Payment Security Policy

Effective Date: March 28, 2026

1. Introduction and Purpose

PAWPASS LLC ("PawPass", "Company", "we", "us", "our") is committed to providing a secure, transparent, and trustworthy payment environment for all individuals and entities who transact through the PawPass platform, the website located at https://www.pawpass.rs/en, mobile applications, and associated services (collectively, the "Platform"). This Payment Security Policy ("Document") describes the payment methods accepted on the Platform, the technical and operational security measures applied to all financial transactions, the third-party payment processors engaged by PawPass, the standards and certifications that govern our payment infrastructure, and the procedures in place to detect, prevent, and respond to fraud, unauthorized transactions, and payment disputes. This Document is intended to provide transparency to customers, Partners, financial institutions, payment processors, and regulatory bodies regarding PawPass's payment security posture and compliance framework. It should be read in conjunction with the Terms of Service, Privacy Policy, and Refund and Returns Policy, all of which are available at https://www.pawpass.rs/en. PawPass operates as a legitimate, compliance-oriented online platform providing pet service booking, QR tag product sales, and subscription membership services. All payment activities on the Platform are conducted for clearly defined, lawful commercial purposes. PawPass does not engage in any high-risk, prohibited, or regulated financial activities as defined by applicable payment network rules or financial services regulations.

2. Accepted Payment Methods

2.1 Overview

PawPass accepts the following payment methods for transactions processed through the Platform. All payment methods are subject to verification and eligibility checks prior to processing.

2.2 Credit and Debit Cards

PawPass accepts major credit and debit cards processed through Stripe, Inc., our primary payment processor. Accepted card networks include:

  • Visa (credit and debit)
  • Mastercard (credit and debit)
  • American Express
  • Discover (where supported by Stripe in the applicable jurisdiction)

Card transactions are processed in real time at the point of purchase. Card data is entered directly into Stripe's secure hosted payment fields and is never transmitted to or stored on PawPass's own servers. PawPass does not have access to full card numbers, card verification values (CVV/CVC), or magnetic stripe data at any point in the transaction process.

2.3 ACH Bank Transfer

ACH (Automated Clearing House) bank transfers are available as a payment method for eligible customers transacting in U.S. dollars. ACH payments are processed through Stripe's ACH payment infrastructure, which is compliant with NACHA (National Automated Clearing House Association) operating rules and standards. ACH payments are subject to bank verification requirements and standard ACH clearing timelines of one to three business days. ACH transactions are subject to reversal risk for a defined period following initiation. PawPass implements risk controls appropriate to ACH's reversal risk profile, including transaction limits and verification requirements for first-time ACH payers.

2.4 International Wire Transfer

International wire transfers are available for eligible high-value transactions and for Partner Payout disbursements to service providers located outside the United States. Wire transfers are processed through established banking channels and are subject to SWIFT network protocols, correspondent banking rules, and applicable sanctions screening requirements. Wire transfers require full beneficiary bank details and are subject to standard processing timelines of one to five business days depending on the originating and receiving financial institutions and applicable jurisdictions. Wire transfers are not reversible once initiated and processed by the banking system. PawPass conducts sanctions screening against applicable watchlists prior to initiating wire transfers.

2.5 Additional Payment Methods

PawPass may make additional payment methods available through Stripe's payment infrastructure, including but not limited to local payment methods, digital wallets, and buy-now-pay-later options, depending on the customer's jurisdiction and the applicable transaction type. The availability of additional payment methods is disclosed at the point of checkout and is subject to change based on Stripe's supported payment methods in each region.

2.6 Unsupported Payment Methods

PawPass does not accept the following as payment methods on the Platform:

  • Cash payments of any kind.
  • Checks or money orders.
  • Cryptocurrency or digital asset payments.
  • Prepaid cards where the cardholder's identity cannot be verified.
  • Payments from third-party accounts where the payer is not the registered account holder.
  • Payments made through informal money transfer systems or unregulated payment channels.

