Merchant Terms & Conditions

This legally binding Merchant Agreement (the “Agreement”) is entered into between:

1. Kashia Services Limited (“Cashia”, “we”, “us”, or “our”), a company incorporated under the laws of Kenya with its registered office in Nairobi, and a Payment Service Provider (PSP) licensed by the Central Bank of Kenya under the National Payment Systems Act, 2011; and

2. The Merchant Client (“Merchant”, “you”, or “your”), being the individual or legal entity completing Self-Onboarding and accepting this Agreement.

Each a “Party” and collectively the “Parties”.

a. Acceptance of Terms

● By completing Self-Onboarding on the Cashia website or mobile application including creating an account, submitting Onboarding Data, configuring your Stika, and clicking “I Accept” or “Submit”—you irrevocably confirm that:

● You are the duly authorized representative of the Merchant with full legal capacity to bind it;

● You have read, understood, and agree to be legally bound by:

I. This Agreement;

II. All Complementary Documents, including:

▪ AML/CFT/CPF Policies;

▪ Cyber Security and Data Protection Policies;

▪ Privacy Policy;

▪ Refund Policy;

▪ Acceptable Use Policy; and

▪ Any other policies published on www.cashia.com (as amended from time to time).

● You have had the opportunity to seek independent legal advice; and

● Your Electronic Acceptance constitutes a valid, binding, and enforceable electronic signature under the Kenya Information and Communications Act (as amended) and other applicable laws.

Any use of Cashia Services—including but not limited to account registration, self-onboarding, Stika activation, or execution of a transaction—shall be deemed full and unconditional acceptance of this Agreement and all Complementary Documents.

b. Account Requirement:

● To access any Cashia Service, a Cashia Merchant Account must be opened in your name. Self Onboarding enables digital initiation of this process, subject to Cashia’s verification and approval. Account activation and live transaction capability are not guaranteed and remain contingent upon:

a. Successful KYB verification;

b. Compliance with AML/CFT/CPF obligations; and

c. Cashia’s internal risk assessment.

c. Rejection of Terms:

● If you do not agree with any provision of this Agreement or the Complementary Documents, you must immediately cease use of the Cashia platform and not proceed with self-onboarding, account creation, or any transaction.

1. Introduction

● This Merchant Agreement, together with the Complementary Documents (including the AML/CFT/CPF Policies, Cyber Security and Data Protection Policies, Privacy Policy, Refund Policy, Acceptable Use Policy, and any other policies referenced herein), collectively referred to as the “Agreement”, governs the relationship between Kashia Services Limited (“Cashia”, “we”, “us”, or “our”) and the Merchant Client (“Client”, “Merchant”, “you”, or “your”), including its authorized representatives.

● By completing the self-onboarding process on the Cashia website or mobile application—including creating an account, providing owner and business details, uploading Know-Your-Business (KYB) documents, configuring your Stika, and clicking “I Accept” or “Submit”—you confirm that:

a. You are the authorized representative of the Merchant;

b. You have read, understood, and agree to be legally bound by this Agreement and all Complementary Documents (as may be amended from time to time);

c. You have had the opportunity to seek independent legal advice; and

d. Your acceptance constitutes a valid and binding electronic signature under applicable law.

● Any use of the Cashia Services, including but not limited to registration, self-onboarding, account activation, or execution of a transaction, shall be deemed full and unconditional acceptance of this Agreement.

● To use any Cashia service, a Cashia Merchant Account must be opened in your name. Self onboarding enables you to initiate this process digitally, subject to Cashia’s verification and approval. Account activation and access to live services are not guaranteed and remain subject to successful completion of KYB, compliance checks, and Cashia’s internal risk assessment.

● If you do not agree with any provision of this Agreement or the Complementary Documents, you must cease use of the platform immediately and not proceed with self-onboarding or any transaction.

● This Agreement applies to all services you access under your Cashia Merchant Account, including any future additions, modifications, or cancellations to your service plan—even in the absence of direct notification to Cashia.

● You confirm that any person you designate as an authorized representative has full authority to act on your behalf, including but not limited to onboarding, purchasing services, modifying plans, or terminating the account. Such actions shall be binding and final.

● Kashia Services Limited is headquartered in Nairobi, Kenya, where its main operations are based and where performance of the Services shall be deemed to take place. Acceptance of this Agreement—whether via self-onboarding, electronic signature, or use of the Services—shall be deemed to have occurred in Kenya, regardless of your physical location.

All sections of this Agreement apply to any and all Services you subscribe to, now or in the future.

2. Definitions

Account or Cashia Account — The business web-based e-money account opened and maintained by Cashia in your name. This account allows you to execute transactions including payments, deposits, and withdrawals, and is used for both payment gateway processing and e-wallet functionalities.

Agreement — This agreement includes all subsequent amendments and any additional documentation that accompanies it and to which Clients must adhere, including Privacy Policy, Refund Policy, and Acceptable Use Policy.

Balance — Any e-money that you have in your Cashia Account.

Calendar year — 1 January to 31 December inclusive in any year.

Chargeback — A demand by a credit-card issuer for restitution of the loss on a fraudulent or disputed transaction by the Merchant. Details on the Chargeback and Refund Policy may be found online at [Cashia website].

