# 1. Purpose and scope
Paybyrd is trusted with something simple and valuable — other people's money, as it moves. This Code describes the standards every Paybyrd employee, contractor, officer and director is expected to hold, whatever their role, wherever they work from.
It is not a list of rules for their own sake. It reflects the behaviour we owe to the merchants who integrate with us, to the cardholders and shoppers whose data passes through our systems, to the regulators and scheme owners we answer to, and to each other. If anything in our day-to-day choices conflicts with this Code, this Code wins.
This Code sits alongside Paybyrd's Merchant Terms & Conditions and Privacy Policy. Where a specific policy is more stringent — for example, PCI DSS requirements around cardholder data — the specific policy applies.
# 2. Our principles
Five principles steer every decision we make:
- Merchant-first. Our product exists to make merchants' lives easier and their businesses stronger. If a decision helps Paybyrd at the merchant's expense, it's the wrong decision.
- Integrity in every transaction. We are honest in pricing, accurate in reporting, and clear about what we can and cannot do. We do not promise what we cannot deliver.
- Security by default. Cardholder and merchant data are treated as radioactive. Access is on a need-to-know basis; encryption and logging are always on.
- Transparent dealing. Fees, contracts, policies and system status are published, not hidden. Changes are announced, never sprung.
- Accountability. Mistakes get owned, documented, and fixed. Near-misses are shared, not buried. Every quarter, the leadership team reviews this Code in practice.
# 3. Regulatory and scheme compliance
Paybyrd operates under the supervision of financial-services regulators across the markets we serve. Compliance is not a department — it is an operating constraint that shapes what we build and how we behave.
Every Paybyrd employee and contractor is expected to understand, at a working level, the obligations relevant to their role, including:
- Payment Services Directive (PSD2) and its successor regimes — strong customer authentication, open banking interfaces, dispute timelines.
- PCI DSS — the Payment Card Industry Data Security Standard, which governs how cardholder data is stored, processed and transmitted through our systems. Paybyrd is assessed at Level 1, the most demanding service-provider tier, so the full set of requirements applies to every system in scope.
- GDPR, Regulation (EU) 2016/679 (in the Netherlands, the Algemene verordening gegevensbescherming or AVG), together with the Dutch implementing act (Uitvoeringswet AVG) — lawful bases for processing, data-subject rights, breach notification, cross-border transfer safeguards.
- Anti-Money Laundering and Counter-Terrorist Financing — the Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft) and equivalent national regimes across the EU.
- Scheme rules published by Visa, Mastercard, American Express, Discover and other card networks, as updated from time to time.
- Sanctions regimes — OFAC (United States), the EU consolidated sanctions list, the UK list maintained by HM Treasury (OFSI), and UN Security Council resolutions.
Where a Paybyrd employee becomes aware of any actual or suspected breach of these obligations, they must notify the Compliance team immediately via compliance@paybyrd.com. Failure to escalate is itself a breach of this Code.
# 4. Fair dealing with merchants and their customers
Merchants choose Paybyrd because they believe we will treat them fairly. We honour that trust in five concrete ways:
- Pricing is honest. We publish our rates. We do not introduce hidden fees, surprise surcharges, or unexplained adjustments to settlement. Where rates change, merchants are notified in writing with at least 30 days' notice.
- Contracts are clear. Merchant Terms & Conditions are written to be read, not to hide behaviour. Material changes follow the notice procedure in the Terms.
- Disputes are resolved, not ignored. Chargebacks, technical incidents and billing disagreements are investigated in good faith and answered within the timelines published in our Service Level Agreement.
- Data is for service. Merchant data is used to provide the service, meet our legal obligations, and (with consent) improve the product. It is never sold.
- Customer-facing surfaces are respectful. Every checkout, payment link, terminal flow or chat message that Paybyrd touches carries the same standard of honesty and clarity we expect of ourselves.
# 5. Anti-bribery and anti-corruption
Paybyrd has zero tolerance for bribery and corruption in any form, in any jurisdiction, regardless of whether local practice appears to tolerate it.
Paybyrd employees and contractors must not, directly or through intermediaries:
- offer, promise, give, request, agree to receive or accept any financial or other advantage to induce or reward improper behaviour;
- make or accept facilitation payments — small unofficial payments to expedite routine government action — even where such payments are informally tolerated locally;
- make political contributions on behalf of Paybyrd without the prior written approval of the CEO and CFO.
