Loan Limit API — Terms of Use

Terms of use for the Desata Loan Limit API.

Effective date: July 7, 2026

These terms govern access to and use of the Desata Loan Limit API. By requesting API credentials, or by accessing or using the API, your institution agrees to these terms. The individual requesting credentials or accepting these terms on behalf of an institution represents that they are authorized to bind that institution.

Desata Analytics, Inc. (“Desata,” “we,” “us”) is a Delaware corporation that provides compliance tools for financial aid offices at Title IV institutions. These terms apply to paid API access only. The free web calculator at loanlimit.app is governed by separate terms of use available on that site.

1. Service description

The Loan Limit API provides the following capabilities:

  • (a) Individual student lookup — accepts enrollment parameters and returns the federal loan limit calculated under the applicable schedule of reductions.
  • (b) Bulk validation — accepts a batch of enrollment parameter sets and returns calculated loan limits for each record in the batch.

The capabilities available to your institution are those made available under your subscription, as confirmed in writing when your API credentials are issued.

The API performs calculations based on the schedule of reductions published by the U.S. Department of Education under the One Big Beautiful Bill Act.

2. License grant; single institution

We grant the subscribing institution a limited, non-exclusive, non-transferable license, revocable only as provided in Section 17, to access and use the API for the financial aid operations of that institution and its students.

The subscribing institution is the single institution identified when API credentials are issued. Personnel of the institution’s parent company or affiliates, and the institution’s service providers, may use the API under the institution’s credentials solely on behalf of and for the benefit of the subscribing institution and its students, and the subscribing institution remains responsible for their compliance with these terms. Use of the API or its outputs for the operations or students of any other institution, including any affiliate of the subscribing institution or its parent, requires a separate subscription.

3. No resale or redistribution

You may not resell, sublicense, or redistribute API access or API outputs as a service to third parties. You may not build a product or service on top of the API for use by other institutions or organizations without our prior written consent.

Using API outputs in the normal course of your institution’s financial aid operations, including sharing results with auditors, accreditors, or the Department of Education, is permitted.

4. Intellectual property; your data

The API, including all calculation logic, algorithms, documentation, and related materials, is and remains the property of Desata Analytics, Inc. Nothing in these terms transfers any intellectual property rights to you.

As between the parties, your institution retains all rights in the data it submits to the API, and may use API outputs generated for it in its internal operations without restriction other than Section 3.

If your institution provides feedback, suggestions, or ideas regarding the API, your institution grants Desata a perpetual, irrevocable, royalty-free license to use them without obligation or attribution.

5. API key responsibility

Each subscribing institution receives one or more API keys. You are responsible for keeping your API keys secure and confidential. Do not share API keys with individuals outside your institution (except as permitted by Section 2) or embed them in client-side code, public repositories, or other locations accessible to unauthorized parties.

You are responsible for activity that occurs under your API keys, except to the extent such activity results from Desata’s breach of these terms or a failure of Desata’s systems. If you believe a key has been compromised, notify us immediately at [email protected] and we will promptly disable it and issue a replacement.

6. Rate limits and usage restrictions

The API does not currently enforce rate limits. Desata may introduce or adjust reasonable rate limits on thirty (30) days’ notice to your institution’s designated contact. Exceeding published rate limits may result in throttled or temporarily suspended access.

You agree not to: (a) attempt to circumvent rate limits or access controls; (b) use the API in a way that disrupts or degrades service for other subscribers; (c) reverse-engineer the API or attempt to extract the underlying calculation logic; or (d) use automated tools to probe, test, or attack the API infrastructure.

7. Data accuracy and reliance

The API returns calculated results based on the enrollment parameters you provide and the regulatory framework in effect at the time of the request. The accuracy of results depends on the accuracy of your inputs.

Your institution bears sole responsibility for any disbursement, award, or compliance decision made using API results. The API is a calculation tool. It does not replace the professional judgment of your financial aid staff, and it does not constitute a determination of student eligibility, award amounts, or disbursement timing.

You are responsible for verifying API outputs against applicable regulations before acting on them.

8. Regulatory basis

The API’s calculations reflect federal regulations as published by the U.S. Department of Education and implemented in the API in accordance with Desata’s published methodology. The regulatory basis for the API’s calculations is identified in the API documentation and will be provided on request.