Claim — A challenge to a payment that a sender of a payment files directly with Kashia Services Limited.

Client, Merchant, you or your — You and any other person or entity entering into this Agreement with Cashia or using the Service on your behalf as a retailer with a physical or online shop, who is selling goods and/or services and is using the services to receive payment through Cashia e-Wallet, in whose name the Cashia Merchant e-Wallet is registered. Natural persons must be above 18 years old to use the Services.

Corporate Account or Business Account — A legal entity account.

Cross Border — The ability to offer the Cashia services as provided by Cashia across the borders of their home state.

Customer Service — The customer support which can be accessed online by sending an email at support @cashia.com or +254 709 200 900.

Dispute — A dispute filed directly with Kashia Services Limited.

Electronic Acceptance — The act of agreeing to this Agreement by clicking “I Accept”, “Submit”, or any equivalent button during self-onboarding or account setup. Electronic Acceptance has the same legal effect as a wet-ink signature under the Kenya Information and Communications Act and other applicable laws.

Electronic Money or E money — Electronically, including magnetically, stored monetary value as represented by a claim on Kashia Services Limited, which is issued on receipt of funds for the purpose of making payment transactions and which is accepted by a natural or legal person other than the issuer of electronic money. The terms “E-money”, “money” and “funds” are used interchangeably in this Agreement.

Fees — Any fees, tariffs, and charges that may be charged by Cashia to you and which are agreed between you and Cashia in writing.

Funding Source — The payment method used to fund a Topping Up or Withdrawal transaction as indicated in the Agreement.

Information — Any confidential and/or personally identifiable information or other information related to an Account or Merchant, including but not limited to: name, email address, VAT, post/shipping address, phone

KYB or Know-Your Business — The verification process undertaken by Cashia to confirm the identity, legitimacy, and ownership of the Merchant, including review of business registration documents, tax identification, proof of address, beneficial owner details, and any other information or documents required under AML/CFT/CPF regulations or Cashia’s internal policies. KYB may be performed automatically, manually, or via a combination of both during or after self-onboarding.

Onboarding Data — All information, documents, and materials submitted by the Merchant during self-onboarding, including but not limited to: business name, registration number, tax ID, owner identity documents, proof of address, bank account details, and Stika configuration. The Merchant warrants that all Onboarding Data is accurate, complete, and legally obtained.

Payment Link — A unique, time-limited, secure URL generated via the Stika interface or Cashia merchant app, requiring a title, description, amount, and expiry date, directing to a Cashia-hosted checkout page for payment via e money, card, or mobile money.

Payment Order — A valid instruction by the Merchant to Cashia requesting the execution of a Transaction.

Payment Review — The process described in sections 5 and 6 of this Agreement.

Payment Service User (PSU) — Any verified, registered individual who holds an active Cashia e-Wallet in their name with Kashia Services Limited, may use the Cashia services, and transact with the Merchant.

Payment Transaction — Any transaction executed through the payments account of Cashia under which the User, as payer, pays a third party/payee, irrespective of underlying cause, the requested amount, while equally debiting the Balance of their Cashia Account.

Policy or Policies — Any policy or other agreement between you and Cashia that you entered into on the Cashia website(s), or in connection with your use of the Services.

Policy Update — Changes in the Cashia Policies for which you will be notified and may be made available to you in writing or through the Cashia website(s).

Receiving Payment Transaction — Any transaction executed through the Cashia Platform under which the Cashia or Merchant Account of the User as beneficiary of the payment is credited with electronic money of equal monetary value with the amount of the corresponding payment order by the payer to the User for any lawful cause (with supporting documentation), settled as to the transaction’s fees.

Restricted Activities — Those activities described in section 12 of this Agreement.

Self-Onboarding — The digital, merchant-initiated process available on the Cashia website or mobile application through which a Merchant creates a Cashia Merchant Account, submits owner and business information, uploads

Services — All products, services, content, features, technologies, or functions offered by Cashia and all related sites, applications, and services.

Stika — A unique merchant identifier, virtual store profile, or payment acceptance configuration created by the Merchant during self onboarding, used to receive payments via QR code, payment link, or embedded checkout. The Stika is linked to the Merchant’s verified Cashia Account and may include branding, product listings, or payment rules as configured by the Merchant.

Territory or Territories — The countries where the Services are offered.

Third Party e-Wallet — A web-based electronic money (e-money) account opened and maintained by Cashia in the name of a third party, including a PSU.

Topping Up Transaction — The transaction that aims to issue electronic money from Stores of Value with the payment to Cashia Platform or through the payment gateway of equal nominal value amount through approved Stores of Value and the subsequent crediting of the said amount to the Cashia Account. For any Topping Up Transaction to take place, all Funding Sources (credit cards, debit cards, bank accounts) must be verified as having you as the sole beneficiary.

Transaction — Any exchange of e-money initiated by the Merchant, either to make payments to third parties or receive payments from customers, through the Cashia payment gateway or e-wallet services. This can include deposits, withdrawals, or payments.

Unauthorized Transaction and Unauthorized Account Access — Has the meaning assigned to them in section 14 of this Agreement.

