Terms of Service

How CybrLink is governed and how API access, credentials, and liability are handled.

DRAFT — requires legal review. This document is an engineering-authored draft intended to capture how the CybrLink service actually works so that qualified legal counsel can turn it into a binding agreement. It has not been reviewed or approved by a lawyer. Do not publish, link from the product, or rely on it as a contract until counsel has reviewed and adapted it for the operating entity's jurisdiction(s). Bracketed placeholders such as [LEGAL ENTITY] must be completed before use.

CybrLink — Terms of Service (DRAFT)

Last updated: 2026-06-12

Status: DRAFT — not legally binding until reviewed and published.

1. Who we are and what these terms cover

These Terms of Service ("Terms") are a contract between you ("you", "Customer", "user") and [LEGAL ENTITY] ("CybrLink", "we", "us"), governing your use of the CybrLink website, dashboard, API key system, and Model Context Protocol ("MCP") endpoint at [NEXT_PUBLIC_APP_URL]/api/mcp (together, the "Service").

By creating an account, signing in, generating an API key, or connecting a third-party account, you agree to these Terms. If you do not agree, do not use the Service.

2. What the Service does

CybrLink is a credential-vault and integration platform. In plain terms:

  • You connect your own third-party accounts (for example Slack, Gmail, an LLM provider — roughly 370 providers are supported) once, through our self-hosted Nango connection flow.
  • CybrLink issues you a personal API key (prefixed cbl_) and an MCP URL.
  • Any AI agent or automation you authorize can then act through those connections — calling the third-party APIs on your behalf — without ever receiving the underlying provider credentials.

The product principle is: connect once, use everywhere, revoke anytime.

CybrLink is a conduit. We do not control, endorse, or take responsibility for the third-party services you connect, the data they return, or the actions an agent takes through them. Your use of each connected provider remains subject to that provider's own terms.

3. Eligibility and accounts

  • You must be at least the age of majority in your jurisdiction (and at least 18) to use the Service. The Service is a business-to-consumer ("B2C") product: each account is for a single individual. Team, shared-key, and developer-app features are not offered at this time.
  • Sign-in is OAuth-first: GitHub, Google, or a single-use email magic link. We never set, store, or process a password for your CybrLink account.
  • Account linking is conservative: the same verified email across providers maps to one CybrLink identity. We only link accounts on a provider-asserted verified email and never silently merge a magic-link sign-in into an existing OAuth account without re-authentication.
  • You are responsible for maintaining control of the identity provider (GitHub, Google, or email inbox) you use to sign in, and for all activity under your account and API keys.

4. API keys and agent access

  • API keys are generated server-side, shown to you exactly once, and stored only as a salted keyed hash (HMAC-SHA-256). We cannot recover or re-display a key after creation — if you lose it, revoke it and create a new one.
  • You are responsible for safeguarding your API keys. Treat a cbl_ key like a password. Anyone holding it can act through your connected accounts, within the providers that key is scoped to.
  • Keys are least-privilege by default: a key can call only the providers you have explicitly opted that key into.
  • You can revoke any key at any time from the dashboard; revocation is effective immediately and cascades to any agent sessions minted from that key. A "revoke all" control is available.
  • We may rate-limit, throttle, suspend, or revoke keys or access to protect the Service, other users, connected providers, or the integrity of the platform.

5. Acceptable use

You agree not to use the Service to:

  • access, connect, or act on accounts or data you are not authorized to use;
  • circumvent, probe, or attack the Service's authentication, rate limiting, proxy guards, or other security controls;
  • exceed published rate limits, or use the Service to launch denial-of-service, scraping-at-scale, or abusive automation against third-party providers;
  • send the Service requests designed to reach internal, link-local, or private network ranges, or to make the Service act as an open proxy;
  • violate any connected provider's terms, or any applicable law, sanctions regime, or third-party right;
  • transmit malware, or content that is unlawful, infringing, or harmful.

You are solely responsible for the instructions you (or your agents) give the Service and for the consequences of actions taken through your connections, including actions an agent takes after reading data from a connected provider.

6. AI agents and prompt injection (important risk disclosure)

The Service lets AI agents read data from, and take actions through, your connected accounts. Data returned from a connected provider (for example the body of an email or a chat message) is untrusted external content and may contain instructions intended to manipulate an AI agent ("prompt injection").

