ExactFlow p.s.a.

PAYMENT PROCESSING & SECURITY POLICY

How ExactFlow handles payments, protects financial data, and secures transactions on the SaaS Platform

Effective Date: 1 April 2026  |  Version 1.0  |  Standards: PCI-DSS v4.0; GDPR; PSD2; Polish Payment Services Act

Document Type: Payment Processing & Security Policy
Applies To: All Platform Clients, Sellers, Buyers, and payment transaction participants
Payment Contact: billing@exactflow.com
Security Contact: security@exactflow.com
Fraud Reporting: fraud@exactflow.com
Regulatory Framework: PCI-DSS v4.0; EU PSD2 (Directive 2015/2366); Polish Payment Services Act (ustawa o usługach płatniczych); GDPR

1. Payment Infrastructure Overview

ExactFlow does not store, process, or transmit payment card numbers directly. All card payment processing is performed by ExactFlow's PCI-DSS Level 1 certified payment processing partners. ExactFlow's role in the payment chain is as follows:

Stage | Actor | ExactFlow's Role | Data Handled by ExactFlow
Payment initiation | Buyer selects payment method at checkout | Presents payment UI; redirects to payment gateway tokenization widget | Order amount, currency, Order reference — no card data
Card data capture | Payment gateway (not ExactFlow) | Zero — card data entered directly into the gateway's PCI-DSS compliant widget | None — card data never touches ExactFlow servers
Authorisation | | Receives authorisation result (approved/declined) | Transaction status, authorisation code, tokenized card reference
Settlement | | Receives settlement confirmation | Settlement amount, timestamp, transaction reference
Escrow holding | ExactFlow Escrow (via regulated payment provider) | Manages Escrow period; triggers release after Withdrawal Period | Transaction identifiers, amounts, Seller/Buyer account references
Seller Payout | | Initiates Payout after Escrow release; deducts Commission | Payout amount, Seller IBAN (encrypted), transaction reference

2. Accepted Payment Methods

Payment Method | Availability | Processing Standard | Notes
Visa / Mastercard / American Express | All markets | PCI-DSS; 3DS2 authentication required | 3D Secure 2 (Strong Customer Authentication) enforced per PSD2
BLIK (Poland) | Poland | Polish Payment Agent regulation; KNF oversight | Instant payment; no 3DS required — BLIK PIN used
Bank Transfer (SEPA) | EU / EEA | SEPA Credit Transfer; SEPA Instant where available | Longer settlement time; used for high-value B2B transactions
PayPal | Selected markets | PayPal Merchant Agreement; PCI-DSS | Subject to PayPal's own buyer/seller protection terms
Klarna / Buy Now Pay Later | Selected EU markets | PSD2; Consumer Credit Directive | Consumer credit checks conducted by Klarna; B2C Marketplace only
Cryptocurrency | Not accepted | N/A | ExactFlow does not accept cryptocurrency payments on any Marketplace

3. Strong Customer Authentication (SCA)

In compliance with PSD2 Article 97 and the EBA Guidelines on SCA, ExactFlow enforces Strong Customer Authentication for all electronic payment transactions processed on the Platform. SCA requires authentication using at least two independent factors from:

  • Knowledge — something the user knows (password, PIN)
  • Possession — something the user has (mobile device, hardware token)
  • Inherence — something the user is (biometric — where supported by the payment provider)

3D Secure 2 (3DS2) is enforced for all card transactions. BLIK authentication satisfies SCA through knowledge (BLIK PIN) and possession (mobile app). Transactions that fail SCA will be declined. Certain SCA exemptions may apply (low-value transactions below €30; merchant-initiated transactions; recurring transactions after SCA on initial setup) — these are managed by our payment processors in compliance with EBA guidelines.