Verified — The status granted to a Merchant upon successful completion of KYB, whether through self-onboarding or assisted onboarding. Only Merchants with Verified Status may execute live transactions. Cashia reserves the right to suspend or revoke Verified Status at any time if risk, compliance, or fraud concerns arise.

Verified Bank Account — The active bank account held in the name of the User in a recognized credit institution, and of which the User has been identified as sole legal beneficiary.

Verified Card — The active prepaid, credit, and/or debit card, issued by a recognized financial entity in cooperation with international card schemes (indicatively VISA), of which the User has been identified as sole legal beneficiary.

Withdrawal Transaction or — Any transaction initiated and/or executed by the User with the aim to redeem part or the whole Balance available in the Cashia Account through the receipt of equal nominal value amount of money and the respective decrease of the Balance. For any Withdrawal Transaction to

Working Days or Workdays — A day (other than a Saturday, Sunday, or public/bank holiday) on which supporting banks in Kenya or other jurisdictions where the Services are provided are open for business (other than for the sole purpose of 24-hour electronic banking).

3. Provision of Services

3.1 Legal Status and Regulatory Framework

a. Kashia Services Limited (“Cashia”, “we”, “us”, or “our”) is a Payment Service Provider (PSP) licensed by the Central Bank of Kenya (CBK) under the National Payment Systems Act, 2011 (NPSA) to operate a Payment Gateway and Electronic Money (E-Money) Issuance Platform.

b. Cashia acts solely as an intermediary, facilitating digital payment transactions between Payment Service Users (PSUs) and Merchants. It does not control the legality, quality, or delivery of goods/services sold by Merchants, nor does it act as a bank, accept deposits, or provide credit.

3.2 Core Services Offered

● Cashia provides the following regulated services to Merchants with Verified Status:

Receive Payments — Accept e-money via Stika QR Codes, Payment Links, embedded checkouts, or API integrations. — NPSA, 2011; NPS Regulations, 2014; KE-QR Code Standard 2023

Make Payments — Initiate outgoing Payment Transactions by debiting your Account Balance. — NPSA, 2011; NPS Regulations, 2014

Top-Up (E-Money Issuance) — Convert fiat currency from Verified Funding Sources into e-money. — NPS Regulations, 2014; CBK E Money Guidelines

Withdraw (E-Money Redemption) — Redeem e-money to a Verified Bank Account or Verified Card. — NPS Regulations, 2014; Money Remittance Regulations, 2013

Balance Holding — Maintain e-money in your Account (non interest-bearing; not a deposit). — NPSA, 2011; Kenya Deposit Insurance Act, 2012

3.3 Access and Activation of Services

● Access to live Services requires:

1. Successful Self-Onboarding via the Cashia website or mobile app, including submission of Onboarding Data, Stika configuration, and Electronic Acceptance of this Agreement.

2. Verified Status following Know-Your-Business (KYB) verification.

3. Ongoing compliance with this Agreement, Complementary Documents, and applicable laws.

● Self-Onboarding does not guarantee activation. Cashia may delay, restrict, or deny access based on KYB outcomes, AML/CFT/CPF risk assessments, or regulatory concerns. Only Verified Merchants may process live transactions.

3.4 Stika QR Codes and Payment links

● You may use Stika QR Codes and Payment Links to collect e-money or fiat payments from PSUs, processed securely with PSU authentication (e.g., Pay with Cashia Strong Customer Authentication (SCA)), per NPS (E-Money) Regulations 2021, Regulation 20 and CBK Cybersecurity Guidelines (CBK/PSP/GUID/02). For example, a PSU scans a Stika QR Code to transfer e-money from their Cashia wallet, or clicks a Payment Link to initiate a card payment. Transaction details, including fees (Section 5.1) and risks (Section 3.8), are disclosed upfront via the merchant app or www.cashia.com , per NPS (E-Money) Regulations 2021, Regulation 4(2). You must ensure QR codes and links are used only for authorized purposes, per Section 11 (Restricted Activities).

a. Function and Purpose

● Stika QR Code: A scannable QR code generated via the Stika interface, representing the Merchant’s identity and payment configuration. QR codes may be:

o Static: Fixed merchant details for general use (e.g., “Pay to [Merchant Name]”).

o Dynamic: Encoded with Payment Link data (title, description, amount, expiry) for transaction-specific payments.

● Payment Link: A unique, time-limited, secure URL that directs a PSU to a payment interface for transaction completion using e-money, credit/debit cards, mobile money, or Pay with Cashia. Payment Links can be embedded in dynamic Stika QR Codes for a “scan-to-pay” experience or shared independently for a “click-to-pay” experience.

These features enable card-not-present (CNP) and in-person payments without physical POS infrastructure.

b. Payment Links – Creation Requirements

When generating a Payment Link, you must provide:

● Title: A concise, accurate name for the product/service (e.g., “Laptop Sale”, “Consulting Fee”).

● Description: Clear details of the goods/services, including specifications or delivery terms, compliant with the Consumer Protection Act, 2012.

● Amount: Exact transaction value in Kenyan Shillings (KES) or supported currency. The amount is non-editable after creation.

● Expiry Date (optional): You may set an expiry date and time of your choosing. If no expiry is set, the Payment Link will remain active until used or until Cashia automatically expires it (see below).