We reduce the blast radius of this risk (provider scoping, write-gating, marking external data as untrusted, metadata-only logging), but this category of risk cannot be fully eliminated at the vault layer. You are responsible for the agents you connect, the scopes and providers you grant them, and for reviewing sensitive or irreversible actions. Do not connect providers or grant write access beyond what you are comfortable having an autonomous agent exercise.

7. Your data and credentials

  • We never receive, store, or have access to your third-party provider credentials (OAuth tokens, API keys, passwords for connected services). Those live exclusively inside the self-hosted Nango credential vault. CybrLink receives only API responses when proxying a call you authorized.
  • What CybrLink stores about you is limited to: account identity (name, email, profile image, sign-in provider linkage), salted hashes of your API keys and session tokens, connection metadata (which providers you connected and their status), and an append-only activity log of metadata about proxied calls (provider, endpoint, method, status, timestamp — never request or response bodies).
  • How we handle this data is described in the Privacy Policy and Retention Policy, which are incorporated into these Terms by reference.

8. Third-party providers and sub-processors

The Service depends on third-party providers (our sub-processors) and on the third-party accounts you choose to connect. We are not responsible for the availability, accuracy, security, or conduct of any third party. A current list of sub-processors is maintained in the Privacy Policy.

9. Service availability and changes

The Service is provided on an "as available" basis. We may modify, suspend, or discontinue all or part of the Service, including specific connectors or tools, at any time. We will use reasonable efforts to give notice of material changes where practical. The Service currently has no paid tier; usage-based billing may be introduced later, in which case additional commercial terms will apply.

10. Intellectual property

CybrLink, its software, branding, and documentation are owned by [LEGAL ENTITY] and protected by intellectual-property laws. We grant you a limited, non-exclusive, non-transferable, revocable license to use the Service in accordance with these Terms. You retain all rights in your own data and in the content returned from your connected providers.

11. Disclaimers

The disclaimer and liability sections below are commercial-risk terms and must be drafted or approved by counsel for the operating jurisdiction.

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY THAT THE SERVICE WILL BE UNINTERRUPTED, SECURE, OR ERROR-FREE. WE DO NOT WARRANT THE RESULTS OF ANY ACTION TAKEN BY AN AI AGENT THROUGH YOUR CONNECTIONS.

12. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, [LEGAL ENTITY] WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF DATA, PROFITS, OR GOODWILL, ARISING FROM OR RELATED TO YOUR USE OF THE SERVICE — INCLUDING ACTIONS TAKEN BY AN AGENT THROUGH YOUR CONNECTIONS, COMPROMISE OF A CONNECTED PROVIDER, OR PROMPT-INJECTION-INDUCED BEHAVIOR. OUR TOTAL AGGREGATE LIABILITY WILL NOT EXCEED [AMOUNT / FEES PAID IN PRIOR 12 MONTHS].

13. Indemnification

You agree to indemnify and hold harmless [LEGAL ENTITY] and its operators from claims, damages, and expenses arising out of your use of the Service, your connected accounts, the actions of agents you authorize, or your breach of these Terms or any third-party right.

14. Termination

You may stop using the Service and delete your account at any time. We may suspend or terminate your access for breach of these Terms, suspected abuse, or to protect the Service or third parties. On termination, your data is handled as described in the Retention Policy; revoking keys and deleting connections takes effect immediately, and deleting your account cascades to your keys, sessions, and connection metadata.

15. Governing law and disputes

These Terms are governed by the laws of [GOVERNING LAW JURISDICTION], without regard to conflict-of-laws rules. [DISPUTE RESOLUTION / VENUE / ARBITRATION CLAUSE — counsel to complete.]

16. Changes to these Terms

We may update these Terms from time to time. Material changes will be reflected by a new "Last updated" date and, where appropriate, additional notice. Continued use of the Service after changes take effect constitutes acceptance.

17. Contact

Questions about these Terms: [LEGAL/SUPPORT CONTACT EMAIL].


This is a DRAFT prepared by the engineering team to reflect the actual behavior of the Service. It is not legal advice and is not binding until reviewed, completed, and approved by qualified counsel.