3. Primary Payment Processor: Stripe, Inc.

3.1 Stripe Overview

PawPass's primary payment processing infrastructure is provided by Stripe, Inc. ("Stripe"), a globally recognized payment technology company headquartered in San Francisco, California, United States. Stripe provides payment acceptance, payment processing, fraud detection, and disbursement services for the Platform. Stripe processes payments on behalf of PawPass as a payment service provider and merchant acquirer. The contractual relationship between customers and the payment processing system is governed by Stripe's Terms of Service, available at https://stripe.com/legal, and Stripe's Privacy Policy, available at https://stripe.com/privacy. By transacting on the Platform, customers acknowledge that their payment data will be processed by Stripe in accordance with Stripe's policies.

3.2 Stripe PCI-DSS Certification

Stripe is certified as a Payment Card Industry Data Security Standard ("PCI-DSS") Level 1 Service Provider — the highest level of PCI-DSS certification available. PCI-DSS Level 1 certification requires Stripe to undergo an annual on-site audit conducted by a Qualified Security Assessor (QSA), submit quarterly network scans conducted by an Approved Scanning Vendor (ASV), and maintain a comprehensive information security management program covering all aspects of cardholder data security. By routing all card payment processing through Stripe, PawPass significantly reduces the scope of its own PCI-DSS compliance obligations. PawPass does not store, process, or transmit cardholder data on its own infrastructure. Customers' card data is captured directly within Stripe's PCI-DSS-compliant hosted fields (Stripe Elements or Stripe.js), which means that card data does not pass through PawPass's servers at any stage of the transaction.

3.3 Stripe's Fraud Detection Infrastructure

Stripe operates a proprietary machine-learning-based fraud detection system called Stripe Radar, which is integrated into all payment processing workflows on the Platform. Stripe Radar analyzes hundreds of transaction signals in real time, including device fingerprinting, behavioral biometrics, IP geolocation, velocity checks, card history, and network-wide fraud intelligence derived from Stripe's global processing volume. Stripe Radar assigns a risk score to each transaction and applies configured rules to automatically block, review, or allow the transaction based on that score. PawPass has configured custom Stripe Radar rules appropriate to the Platform's transaction types and risk profile. These rules are reviewed and updated on a regular basis.

3.4 Stripe Connect for Partner Payouts

Partner Payout disbursements are processed through Stripe Connect, Stripe's platform-to-third-party payment disbursement product. Stripe Connect requires Partners to complete Stripe's identity verification and Know Your Customer (KYC) onboarding process, which includes collection of the Partner's legal name, address, date of birth, tax identification number, and bank account details. Stripe is responsible for performing KYC and identity verification on Partners enrolled in Stripe Connect, in accordance with applicable anti-money laundering (AML) and financial services regulations.

4. PCI-DSS Compliance Framework

4.1 PawPass's Compliance Scope

PawPass operates under a reduced PCI-DSS compliance scope as a result of its exclusive use of Stripe-hosted payment fields for card data capture. PawPass has implemented PCI-DSS Self-Assessment Questionnaire A (SAQ A) controls, which are applicable to merchants who outsource all cardholder data processing to PCI-DSS-validated third-party processors and have no electronic storage, processing, or transmission of cardholder data on their own systems. This approach reflects industry best practice for online merchants and ensures that all cardholder data processing occurs exclusively within Stripe's certified and audited infrastructure.

4.2 Cardholder Data Handling — No Storage Policy

PAWPASS LLC does not store, log, or retain any cardholder data on its own servers, databases, or infrastructure at any time. This includes full card numbers (Primary Account Numbers / PANs), card expiry dates, CVV/CVC codes, cardholder names linked to card numbers, magnetic stripe data, and chip data. This no-storage policy applies without exception to all card transactions processed on the Platform, regardless of transaction type, amount, or recurring nature. For recurring subscription charges, PawPass uses Stripe's tokenization system, under which Stripe stores a secure payment token that references the customer's payment method. PawPass stores only the Stripe payment token and the last four digits of the card number for display purposes. The underlying card data remains exclusively within Stripe's PCI-DSS-certified vault.