Cashia reserves the right to automatically expire any Payment Link that remains unused for more than 90 days or where fraud indicators are detected.For example, a PSU clicks a Payment Link to initiate payment for the described goods/services. Transaction details, including fees (Section 5.1) and risks (Section 3.8), are disclosed upfront via the merchant app or www.cashia.com, per NPS (E-Money) Regulations 2021, Regulation 4(2).

You must ensure Payment Links and Stika QR Codes are used only for authorised purposes, per Section 11 (Restricted Activities).

c. Features

● Integrated Workflow: Generate a Payment Link and embed it in a dynamic Stika QR Code within the merchant app for unified “scan-to-pay” or “click-to-pay” functionality.

● Pay with Cashia Integration: PSUs can select Pay with Cashia, input their Stika name, and authorize payments via app notification, enhancing security with Strong Customer Authentication (SCA).

● Branding: Displays your Stika profile (logo, business name) on the payment interface.

● Multi-Channel Sharing: Share Payment Links via secure channels (email, SMS, WhatsApp) or display QR Codes in-store, on websites, or printed materials (e.g., flyers, receipts).

● Real-Time Tracking: Monitor scans, clicks, and payment completions via the merchant app dashboard.

● Interoperability: Compliant with the Kenya Quick Response Code Standard 2023 (KE-QR Code Standard), ensuring secure, EMVCo-based transactions.

d. Legal and Regulatory Framework

Stika QR Codes, Payment Links, and Pay with Cashia are regulated payment instruments under:

● National Payment Systems Act, 2011 (NPSA): Governs PSP operations and transaction integrity.

● National Payment System Regulations, 2014 (Reg. 34): Mandates secure CNP transaction processing and consumer protection.

● Kenya Quick Response Code Standard 2023 (Clause 7.2): Ensures interoperable, secure dynamic QR codes and links.

● Data Protection Act, 2019: Protects PSU data during scan/link/app interactions.

● Guideline on Cybersecurity for PSPs (CBK/PSP/GUID/02): Requires monitoring, encryption, and 24-hour breach reporting.

● Proceeds of Crime and Anti-Money Laundering Act, 2009 (as amended): Enforces customer due diligence (CDD) and suspicious transaction reporting.

● Anti-Money Laundering and Combating of Terrorism Financing (Amendment) Act, 2023: Enhances reporting obligations.

● Consumer Protection Act, 2012: Mandates transparent pricing and dispute resolution.

e. Merchant Obligations

You must:

1. Provide accurate and truthful title, description, amount, and expiry date, aligning with your Stika profile and Consumer Protection Act, 2012 requirements.

2. Secure Usage:

o Stika QR Codes: Display only in controlled environments (e.g., verified website, in-store signage, printed materials); prohibit public posting that enables unauthorized scans.

o Payment Links: Share only via private, secure channels (e.g., direct customer email/SMS); public sharing (e.g., social media, forums) is prohibited.

3. Set a maximum 7-day expiry for dynamic QR Codes and Payment Links to mitigate fraud.

4. Prohibited Activities: Do not use for high-risk transactions (e.g., gambling, adult content, cryptocurrency) unless pre-approved by Cashia in writing.

5. Comply with PCI DSS standards; never request or collect PSU card details via QR scans, email, SMS, or other non-secure methods.

6. Monitor and Report: Track usage via the merchant app and report suspicious activity (e.g., excessive scans/clicks, unauthorized Pay with Cashia attempts) to Cashia at support@cashia.com immediately.

7. Ensure compliance with AML/CFT obligations and Cashia’s Acceptable Use Policy. f. Cashia Technical and Risk Controls

Cashia implements:

1. Validation: Verifies Merchant and PSU identity (via Stika name for Pay with Cashia) for all QR scans, link clicks, and app authorizations.

2. Tokenization: Dynamic QR Codes and Payment Links use secure tokenization to prevent tampering.

3. Real-Time Monitoring: Tracks scans, clicks, and Pay with Cashia authorizations for fraud, AML/CFT red flags, or unusual patterns (e.g., high click volume, geolocation anomalies).

4. Automatic Expiry: Dynamic QR Codes and Payment Links self-deactivate after the set expiry.

5. Strong Customer Authentication (SCA): Pay with Cashia requires PSU app-based authorization, enhancing security.

6. Audit Trail: Logs all interactions (timestamp, IP, device data, Stika name, transaction outcomes) for 7 years per NPS Regulations, 2014.

7. Revocation Rights: Cashia may block, disable, or revoke any QR Code, Payment Link, or Pay with Cashia transaction without notice for suspected fraud, misuse, or regulatory violations.

8. Suspension: Cashia may suspend QR Code/Payment Link/Pay with Cashia functionality for Accounts with repeated violations or high chargeback rates.

g. Liability and Chargebacks

● You are solely liable for chargebacks, refunds, or disputes arising from Stika QR Code, Payment Link, or Pay with Cashia transactions, including those caused by inaccurate data or non-delivery of goods/services.

● Cashia may deduct disputed amounts from your Account Balance immediately, as per the Schedule of Fees.

