Transmute
Legal Center
The documents that govern the Transmute API, effective July 14, 2026. The full suite is published here, and each document is available in full at its own URL.
Core Terms & Policies
Terms of Service
v1.0 · Effective July 14, 2026The agreement for using the Transmute API: plans, quotas and rate limits, metered overage where enabled, acceptable use, service disclaimers, and liability. SWIFT is a trademark of S.W.I.F.T. SCRL; Transmute is an independent product and is not affiliated with or endorsed by SWIFT.
- Plans, quotas, and overage
- Acceptable use and service terms
- Disclaimers and limitation of liability
Privacy Policy
v1.0 · Effective July 14, 2026How Transmute handles data, which is mostly a story about what it never holds: message bodies are processed in request-scoped memory, never persisted and never logged. Covers the usage metadata we do keep, account and billing data, EU-only processing, and your rights.
- Statelessness: what is and is not retained
- Usage metadata and account data
- EU-only processing and your rights
Data Processing Addendum
v1.0 · Effective July 14, 2026Our processor commitments for the personal data inside your messages: statelessness as a binding processing behavior, sub-processing, breach notice, and the EU/UK/Swiss transfer clauses. Auto-incorporated into the Terms; a countersignable copy is available.
- Controller / processor roles
- Security measures (Annex II) and sub-processors
- SCCs, UK IDTA, and Swiss adaptations
Sub-Processor List
v1.0 · Effective July 14, 2026The third-party services behind the Transmute API and what each does. Deliberately short: statelessness means message content never reaches a sub-processor at rest.
- Content-path providers (Cloudflare, Neon)
- Account-path providers and Stripe
- No message content at rest, anywhere
Acceptable Use Policy
v1.0 · Effective July 14, 2026The uses that are prohibited or restricted — including that the Service converts formats and does not screen content, so sanctions and AML compliance remain your obligation as the regulated party.
- No unlawful use; we do not screen
- No metering circumvention or abuse
- Service-bureau use and resale rules
Support & Availability Policy
v1.0 · Effective July 14, 2026Our support channels, first-response targets by plan, and the 99.9% monthly availability target. These are operational targets, not a warranty or SLA; credit-bearing SLAs are Enterprise-only.
- Email support and business hours
- First-response targets by plan
- Availability target and exclusions
Trust & Security
Security Overview
v1.0 · Effective July 14, 2026How the Service is built and operated, written for security and vendor-due-diligence teams: stateless-by-design architecture, encryption, EU residency, access control, and CI-enforced assurance.
- Stateless design and the two exceptions
- Encryption, access control, and residency
- Aligned with SOC 2, not yet certified
Vulnerability Disclosure Policy
v1.0 · Effective July 14, 2026How to report a security issue and the safe-harbor protections that apply to good-faith research. Covers scope, coordinated-disclosure timing, and the synthetic-test-data requirement.
- How to report to security@403fin.io
- Safe-harbor terms and scope
- 90-day coordinated disclosure
Exit & Termination Assistance Statement
v1.0 · Effective July 14, 2026Why leaving is simple: the stateless design means there is no data gravity to unwind. Explains what you can take with you, the wind-down mechanics, and Enterprise transition cooperation.
- No lock-in; open standards in and out
- Credential revocation and payload purge
- Usage-metadata export on request
Enterprise & Self-Hosted
Enterprise Master Services Agreement
v1.0 · Effective July 14, 2026The negotiated framework for enterprise use of the hosted API, ordered through one or more Order Forms. Replaces the self-serve Terms for customers who contract on this paper.
- Framework plus Orders structure
- Fees, term, and credit-bearing SLAs
- Auto-incorporated DPA and DORA option
Enterprise Self-Hosted License Agreement
v1.0 · Effective July 14, 2026The license for installing Transmute in your own environment. The license mechanism is fully offline — no telemetry, no phone-home, no remote kill — so the deployment is air-gap capable.
- Offline, signed license keys
- Exact expiry and grace semantics
- No data processing; no DPA required
DORA / ICT Outsourcing Addendum
v1.0 · Effective July 14, 2026For EU financial-entity customers: the Article 28 and 30 provisions (locations, security, incident reporting, audit, sub-contracting, and exit) that let you use the Service as an ICT third-party service.
- Service description and EU locations
- Incident reporting and audit rights
- Termination and exit for financial entities
Order Forms are issued per deal under an Enterprise agreement rather than published here. Executed, countersignable copies of the DPA, the Enterprise agreements, and any Order Form are available on request — email legal@403fin.io.
Looking for Forbidden Finance's policies? They live in theForbidden Finance legal center. Company-level information is on the 403 Finance legal hub. Questions: support@403fin.io.