Governance

Terms of Service

Last updated: March 12, 2026

“Clevername is built and operated by one person. I take security seriously and I've built real protections into this platform, but I want to be upfront: I'm a solo developer, not a large company with a legal department and insurance policies. These terms reflect that reality.”

— Alex Floyd, Floyd Media LLC

1. Acceptance of terms

By creating an account, storing API keys, or using Clevername in any way, you're agreeing to these terms and our Privacy Policy. If you're using Clevername on behalf of a company or team, you're confirming you have the authority to agree on their behalf. If you don't agree with any of this, please don't use the service.

2. What Clevername is

Clevername is an AI governance and orchestration platform built and operated by Floyd Media LLC ("I", "me", "my" — it's just me, Alex). When I say "the Service", I mean everything Clevername offers:

- A universal gateway that routes your AI requests to providers like Anthropic, OpenAI, and Google using your own API keys (BYOK)
- Secure storage for those API keys in Google Cloud Secret Manager
- Runtime security — content scanning, agent drift detection, guardrail enforcement
- Agent Review — approval workflows for agent deployment
- MCP tool gateway and integrations
- Team features — organizations, roles, SSO, SCIM

This is a one-person operation. I'm building Clevername because I believe AI agents need proper governance — not just identity, not just scanning, but continuous enforcement of what they're allowed to do. The service is provided "as is" — I do my best to keep it running and secure, but I can't make the same guarantees a company with hundreds of engineers can. I may modify or discontinue features with reasonable notice.

3. Your account

Keep your credentials safe — your password, session tokens, and any scoped API tokens (cnk_* keys) you create. You need to be at least 18 to use Clevername. Everything that happens under your account is your responsibility. That includes:

- Actions your AI agents take (whether you clicked "approve" or set them to auto-approve)
- API calls made with keys you stored here
- Automated tasks from scheduled jobs or triggers
- What your team members do if you invited them to your org

If you think your account has been compromised, email [email protected] immediately and I'll help lock it down.

4. Your API keys — the big one

This is the most important section. Clevername stores your third-party API keys so it can route AI requests on your behalf. That's a serious responsibility, and I want to be completely transparent about how it works and what the risks are.

How I store your keys: Your API keys (Anthropic, OpenAI, Google, etc.) go into Google Cloud Secret Manager, encrypted at rest. The database only stores a masked hint like "sk-...7x2f" — never the full key. Keys are pulled from Secret Manager only when needed to make a request, sent over HTTPS, and never logged or cached in plaintext. I will never use your keys for anything other than routing your requests. I will never share, sell, or give your keys to anyone. If I ever discover unauthorized access to the key storage, I will notify you immediately. When you delete a key or your account, the key material is permanently deleted from Secret Manager.

What you need to do:

- Only store keys you're authorized to use
- Set spending limits directly with your AI providers — this is your best protection against runaway costs
- Create dedicated keys for Clevername rather than reusing keys from other services
- Rotate keys regularly and revoke any key you think might be compromised (at both Clevername and the provider)
- Enable MFA on your accounts — both here and at your AI providers
- Review your usage dashboard for anything unexpected

You are responsible for all charges on your keys — whether from your direct use, your agents, scheduled tasks, or (worst case) unauthorized access. I strongly recommend provider-side spending caps as your primary financial safety net.

I have to be honest about the risks: No system is perfectly secure, and I'm one developer, not a security team. Despite the encryption and best practices I've built in:

- If my infrastructure were compromised, stored keys could be exposed
- A bug could theoretically cause a key to be logged somewhere it shouldn't be
- If someone gains access to your Clevername account, they can use (but not view) your stored keys
- Keys in transit use TLS, but no encryption is theoretically unbreakable

I take these risks seriously and I've built real protections. But I want you to go in with your eyes open.

5. Your agents are your responsibility

When you deploy AI agents through Clevername — whether they're making API calls or calling MCP tools — those are your agents. Their actions are treated as your actions, period. This is true whether you explicitly approved something, set it to auto-approve, or gave the agent broad permissions. If you use Agent Review approval workflows, that's a governance checkpoint — it's not a guarantee that your agent is safe. The guardrail profiles I compile from the questionnaire are real security controls, but they can't prevent every possible bad outcome.