Gifts and hospitality. Reasonable business entertainment is part of normal commercial life. It becomes inappropriate when it is excessive, secret, or creates a sense of obligation. Any gift or hospitality with a value above €150 per person per year (aggregate, per counterparty) must be declared to the Compliance team before acceptance or offer.
Bribery and corruption concerns are reported through the channels described in section 10 (Speaking up). Retaliation against a good-faith report is itself a breach of this Code.
# 6. Conflicts of interest
A conflict of interest is any situation in which a private interest could compromise, or appear to compromise, the judgement we owe to Paybyrd or its merchants. We manage conflicts by disclosing them early and recusing from decisions where necessary.
Paybyrd employees and contractors must disclose, in writing to their manager and to the People team:
- any ownership, board role or paid advisory role in a competitor, merchant, partner, vendor, scheme owner or acquirer;
- close family or personal relationships with anyone working for any of the above;
- outside paid work that overlaps with Paybyrd's business, or consumes time that would materially affect Paybyrd responsibilities;
- any personal financial interest — direct or indirect — in a transaction Paybyrd is considering entering.
Disclosed conflicts are managed, not automatically prohibited. What is never acceptable is a concealed conflict.
# 7. Confidentiality, data protection and information security
Confidential information — merchant commercial data, pricing, pipelines, product roadmaps, cardholder data (CHD) including the Primary Account Number (PAN), authentication secrets — is handled only on a need-to-know basis, only within authorised systems, and only for the purposes for which it was collected.
Specific obligations every Paybyrd employee must meet:
- Never store, transmit or process Primary Account Number (PAN) data outside the PCI DSS-scoped cardholder data environment (CDE). This includes logs, tickets, chat messages and test fixtures. When in doubt, ask Security Engineering before touching the data.
- Encrypt data at rest and in transit. SSL and TLS 1.1 and below are disabled; only TLS 1.2 or later is accepted. Rotate secrets and access keys on the published cadence, and immediately if they may have been exposed.
- Use Paybyrd-issued devices for Paybyrd work. Do not email confidential data to personal accounts or copy it to unapproved cloud drives.
- Report any suspected security incident — phishing attempt, lost device, unexpected system behaviour, vendor breach notice — to the Security team within one hour of becoming aware. Do not investigate on your own.
- Respect data-subject rights under GDPR/AVG. Requests for access, rectification, erasure and portability are routed to the Data Protection Officer at dpo@paybyrd.com.
Access to production systems is logged. Logs are reviewed. Unusual access is investigated.
# 8. Market integrity and fair competition
Paybyrd competes on the merits — price, reliability, security, service, speed of integration — and nothing else.
- No anti-competitive agreements. We do not agree, tacitly or otherwise, with competitors on pricing, customer allocation, market division, or bid rigging.
- No abuse of dominance. Where Paybyrd is strong in a particular corridor or vertical, that strength is not used to foreclose merchants or partners from choosing alternatives.
- Respect for intellectual property. Paybyrd builds on open-source and licensed code responsibly, honouring licence obligations. We do not misappropriate competitor trade secrets, technical documentation or merchant lists.
- Truthful marketing. Public claims about performance, savings, or uptime are based on verifiable data. Comparative claims about competitors are fact-checked before publication and reviewed on request.
- No insider dealing. Employees with access to non-public information about Paybyrd, its investors, or its merchants do not trade on that information, tip others, or discuss it outside the minimum circle required.
# 9. Workplace conduct
Paybyrd expects every person to be treated with respect, regardless of role, seniority, background, identity or belief. Harassment, bullying and discrimination have no place in our offices, our remote workplaces, our customer meetings, our events or our digital channels.
- Non-discrimination. Decisions about hiring, compensation, promotion and assignment are based on skill, contribution and fit — never on race, colour, ethnic or national origin, sex, gender identity or expression, sexual orientation, religion, age, disability, marital or family status, or any other protected characteristic.
- No harassment. Harassment includes unwelcome conduct of a sexual nature, verbal or physical, as well as any hostile or intimidating behaviour that creates an abusive environment. It does not become acceptable because the context is a social or after-work setting.
