Apply.Build - Terms & Conditions (Beta)
Last updated 16 June 2025
1 Parties
These Terms (“Agreement”) are between
Codebite Oy (Business-ID FI-31350249),
“Provider”, and the entity or individual accepting them
(“Customer”, “Tenant”, “you”).
1.1 Definitions
- Service. The Apply.Build Platform and related APIs and dashboards.
- Resource Package. A predefined and limited amount of resources (e.g. 1 virtual CPU and 1 GiB memory) purchased per §3.
- Workspace. A Customer namespace in which Applications run.
- Application. A runnable container image deployed by Customer.
- Billing Period. One calendar month starting on the date of first charge (unless otherwise agreed).
2 Service description
Apply.Build is a managed application-hosting platform
that lets you deploy containerised web services without operating your own
infrastructure. Each customer application runs in its own isolated virtual
environment with predefined CPU and memory allocations. All data and
processing remain within the European Economic Area.
- Public access. Every application is reachable over HTTPS on a default sub-domain of {app}.apps.apply.build. You may also attach custom domains; the platform automatically provisions and renews trusted TLS certificates. Applications may initiate outbound connections to the Internet unless explicitly blocked by a prevailing policy.
- Resource packages. You purchase CPU / memory packages in advance and can distribute those resources across your applications at any time during the billing period.
- Security & isolation. Applications are strictly separated from one another, and traffic between customer environments is blocked by default. Only external traffic routed through a controlled ingress will be able to reach your service by default.
- Threat-detection. All inbound HTTP requests are inspected by an automated intrusion detection/prevention system. Suspicious requests may be blocked before they reach your Application.
- Monitoring & logs. Basic performance graphs and recent application logs are available in the dashboard for the last seven (7) days.
- Data location. Compute and observability data are stored on servers located in Finland; data will not be moved outside the EEA without notice.
- Back-ups. During the beta programme, no platform backups are provided. You are responsible for keeping external copies of any critical data.
- Beta status. The platform is offered in public beta: functionality may change, and no uptime guarantee or service-credit programme is currently in place.
3 Resource Packages, billing & payment
- Each Resource Package (“Package”) provides 1 vCPU + 1 GiB RAM for one billing period (1 month).
- Packages are billed in advance; unused Packages expire at month-end.
- Cooling-off period: for new subscriptions (first purchase), unused Packages may be cancelled within 14 days of purchase for a full refund. After that, all sales are final.
- Billed currency is Euro (EUR), unless otherwise and separately agreed.
- Payments are processed by Stripe, Inc.; card data may be processed outside the EEA under Stripe's terms.
- Grace period: 30 days to cure failed payment before suspension.
- Over-provisioning: If Customer schedules workloads exceeding purchased Packages, deployment will be refused until additional Packages are purchased.
4 Service level & maintenance
- Target uptime: 99.97 % per calendar month (no SLA credits during beta).
- Maintenance: may be scheduled with 24 h notice; emergency work may occur without notice.
- Availability: Customer application reachable from public endpoint.
5 Support
- Standard support: 09:00 - 17:00 EET, Finnish business days.
- Support email: contact@codebite.fi.
- Enhanced support available under separate agreement.
6 Customer responsibilities
- Legal compliance. You must follow all applicable Finnish, EU, and international laws.
- Prohibited content & activities.
  - No illegal, defamatory, extremist, obscene, or pornographic content.
  - No unsolicited bulk e-mail (“spam”); no falsified headers.
  - No cryptocurrency mining, farming, plotting.
  - No attempt to scan, exploit, or otherwise harm the platform or other tenants.
  Provider may remove or disable any application, without notice, that in Provider's sole judgment violates these rules or otherwise negatively impacts the platform or its reputation.
- Security telemetry. You acknowledge that security telemetry (including source IP address and request path) may be analysed by the Provider's threat-detection engine to protect the Service. Provider may retain security-telemetry related to confirmed malicious activity (including source IP address and request details) indefinitely in order to enforce permanent blocks and protect the Service.
- Security configuration. You manage your own secrets and images, and must not deploy privileged workloads (including but not limited to privileged, hostNetwork, hostIPC, hostPID, hostPath volumes, or CAP_NET_RAW).
- Custom domains. You must keep required CNAME records. If a certificate cannot be issued or renewed within 72 h, Provider may disable the hostname.
- Fair-use bandwidth. Traffic that materially exceeds normal web-application usage may be rate-limited or suspended, solely determined at Provider's reasonable discretion. Provider will notify Customer and may require purchase of additional Resource Packages.
- Sanctions compliance. Customer shall not provide the Service to, or use it for the benefit of, any individual or entity that is the target of EU restrictive measures or U.S. OFAC sanctions, including denial-list nationals and embargoed countries.