4.3 Tokenization

Tokenization is the process by which a sensitive data element (such as a full card number) is replaced with a non-sensitive substitute (a "token") that has no exploitable value outside the specific processing context. PawPass utilizes Stripe's tokenization infrastructure for all payment method storage associated with recurring subscriptions and saved payment methods. Stripe-generated payment tokens cannot be reverse-engineered to obtain the original card data. Even in the unlikely event of unauthorized access to PawPass's systems, no exploitable cardholder data would be accessible, because PawPass holds only tokens, not card numbers or sensitive authentication data.

4.4 Secure Payment Page Architecture

PawPass's checkout and payment pages are implemented using Stripe Elements, a suite of prebuilt, PCI-DSS-compliant UI components provided by Stripe. Stripe Elements renders card input fields within an iframe that is hosted on Stripe's domain, not PawPass's domain. This architectural approach ensures that card data typed by the customer into the payment form is transmitted directly to Stripe's servers without passing through PawPass's web application server at any stage. PawPass's payment page implementation has been reviewed to ensure that no client-side scripts, browser extensions, or network interception mechanisms can capture card data entered into Stripe Elements fields.

5. Encryption and Data Transmission Security

5.1 Transport Layer Security

All data transmitted between customers' browsers or applications and PawPass's servers is encrypted using the Transport Layer Security (TLS) protocol, version 1.2 or higher. PawPass enforces HTTPS across all pages of the Platform and implements HTTP Strict Transport Security (HSTS) headers to prevent protocol downgrade attacks and to ensure that browsers only connect to the Platform over encrypted connections. TLS encryption protects all data in transit, including login credentials, personal data submitted in forms, session data, and all communication between PawPass's application servers and third-party APIs. PawPass does not permit unencrypted HTTP connections to any authenticated or payment-related Platform functionality.

5.2 Data at Rest Encryption

Sensitive data stored by PawPass, including personal data, account credentials, and transaction records, is encrypted at rest using industry-standard encryption algorithms. Password credentials are stored exclusively as salted cryptographic hashes using a strong hashing algorithm (bcrypt or equivalent), such that original passwords cannot be recovered even by PawPass personnel with database access. PawPass's cloud infrastructure providers maintain encryption of all data stored on their servers, including database storage, file storage, and backup systems. Encryption key management follows industry best practices, including separation of encryption keys from encrypted data and periodic key rotation.

5.3 API Security

Communication between PawPass's application layer and Stripe's payment APIs is authenticated using Stripe's API key authentication system. Stripe API keys are stored securely in PawPass's server-side environment and are never exposed in client-side code, public repositories, or application logs. PawPass uses restricted Stripe API keys configured with the minimum permissions necessary to perform required payment operations, following the principle of least privilege. All API communications between PawPass and Stripe are made over TLS-encrypted connections to Stripe's API endpoints. PawPass validates Stripe webhook events using Stripe's webhook signature verification to prevent processing of tampered or spoofed webhook payloads.

5.4 Certificate Management

PawPass maintains valid SSL/TLS certificates issued by a trusted Certificate Authority (CA) for all Platform domains and subdomains. Certificates are monitored for approaching expiry and are renewed proactively to prevent certificate-related service interruptions or security warnings. PawPass does not use self-signed certificates for any customer-facing Platform functionality.

6. Secure Hosting and Infrastructure

6.1 Cloud Infrastructure Provider

PawPass's Platform is hosted on a reputable cloud infrastructure provider operating enterprise-grade data centers with physical security controls, redundant power systems, climate control, and multi-zone availability to support service continuity. PawPass's hosting infrastructure is located in data centers that maintain compliance with internationally recognized security certifications, including ISO/IEC 27001 and SOC 2 Type II.

