Aggregator Agreement
The terms under which PayServ operates as a certified ISV software aggregator in connection with downstream Payment Service Providers.
1. Purpose & Scope
This Aggregator Agreement ("Agreement") describes the terms under which PAYSERV LLC ("PayServ") provides software aggregation and ISV middleware services that facilitate the technical integration between Merchants and their chosen downstream Payment Service Providers (each, a "PSP").
PayServ is not a Payment Facilitator (PayFac), money transmitter, or acquiring bank. This Agreement defines the limited technical and software scope of PayServ's role.
2. PayServ's Role as ISV Aggregator
PayServ operates exclusively as a software layer. Our services include: API normalisation across multiple PSPs; intelligent routing rule management; universal token vault management; automated testing and certification workflows; and webhook event normalisation.
PayServ does not: acquire, process, or settle payment transactions on behalf of Merchants; hold or transmit cardholder data; underwrite merchant risk; or establish credit terms or make credit decisions.
All settlement funds flow directly between Merchants and their PSP(s). PayServ has no access to, or interest in, settlement funds at any point in the transaction lifecycle.
3. Merchant Credential Handling
Merchants provide PayServ with their PSP API credentials solely to enable routing and integration services. These credentials are: encrypted at rest using AES-256-GCM; stored in a credential vault with strict access controls; transmitted to the authorised downstream PSP over TLS 1.3; and never logged in plaintext or shared with any third party.
Merchants retain full ownership and control of their PSP relationships and credentials. PayServ acts as a neutral technical intermediary.
4. PCI-DSS Compliance Scope
PayServ's architecture is designed to qualify under PCI-DSS SAQ A — the lowest possible compliance scope. Raw cardholder data (PAN, CVV, expiry) is captured exclusively within PSP-controlled Hosted Fields (iFrame-isolated SDKs served directly from PSP CDNs).
PayServ's servers are entirely outside the Cardholder Data Environment (CDE). PayServ receives and stores only the resulting opaque payment token generated by the PSP.
Compliance documentation, data flow diagrams, and network architecture documentation are available to PSP compliance teams, acquiring banks, and card network reviewers upon written request under mutual NDA.
5. PSP Relationships
Merchants are responsible for maintaining their own agreements with their PSPs. PayServ does not represent, warrant, or guarantee the availability, performance, or compliance of any downstream PSP.
PayServ will make commercially reasonable efforts to maintain integration compatibility with supported PSPs. Changes to PSP APIs may require platform updates, which PayServ will deliver on a reasonable schedule.
6. Representations & Warranties
PayServ represents that it: maintains appropriate information security controls; does not process cardholder data in its infrastructure; and operates in compliance with applicable laws governing software service providers.
Merchant represents that it: has valid PSP agreements in place; has the authority to provide PSP credentials to PayServ; and will use the platform only for lawful purposes.