4. PCI-DSS Compliance

ExactFlow maintains PCI-DSS compliance for its role as a merchant that accepts payment cards. ExactFlow's compliance scope is limited because card data is handled directly by our Level 1-certified payment processors. ExactFlow's specific PCI-DSS obligations include:

  • SAQ A compliance (Merchant Self-Assessment Questionnaire A) — applicable to merchants who outsource all card data functions
  • Ensuring all payment page integrations use the payment processor's hosted payment widget — no in-scope card data ever touches ExactFlow servers
  • Annual PCI-DSS compliance review and SAQ submission
  • Maintaining a list of all third-party payment-related vendors and their PCI-DSS certification status
  • Incident response procedures for any suspected card data breach

Clients who use ExactFlow's Platform to process card payments from their own customers through ExactFlow's payment infrastructure are subject to their own PCI-DSS compliance obligations based on their transaction volume and integration method.

5. Data Security for Payment Data

5.1 Data ExactFlow Stores

ExactFlow stores only the following payment-related data, and no more:

Data Element | How Stored | Purpose | Retention
Transaction reference number | Plaintext — non-sensitive identifier | Order management, reconciliation | 7 years (accounting law)
Authorisation code | Plaintext — non-sensitive | Transaction verification | 7 years
Last 4 digits of card number | Plaintext — non-sensitive per PCI-DSS | Display to user in Account history | 5 years
Card expiry month/year | Plaintext — non-sensitive per PCI-DSS | Display to user | 5 years
Card brand (Visa, Mastercard etc.) | Plaintext | Display to user | 5 years
Payment method token | Encrypted — tokenized reference issued by payment processor | Repeat purchases (with user consent) | Until revoked by user or 3-year inactivity
Billing address | Encrypted at rest (AES-256) | Fraud prevention; VAT compliance | 7 years
Seller IBAN for Payouts | Encrypted at rest (AES-256); access restricted to Payout processing systems | Seller Payout execution | Duration of Seller relationship + 5 years

ExactFlow NEVER stores: full primary account numbers (PANs); CVV/CVC/CVC2 security codes; full magnetic stripe data; PIN or PIN block data. Any request to provide such data to ExactFlow or its staff is fraudulent and should be reported immediately to fraud@exactflow.com.

5.2 Encryption Standards

  • Data in transit: TLS 1.2 minimum (TLS 1.3 preferred); all payment-related API calls enforce TLS 1.3
  • Data at rest: AES-256 encryption for all sensitive financial data
  • Database-level encryption: transparent data encryption (TDE) on all production databases
  • Encryption key management: hardware security modules (HSMs) for payment-related key storage; key rotation every 12 months

5.3 Access Controls

  • Payment and financial data access restricted to named roles on a need-to-know basis
  • All payment system access logged and audited; logs reviewed monthly by security team
  • Privileged access to payment infrastructure requires just-in-time (JIT) authorization and dual-person approval
  • All production access by ExactFlow staff requires MFA; no shared credentials permitted

6. Escrow Service

ExactFlow's Escrow service holds Transaction funds between payment and Seller Payout. The Escrow process provides consumer and buyer protection:

  • Funds are collected from the Buyer at Order confirmation and held in a segregated Escrow account managed by a regulated payment institution
  • Funds are not commingled with ExactFlow's operating funds
  • Escrow is released to the Seller upon: (a) expiry of the statutory Withdrawal Period (B2C: 14 days; B2B: per contract) without a withdrawal or dispute; or (b) confirmed Buyer acceptance of delivery; or (c) resolution of a dispute in the Seller's favour
  • In the event of a Consumer withdrawal, Escrow funds are returned to the Buyer within the statutory refund deadline
  • Interest earned on Escrow balances (if any) is retained by the regulated payment institution and does not accrue to ExactFlow or the Seller
  • Escrow accounts are not part of ExactFlow's insolvency estate and are protected in the event of ExactFlow's insolvency

7. Seller Payouts

7.1 Payout Timeline

Event | Timeline | Notes
Order placed | Day 0 | Transaction funds collected from Buyer and held in Escrow
Delivery confirmed | Day 0 of confirmation | Withdrawal period begins (B2C: 14 days)
Withdrawal period expires (no claim) | Day 14 (B2C) or per contract (B2B) | Escrow release triggered
Escrow release to Payout pool | Within 24 hours of release trigger | Commission and fees deducted
Payout disbursed to Seller IBAN | Within 7 days of Escrow release | Rolling 7-day Payout cycle
Payout statement issued | Same day as disbursement | Itemized via Seller dashboard and email