6.2 Physical Security Controls

PawPass's cloud hosting provider maintains the following physical security controls at its data center facilities:

  • Perimeter security with 24/7 on-site security personnel.
  • Multi-factor physical access controls including biometric verification and access card systems.
  • Closed-circuit surveillance systems monitoring all areas of the data center.
  • Visitor access logging and escorted access policies for non-authorized personnel.
  • Environmental monitoring systems for temperature, humidity, and fire suppression.

6.3 Network Security

PawPass's network infrastructure incorporates the following security controls:

  • Firewall protection: Application and network-layer firewalls are deployed to control inbound and outbound traffic based on defined security rules. Only necessary ports and services are exposed to the public internet.
  • DDoS mitigation: Distributed denial-of-service protection is provided at the network layer by PawPass's hosting provider and, where applicable, by Cloudflare or equivalent DDoS protection services, to maintain Platform availability during volumetric attacks.
  • Intrusion detection and prevention: Network-level and host-level intrusion detection systems (IDS/IPS) monitor traffic and system events for indicators of compromise and generate alerts for security review.
  • Network segmentation: Production systems, including payment processing components, are logically separated from development, testing, and administrative networks. Access between network segments is restricted and monitored.
  • VPN-protected administrative access: Administrative access to production systems is restricted to authorized personnel connecting through a virtual private network (VPN) with multi-factor authentication.

6.4 Access Control and Privileged Access Management

PawPass enforces a strict access control policy governing who may access production systems and sensitive data:

  • Access to production systems is granted on a need-to-know, least-privilege basis.
  • All administrative accounts require multi-factor authentication (MFA).
  • Privileged access is logged and subject to periodic review and recertification.
  • Former employees and contractors have their access revoked promptly upon termination of engagement.
  • Shared or generic administrative accounts are not permitted on production systems.

6.5 Vulnerability Management and Patching

PawPass maintains a vulnerability management program that includes regular scanning of Platform infrastructure for known vulnerabilities, prioritized patching of critical and high-severity vulnerabilities within defined remediation timelines, and monitoring of security advisories for third-party software components used in the Platform. PawPass conducts periodic penetration testing by qualified security professionals to assess the Platform's security posture against simulated attack scenarios.

6.6 Business Continuity and Disaster Recovery

PawPass maintains business continuity and disaster recovery plans designed to ensure the availability and integrity of the Platform and customer data in the event of a significant infrastructure failure, data loss event, or disaster. These plans include: regular automated backups of all customer and transaction data; geographically distributed backup storage; defined recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical Platform components; and periodic testing of recovery procedures.

7. Anti-Fraud Systems and Transaction Monitoring

7.1 Multi-Layer Fraud Prevention

PawPass implements a multi-layered fraud prevention framework that combines automated detection, manual review processes, and post-transaction monitoring to identify and respond to fraudulent activity across all transaction types.

7.2 Real-Time Transaction Screening

Every transaction initiated on the Platform is subject to real-time automated screening that evaluates the following risk signals:

  • Device intelligence: Device fingerprinting and browser characteristic analysis to identify devices associated with prior fraudulent activity or that display characteristics inconsistent with legitimate use.
  • IP geolocation analysis: Comparison of the transaction IP address against the cardholder's billing address country, detection of VPN or proxy server usage, and identification of IP addresses associated with known fraud sources.
  • Velocity checks: Detection of abnormally high transaction frequency from a single account, device, IP address, or card within defined time windows, which may indicate card testing, account takeover, or systematic fraud.
  • Email address analysis: Assessment of the registration email address's age, domain reputation, and history of association with fraudulent transactions.
  • Behavioral biometrics: Analysis of user interaction patterns during checkout (typing speed, mouse movement, form completion time) to detect bot-driven or scripted transaction attempts.
  • Card BIN analysis: Verification that the card BIN (Bank Identification Number) is consistent with the stated card type, issuing country, and transaction details.
  • Address Verification Service (AVS): For applicable card transactions, verification of the cardholder's billing address against the card issuer's records. Transactions with AVS mismatches are subject to additional review.
  • Card Verification Value (CVV) matching: All card-present-equivalent transactions require CVV verification. Transactions with CVV failures are declined.