● You indemnify Cashia against losses, fines, or regulatory penalties resulting from misuse or non compliance.

h. Data Protection and Security

● PSU data (e.g., Stika name, payment details) collected via QR scans, Payment Links, or Pay with Cashia is processed per the Data Protection Act, 2019, using end-to-end encryption and tokenization.

● You must not store or misuse PSU data obtained through these features.

● Any data breach involving QR Codes, Payment Links, or Pay with Cashia must be reported to Cashia within 24 hours, per CBK Cybersecurity Guidelines.

● Where Cashia transfers or processes personal data outside Kenya, it shall do so only with the Data Commissioner’s approval and ensure the recipient jurisdiction upholds comparable data protection standards, as required under Sections 48–50 of the Data Protection Act, 2019. All third-party data processors must execute Data Processing Agreements consistent with the Act and CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

Breach and Consequences

Violations of this clause constitute a material breach, triggering:

● Immediate suspension of Stika QR Code, Payment Link, and Pay with Cashia functionality

● Account review under Restricted Activities (Section 12)

● Potential reporting to the Financial Reporting Centre (FRC) or CBK for AML/CFT or fraud violations

3.5 E-Money Issuance, Redemption, and Safeguarding

● Issuance: E-money is issued upon receipt of cleared funds from a Verified Funding Source, compliant with NPS Regulations, 2014 and CBK E-Money Guidelines.

● Redemption: Only to Verified Funding Sources in your name, subject to AML/CFT checks.

● Safeguarding: Client funds are held in segregated trust accounts at CBK-approved banks per NPSA Section 11. Cashia shall hold customer funds in a dedicated trust account with a CBK-approved financial institution. Reconciliations between customer e-money float and trust accounts shall be conducted daily, with monthly attestation by internal audit in compliance with Regulation 19 of the National Payment System Regulations, 2014.

● No Interest: Balances are non-interest-bearing.

● No Insurance: Balances are not covered by the Kenya Deposit Insurance Corporation (KDIC).

3.6 Third-Party Integrations and API Access

● Cashia may provide API access for integration with third-party systems (e.g., e-commerce platforms, accounting software, mobile apps), enabling automated transactions via Stika QR Codes, Payment Links, and Pay with Cashia. API usage is governed by the Cashia Developer Agreement (incorporated by reference) and subject to the following rules.

a. API Key Generation

● Eligibility: Only Merchants with Verified Status (per Section 4.4) may generate API keys in the Cashia merchant app.

● Generation Process:

o Merchants generate API keys via the app dashboard under the "API Settings" tab. o Each key is unique, alphanumeric, and associated with your Stika profile.

o Keys are scoped to specific permissions (e.g., read-only for transaction queries, write for Payment Link creation).

o Keys are displayed once upon generation for security; copy and store securely immediately.

b. Features and Usage

● Permissions: Keys enable:

o Querying transaction history (e.g., QR code scans, Payment Link clicks, Pay with Cashia authorizations).

o Generating dynamic Stika QR Codes or Payment Links programmatically.

o Integrating Pay with Cashia for automated authorizations.

● Rate Limits: Enforced to prevent abuse (e.g., 1,000 calls/hour per key); exceeding limits triggers temporary suspension.

● Sandbox Mode: Test keys are available for development; live keys access only after Verified Status confirmation.

c. Security Best Practices

You must:

● Secure Storage: Store API keys as environment variables or in secure vaults (e.g., AWS Secrets Manager); never embed in code, commit to repositories, or share publicly.

● Access Control: Restrict key usage to authorized applications/devices; use IP whitelisting where possible.

● Rotation: Rotate keys every 90 days or immediately if compromised; revoke old keys via the app dashboard.

● Monitoring: Log all API calls and monitor for anomalies (e.g., unusual volume); report suspected breaches to Cashia within 24 hours.

● Compliance: Adhere to PCI DSS for card data, Data Protection Act, 2019 for PSU data, and CBK Cybersecurity Guidelines for encryption/tokenization.

d. Cashia Controls

Cashia retains authority to:

● Revoke Keys: Immediately disable any key for suspected fraud, misuse, or non-compliance without notice.

● Audit Usage: Monitor API calls for rate limits, unusual patterns, or security risks; retain logs for 7 years per NPS Regulations, 2014.

● Suspend Access: Limit or terminate API functionality for Accounts with high error rates or violations.

e. Liability

● You are solely liable for losses from compromised API keys (e.g., unauthorized transactions via Payment Links).

● Cashia is not liable for damages from improper key management.

● You indemnify Cashia against claims arising from API misuse or breaches.

Unauthorized API use or key sharing constitutes a material breach, triggering Account suspension (Section 4.6) and potential FRC reporting for AML/CFT violations.

3.7 Service Availability, Maintenance, and Business Continuity

Cashia targets 99.5% uptime (excluding maintenance) but does not guarantee:

● Uninterrupted access

● Error-free operation

● Real-time processing

Maintenance:

● Planned: Notified 48 hours in advance via email, in-app banner, or website.

● Emergency: May occur without notice for security or system integrity.

Cashia maintains a Business Continuity Plan per CBK Cybersecurity Guideline (CBK/PSP/GUID/02). Cashia maintains a Business Continuity and Disaster Recovery Plan as required by Regulation 32 of the National Payment System Regulations, 2014. Any service interruption exceeding 2 hours shall be reported to the CBK and affected Merchants within 24 hours, detailing remediation steps per CBK Cybersecurity Guidelines.