When a final rule published in the Federal Register changes the schedule-of-reductions framework implemented by the API, Desata will use commercially reasonable efforts to update the API promptly and to notify your institution’s designated contact when the change is published and again when the API has been updated to reflect it.

Between publication of a final rule and completion of the API update, results will reflect the prior regulatory framework. The API documentation identifies which framework is in effect. During this window, your institution is responsible for independently verifying whether current outputs remain appropriate before acting on them. Desata’s updating of the API in accordance with this section is your institution’s sole and exclusive remedy in respect of regulatory change.

The API is a compliance support tool for financial aid professionals. It is not legal advice, regulatory guidance, or a substitute for consultation with qualified counsel. Desata does not guarantee that API outputs will satisfy any particular audit, program review, or regulatory standard.

10. Your institution’s responsibility

Under 34 CFR Part 668, the institution participating in Title IV programs is responsible for administering those programs in accordance with federal requirements. This responsibility cannot be delegated to a vendor or calculation tool.

Your use of the API does not change your institution’s obligations under federal student aid regulations. Your institution remains solely responsible for determining student eligibility, calculating award amounts, and making disbursement decisions, regardless of whether those decisions are informed by API outputs.

Desata certifies that it is not debarred, suspended, or otherwise excluded from participation in federal programs.

11. No student personal data; record references

The API is designed for data minimization. Its schema accepts only de-identified enrollment and loan calculation parameters and contains no fields for names, Social Security numbers, dates of birth, or contact information.

Do not include personal data in API requests. The only identifier permitted in any API request is a Permitted Record Reference: a randomized or pseudonymous value generated by your institution solely to match bulk request rows to results, which is not, and does not contain or encode, a name, Social Security number, date of birth, institutionally assigned student identification number, or any other value from which Desata could identify an individual. Desata processes Permitted Record References only as reasonably necessary to process the request and return results, and for no other purpose.

Any personal data submitted contrary to this section is unauthorized. Upon discovering such data, or upon your notice, Desata will promptly delete or irreversibly de-identify it and confirm to you; that deletion is Desata’s sole obligation, and your institution’s sole remedy, with respect to such data, and prompt remediation under this paragraph is not a breach of these terms by either party. Inadvertent submission does not make Desata a processor of personal data on your institution’s behalf.

Desata does not receive or maintain education records and does not perform an institutional service or function for which it would be considered a “school official” under FERPA (34 CFR 99.31(a)(1)).

12. Availability

The API is provided without a service level agreement. We will make reasonable efforts to maintain availability, but we do not guarantee uninterrupted or error-free access.

We will provide reasonable advance notice before making breaking changes to the API’s request or response format. Planned downtime for scheduled maintenance will be communicated in advance when feasible.

If the API is materially unavailable for more than ten (10) consecutive business days, your institution may terminate its subscription and receive a pro-rata refund of prepaid, unused fees as its exclusive remedy for the unavailability.

The API is a machine-to-machine service with no student-facing or end-user interface; WCAG and Section 508 conformance documentation (VPAT) is therefore not applicable to the API itself. Developer documentation targets WCAG 2.1 AA.

13. Limited warranty; disclaimer

Desata warrants that (a) the API will materially conform to its published documentation and will implement the schedule-of-reductions framework identified in that documentation, and (b) Desata will not knowingly introduce any virus or other malicious code into the API. Your exclusive remedy, and Desata’s sole obligation, for breach of this warranty is correction or re-performance of the affected calculations or, if Desata cannot correct the nonconformity within thirty (30) days of notice, termination of your subscription with a pro-rata refund of prepaid, unused fees.

EXCEPT AS EXPRESSLY STATED ABOVE, THE API IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, AND NON-INFRINGEMENT. TO THE EXTENT APPLICABLE LAW PROHIBITS EXCLUSION OF ANY IMPLIED WARRANTY, SUCH WARRANTY IS LIMITED TO THE MINIMUM PERIOD AND SCOPE PERMITTED BY LAW.

14. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THE API, THE SERVICES, OR THE SUBJECT MATTER OF THESE TERMS — REGARDLESS OF THE NUMBER OF CLAIMS OR THE THEORY OR FORM OF ACTION — SHALL NOT EXCEED THE GREATER OF (A) THE TOTAL FEES PAID OR PAYABLE BY THE SUBSCRIBING INSTITUTION TO DESATA IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM AND (B) THE ANNUAL SUBSCRIPTION FEE FOR THE THEN-CURRENT TERM. THIS CAP IS A SINGLE AGGREGATE CAP, SHARED WITH AND NOT IN ADDITION TO ANY LIMITATION OF LIABILITY IN ANY OTHER AGREEMENT BETWEEN DESATA AND THE SUBSCRIBING INSTITUTION OR ANY OF ITS AFFILIATES.

IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING DAMAGES FOR INCORRECT DISBURSEMENTS, AUDIT FINDINGS, REGULATORY PENALTIES, LOSS OF DATA, OR BUSINESS INTERRUPTION, REGARDLESS OF THE CAUSE OF ACTION OR THEORY OF LIABILITY.

The limitations in this section do not apply to: (a) a party’s willful misconduct, fraud, or gross negligence; (b) your institution’s payment obligations; or (c) a party’s indemnification obligations under Section 15.

15. Indemnification

By the institution. Your institution will defend and indemnify Desata and its officers, directors, employees, and agents against third-party claims, and resulting damages, losses, costs, and reasonable attorneys’ fees, to the extent arising from: (a) your institution’s eligibility, award, or disbursement decisions, including decisions informed by API outputs; (b) your institution’s knowing and uncured violation of Section 11; or (c) resale or redistribution of the API or its outputs in violation of Section 3.

By Desata. Desata will defend and indemnify your institution against third-party claims alleging that the API, as provided by Desata and used in accordance with these terms, infringes a United States patent, copyright, or trademark, or misappropriates a trade secret, and will pay resulting damages, losses, costs, and reasonable attorneys’ fees finally awarded or agreed in settlement. This obligation does not apply to claims arising from: combination of the API with systems or data not provided by Desata, where the claim would not have arisen but for the combination; modifications not made by Desata; use in violation of these terms; or use after Desata has notified you of a claim and provided a non-infringing alternative. If an infringement claim arises or is likely, Desata may procure the right for you to continue using the API, modify it to be non-infringing without material loss of functionality, or terminate your subscription and refund prepaid, unused fees. This section states Desata’s entire liability, and your institution’s exclusive remedy, for infringement claims.

Procedures. The indemnified party must give the indemnifying party prompt written notice of the claim, tender sole control of the defense and settlement (except that no settlement imposing an admission of liability or non-monetary obligation on the indemnified party may be made without its consent, not to be unreasonably withheld), and provide reasonable cooperation at the indemnifying party’s expense.

16. Fees and payment

Subscription fees, the subscription term, and the subscribing institution are stated in the written subscription confirmation or invoice issued when API credentials are provided. Invoices are payable net thirty (30) days. Except as expressly provided in these terms, fees are non-refundable.

Terms printed on or attached to a purchase order, vendor portal, or similar procurement document do not modify these terms, and are rejected, unless expressly agreed to in a writing signed by Desata.

17. Term and termination

The subscription term is twelve (12) months from issuance of API credentials, unless a different term is stated in the subscription confirmation. Subscriptions renew for successive twelve-month terms upon payment of the renewal invoice; either party may elect not to renew by written notice before the end of the then-current term.

Either party may terminate for material breach if the breach is not cured within thirty (30) days of written notice. Desata may suspend or terminate access immediately, with notice, if your API keys are compromised and not reported, or if your use of the API poses a security risk to our infrastructure or other subscribers. Desata may also terminate for convenience on sixty (60) days’ written notice. If Desata terminates for convenience, or for any reason other than your institution’s uncured breach or the security grounds described above, Desata will refund prepaid fees pro-rata for the unused portion of the term.

Upon termination, your API keys will be deactivated and your license will end. On written request following termination, Desata will delete inputs submitted by your institution that remain in its systems, retaining only de-identified, aggregated data as described in Section 19. The following sections survive termination or expiration: No resale or redistribution (3), Intellectual property; your data (4), Data accuracy and reliance (7), Not legal or compliance advice (9), Your institution’s responsibility (10), No student personal data; record references (11), Limited warranty; disclaimer (13), Limitation of liability (14), Indemnification (15), Fees and payment (16, as to accrued obligations), Publicity (18, as to the period of subscription), De-identified aggregate data (19), Assignment (21), No third-party beneficiaries (22), Governing law and disputes (23), and Entire agreement; notices; severability (26).