7.3 Machine Learning Fraud Detection

In addition to rule-based screening, PawPass benefits from Stripe Radar's machine learning fraud detection, which continuously analyzes transaction data across Stripe's global network of millions of businesses to identify emerging fraud patterns and apply predictive risk scores to individual transactions. Stripe Radar's models are trained on a vast dataset that enables detection of sophisticated fraud patterns that may not be apparent from individual transaction data alone. Transactions that exceed defined risk thresholds are automatically declined or flagged for manual review before processing. PawPass's operations team reviews flagged transactions and makes final determinations based on all available information.

7.4 Account Takeover Prevention

PawPass implements the following controls to prevent unauthorized access to customer accounts, which is a common precursor to payment fraud:

  • Mandatory strong password requirements enforced at account creation and password change.
  • Detection and notification of login attempts from unrecognized devices or unusual geographic locations.
  • Rate limiting of login attempts to prevent brute-force credential attacks.
  • Secure account recovery processes that verify the customer's identity before allowing password reset.
  • Session management controls including automatic session expiry after periods of inactivity and single-session enforcement options.
  • Logging of all authentication events for audit and investigation purposes.

7.5 Transaction Monitoring and Suspicious Activity Review

PawPass conducts ongoing post-transaction monitoring to identify patterns indicative of fraud, money laundering, or other financial crimes. Monitoring activities include:

  • Review of transactions that trigger automated risk alerts but were not declined at the point of authorization.
  • Analysis of refund and chargeback patterns to identify systematic abuse.
  • Monitoring of account activity for unusual patterns, including a large volume of bookings followed by cancellations, or rapid changes to payment methods or account details.
  • Periodic reconciliation of transaction records against Payout disbursements to identify discrepancies.

Where suspicious activity is identified, PawPass may: place a temporary hold on the relevant account pending investigation; require additional identity verification from the account holder; reverse transactions where fraud is confirmed; and report suspected financial crimes to relevant authorities where required by applicable law.

7.6 Sanctions Screening

PawPass screens customers and Partners against applicable sanctions lists, including the U.S. Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons list, the EU and UK consolidated sanctions lists, and other applicable watchlists, prior to activating accounts and processing transactions. PawPass does not process transactions involving individuals or entities on applicable sanctions lists and takes appropriate steps when a match is identified, including account suspension and notification to relevant authorities where required.

7.7 Anti-Money Laundering Controls

PawPass implements anti-money laundering (AML) controls proportionate to the nature and scale of its business activities, including Know Your Customer (KYC) verification of Partner accounts through Stripe Connect, monitoring of transaction patterns for characteristics associated with layering or integration of illicit funds, and cooperation with financial intelligence requests from authorized law enforcement and regulatory authorities.

8. Chargeback Management Framework

8.1 Chargeback Prevention

PawPass implements proactive measures to minimize the occurrence of chargebacks, which benefits both customers and the integrity of the payment ecosystem:

  • Clear transaction descriptors: All charges on customer payment statements appear with a clearly identifiable merchant name and transaction reference, reducing instances of legitimate transactions being disputed as unrecognized.
  • Immediate transaction confirmation: Customers receive an email confirmation of every transaction within minutes of payment, including the transaction amount, description, and reference number.
  • Subscription renewal notices: Customers with active subscriptions receive advance email notification at least seven (7) days before each renewal charge is processed, including the renewal amount and instructions for cancellation.
  • Accessible customer service: PawPass provides a readily accessible customer support channel at office@pawpass.rs to resolve billing concerns before they escalate to chargebacks.
  • Transparent refund policy: PawPass's Refund and Returns Policy is clearly displayed at the point of purchase and in all transaction confirmation communications.