3.8 Risk and Identity Disclaimer

Cashia cannot guarantee:

● PSU identity

● Transaction completion

● Prevention of minor access (despite age controls)

You accept inherent risks in digital payments and must implement independent fraud controls.

3.9 Intellectual Property and Licensing

● Cashia’s brand, Stika templates, QR Codes, Payment Links, and platform are proprietary under the Copyright Act, 2001.

● You receive a limited, revocable license to use Stika QR Codes, Payment Links, and Pay with Cashia for payment acceptance only.

● Prohibited: Modification, resale, or reverse engineering.

3.10 Agents and Outsourcing

● Prior to any material outsourcing, Cashia shall conduct comprehensive due diligence assessing the provider’s technical capacity, security, and regulatory compliance, and shall monitor outsourced

performance quarterly. All outsourced service providers shall be contractually bound to confidentiality and CBK compliance obligations.

● Cashia may appoint agents (e.g., for marketing, onboarding) or outsource functions (e.g., e-money processing, API hosting, data storage) to third parties, per NPS (E-Money) Regulations 2021, Regulation 24 and NPS Regulations 2014, Regulation 24.

● Cashia retains full responsibility for the actions of agents and third parties, ensuring compliance with Confidentiality (Section 9), Intellectual Property (Section 10), AML/CFT (Section 13.2), and record keeping (Section 13.4) obligations.

● Material outsourcing arrangements (e.g., engaging new payment processors) require prior approval from the Central Bank of Kenya (CBK), and Cashia will notify you of such arrangements via support@cashia.com or +254 709 200 900 or in-app notifications at least 30 days before implementation, unless immediate changes are required for regulatory compliance.

● You must not appoint agents to act on Cashia’s behalf without prior written consent via support@cashia.com or +254 709 200 900.

● Any issues with agents or outsourced services must be reported to support@cashia.com or +254 709 200 900 within 7 Working Days, with disputes handled per Section 14 (Dispute Resolution and Arbitration).

3.11 Comprehensive Regulatory Compliance

National Payment Systems Act, 2011: — PSP licensing and oversight

NPS Regulations, 2014: — Operations, consumer protection, data handling

KE-QR Code Standard 2023: — Secure, interoperable QR codes and Payment Links

Data Protection Act, 2019: — Consent, data security, breach reporting

Proceeds of Crime and AML Act, 2009 (as amended): — CDD, FRC reporting

AML/CTF Amendment Act, 2023: — Enhanced sanctions

CBK Cybersecurity Guideline: — 24-hour breach reporting, risk assessments

Money Remittance Regulations, 2013: — Cross-border standards

Kenya Information and Communications Act: — Electronic signatures

3.12 Advertising and Marketing Accuracy

● You must ensure all advertising and marketing materials for your goods or services using Cashia Services, including e-money transactions via Stika QR Codes or Payment Links, are accurate, not misleading, and disclose key terms, including:

a. Fees (Section 5.1), such as e-money issuance, redemption, or transaction charges. b. Risks (Section 3.8), including potential Chargebacks (Section 6).

c. Transaction limits (Section 3.7).

● All materials must link to the Schedule of Fees at www.cashia.com and clearly state Chargeback risks, per NPS (E-Money) Regulations 2021, Regulation 4(4) and CBK Prudential Guideline on Consumer Protection (CBK/PG/22), Section 5.

● Cashia’s marketing of Cashia Services complies with these standards and will be updated per Section 17.1.

● If you identify inaccurate or misleading marketing by Cashia or other merchants, report it to support@cashia.com or +254 709 200 900 within 7 Working Days. Cashia will investigate and respond within 14 Working Days.

● Violations may result in account suspension (Section 7.2) or termination (Section 7.1), per Section 11 (Restricted Activities).

3.13 Cashia’s Duties:

● Report suspicious transactions to the FRC within 24 hours

● Retain records for 7 years

● Conduct annual CBK audits

a. Your Duties:

● Cooperate fully with compliance requests

● Report breaches or fraud immediately

● Align operations with all laws

Non-compliance triggers suspension, termination, or FRC reporting.

4. Accounts

4.1. Account Creation and Eligibility

● To use Cashia Services, including Stika QR Codes, Payment Links, and Pay with Cashia, you must create a Cashia Account through the Self-Onboarding process on the Cashia website or mobile app. Accounts are available to:

a. Individuals: Natural persons over 18 years old, resident in Kenya or supported Territories, with valid identification.

b. Businesses: Registered entities (e.g., sole proprietorships, partnerships, companies) with valid business registration and tax documentation.

● You warrant that all Onboarding Data provided is accurate, complete, and lawful, and you are authorized to enter this Agreement. Cashia reserves the right to reject, suspend, or terminate Accounts based on Know-Your-Business (KYB) verification outcomes, AML/CFT/CPF risk assessments, or regulatory requirements under the National Payment Systems Act, 2011 and Proceeds of Crime and Anti-Money Laundering Act, 2009 (as amended).

