This Buildvox Service Addendum ("Addendum") supplements the Nimvox Terms of Service ("Terms"). It governs your use of Buildvox, Nimvox's managed Backend-as-a-Service (BaaS) platform.
In the event of a conflict between this Addendum and the main Terms, this Addendum governs for Buildvox-specific matters. All other provisions of the main Terms remain in full force and effect.
2. Definitions
In addition to the definitions in the main Terms, the following terms apply to Buildvox:
"Project" means an isolated environment within Buildvox that contains its own users, configuration, credentials, and data. Each Project operates independently.
"API Key" means the authentication credential (Project ID and secret key pair) used to access Buildvox services programmatically.
"Gateway" means the Buildvox API Gateway that routes requests to the appropriate backend service and enforces rate limits and authentication.
"SDK" means the software development kits (TypeScript and Python) provided by Nimvox for integrating with Buildvox services.
"Service" means one of the backend microservices provided by Buildvox: Authentication, Email, Payments, Notifications, or Messaging.
"Webhook" means an HTTP callback sent by Buildvox to your application's endpoint when specific events occur (e.g., payment completed, user registered).
"End User" means a user of your application who interacts with Buildvox services indirectly through your integration.
3. Platform Service Description
Buildvox is a managed Backend-as-a-Service platform that provides the following services through a unified REST API:
Authentication: User registration, login (email/password and OAuth), email verification, password reset, JWT session management, and user management.
Payments: Stripe and PayPal checkout integration, subscription management, billing history, webhook processing, and customer portal sessions.
Notifications: In-app notification delivery, read status tracking, and unread count queries.
Messaging: End-to-end encrypted messaging between users, with thread management and participant controls.
API Gateway: Unified entry point for all services with per-project authentication, tier-based rate limiting, and usage metering.
Buildvox services are accessible via the REST API and through official TypeScript and Python SDKs provided by Nimvox.
4. Multi-Tenancy & Project Isolation
Each Buildvox Project is logically isolated with its own database records, API credentials, and configuration. You acknowledge and agree that:
There is no cross-project data access — data from one Project cannot be read or modified by another Project
You are solely responsible for how you use Buildvox APIs within your own applications
You are responsible for maintaining your own terms of service and privacy policy with your End Users
Nimvox is not responsible for the products, services, or experiences you build using Buildvox
You must ensure your use of Buildvox complies with all applicable laws and regulations in your jurisdiction
5. Payment Processing (Shared Responsibility)
Buildvox's Payment Service proxies Stripe and PayPal transactions on behalf of your application. The following shared responsibility model applies:
5.1 Nimvox's Responsibilities
Secure webhook signature verification for both Stripe and PayPal events
Tokenized payment interactions — credit card data never touches Nimvox servers
Transaction logging and billing history
Idempotent webhook event processing
5.2 Your Responsibilities
Configuring your own Stripe and/or PayPal credentials via Project settings
Managing your checkout flow and End User payment experience
Handling payment disputes, refunds, and chargebacks with your End Users
Maintaining PCI compliance for any payment data you handle outside of Buildvox
Ensuring your payment processing complies with applicable financial regulations
Nimvox is not liable for payment disputes between you and your End Users. Buildvox operates under PCI SAQ A compliance — card data is handled entirely by Stripe and PayPal through their tokenized/redirect models.