8.2 Chargeback Response Process

When a chargeback is received from a customer's issuing bank or payment network, PawPass follows a structured response process:

  • PawPass is notified of the chargeback by Stripe within the timeframe specified by the applicable payment network rules.
  • The relevant transaction records, including order details, delivery confirmation, customer communications, and prior dispute correspondence, are assembled by PawPass's operations team.
  • PawPass submits a formal representment package to the payment network through Stripe, including all available evidence supporting the legitimacy of the transaction.
  • Where the chargeback involves a service booking dispute, the relevant Partner's documentation and service delivery records are included in the representment package.
  • PawPass tracks chargeback outcomes and uses dispute data to refine fraud prevention rules and customer communication processes.

8.3 Chargeback Rate Monitoring

PawPass actively monitors its chargeback rate against the thresholds set by major card networks (Visa, Mastercard, American Express). PawPass's operational target is to maintain a chargeback rate well below the network-defined thresholds that trigger merchant monitoring programs. Elevated chargeback rates by specific Partners are addressed through the chargeback reserve and Partner account review processes described in the Partner Terms and Conditions.

8.4 Friendly Fraud Mitigation

Friendly fraud (the filing of a chargeback for a transaction that was genuinely authorized and fulfilled) is addressed through comprehensive evidence preservation and a clear internal dispute resolution process. Customers are required under PawPass's Terms of Service and Refund Policy to contact PawPass before initiating a chargeback. This requirement is communicated at the point of purchase and in all relevant customer-facing policies. Where friendly fraud is identified, PawPass pursues representment and may take appropriate action against the account, including restriction or termination.

9. Payment Dispute Resolution

9.1 Internal Dispute Resolution

PawPass operates an internal payment dispute resolution process that is accessible to all customers and Partners before any formal chargeback or legal process is initiated. To submit a billing dispute, customers and Partners should:

  • Contact PawPass at office@pawpass.rs with the subject line "Payment Dispute - Transaction [Reference Number]".
  • Provide the account email address, transaction date, transaction amount, and a clear description of the dispute.
  • Include any supporting documentation, such as order confirmations, communications with Partners, or evidence of service non-delivery.

PawPass will acknowledge receipt of the dispute within two (2) Business Days and will provide a substantive determination within seven (7) Business Days. Where additional investigation is required, PawPass will notify the customer of the extended timeline and provide a status update within seven (7) Business Days.

9.2 Escalation to Payment Processor

Where PawPass's internal dispute resolution process does not produce a satisfactory outcome for the customer, the customer retains the right to escalate the dispute to Stripe or to their issuing bank, subject to the timelines and procedures of the applicable payment network or card scheme. PawPass will cooperate fully with any formal payment network dispute process and will provide all relevant documentation requested by Stripe or the payment network.

9.3 Regulatory Escalation

Customers who believe that a payment dispute has not been adequately resolved and involves a potential violation of applicable consumer protection or financial services law may contact the relevant regulatory authority. In the United States, customers may contact the Consumer Financial Protection Bureau (CFPB) or state-level consumer protection agencies. EU and UK customers may contact their national financial regulator or consumer protection authority. PawPass cooperates fully with regulatory inquiries and investigations.

9.4 Dispute Resolution for Subscription Charges

Disputes relating to subscription charges, including alleged unauthorized renewals or charges following cancellation, are handled through the same internal dispute process described in Section 9.1. PawPass maintains complete records of all subscription enrollment confirmations, renewal notices, and cancellation requests. Where a cancellation request was validly submitted prior to a renewal charge, PawPass will refund the charge in full. Where the cancellation was submitted after the renewal date, the matter will be assessed in accordance with the Refund and Returns Policy.