- Health and safety. Physical workspaces and remote work arrangements are designed to be safe. Safety concerns are raised immediately; they are not a low-priority backlog item.
- Substance use. Employees do not report for work — including work on video calls — while impaired by alcohol or drugs in a way that affects judgement or safety.
- Social and customer-facing conduct. Behaviour at Paybyrd offsites, industry events, and customer dinners is held to the same standard as behaviour in the office.
# 10. Speaking up — whistleblowing and reporting concerns
A Code is only as strong as the willingness of the people under it to speak up when it is broken. Paybyrd protects and encourages good-faith reporting.
Where to report. Concerns about actual or suspected breaches of this Code, of law, or of internal policy can be raised through any of the following channels, in increasing order of independence:
- your direct manager or skip-level;
- the People team at people@paybyrd.com;
- the Compliance team at compliance@paybyrd.com;
- the Data Protection Officer at dpo@paybyrd.com for data-related concerns;
- the confidential whistleblowing inbox speakup@paybyrd.com, which is read only by the Audit Committee and the DPO.
Non-retaliation. Paybyrd will not tolerate retaliation — firing, demotion, exclusion, threat or any other adverse action — against anyone who raises a concern in good faith, takes part in an investigation, or refuses to participate in suspected wrongdoing. Retaliation is itself a disciplinary offence.
Anonymity. Reports can be made anonymously. Anonymous reports are investigated with the same seriousness as named ones, subject to the practical limits of acting on information that cannot be verified with the reporter.
External rights preserved. Nothing in this Code prevents a Paybyrd employee from reporting suspected unlawful conduct to a regulator, law-enforcement authority or the Dutch Huis voor Klokkenluiders (Whistleblowers' Authority).
# 11. Sanctions, third parties and outsourcing
Paybyrd does not do business with sanctioned persons, entities or jurisdictions, and the people, products and merchants we connect to our network are screened on that basis.
- Screening. Every merchant, principal and counterparty is screened against the OFAC, EU consolidated, UK HMT and UN sanctions lists at onboarding and on an ongoing basis. Hits are escalated to the Compliance team and cleared or rejected before service continues.
- Prohibited jurisdictions. Paybyrd does not knowingly facilitate payments into or out of jurisdictions subject to comprehensive sanctions (Cuba, Iran, North Korea, Syria, the Crimea region of Ukraine, and the non-government-controlled areas of the Donetsk, Kherson, Luhansk and Zaporizhzhia regions), and restricts activity in partially-sanctioned jurisdictions in line with the applicable regime.
- Vendor standards. Every vendor or partner with access to Paybyrd systems, merchant data or cardholder data is subject to due diligence, a written agreement including data-protection and security terms, and a review cadence proportionate to their risk profile. Vendors of material services are named in Paybyrd's Terms & Conditions.
- Outsourcing oversight. Where Paybyrd outsources any service, accountability for the outcome remains with Paybyrd. Outsourced work is monitored on the same standards Paybyrd holds itself to.
# 12. Accountability, review and contact
This Code is overseen by the Paybyrd Compliance team, with sponsorship at board level. The CEO and Chief Compliance Officer are jointly responsible for ensuring it is applied in practice.
Training. Every Paybyrd employee completes initial Code-of-Conduct training during onboarding and annual refresher training thereafter. Role-specific training (PCI DSS, AML/CFT, sanctions) is additional to — not a substitute for — this baseline.
Consequences of breach. Breaches of this Code are addressed through Paybyrd's disciplinary process, which is proportionate to the seriousness and context of the breach. Consequences range from remediation plans to termination of employment or engagement. Certain breaches — including bribery, data theft, serious harassment and sanctions-list violations — are grounds for immediate termination and may be reported to law-enforcement or regulatory authorities.
Annual review. This Code is reviewed at least once per year by the Compliance team, and updated as regulation, scheme rules and our own business evolve. Material updates are communicated to all employees and published on paybyrd.com/code-of-conduct.
Questions. Any employee, merchant, partner or member of the public who has a question about this Code, a concern to raise, or a situation they are unsure about can write to compliance@paybyrd.com. The Compliance team commits to a substantive response within five working days.
Last updated: