/
API Terms of Use

API Terms of Use

  • Verified

    • These Terms of Use (“Terms”) govern access to and use of the Umbrella Faces APIs (the On Demand API and the Sync API) provided by Umbrella Organisation U+O AG, Wetzikon, Switzerland (“Umbrella”, “we”, “our”, “us”). By using the APIs, you (“Client”, “you”, “your”) agree to be bound by these Terms.

    Access and Authentication

    The On Demand API requires authentication via OAuth 2.0. Clients must reuse valid tokens rather than requesting a new token for each call.
    The Sync API requires authentication using either a shared secret or username/password.

    Clients are responsible for safeguarding their credentials and ensuring they are not misused. Clients should ensure integration is implemented by engineers familiar with standard authentication and security practices such as OAuth 2.0 authentication flows and calculating HMAC SHA-256 signatures.

    Permitted and Prohibited Use

    The APIs may only be used for lawful business purposes and in accordance with the official documentation.

    For the On Demand API, Clients must not send “non-update” updates (i.e., updates without actual changes) or use the search function to export all profiles instead of performing targeted lookups.

    For both APIs, Clients are expected to use the APIs responsibly to maintain overall system performance and security. Activities such as penetration testing or vulnerability scanning should only be performed with Umbrella’s prior written approval. Repeated updates of unchanged profiles or automated bulk operations that could degrade performance should be avoided.

    Umbrella reserves the right to monitor use of the APIs and to suspend or terminate access in cases of misuse.

    Rate Limits and Stability

    Umbrella may impose rate limits or other restrictions on API calls to protect system stability. Clients must respect such limits as documented or communicated. Excessive or abusive traffic may result in throttling, suspension, or additional charges.

    Data Ownership and Processing

    Umbrella retains all rights, title, and interest in the APIs and associated technology. Data accessed through the APIs belongs to the owning travel agency.

    Clients are solely responsible for ensuring that all necessary consents, agreements, and data protection measures are in place, including execution of appropriate Data Processing Agreements. Umbrella may act as a processor or subprocessor under applicable data protection laws, including GDPR and Swiss law.

    Fees and Misuse

    API usage fees are invoiced monthly to the Travel Agency in accordance with its contract with Umbrella. Costs related to implementation support, certification, or recertification are invoiced to the party implementing the API integration, such as the technology provider or third-party partner.

    For the On Demand API, the Excessive Transactions clause applies only to GET, POST, PATCH, and DELETE calls on profile endpoints.
    The API is designed to support normal operational usage patterns, including occasional repeated updates to individual profiles (for example, user-initiated changes). In aggregate, usage is expected to remain proportionate to the number of managed profiles and the nature of the integration.

    To ensure platform stability, Umbrella may review usage patterns that generate sustained or disproportionate transaction volumes relative to the overall dataset. Where usage materially exceeds what would reasonably be expected for the applicable use case, Umbrella may, in consultation with the Client, define appropriate thresholds or mitigation measures.

    For integration scenarios such as HR feeds, Umbrella acknowledges that an initial bulk load of profile data may result in elevated transaction volumes. Subsequent synchronizations are expected to reflect incremental changes. Repeated mass updates of largely unchanged profiles may be deemed excessive unless explicitly agreed in advance.

    If excessive usage persists after notice, Umbrella may apply excess usage charges at USD 0.01 per excess API call. Umbrella will provide a warning notice and a reasonable opportunity to address the usage pattern before any charges are applied.

    Service Levels and Availability

    The APIs are provided on an ‘as-is’ and ‘as-available’ basis. While Umbrella strives to maintain stable and reliable operation, no specific uptime or performance guarantees are provided under these Terms.

    Additional Terms

    On Demand API

    Clients using the On Demand API must not issue unnecessary update calls or attempt bulk export of profile data. Any changes to the scope of queried data must be communicated to Umbrella and may have to undergo recertification before being used in production.

    Webhook endpoints configured to receive updates from the On Demand API must support HTTPS with a valid, generally-trusted SSL/TLS certificate and a complete certificate chain. Umbrella may reject connections that fail certificate validation. Connections that fail certificate validation may be rejected.

    Sync API

    When using the Sync API, Umbrella will actively send profile updates to Client endpoints via HTTPS POST. Clients are expected to process updates promptly, ideally within a few seconds and in any case within a maximum of thirty (30) seconds. If Umbrella observes repeated timeouts or slow responses, it may suspend delivery until corrective action is taken.

    Endpoints receiving updates must support HTTPS with a valid, generally-trusted SSL/TLS certificate and a complete certificate chain. Connections that fail certificate validation may be rejected.

    Termination and Suspension

    Umbrella will generally provide a warning notice and a reasonable opportunity for the Client to address issues before applying any additional charges or restrictions. However, if Umbrella detects activity posing a serious risk to system stability or security, it may apply immediate protective measures such as temporary throttling or suspension. Umbrella will notify the Client as soon as feasible and work jointly to identify and resolve the issue.

    If reactivation requires additional verification steps, Umbrella may request a brief technical review or revalidation of the integration to ensure compliance. Any associated costs or timelines will be communicated transparently in advance.

    Umbrella may decline reactivation if prior misuse or repeated non-compliance indicates a material risk to system stability or security.

    Disclaimers and Liability

    The APIs are provided without warranties of any kind, whether express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, accuracy, or uninterrupted availability.

    Umbrella does not guarantee the accuracy, completeness, or timeliness of API data. The provisions regarding liability and remedies are governed by the terms of the main contract executed between Umbrella and the Client, which shall take precedence over these Terms.

    Governing Law and Jurisdiction

    These Terms are governed by the laws of Switzerland. Any disputes shall be subject to the exclusive jurisdiction of the courts of Zurich, Switzerland.

    Modifications

    Umbrella may update these Terms from time to time to reflect changes in legal, technical, or business requirements. Significant updates will be communicated in advance through appropriate channels, and continued use of the APIs after such notice constitutes acceptance of the revised Terms.