- Export control. Customer shall not use the Service for activities subject to EU Dual-Use Regulation or U.S. EAR/ITAR without obtaining all required licences.
7 Data location, privacy & backups
- All data remains within the European Economic Area.
- No backups are provided while the platform is in Beta status; you must maintain your own backups.
8 Data protection (GDPR)
- Provider = Processor; Customer = Controller.
- Data Processing Agreement available on request by emailing contact@codebite.fi.
- Provider will notify Customer of any personal-data breach without undue delay and within GDPR timeframes.
- Provider maintains a list of authorised sub-processors, the technical-and-organisational measures (TOMs), and the record of processing activities as required by GDPR Art. 28 and will provide them to Customer on request. Provider will give at least 30 days' notice before adding or replacing a sub-processor.
- The platform uses CrowdSec in offline mode for application-layer threat detection. HTTP request metadata (IP address, headers, path) is copied to an internal CrowdSec database for up-to-7-day analysis. Metadata about requests that are deemed malicious may be stored indefinitely in order to help secure the platform and prevent future misuse. No data is transmitted to CrowdSec SAS or any other third party. Should Provider enable the optional community threat-intelligence feed in the future, Provider will update the Sub-processor list and notify Customers 30 days in advance.
9 Confidentiality
Each party (“Receiving Party”) shall keep confidential and not disclose to
any third-party any non-public information disclosed by the other party
(“Disclosing Party”) that is marked or reasonably understood as
confidential, except to employees, contractors and advisers who need to
know and are bound by similar obligations. The Receiving Party shall
protect such information with the same degree of care it uses for its own
confidential information, and not less than reasonable care. These
obligations survive five (5) years after termination, except for trade
secrets which remain protected as long as they qualify as trade secrets.
10 Intellectual property
- You retain ownership of your code, images, data.
- Provider retains ownership of platform software, documentation & trademarks.
- Customer grants Provider a non-exclusive, worldwide, royalty-free licence for the term of this Agreement to copy, store, execute and transmit Customer's images and data solely for the purpose of providing the Service.
- Customer grants Provider a perpetual, irrevocable, royalty-free licence to use any feedback or suggestions regarding the Service.
11 Suspension & termination
- Provider may suspend or delete workloads that breach §6 or remain unpaid > 30 days.
- You may cancel at any time; service continues until period-end. Unused Packages are non-refundable except during the initial 14-day cooling-off period.
- Provider will delete all Customer data and logs 30 days after effective termination. Customer may export data during this period via the dashboard or manual request. Administrative records required for tax, accounting, or otherwise legal purposes may be retained per statutory law.
12 Limited warranty & liability
- Service is provided “as is” during beta; no warranties.
- Exclusion of consequential damages.
- Liability cap: Provider's aggregate liability in any twelve-month period shall not exceed the fees actually paid by Customer in the three (3) months immediately preceding the event giving rise to the claim.
- In no event shall Provider be liable for lost profits, business interruption, lost data or any indirect, special or consequential damages, including but not limited to any loss of data resulting from Customer's failure to maintain external backups.
- Nothing limits liability for gross negligence or liabilities that cannot be limited under Finnish law.
13 Governing law & dispute resolution
The Parties shall first attempt in good faith to settle any dispute
through mediation in Helsinki under the Rules of the Finnish Bar
Association. If the dispute is not resolved within 90 days of a mediation
request, either party may refer the matter to the courts specified below.
Costs of mediation shall be shared equally.
This Agreement is governed by Finnish law. Jurisdiction: courts of
Helsinki, Finland.
14 Changes to these Terms
Provider may amend these Terms with 30 days' notice by e-mail or dashboard
banner. Continuing to use the Service after the effective date constitutes
acceptance. If Customer does not agree to the revised Terms, Customer may
terminate the Service within the 30-day notice period by e-mailing
contact@codebite.fi; no further
use of the Service will be allowed after the effective date.
15 Force-majeure
Neither party is liable for failure to perform due to events beyond its
reasonable control, including natural disasters, war, strikes, power or
network outages, or governmental action. Either party may terminate the
Agreement with written notice if the force-majeure event continues beyond
30 days.
16 Survival clause
Clauses on Intellectual Property, Confidentiality, Limitation of
Liability, Governing Law, and Survival shall survive termination.
17 Order of precedence
If a conflict exists between these Terms and a separately executed Master
Service Agreement (MSA) or Data Processing Agreement (DPA), the MSA/DPA
shall prevail for the conflicting subject matter.
18 Severability
If any provision of these Terms is deemed invalid, illegal, void or
unenforceable, then that provision will be deemed severed from these Terms
and will not affect the validity or enforceability of the remaining
provisions of these Terms.
© 2025 Codebite Oy - All rights reserved.