10. Third-Party Processor Liability Limitation

10.1 Stripe's Independent Liability

Payment processing services on the Platform are provided by Stripe, Inc. as an independent third-party service provider. Stripe operates its own payment infrastructure, risk management systems, and compliance programs independently of PawPass. Any failure, delay, error, or security incident occurring within Stripe's payment processing infrastructure is subject to Stripe's own terms of service and liability framework, and PawPass is not liable for such events to the extent they result from factors within Stripe's control. PawPass is not liable for: (a) failures of Stripe's payment processing systems that result in declined transactions; (b) delays in transaction processing or settlement caused by Stripe; (c) Stripe's fraud detection decisions to decline transactions that the customer believes are legitimate; or (d) any loss or damage arising from a security incident within Stripe's systems. Customers who experience issues directly attributable to Stripe's systems may contact Stripe directly at https://stripe.com/contact.

10.2 Banking Partner Liability

Wire transfers and ACH payments are processed through banking institutions that operate under their own terms, processing timelines, and liability frameworks. PawPass is not responsible for delays, errors, or failures caused by the customer's bank, the beneficiary bank, or any correspondent bank in the wire transfer chain, provided that PawPass has correctly submitted the payment instruction with the information provided by the customer or Partner.

10.3 PawPass's Liability for Payment Processing

PawPass's liability for payment processing errors directly attributable to PawPass's systems or personnel is limited to: (a) the correct amount of any charge incorrectly processed due to PawPass error, which will be refunded or credited promptly upon confirmation; and (b) the refund of any duplicate charges caused by PawPass's systems. PawPass's total liability for payment processing errors shall not exceed the amount of the transaction in dispute. This limitation does not apply where prohibited by applicable mandatory consumer protection law.

11. Customer Payment Protection Commitments

PawPass is committed to the following payment protection standards for all customers transacting on the Platform:

  • No hidden fees: All fees and charges are disclosed transparently at the point of purchase before the customer confirms payment. PawPass does not impose undisclosed fees, currency surcharges, or processing fees on customers.
  • No unauthorized charges: PawPass will only charge a customer's payment method for transactions explicitly authorized by that customer. Subscription renewals are subject to advance notice requirements.
  • Secure credential handling: PawPass does not store full card numbers, CVV codes, or sensitive authentication data. All payment credential storage is handled exclusively by Stripe's PCI-DSS-certified systems.
  • Transaction transparency: Every transaction generates an immediate email confirmation to the customer. Customers can view their complete transaction history in their account settings at any time.
  • Accessible dispute resolution: PawPass provides a clear and accessible dispute resolution process at office@pawpass.rs. Customers are not required to initiate a chargeback as a first step.
  • Refund commitment: Approved refunds are processed promptly in accordance with PawPass's Refund and Returns Policy. Customers are not charged any fee by PawPass for processing a legitimate refund.
  • Data minimization: PawPass collects only the payment data strictly necessary to process transactions and comply with legal obligations. PawPass does not sell customer financial data to third parties.

12. Regulatory and Legal Compliance

12.1 Payment Services Compliance

PawPass operates its payment collection activities in compliance with applicable payment services regulations, including compliance with card network rules issued by Visa, Mastercard, and American Express; applicable U.S. federal and state money transmission laws (to the extent applicable to PawPass's business model); and applicable EU and UK payment services directives and regulations (PSD2/PSR) as they apply to Platform operations in those jurisdictions. PawPass does not operate as a licensed money transmitter, payment institution, or e-money issuer. All regulated payment processing activities are conducted through Stripe, Inc., which holds the necessary licenses and registrations in applicable jurisdictions to provide payment processing services.

12.2 Anti-Money Laundering and Know Your Customer

PawPass implements AML and KYC controls appropriate to its business model and risk profile. For Partner accounts, Stripe Connect's identity verification and KYC onboarding process satisfies applicable customer due diligence requirements. For consumer transactions, PawPass applies transaction monitoring and fraud prevention controls that are designed to detect and prevent the use of the Platform for money laundering or other financial crimes. PawPass cooperates fully with requests from authorized law enforcement and regulatory authorities, including compliance with lawful orders requiring the provision of transaction data or account information.