6. Security scanning is best-effort

Clevername includes runtime security features: content scanning, prompt injection detection, PII detection, secret leakage prevention, and agent drift detection. These are real, useful tools — but they're not perfect, and they shouldn't be your only line of defense.

What to expect:

- Scanning uses pattern matching and configurable rules. It will catch a lot, but it can miss things and it can flag things that aren't actually problems (false positives)
- Guardrail enforcement is only as good as your configuration
- Drift detection catches deviations from approved behavior, but there's always a gap between an agent doing something wrong and the system catching it
- No scanner in the world can guarantee it will catch every prompt injection or every piece of PII

I can't be liable for threats that get through the scanner, for false positives that block legitimate work, for security policies you misconfigured, or for things that happen in the gap between a violation and detection. I'm building the best security tools I can as a solo developer, but please treat them as one layer in your security approach, not the whole thing.

7. Don't be a jerk

Pretty straightforward — don't use Clevername to:

- Break the law
- Violate other people's rights or privacy
- Spread malware or harmful code
- Try to hack into my systems or other users' data
- Have AI agents do things you're not authorized to do yourself
- Store API keys that aren't yours
- Try to bypass security controls, rate limits, or guardrails (I built those for a reason)
- Resell access to Clevername without asking me first
- Generate content that's illegal, harmful, or violates AI provider policies

8. Third-party providers (Anthropic, OpenAI, Google, etc.)

Clevername routes your requests to AI providers using your keys. You still need to follow their terms of service — I'm just the middleman. Some things to keep in mind:

- Some providers may restrict using their APIs through intermediary services. Check their terms.
- Providers can suspend or revoke your keys at any time, for any reason, and I can't do anything about it
- Their rate limits, pricing, and quotas are their business — I don't control any of that
- If a provider goes down or changes their API, it affects Clevername too
- I'm not part of your relationship with any AI provider

Make sure your use of each provider through Clevername complies with their terms. If Anthropic revokes your key or OpenAI suspends your account, that's between you and them.

9. MCP integrations

The integrations directory lets you discover and install MCP servers and skills that extend what your AI tools can do. When you install an integration, you're giving it access to operate in your Clevername environment based on the permissions you configure. Look at what an integration does before you install it.

Third-party integrations: Some integrations are built by other developers. I review submissions for basic security concerns, but I can't guarantee that every third-party integration is safe, accurate, or reliable. They have their own terms and privacy policies.

Credentials for integrations (API keys, OAuth tokens) are stored in GCP Secret Manager with the same encryption as your AI provider keys. If you uninstall an integration or think its credentials are compromised, revoke them.

I'm not liable for damage caused by third-party MCP servers or skills — data loss, unauthorized access, wrong outputs, or charges from services those integrations connect to.

10. Developer API and scoped tokens

Clevername provides programmatic API access, including an OpenAI-compatible chat completions endpoint and scoped gateway tokens for agent and application integration.

SCOPED TOKENS: You may generate scoped API tokens (cnk_* keys) with restricted permissions including model allowlists, tool allowlists, and spend budgets. You are responsible for the security of these tokens and all API calls made using them.

API COMPATIBILITY: The OpenAI-compatible API endpoints (/v1/chat/completions, /v1/embeddings) follow the OpenAI API format but route through Clevername's policy engine. Clevername is not affiliated with OpenAI. Compatibility is provided for convenience and may not cover all OpenAI API features.

RATE LIMITS AND FAIR USE: API access is subject to rate limits that vary by plan. We reserve the right to throttle or suspend API access that degrades the Service for other users.

11. Enterprise features

Organizations using Team or Enterprise plans have access to additional features with their own considerations.

SCIM PROVISIONING AND SSO: If you configure SCIM 2.0 provisioning or SSO (SAML/OIDC) federation with Clevername, you are responsible for the accuracy and security of your identity provider configuration. Misconfigured SSO or SCIM can result in unauthorized access to your organization's Clevername resources. We are not liable for access control failures caused by misconfigured identity provider settings.

ORGANIZATION ADMINISTRATION: Organization administrators are responsible for managing member roles, permissions, and security policies. Actions taken by organization members are the responsibility of the organization. We provide RBAC tools; enforcement of your internal policies is your responsibility.

AUDIT LOGS: Audit logs are provided for compliance and security monitoring. While we employ tamper-evident hash chains, audit logs should not be treated as legally admissible records without independent verification. Audit log retention is configurable per organization, with a default of 365 days.

