorization and role-based access control (RBAC)
• Identity data storage and management
• Multi-tenant organization support
• APIs, SDKs, and dashboard for configuration

You must provide accurate, complete information when creating an account. You are responsible for maintaining the confidentiality of your API keys and credentials, and for all activities under your account. Notify us immediately at security@auth-flow.com if you suspect unauthorized access.

You agree to use the Service in compliance with all applicable laws. You will not:

• Process data in violation of privacy laws (GDPR, CCPA, etc.) or without lawful basis
• Attempt to circumvent security measures, rate limits, or access controls
• Reverse engineer, decompile, or extract source code from the Service
• Transmit malware or engage in abusive behavior
• Resell or sublicense the Service except as expressly permitted
• Use the Service in a manner that degrades performance for other customers

Ownership: You retain all rights to Customer Data. We claim no ownership and process it only per your instructions and our Data Processing Addendum.

Your Responsibilities: You are the data controller for Customer Data. You must ensure lawful collection, obtain necessary consents, and respond to data subject requests. We will assist you as required by our DPA.

Our Role: We act as a data processor for Customer Data, implementing appropriate technical and organizational measures per GDPR Article 28.

We implement industry-standard security measures detailed in our Security documentation. However, no system is completely secure. You are responsible for:

• Securing your applications and implementing proper session handling
• Protecting API keys and never committing them to source control
• Implementing appropriate security measures for your use case

Auth Flow supports compliance with GDPR, CCPA, SOC 2, and HIPAA through audit logging, data residency options, and configurable policies. Achieving compliance for your application remains your responsibility.

Certain features require payment per your service plan. All fees are non-refundable except as stated. We may change pricing with 30 days' notice; continued use after a price change constitutes acceptance.

Our IP: Auth Flow owns all rights to the Service, including software, APIs, documentation, and trademarks. These Terms grant only a limited right to use the Service.

Your IP: You retain ownership of your applications, configurations, and Customer Data.

Feedback: If you provide suggestions about the Service, we may use them without obligation.

By You: Close your account at any time. We will assist with data export upon request.

By Us: We may suspend or terminate access for Terms violations, security risks, non-payment, or legal requirements, with notice when feasible.

Effect: Upon termination, your access ends. Customer Data is deleted per our retention policy unless you request earlier deletion or law requires retention.

Our total liability shall not exceed the greater of (a) amounts paid in the twelve months preceding the claim, or (b) $100. These limitations do not apply where prohibited by law.