A-PAY COMPLIANCE, SECURITY, AND RISK MANAGEMENT POLICY
Effective Date: 30 May 2025
This Compliance, Security, and Risk Management Policy (“Policy”) sets forth the mandatory compliance standards, security controls, and risk management obligations governing the use of the A-Pay.one platform (“A-Pay”, “we”, “us”, or “our”). This Policy forms an integral part of the A-Pay Terms of Service and is binding upon all Users (“User”, “you”, or “your”) who access, integrate with, or otherwise engage with the A-Pay systems, APIs, services, or infrastructure (collectively, the “Platform”).
By accessing or using the Platform, you acknowledge and agree to be bound by the terms of this Policy.
1. Scope and Applicability
1.1. This Policy applies to all Users of the Platform, including but not limited to merchants, partners, service providers, contractors, employees, and any third parties entrusted with access to A-Pay systems or data.
1.2. This Policy governs A-Pay’s and Users’ respective obligations in relation to:
- Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF);
- Know-Your-Customer (KYC) and Customer Due Diligence (CDD);
- Information security and cybersecurity governance;
- Data confidentiality, classification, and data lifecycle management;
- Incident detection, response, escalation, and breach notification;
- Responsible disclosure of vulnerabilities;
- Compliance with applicable statutory, regulatory, and industry standards.
1.3. Compliance with this Policy is a condition of continued access to, and use of, the Platform.
2. AML/CTF Obligations
2.1. A-Pay maintains a comprehensive AML/CTF compliance framework in accordance with:
(a) relevant EU legislation, including applicable AML Directives;
(b) Financial Action Task Force (FATF) Recommendations;
(c) national legislation and regulatory guidance applicable to A-Pay’s operations.
2.2. A-Pay’s AML/CTF framework includes:
(a) implementation of a risk-based approach to financial crime prevention;
(b) customer identification and verification obligations prior to account activation;
(c) continuous monitoring of transaction patterns and account behavior;
(d) automated and manual screening against sanctions lists, politically exposed person (PEP) lists, and other risk lists;
(e) identification, escalation, and reporting of unusual or suspicious activity to competent authorities;
(f) periodic internal reviews and audits of AML/CTF controls;
(g) mandatory AML/CTF training for relevant personnel.
2.3. Users shall provide all information reasonably necessary to enable A-Pay to discharge its statutory obligations. A-Pay reserves the right to limit, suspend, or terminate access to the Platform for failure to comply with AML/CTF requirements.
3. KYC and Customer Due Diligence
3.1. A-Pay conducts KYC and CDD at onboarding and periodically throughout the business relationship to validate the identity, legitimacy, and risk profile of each User.
3.2. Users may be required to provide, without limitation:
(a) corporate registration documents;
(b) beneficial ownership and control information;
(c) identification documents for directors, shareholders, and ultimate beneficial owners (UBOs);
(d) documents evidencing business activity, purpose, and operational legitimacy;
(e) proof of address and tax identifiers;
(f) additional documentation where required under Enhanced Due Diligence (EDD).
3.3. A-Pay may conduct EDD where Users present elevated risk factors, including high-risk industries, cross-border corporate structures, or activities in high-risk jurisdictions.
3.4. Users warrant that all information provided is complete, accurate, and current. A-Pay may withhold services pending satisfactory completion of KYC/CDD processes.
4. Ongoing Monitoring and Risk Management
4.1. A-Pay conducts ongoing monitoring to detect anomalies, red flags, and high-risk behaviors. Monitoring may include:
(a) transaction monitoring against established thresholds;
(b) behavioral analysis and risk scoring;
(c) periodic reassessment of User risk profiles.
4.2. Suspicious activities may be escalated for internal investigation and, where required by law, reported to Financial Intelligence Units or competent authorities.
4.3. Users shall cooperate fully and promptly with any A-Pay compliance inquiry.
5. Information Security Governance
5.1. A-Pay maintains an information security program aligned with recognized industry standards and applicable legal requirements.