PRIVILEGED ACCESS MANAGEMENT (PAM): Organizations may integrate external PAM providers (CyberArk, BeyondTrust, Delinea) for time-boxed elevated sessions. PAM sessions grant elevated permissions for a configurable duration (up to 8 hours). IP binding enforcement may operate in "warn" mode (log-only) depending on your configuration. You are responsible for configuring PAM session scopes, durations, and IP binding policies. We are not liable for unauthorized actions taken during PAM sessions or for privilege escalation resulting from misconfigured PAM provider integration.

12. Protocol integrations (ARCP and ANCP)

Clevername provides optional integration with the Ad-Response Content Protocol (ARCP) and AI Negotiation Control Protocol (ANCP). These are external protocol networks with their own participants and rules.

ARCP: Content discovery and syndication. When you use ARCP tools through Clevername, you interact with the ARCP network and its participants. You are responsible for complying with ARCP network policies.

ANCP: Agent marketplace negotiations, auctions, and bidding. ANCP operations may involve financial commitments (bids, auction participation). High-risk ANCP operations require explicit human approval. You are responsible for all financial obligations arising from ANCP transactions initiated through your account.

We act as a gateway to these protocol networks. We are not a party to transactions conducted through ARCP or ANCP and are not liable for the actions of other network participants.

13. Workflow automation and flow security

Clevername provides workflow orchestration features including agentic flows, pipelines, scheduled tasks, event-triggered hooks, and emergency kill-switch controls.

WORKFLOW LIFECYCLE: Workflows may execute multi-step sequences of AI calls, tool invocations, and browser actions. Each step may trigger subsequent steps automatically based on your configuration. You are responsible for the design, testing, and monitoring of your workflows.

KILL-SWITCH: Organization administrators may use emergency kill-switch controls to immediately terminate all active workflows and agent sessions. Kill-switch activation is irreversible for in-progress operations — partially completed workflows cannot be resumed. We are not liable for data loss or incomplete operations resulting from kill-switch activation.

PIPELINES AND HOOKS: Event-triggered pipelines execute automatically based on conditions you define. You are responsible for ensuring trigger conditions are correctly configured. We are not liable for pipeline failures, infinite loops, orphaned state, or unintended executions caused by misconfigured triggers.

SIGNED DECISIONS: Workflow decisions may be cryptographically signed for audit integrity. Signature verification is provided as a tamper-detection mechanism, not a legal guarantee of authenticity.

14. Subscriptions and billing

Clevername uses a BYOK (Bring Your Own Key) model. Your subscription covers the governance platform — your AI provider charges you directly for LLM usage.

Subscriptions: The Free plan is free forever. Team is a monthly or annual per-seat subscription. Enterprise uses annual licensing. All plans include unlimited BYOK routing — Clevername never marks up your LLM costs.

What your subscription covers: Access to the governance platform, CleverGuard scanning, Agent Review approval workflows, audit logging, and all other platform features at your plan tier. Your AI provider costs are separate and billed directly by Anthropic, OpenAI, Google, or whichever providers you use.

Your responsibility for provider costs: You are responsible for all charges incurred on your BYOK keys — whether from direct use, your agents, scheduled tasks, or org members using shared org-level keys. Set spending limits directly with your AI providers. That is your primary protection against runaway costs. I strongly recommend doing this before connecting any key.

Payment processing: All subscription payments are processed by Stripe. Your payment information is handled by Stripe and never stored on Clevername servers. Upgrades take effect immediately with prorated billing. Downgrades take effect at the start of the next billing cycle.

Refunds: Subscription refunds are considered on a case-by-case basis within 7 days of a charge. Contact [email protected].

15. Documents and data processing

Clevername processes user-uploaded documents and generates vector embeddings for semantic search.

DOCUMENT PROCESSING: When you upload documents (PDF, DOCX, XLSX, images), Clevername extracts text content and stores it in our database for context injection into AI conversations. Documents are stored in Google Cloud Storage. You are responsible for ensuring you have the right to upload and process any document you provide.

VECTOR EMBEDDINGS: Text content from documents may be converted into vector embeddings for semantic search. Embeddings are mathematical representations of your content and are stored alongside the source data. Embeddings are deleted when the source document is deleted.

