Compliance, Security, and Risk Management

This Compliance, Security, and Risk Management Policy (“Policy”) sets forth the principles, obligations, and operational protocols under which A-Pay.one (“A-Pay”, “we”, “our”, or “us”) manages compliance with financial and data protection regulations, ensures robust information security, promotes ethical behavior, and facilitates responsible reporting of vulnerabilities across the A-Pay.one platform (“Platform”). By engaging with the Platform, users (“User”, “you”, or “your”) acknowledge and agree to the provisions outlined herein, recognizing that adherence to this Policy is essential for the integrity, security, and lawful operation of our services.

1. Scope and Applicability. This Policy applies to all Users of the Platform, including clients, partners, contractors, employees, vendors, and any third parties authorized to access or support the Platform. It governs practices related to anti-money laundering (AML), counter-terrorist financing (CTF), know-your-customer (KYC) and customer due diligence (CDD), information security management, data governance, business continuity, incident response, and responsible disclosure of security vulnerabilities. Users are required to comply fully with this Policy and any associated procedures communicated by A-Pay.

2. Anti-Money Laundering and Counter-Terrorist Financing (AML/CTF) Compliance. A-Pay maintains a comprehensive AML/CTF framework aligned with EU Directives, Financial Action Task Force (FATF) Recommendations, and applicable national laws. Our compliance measures include but are not limited to the implementation of risk-based policies, robust customer identification and verification procedures, continuous transaction monitoring to detect suspicious activity, escalation protocols for unusual or suspicious transactions, employee training programs designed to foster awareness of financial crime risks, maintenance of comprehensive records of transactions and client documentation, and regular internal audits to assess the effectiveness of our AML/CTF controls. Users acknowledge that A-Pay may request additional information or documentation as needed to fulfill AML/CTF obligations and that refusal to cooperate or provision of false or misleading information may result in denial, suspension, or termination of services.

3. Know-Your-Customer (KYC) and Customer Due Diligence (CDD) Procedures. To comply with legal and regulatory obligations, A-Pay conducts thorough KYC and CDD checks at the outset of a client relationship and on an ongoing basis. Required documentation may include legal entity registration certificates, beneficial ownership declarations, identification documents for directors and controlling persons, proof of business address, verification of tax identification numbers, and documentation substantiating the nature and intended purpose of the business relationship. Enhanced due diligence (EDD) may be applied where heightened risk factors are identified, such as involvement in high-risk industries, complex ownership structures, or operations in jurisdictions recognized as high-risk or non-cooperative. Users are obliged to provide complete, accurate, and current information at all times. Failure to satisfy KYC/CDD requirements may lead to delayed onboarding, restricted access to services, or termination of the business relationship.

4. Ongoing Monitoring and Reporting. A-Pay implements continuous monitoring of transactions and client behavior to identify and assess potential risks, anomalies, and suspicious activities. Automated and manual systems are used to flag transactions that exceed pre-defined thresholds, exhibit unusual patterns, or otherwise deviate from established norms. Detected anomalies are escalated for further investigation, and reports are filed with relevant financial intelligence units or regulatory bodies as required by law. Users agree to cooperate fully with any such investigations, including providing supplementary information upon request.

5. Information Security Management. A-Pay employs a comprehensive information security framework based on industry best practices and standards. Our security measures encompass encrypted transmission and storage of data, multi-factor authentication and access controls, regular system vulnerability assessments and penetration tests, intrusion detection and prevention systems, continuous network monitoring, disaster recovery and business continuity planning, staff training on cybersecurity best practices, and strict data governance protocols governing the handling of sensitive information. Users share responsibility for maintaining secure access to the Platform and are expected to implement appropriate internal controls within their systems.

6. Data Governance and Confidentiality. A-Pay enforces strict data governance policies to ensure that all information processed on the Platform, including User data, remains confidential and secure. Access to data is granted on a need-to-know basis, subject to role-based controls, and governed by detailed access management procedures. All data handling activities are logged and subject to regular review. Data retention and deletion are performed in accordance with regulatory requirements and internal policies, ensuring that no data is retained beyond the period necessary for operational or legal purposes.

7. Incident Response and Breach Notification. In the event of a security breach or incident, A-Pay follows a structured incident response plan that includes containment, eradication, recovery, and post-incident analysis. Users must report any suspected incidents or breaches immediately upon discovery, providing sufficient details to enable timely investigation. If a breach is determined to have affected User data or compromised Platform integrity, A-Pay will notify affected parties and relevant authorities in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

8. Responsible Disclosure of Security Vulnerabilities. A-Pay encourages responsible reporting of potential vulnerabilities in the Platform by security researchers, ethical hackers, and other stakeholders. Submissions should be directed confidentially to с[email protected], accompanied by a detailed description of the issue, reproduction steps, and supporting evidence. A-Pay commits to acknowledging reports within a reasonable timeframe, assessing their validity, and implementing necessary corrective actions. Public disclosure without prior coordination with A-Pay is strictly prohibited and may result in legal action.

9. Employee and Contractor Obligations. All employees, contractors, and agents of A-Pay are required to adhere to this Policy and complete mandatory training on AML/CTF compliance, information security practices, data protection obligations, and incident reporting procedures. Violations of this Policy by internal personnel may result in disciplinary action, up to and including termination of employment or engagement.

10. Cooperation with Authorities and Regulatory Bodies. A-Pay cooperates fully with financial regulators, law enforcement agencies, and data protection authorities in the investigation and prosecution of financial crimes, data breaches, and other legal matters. Users may be required to provide information, documentation, or testimony in connection with such proceedings.

11. Periodic Review and Updates. This Policy is reviewed and updated periodically to reflect changes in legal, regulatory, and operational requirements, industry best practices, and evolving threat landscapes. Updates become effective upon publication on the Platform. Users are responsible for reviewing the current version of this Policy and complying with its terms.

12. User Responsibilities. Users agree to cooperate fully with A-Pay’s compliance and security measures, including providing accurate and complete information for AML/KYC purposes, implementing appropriate internal controls, promptly reporting suspected security issues or breaches, and refraining from any conduct that may compromise the integrity or security of the Platform.

13. Legal Framework and Jurisdiction. This Policy shall be governed by and construed in accordance with the laws of the European Union and the jurisdiction of the Member State in which A-Pay maintains its principal place of business. Any disputes arising from or relating to this Policy shall be resolved exclusively before the competent courts of that jurisdiction.

14. Language. This Policy is drafted and executed in English. Any translations provided are for convenience only. In the event of inconsistencies, the English version shall prevail.

15. Entire Agreement. This Policy, together with the Terms of Service and Privacy Policy, constitutes the entire understanding between the User and A-Pay regarding compliance, security, and risk management and supersedes all prior agreements, communications, or representations relating to the subject matter herein.

Effective Date. May 30, 2025