4.2 Account Types

Cashia offers:

● Individual Accounts: For sole proprietors or freelancers, linked to personal identification and verified funding sources.

● Corporate/Business Accounts: For registered entities, requiring business registration, tax ID (e.g., KRA PIN), and beneficial owner details (≥25% ownership).
All Accounts are non-interest-bearing, do not constitute bank accounts, and are not covered by the Kenya Deposit Insurance Corporation (KDIC) per the Kenya Deposit Insurance Act, 2012.

4.3 Self-Onboarding Process

● Merchants initiate account creation via the Self-Onboarding portal on the Cashia website or mobile app by:

a. Providing Owner & Business Details

o Individual: Full legal name, ID/passport number, phone, email, physical address. o Business: Business name, registration number, tax ID (e.g., KRA PIN), physical address, nature of business, and expected transaction volume.

o Beneficial owner details (for businesses with ≥25% ownership).

b. Uploading KYB Documents

o Certificate of Incorporation or Business Registration (for businesses).

o Proof of address (e.g., utility bill, lease agreement < 3 months old).

o Valid ID of beneficial owners or individual merchants.

o Bank statement or letter confirming ownership of a Verified Bank Account or Verified Card.

o Documents are processed using Optical Character Recognition (OCR) to extract relevant data (e.g., registration number, tax ID, owner names) for automated verification, supplemented by manual review where necessary.

c. Configuring your Stika

o Creating a unique Stika identifier and virtual storefront for branding (e.g., logo, business name).

o Enabling Stika QR Codes, Payment Links, and Pay with Cashia for transaction acceptance, including setting payment rules (e.g., accepted currencies, transaction limits).

d. Accepting the Agreement

o Reviewing and confirming Electronic Acceptance of this Agreement and all Complementary Documents (e.g., AML/CFT Policy, Privacy Policy, Refund Policy) via clicking “I Accept” or equivalent, per the Kenya Information and Communications Act.

Completion of Self-Onboarding does not guarantee account approval. Cashia conducts automated and/or manual KYB verification, leveraging OCR technology for document processing and, where applicable, API-based checks with regulatory registries (e.g., Business Registration Service). Verification ensures compliance with:

● National Payment Systems Act, 2011

● Proceeds of Crime and Anti-Money Laundering Act, 2009 (as amended)

● Data Protection Act, 2019

OCR Processing Details:

● Data Extraction: OCR extracts text from uploaded KYB documents to populate verification fields (e.g., business name, KRA PIN).

● Security: Extracted data is encrypted and tokenized per Data Protection Act, 2019 and CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

● Error Handling: Documents failing OCR validation (e.g., illegible scans) are flagged for manual review, and Merchants may be prompted to resubmit.

● Merchant Responsibility: You must ensure uploaded documents are clear, legible, and authentic to avoid delays or rejection.

Cashia may request additional documentation or clarification during KYB review. Failure to provide accurate, complete, or legible data may result in rejection or suspension.

4.4 Verified Status

Upon successful KYB verification, your Account achieves Verified Status, enabling live transactions via Stika QR Codes, Payment Links, and Pay with Cashia. To maintain Verified Status, you must:

● Update Onboarding Data promptly for any changes (e.g., business address, beneficial owners).

● Comply with AML/CFT/CPF obligations, including reporting suspicious transactions to Cashia within 24 hours, per Proceeds of Crime and Anti-Money Laundering Act, 2009.

● Adhere to Section 3.4 (Stika QR Codes and Payment Links) and Section 12 (Restricted Activities). Cashia may revoke Verified Status for:

● Incomplete or fraudulent KYB data

● High chargeback rates or suspected fraud

● Non-compliance with this Agreement or applicable laws

4.5 Account Management

a. You are responsible for:

● Maintaining secure access to your Account (e.g., strong passwords, two-factor authentication) per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

● Monitoring transactions via the merchant app dashboard for Stika QR Codes, Payment Links, and Pay with Cashia.

● Reporting unauthorized access or suspicious activity (e.g., unexpected QR scans, link clicks, or Pay with Cashia attempts) to Cashia at support@cashia.com or +254 709 200 900 within 24 hours.

● Ensuring Account Balance reflects accurate e-money holdings, subject to Schedule of Fees deductions.

b. Cashia provides:

● Real-time transaction tracking and notifications.

● Secure storage of Onboarding Data per Data Protection Act, 2019, using end-to-end encryption.

● Audit logs of Account activity (retained for 7 years per National Payment System Regulations, 2014).

4.6 Account Suspension or Termination

a. Cashia may suspend or terminate your Account for:

● Breach of this Agreement, including Restricted Activities (Section 12) (e.g., misuse of Stika QR Codes, Payment Links, or Pay with Cashia, submitting fraudulent KYB documents).

● Suspected fraud, AML/CFT violations, or regulatory non-compliance.

● Failure to maintain Verified Status or provide updated KYB data.

● Excessive chargebacks or disputes.

b. Upon suspension:

● You may not process new transactions.

● Existing Stika QR Codes and Payment Links may be disabled.

● Account Balance may be frozen pending investigation.

Upon termination:

● Remaining Account Balance will be redeemed to a Verified Funding Source after deducting fees, disputes, or chargebacks, per National Payment System Regulations, 2014.