CONTEXT INJECTION: When project context is injected into AI requests, the full content is sent to the AI provider processing your request (using your BYOK key or managed key). Content injection is subject to the same security scanning as direct user input.

16. External service dependencies

Clevername integrates with several external services. The availability and behavior of these services are outside our control.

SIGNEDAPPROVAL: High-risk agent actions may be routed through SignedApproval (signedapproval.net), an external approval service that delivers push notifications to your iOS device. SignedApproval is a separate service with its own infrastructure. If SignedApproval is unavailable, approval-gated actions will remain pending until the service recovers or the request times out. We are not liable for delays or failures in approval delivery.

N8N INTEGRATION: If you connect Clevername to an n8n instance, webhook tokens are used to authenticate requests between the services. You are responsible for the security of your n8n instance and webhook tokens. We are not liable for actions executed by n8n workflows triggered through Clevername.

SIEM LOG FORWARDING: Organizations may configure audit log forwarding to external SIEM services (Datadog, Splunk, Elasticsearch) or webhook endpoints. Forwarded logs may contain metadata about user activity, API calls, and security events. You are responsible for the security and compliance of your SIEM destination. Log forwarding uses a buffered delivery system — under extreme load, events may be dropped if the buffer capacity is exceeded. We do not guarantee lossless log delivery.

WEBHOOK NOTIFICATIONS: Task completion and security event notifications may be delivered via webhooks to URLs you configure (Slack, Discord, custom endpoints). Webhook payloads may contain task results and metadata. You are responsible for securing your webhook endpoints. We sign webhook deliveries with HMAC but are not liable if payloads are intercepted or if your endpoint is compromised.

17. Compliance and data rights

Clevername provides tools to help you meet compliance obligations, but the Service itself is not certified under any compliance framework.

COMPLIANCE REPORTS: Auto-generated compliance evidence reports (SOC 2 format) are provided as a convenience for your internal compliance programs. These reports are self-generated summaries of platform configuration and activity — they are not independently audited certifications. Do not represent Clevername compliance reports as third-party audit results.

DATA SUBJECT ACCESS REQUESTS (DSAR): You may submit data access or erasure requests through the dashboard or by contacting [email protected]. We will process erasure requests within 30 days. Erasure removes your personal data, conversation history, stored keys, and project files. Audit logs associated with organizations are anonymized rather than deleted.

DATA PORTABILITY: You may export your data at any time through the dashboard. Exported data includes project files and configuration. API keys are not included in exports for security reasons — you must record your keys separately.

NO LEGAL COMPLIANCE GUARANTEE: Clevername provides security and governance infrastructure. It does not guarantee compliance with any specific regulation (GDPR, HIPAA, SOC 2, etc.). You are responsible for evaluating whether the Service meets your regulatory requirements.

18. Guard API (external agent security proxy)

The Guard API (/v1/guard/*) allows external AI agents and frameworks (LangChain, CrewAI, AutoGen, or any HTTP client) to use Clevername's runtime security services without MCP or an SDK.

HOW IT WORKS: External agents register with Clevername, receive a scoped cnk_* token, start a guarded session, and pass the session ID on their regular /v1/chat/completions calls. Clevername then scans all inputs and outputs, enforces guardrail profiles, tracks tool drift, and monitors spend — all inline and transparent to the agent.

YOUR RESPONSIBILITIES AS A GUARD API USER:

- You are responsible for registering agents accurately and providing truthful review questionnaire answers (if applicable) that determine the guardrail profile
- You are responsible for securing your Guard API tokens. Anyone with your token can make API calls on your behalf, incurring charges against your BYOK keys
- You are responsible for ending sessions when work is complete. Idle sessions consume monitoring resources and may be terminated automatically
- You must not use the Guard API to proxy requests for third parties or resell access to Clevername's security services without written permission

GUARDRAIL PROFILES: If you provide review questionnaire answers during agent registration, a guardrail profile is auto-compiled and enforced for all sessions. Sessions without a profile operate with reduced enforcement (no tool allowlists, no drift detection). You are responsible for the accuracy of your answers.

STANDALONE SCANNING: The Guard API also offers standalone content scanning (/v1/guard/scan) and tool checking (/v1/guard/check-tool) endpoints. These are subject to the same limitations described in Section 6 (Security Services) — scanning is best-effort and not guaranteed to detect all threats.