18. Publicity

Neither party will issue a press release, use the other’s logo, or publish a case study or other public marketing statement about the relationship without the other’s prior written approval. Desata may identify the subscribing institution by name in customer lists and in confidential communications with bona fide prospective investors, acquirers, and professional advisers who are bound by confidentiality obligations, in each case to the extent not restricted by a separately signed confidentiality agreement between the parties. Neither party will state or imply the other’s endorsement of its products or services.

19. De-identified aggregate data

Desata may collect, retain, and use de-identified, aggregated usage and calculation data that does not identify the subscribing institution, any other institution, or any individual, to operate, maintain, and improve its services and in aggregate statistics across its customer base (for example, total calculations performed). This section survives termination.

20. Security

Desata maintains commercially reasonable administrative and technical safeguards for the API, including encryption in transit, per-institution credentials, and schema-level data minimization, and maintains cyber liability insurance of at least $1,000,000 per claim during the subscription term. Desata will notify your institution’s designated contact without undue delay of any confirmed security incident affecting your institution’s use of the API or data submitted by your institution. Desata will respond to one reasonable written security questionnaire from your institution per subscription year, in lieu of any audit right under these terms.

21. Assignment

Your institution may not assign its subscription or these terms, in whole or in part, including by operation of law, change of control, or internal reorganization, without Desata’s prior written consent; any purported assignment without consent is void. Consent will not be unreasonably withheld, conditioned, or delayed for an internal reorganization in which the subscribing institution’s operations and scope of use under these terms are unchanged. Desata may assign these terms without consent to a successor in connection with a merger, acquisition, financing, or sale of all or substantially all of its assets. These terms bind and benefit the parties’ permitted successors and assigns.

22. No third-party beneficiaries

These terms are for the sole benefit of Desata and the subscribing institution. Nothing in them confers any right or remedy on any third party, including any affiliate of the subscribing institution or its parent, or any student, borrower, or applicant, except that the persons indemnified under Section 15 may benefit from the indemnities stated there.

23. Governing law and disputes

These terms are governed by the laws of the State of Delaware, without regard to conflict of law principles.

Any dispute arising out of or relating to these terms or the API shall first be submitted to good-faith negotiation between the parties for thirty (30) days, and shall thereafter be resolved exclusively in the state or federal courts located in Delaware, and each party waives any objection to venue in those courts. Either party may seek injunctive or other equitable relief in those courts at any time, without first completing the negotiation period.

24. Modification of terms

We may update these terms from time to time. If we make material changes, we will notify your institution’s designated contact by email at least thirty (30) days before the changes take effect; the notice will include the revised terms and their effective date. Material changes that reduce the capabilities of a paid subscription will not take effect until the start of the next subscription term. If your institution objects to a material change, it may terminate its subscription by written notice before the change takes effect and receive a pro-rata refund of prepaid, unused fees. Continued use of the API after the effective date of revised terms constitutes acceptance.

25. Force majeure

Neither party shall be liable for any failure or delay in performance, other than obligations to pay fees, resulting from causes beyond its reasonable control, including acts of God, natural disasters, pandemic, government action, internet or infrastructure disruption, or other events that could not reasonably be anticipated or prevented.

26. Entire agreement; notices; severability

These terms, together with the subscription confirmation or invoice, are the entire agreement between the parties regarding access to and use of the API and supersede prior communications regarding API access. They do not amend any separately signed agreement between Desata and your institution or its affiliates. The parties do not intend that any personal data be submitted to the API; any personal data submitted contrary to Section 11 is handled as provided in Section 11.

Legal notices to Desata must be sent to [email protected]. Legal notices to your institution will be sent to the designated contact provided when API credentials are issued. Email notice is effective one business day after transmission without a delivery failure.

If any provision of these terms is found to be unenforceable, the remaining provisions will remain in full force and effect.

27. Contact

Desata Analytics, Inc. Questions about these terms: [email protected]