Need help with your APIs? I offer API discovery, governance & evangelism services. Explore services →
API Evangelist API Evangelist
Learnings
Guidance
Toolbox
Alignment
API Evangelist LLC

Legal

The legal aspects of producing and consuming APIs can quickly derail even the best-laid plans for API producers and disrupt the roadmaps of developers building applications and integrations. Terms of service and privacy policies should always be prominently displayed wherever an API is distributed and included as part of supporting artifacts for documentation, onboarding, and discovery. While terms of service and privacy policies are the foundation of API legal considerations, other elements—such as licensing, codes of conduct, copyright, deprecation policies, and service level agreements—are becoming increasingly important. Legal requirements for APIs should always be reviewed by legal teams and ideally revisited with the release of any new API to ensure compliance and clarity.

Policies

Consent and DPA Provided

Every API that touches personal data must provide a data processing agreement and a clear record of the consent under which that data is handled. I require that the DPA be available to consumers be...

Consumer Rights Honored

Require that an API honors the rights of its consumers and the people its data represents, including access, correction, portability, and deletion. As APIs become the infrastructure of public and e...

Data Ownership Respected

Require that an API respects the ownership of the data it handles, treating consumer and end-user data as belonging to them rather than to whoever stores it. Ownership shapes what a provider may do...

Data Residency Enforced

I require that every API declares where the data it handles is stored and processed, and that those residency commitments are actually enforced rather than merely stated in a policy document. Consu...

Data Retention Defined

Require that every API declare a written retention policy stating how long each category of data is kept, why it is kept, and when it is destroyed. I expect this policy to be discoverable alongside...

Governance

Governance standardizes APIs across teams using a common platform and lifecycle, applying governance policies and rules, and keeping everyone moving in the same direction using common guidance.

API Licensing

Publishing a license for the interface, client code, server code, and data to ensure consumers understand the legal implications of using the API, code, and data into their own applications and int...

Privacy Policy

Publishing a privacy policy covering the producer and consumers of an API, as well as end-users of applications, adding to the legal resources that are available to 3rd party developers when puttin...

Standards

Internet, industry, market, and government standards help make APIs more consistent, but also save time and money for both producer and consumer, while keeping APIs better aligned with existing ind...

Terms of Service

Making sure that terms of service are front and center for API consumers, ensuring that the legal side of using API resources and capabilities in applications and integrations by 3rd party consumer...

Strategies

API Data Is Classified and Protected

All data exposed through APIs must be classified by sensitivity level, with appropriate protections applied based on classification, ensuring that PII, financial data, and other sensitive informati...

APIs Are Aligned with Industry Using Standards

All APIs must be using relevant Internet, industry, and government standards available, ensuring to properly research areas of operations to see what existing standards may exist before the creatio...

APIs Are Legally Covered

All APIs must be reviewed by legal council and posses terms of service, privacy policy, licensing, and other regulatory and compliance requirements, making sure all the legal bases are covered bef...

APIs Earn and Maintain Consumer Trust

All APIs must demonstrate trustworthiness through transparent service level commitments, consistent deprecation policies, reliable performance, proper security, and clear legal terms, building the ...

APIs Meet Regulatory and Compliance Requirements

All APIs must be mapped to applicable regulatory and compliance requirements including GDPR, SOC2, PCI-DSS, and HIPAA, ensuring that API designs, data handling, and operations satisfy legal obligat...

APIs Must Be Actively Governed

All APIs being produced must be governed as part of the overall strategy, using the platform, as well as a common API lifecycle, applying policies and rules, and keeping teams moving in the same di...

APIs Respect Data Privacy and Residency

I want privacy and residency to be built into how our APIs handle data, not bolted on after a regulator or a customer asks the hard question. That means we classify the PII moving through our APIs ...