5.2. Security controls include, without limitation:
(a) encryption of information in transit and at rest;
(b) multi-factor authentication and role-based access control;
(c) secure credential and API key management;
(d) continuous vulnerability scanning and penetration testing;
(e) intrusion detection and prevention systems;
(f) threat monitoring and logging of access and system activity;
(g) secure software development lifecycle (SDLC) processes;
(h) business continuity and disaster recovery planning;
(i) cybersecurity training for A-Pay personnel.
5.3. Users bear responsibility for securing their systems, access credentials, private keys, API integrations, and personnel access.
6. Data Governance and Confidentiality
6.1. A-Pay enforces strict data governance protocols, including classification, retention, access management, and secure disposal controls.
6.2. Access to data is granted strictly on a need-to-know basis and subject to technical and organizational safeguards.
6.3. All access and data handling activities are logged, monitored, and subject to audit.
6.4. Users shall take all necessary measures to preserve the confidentiality and integrity of information accessed via the Platform.
7. Incident Response and Breach Notification
7.1. A-Pay maintains a formal incident response framework encompassing:
(a) detection, containment, and mitigation procedures;
(b) forensic investigation and impact assessment;
(c) recovery and restoration protocols;
(d) post-incident review and remediation planning.
7.2. Where a security incident results in unauthorized access, alteration, loss, or disclosure of User or Platform data, A-Pay shall notify affected Users and, where required, relevant regulatory authorities in accordance with applicable law, including GDPR.
7.3. Users shall immediately notify A-Pay of any suspected compromise of their accounts, credentials, systems, or integrations.
8. Responsible Disclosure of Vulnerabilities
8.1. A-Pay encourages responsible reporting of potential vulnerabilities identified within the Platform.
8.2. Reports shall be submitted confidentially to:
[email protected]
8.3. Submissions must include a detailed description, reproduction steps, and any relevant evidence.
8.4. Public disclosure without prior written authorization from A-Pay is strictly prohibited and may give rise to legal action.
9. Personnel, Contractors, and Third-Party Providers
9.1. A-Pay requires all employees, contractors, and third-party providers with access to systems or data to comply with this Policy.
9.2. Personnel are required to complete ongoing training related to AML/CTF, data protection, cybersecurity, and incident reporting.
9.3. A-Pay may impose sanctions, including contract termination, for violations.
10. Cooperation with Authorities
10.1. A-Pay fully cooperates with competent law enforcement, regulatory bodies, data protection authorities, and financial oversight entities.
10.2. Users may be required to provide information, documentation, or testimony in connection with regulatory audits, investigations, or enforcement actions.
11. Amendments and Periodic Review
11.1. This Policy is reviewed periodically and updated to reflect legal, regulatory, operational, or technological changes.
11.2. Amendments take effect upon publication on the Platform unless a later effective date is specified.
11.3. Continued use of the Platform constitutes acceptance of the revised Policy.
12. User Responsibilities
12.1. Users agree to:
(a) comply with all AML/KYC obligations imposed by A-Pay;
(b) provide accurate and up-to-date information;
(c) implement internal security and governance controls;
(d) maintain the confidentiality and security of all access credentials;
(e) report incidents or suspicious activity promptly;
(f) refrain from any activity that may compromise the Platform’s integrity, security, or compliance posture.
12.2. Non-compliance may result in limitations, suspension, or termination of services.
13. Governing Law and Jurisdiction
This Policy shall be governed by and construed in accordance with the laws of the European Union and the laws of the Member State in which A-Pay maintains its principal place of business.
Exclusive jurisdiction for all disputes lies with the competent courts of that Member State.
14. Language
This Policy is drafted in English. Translations, if provided, are for convenience only. In the event of conflict, the English version shall prevail.
15. Entire Agreement
This Policy forms part of the contractual framework between the User and A-Pay and shall be read together with the A-Pay Terms of Service, Privacy Policy, Cookie Policy, and any referenced guidelines. It supersedes all prior statements or agreements relating to the subjects herein.