7.2 Payout Deductions

The following deductions are made from gross Transaction value before Seller Payout:

  • Platform Commission (per Schedule A of the Seller Agreement or applicable subscription tier)
  • Payment Processing Fee (passed through at cost from payment processor — typically 1.4–2.9% + fixed per transaction)
  • Any outstanding Platform Fee invoices where Seller has consented to deduction from Payout
  • Chargeback reserves (where applicable — see Section 8)

7.3 Payout Withholding

ExactFlow may withhold Payouts where: (a) a dispute or withdrawal is pending; (b) a chargeback has been initiated; (c) fraud or AML concerns are under investigation; (d) a court or regulatory order requires withholding. ExactFlow will notify the Seller in writing with reasons within 2 business days of withholding a Payout.

8. VAT and Invoicing

ExactFlow issues VAT-compliant invoices for Platform Fees and Commission in accordance with the Polish VAT Act (ustawa o podatku od towarów i usług) and EU VAT Directive (2006/112/EC). Key invoicing practices:

  • Platform Fee invoices are issued monthly in arrears (or annually for annual plans) and delivered electronically to the Client's registered billing email
  • Invoices display ExactFlow's NIP, registered address, Client's NIP, invoice date, service period, net amount, VAT rate, VAT amount, and gross amount
  • Polish VAT at the current standard rate (23%) applies to Platform Fees for Polish-registered Clients. EU B2B reverse charge applies for EU Clients not established in Poland. Non-EU clients: VAT per applicable bilateral arrangement
  • Sellers are responsible for their own VAT obligations on Transactions with Buyers — ExactFlow's invoices cover Platform Fees only
  • For EU B2C cross-border sales subject to the EU VAT One Stop Shop (OSS) regime, Sellers are solely responsible for OSS registration and reporting

9. Security Incident — Payment Related

In the event of a security incident affecting payment data, ExactFlow's Payment Security Incident Response procedure is activated immediately:

  • Incident contained by ExactFlow security team — all affected systems isolated within 1 hour of detection
  • Payment processors notified within 4 hours — card scheme reporting initiated if card data is in scope
  • UODO notified within 72 hours if personal data is at risk (GDPR Article 33)
  • Affected Clients notified within 24 hours of confirmation that their Transaction data is involved
  • Affected individuals (Buyers/Sellers) notified without undue delay if high risk to rights and freedoms (GDPR Article 34)
  • Card scheme forensic investigation (PFI) commissioned within 5 business days if card data breach is confirmed
  • Post-incident report with root cause analysis and remediation steps provided to affected Clients within 30 days

Report suspected payment fraud or security incidents to: fraud@exactflow.com or security@exactflow.com. We operate a 24/7 security incident hotline for critical issues: details provided in the Client onboarding pack.

10. Contact

Billing & Payouts: billing@exactflow.com
Payment Security: security@exactflow.com
Fraud Reporting: fraud@exactflow.com
DPO: privacy@exactflow.com
Registered Address: ExactFlow p.s.a., Stanisława Bodycha 87, 05-816 Reguły, Poland
Supervisory (Payments): Komisja Nadzoru Finansowego (KNF) — www.knf.gov.pl
Supervisory (Data): UODO — www.uodo.gov.pl

This Payment Processing & Security Policy complies with: PCI-DSS v4.0; EU PSD2 (Directive 2015/2366) and EBA SCA Guidelines; Polish Payment Services Act; GDPR; Polish VAT Act; EU VAT Directive (2006/112/EC); and EU Directive 2023/2225 (Consumer Credit, where applicable). Independent review recommended before publication.

— END OF PAYMENT PROCESSING & SECURITY POLICY — EXACTFLOW P.S.A. —