6. Email Delivery
Buildvox provides transactional email delivery through its Email Service. You acknowledge that:
Email delivery is provided on a best-effort basis. Nimvox does not guarantee delivery to all recipients
Nimvox is not liable for emails being filtered as spam, rejected by recipient mail servers, or delayed in delivery
You are responsible for ensuring the content of emails sent through Buildvox complies with applicable laws, including CAN-SPAM (which requires a physical mailing address in commercial emails) and GDPR (which requires appropriate consent for marketing communications)
You must verify your sending domain (DKIM, SPF, DMARC) for optimal deliverability. Nimvox provides tools to facilitate domain verification but cannot guarantee domain reputation
Email volume limits apply per tier. Exceeding your tier's monthly email limit may result in email delivery being throttled or suspended until the next billing cycle
7. SDK & API Usage
Nimvox provides official TypeScript and Python SDKs for integrating with Buildvox services. You acknowledge that:
SDKs are provided "as-is" without warranty. They are not covered by any service-level agreement
Breaking API changes will be communicated with reasonable advance notice
Nimvox may deprecate API endpoints with at least 60 days' notice
You are responsible for keeping your SDK version up to date and adapting to API changes
API rate limits are enforced by the Gateway. Exceeding your tier's rate limits will result in HTTP 429 (Too Many Requests) responses
8. Webhook Security
Buildvox sends Webhooks to your application's endpoints when certain events occur. You are responsible for securing your webhook integration:
Signature verification is mandatory: You must verify the cryptographic signature on every incoming Webhook using the shared secret provided in your Project settings
Nimvox is not liable for any actions your application takes based on unverified Webhook payloads, including forged or replayed events
Each Webhook event includes an idempotency key. You should implement deduplication logic to handle potential retries
Nimvox may retry failed Webhook deliveries. Your endpoint should return a 2xx HTTP status code to acknowledge receipt
9. Secure Messaging
Buildvox's Messaging Service provides end-to-end encrypted communication between End Users of your application. You acknowledge that:
Messages are encrypted using AES-256-GCM. Nimvox cannot access, read, or decrypt message content
Secure Messaging is available on higher-tier plans only
You are solely responsible for the content of messages sent between your End Users
The Messaging Service is not intended for communications subject to industry-specific regulatory requirements (such as HIPAA for healthcare or SOX for financial reporting) unless you independently ensure compliance with those regulations
Nimvox is not responsible for message delivery failures, latency, or message content
10. Data Processing & GDPR Data Processor Role
When you use Buildvox to process data of your End Users, the following data protection framework applies:
10.1 Roles
You are the data controller: You determine the purposes and means of processing your End Users' personal data
Nimvox is the data processor: Nimvox processes End User data solely as instructed by you through your API calls and Project configuration
10.2 Your Obligations
Obtaining appropriate consent or establishing a lawful basis for processing your End Users' personal data
Maintaining your own privacy policy that accurately describes your data processing activities
Responding to data subject requests from your End Users (access, correction, deletion, portability)
Notifying Nimvox promptly if you become aware of a data breach involving End User data processed through Buildvox
10.3 Nimvox's Commitments
Processing End User data solely in accordance with your instructions via the API
Maintaining appropriate technical and organizational security measures, including: bcrypt (cost factor 12) password hashing, SHA-256 hashed email verification tokens, JWT session tokens in httpOnly/Secure/SameSite cookies, and HTTPS encryption in transit
Notifying you promptly if Nimvox becomes aware of a data breach affecting your End Users' data
Deleting or returning End User data upon termination of your account, subject to the retention periods described in the main Terms
10.4 Data Processing Agreement
A formal Data Processing Agreement (DPA) is available on request for Enterprise-tier customers. To request a DPA, contact us at contact@nimvox.dev.
11. Service Tiers, Rate Limits & Billing
Buildvox is offered in multiple tiers (Starter, Pro, Team, and Enterprise), each with different limits on the number of Projects, End Users, monthly email volume, and features available. Current pricing, limits, and feature availability are listed at nimvox.dev.
11.1 Rate Limits
The Buildvox API Gateway enforces rate limits on a per-Project, per-tier basis. If your application exceeds the rate limits for your tier, the Gateway will return HTTP 429 (Too Many Requests) responses. You are responsible for implementing appropriate retry logic and backoff strategies in your application.
11.2 Billing
Subscriptions are billed monthly via Stripe
No refunds are provided for partial months
Pricing may change with 30 days' notice as described in Section 15 of the main Terms