12.3 Tax Compliance

PawPass complies with applicable tax reporting and withholding obligations in connection with payments made through the Platform. Where required by applicable law, PawPass issues tax reporting documents (such as Form 1099-K for U.S. recipients) and withholds taxes from payments to the extent required. PawPass maintains transaction records sufficient to support its own tax compliance and to assist customers and Partners with their own tax reporting obligations.

12.4 Consumer Protection Law Compliance

PawPass's payment practices are designed to comply with applicable consumer protection laws, including the Electronic Fund Transfer Act (EFTA) and Regulation E (for ACH transactions), the Fair Credit Billing Act (FCBA) (for credit card transactions), applicable EU and UK consumer rights regulations governing distance selling and digital service contracts, and GDPR and UK GDPR provisions applicable to payment data processing.

12.5 Record Retention

PawPass retains transaction records, payment authorizations, and related financial documentation for a minimum of seven (7) years from the transaction date, in compliance with applicable U.S. federal and state recordkeeping requirements and international tax and financial reporting obligations. Transaction records are stored securely with access controls limiting access to authorized personnel only.

13. Security Incident Response

13.1 Incident Response Program

PawPass maintains a documented security incident response program that establishes procedures for identifying, containing, investigating, and remediating security incidents that may affect payment data or customer personal data. The incident response program is reviewed annually and updated following significant changes to Platform infrastructure or the threat landscape.

13.2 Detection and Containment

Security incidents are detected through a combination of automated monitoring systems, third-party security tooling, internal audit processes, and responsible disclosure by external researchers. Upon detection of a potential security incident, PawPass's incident response team is activated and takes immediate steps to contain the incident, assess its scope and impact, and prevent further unauthorized access or data exposure.

13.3 Notification Obligations

In the event of a security incident that affects payment data or personal data, PawPass will fulfill its notification obligations as follows:

  • Regulatory notification: Where required by applicable law (including GDPR Article 33), PawPass will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying personal data breach.
  • Customer notification: Where a security incident poses a high risk to customers' rights and freedoms, PawPass will notify affected customers without undue delay in accordance with GDPR Article 34 and equivalent applicable law. Notification will include: a description of the nature of the incident; the categories and approximate volume of data affected; the likely consequences of the breach; and the measures PawPass has taken or proposes to take to address the breach.
  • Payment network notification: Where a security incident involves or potentially involves cardholder data, PawPass will notify Stripe and the applicable payment networks in accordance with PCI-DSS incident response requirements.

13.4 Post-Incident Review

Following the resolution of a significant security incident, PawPass conducts a post-incident review to identify root causes, assess the effectiveness of the response, and implement improvements to prevent recurrence. Where applicable, PawPass will engage an independent security firm to conduct a forensic investigation and provide recommendations.

14. Updates to This Document

PawPass reviews and updates this Payment Security Policy periodically to reflect changes in payment processing infrastructure, security practices, applicable regulatory requirements, and accepted payment methods. The Effective Date at the top of this document reflects the date of the most recent revision. Material changes to this document, such as the introduction of new payment methods, changes to the primary payment processor, or significant updates to security infrastructure, will be communicated to registered users via email or a prominent Platform notice. The most current version of this document is always available at https://www.pawpass.rs/en.

15. Contact Information

For questions about payment security, to report a suspected security vulnerability, to dispute a transaction, or to make a payment-related inquiry, please contact PAWPASS LLC:

Company Name: PAWPASS LLC
Mailing Address: 75 E 3rd St, Sheridan, WY 82801, United States
Email: office@pawpass.rs
Website: https://www.pawpass.rs/en

PawPass treats all payment security inquiries and vulnerability reports with the highest priority. We are committed to maintaining a secure, transparent, and trustworthy payment environment for all customers, Partners, and stakeholders.