WE ARE NOT LIABLE FOR: Actions taken by external agents using Guard API sessions, security threats that bypass guard scanning, agent behavior between scan calls, or charges incurred through tokens issued via the Guard API.

19. Indemnification (protecting each other)

If something you do with Clevername causes legal trouble for me — a lawsuit, a claim, damages — I need you to have my back. Specifically, you agree to cover losses and legal costs arising from:

- Your use of the service or activity under your account
- API charges from keys you stored here
- Things your AI agents did (including scheduled tasks)
- Breaking these terms or any law
- Violating an AI provider's terms of service
- Violating the terms of services your agents interact with
- Content you generate, upload, or process through Clevername
- Automated workflows you set up that cause problems for others
- Data you export via SIEM or webhooks that gets mishandled on your end

I'm not trying to be adversarial here. This is standard protection that lets me keep running the service without the risk that one user's misuse puts the whole platform (and me personally) in jeopardy. This survives if you close your account.

20. Limitation of liability — please read this

I need to be direct here: Clevername is built and run by one person. I don't have the resources to absorb large financial losses, and these terms reflect that.

Clevername is provided without warranty of any kind — no guarantees of merchantability, fitness for a particular purpose, or non-infringement. I do my best, but I can't promise the service will be perfect, uninterrupted, or error-free.

I am not liable for indirect, incidental, special, consequential, or punitive damages, including:

- Financial losses from compromised API keys or site credentials
- Charges from AI providers (your keys, your responsibility for spending limits)
- Things your AI agents do, whether you approved them or they were auto-approved
- Data loss or unintended exposure through documents, memory, or log forwarding
- Business interruption or lost profits
- Security scanning missing a threat or blocking something it shouldn't have
- Kill-switch or emergency actions disrupting your workflows
- AI provider cost overruns from keys you stored here
- External services (SignedApproval, n8n, your SIEM) being down
- PAM sessions, SSO, or SCIM issues from misconfiguration

The maximum total I can be liable for is the greater of what you've paid me in the last 12 months or $100. If you're on the free plan and haven't paid anything, the cap is $100. I know that sounds small, but I'm a solo developer — I genuinely cannot take on open-ended financial liability for a service that handles other people's API keys and AI agents. Please set spending limits with your AI providers. That's the real protection.

To be clear: your AI agents are your responsibility. I provide the pipes, the scanning, and the guardrails. I don't evaluate whether any individual agent action is safe or appropriate.

21. Data and privacy

Use of the Service is governed by our Privacy Policy, which is incorporated into these Terms by reference. Your conversation content, AI request/response data, and project files are stored to provide the Service and enforce your security policies. We do not use your data to train AI models, sell to third parties, or for any purpose beyond providing and securing the Service. You retain ownership of your data and may export or delete it at any time. Upon account deletion, all your data — including stored API keys, conversation history, project files, and configuration — will be permanently deleted within 30 days. Audit logs associated with organizations may be anonymized rather than deleted to preserve organizational security records.

22. Closing your account

You can cancel anytime from the dashboard or by emailing me. If you violate these terms, I may suspend or close your account — immediately if there's a security concern, with notice otherwise. When your account closes (however it happens):

- All your API keys are permanently deleted from Secret Manager
- Your data is deleted per the Privacy Policy
- Any running agent sessions or scheduled tasks are stopped immediately
- Your scoped API tokens (cnk_* keys) are revoked

The sections about API key custody (4), indemnification (19), liability limits (20), and privacy (21) still apply after your account is closed.

23. Governing law

These terms are governed by the laws of the State of Georgia, USA. If we end up in a dispute (I hope we don't), it'll be handled in the state or federal courts in Georgia.

24. Changes to these terms

I may update these terms as the platform evolves. For anything significant — changes to how I store keys, liability limits, or indemnification — I'll email you at least 30 days before the change takes effect. You'll also see an acceptance prompt in the dashboard when terms change. If you keep using Clevername after changes take effect, that counts as accepting the new terms. If you disagree with an update, you'll need to stop using the service.

25. Get in touch

- Questions about these terms: [email protected]
- Security concerns: [email protected]
- Privacy or data requests: [email protected]

All of these go to me — Alex Floyd, Floyd Media LLC, Georgia, USA.