A Big One

Runway Agent launched this week, and three legal documents moved together to support a single shift. Runway now defines itself as a service that other software connects to and calls, not only a site a person opens. The consumer Terms of Use, the Enterprise Terms of Use, and the Privacy Policy were each rewritten around the Model Context Protocol (MCP), the connector standard that lets AI tools call other applications and lets other applications call AI tools.

Read as one revision, they do a single thing: they move Runway from a destination you visit to a service your pipeline talks to, and they assign the new risk that rides along to whoever opens the connection. Runway is the first creative-AI platform we cover to write MCP into its terms on both the consumer and enterprise side.

In human terms: A VFX studio connects Runway to its pipeline so an agent can pull shot data from ShotGrid, run a Runway model against the plate, and write the result back to the production tracker. No one opens a browser. The agent runs the loop on its own. Under the rewritten terms, switching on that connection authorizes Runway to move the studio's account data to ShotGrid, and it makes the studio, not Runway, answerable for the data and actions that come back across the link. The pipeline got faster, and the VFX studio inherited a category of liability they were not carrying last week.

Why this matters: A destination and a piece of infrastructure are not priced, governed, or secured the same way, and this revision is Runway agreeing to be the second kind of thing - infrastructure. The contract language is the leading edge of that change. It defines what a connected agent may do, who answers when it does something wrong, and what counts as data once a third party is feeding the system on your behalf. Those questions are being settled now, ahead of the parts of the platform that users feel most directly, such as how access is metered and rate-limited. When a platform rewrites its terms to behave like infrastructure, the rest of the platform tends to follow. The pricing and rate-limit surface is the next place to watch.

The mechanics: Consumer Terms of Use, new Section 17.3, Non-Runway Services. The clause governs tools that connect to Runway “via a model context protocol (MCP) server or other tool-calling interfaces.” Enabling one carries three consequences. You authorize the data transfer: “By enabling a Non-Runway Service, you authorize Company to transfer data from your Account to the applicable provider.” You take on the responsibility: you are “solely responsible for the Non-Runway Services you enable, any API keys or other credentials provided, and any data and actions originating from” them. And you accept a conduct rule that is a first in our coverage: you “may not use Non-Runway Services to circumvent rate limits,” “override system instructions,” or “exfiltrate data through prompt injection or similar techniques.”

Read that prohibition precisely. It binds Runway's own users, and it gives Runway grounds to act against an account that breaks it. It does not make a connected pipeline safe, and it does not reach a third party or an injection that originates outside Runway's user base. What it marks is that prompt injection has reached the contract layer of a creative-AI platform, which we have not seen before. Runway also reserves the right to “throttle, suspend, or terminate Non-Runway Services access at its sole discretion.”

Enterprise Terms of Use, Section 5, Connected Accounts, rewritten. The prior version required the customer to warrant that it was entitled to disclose its log-in credentials and that it was in good standing with the third-party provider. Both warranties were removed. In their place sits one broader line: “Customer is solely responsible for any data and actions originating from the Connected Accounts.” The enterprise side picked up the same MCP support the consumer side did, and the customer picked up more of the downstream risk. Shorter on the page, heavier on the customer.

Privacy Policy, user-content definition expanded. What Runway counts as user content now explicitly includes “prompts, photos, images, music, videos, audio, screen sharing,” along with “content or information from third party applications you choose to connect with our Services and transcripts and recordings generated through the Service.” That list reads as the operational profile of an MCP-connected agent. The definition now also reaches content submitted by “third parties acting on your behalf,” which captures data arriving through MCP-mediated workflows. Japan, Indiana, Kentucky, and Rhode Island joined the jurisdictions with extra privacy rights.

Also in this revision, and not MCP-driven: Two changes rode along that are worth recording but are not the story. Runway added a Stock Avatars and Custom Avatars framework in which Section 3.1 treats Custom Avatars as the user's content while Section 4.1 lists them among what Runway owns. We are treating the conflict as a likely drafting error, and either way Custom Avatar ownership is not settled enough to quote. Separately, Runway's liability disclaimers now carve out “intentional misconduct or gross negligence” by Runway itself, which cuts against the year's general drift and modestly strengthens the user's hand.