● You must cease using Cashia Services, including Stika features.

You may request Account closure via support@cashia.com or +254 709 200 900 , subject to AML/CFT checks and clearance of disputes.

4.7 Liability and Indemnification

● You are solely liable for losses arising from:

o Inaccurate or fraudulent Onboarding Data.

o Unauthorized Account access due to your failure to secure credentials.

o Misuse of Stika QR Codes, Payment Links, or Pay with Cashia.

● You indemnify Cashia against claims, fines, or losses resulting from your non-compliance with this Agreement or applicable laws.

● Cashia is not liable for losses due to:

o Merchant errors in Stika configuration or transaction data.

o PSU actions or non-delivery of goods/services.

4.8 Data Protection

● Onboarding Data and transaction data (e.g., Stika name, payment details) are processed per the Data Protection Act, 2019, using tokenization and encryption.

● You must not store or misuse PSU data obtained via Cashia Services.

● Any data breach involving your Account must be reported to Cashia within 24 hours, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

5. Fees and Payment Terms

5.1 Fee Structure

● Cashia charges fees for Services, including transactions via Stika QR Codes, Payment Links, Pay with Cashia, and API integrations, as detailed in the Schedule of Fees on www.cashia.com before transaction execution, per NPS (E-Money) Regulations 2021, Regulation 4(2) and NPS Regulations 2014, Regulation 4(2).

● Fees include transaction fees, withdrawal fees, chargeback fees, dispute resolution fees, and API usage fees, based on transaction volume, payment method, or API call frequency. Fees are quoted in Kenyan Shillings (KES) unless specified otherwise and exclude taxes (e.g., VAT per the Finance Act).

● You acknowledge that fees are non-refundable except as stated in the Refund Policy. Cashia may update the Schedule of Fees with 30 days’ notice via email, in-app notification, or website posting, per Consumer Protection Act, 2012 requirements for transparency.

5.2 Transaction Fees

● Each completed transaction via Stika QR Codes, Payment Links, or Pay with Cashia incurs a transaction fee, as specified in the Schedule of Fees. Fees are either a percentage of the transaction amount (e.g., 2% for card payments) or a flat rate (e.g., KES 50 for mobile money). Cashia deducts fees from the Account Balance during settlement.

● You must provide accurate transaction data (title, description, amount) per Section 3.4 to prevent disputes that may incur additional fees. Cross-border transactions may have higher fees due to currency conversion or international processing, compliant with Money Remittance Regulations, 2013.

5.3 API Usage Fees

● API key usage for integrations (per Section 3.6) may incur fees based on call volume, endpoint type (e.g., generating Payment Links, querying Pay with Cashia transactions), or premium features (e.g., real-time analytics), as outlined in the Schedule of Fees.

● Sandbox mode is free for testing, but live API calls are chargeable after achieving Verified Status (Section 4.4). Exceeding rate limits (e.g., 1,000 calls/hour) may result in temporary suspension and a reinstatement fee. You must monitor API usage via the merchant app dashboard to manage costs and avoid overuse.

5.4 Settlement

● Cashia settles funds to your Verified Funding Source (Section 4.3) within 2 Working Days for e-money transactions, subject to deductions for fees, Chargebacks (Section 6), or holds (Section 7.2), per NPS (E-Money) Regulations 2021, Regulation 20.

5.5 Withdrawal and Top-Up Fees

● Topping Up your Cashia Account from a Verified Funding Source or redeeming e-money to a Verified Bank Account or Verified Card may incur fees, per the Schedule of Fees.

● Fees depend on the funding source (e.g., KES 30 for bank transfers, KES 20 for mobile money) and transaction size. Withdrawals are processed within 3 Working Days, subject to AML/CFT checks per Proceeds of Crime and Anti-Money Laundering Act, 2009. Inaccurate funding source details may delay withdrawals and incur additional processing fees.

5.6 Chargeback and Dispute Fees

● You are liable for chargebacks or disputes from transactions via Stika QR Codes, Payment Links, or Pay with Cashia, including those due to non-delivery, fraud, or incorrect transaction data (e.g., misleading titles).

● Cashia deducts chargeback amounts and associated fees from your Account Balance immediately, per the Refund Policy.

● A dispute resolution fee applies if Cashia mediates a dispute, as detailed in the Schedule of Fees. Excessive chargebacks may lead to Account suspension or termination (Section 4.6). You may contest chargebacks via support@cashia.com or +254 709 200 900 within 7 days, providing evidence (e.g., delivery confirmation).

5.7 Payment Terms

● Cashia deducts fees automatically from your Account Balance at the time of each transaction, withdrawal, or chargeback. If the Account Balance is insufficient, Cashia will invoice you for outstanding amounts, payable within 7 Working Days via a Verified Funding Source.

● Non-payment may result in Account suspension, termination, or collection actions (Section 4.6). Transaction proceeds (net of fees) are settled to your Account Balance daily, subject to risk holds or AML/CFT reviews per National Payment System Regulations, 2014.

5.8 Transparency and Reporting

● Cashia provides real-time fee breakdowns, transaction reports, and API usage logs via the merchant app dashboard, ensuring transparency per Consumer Protection Act, 2012.

● You must review reports regularly and report discrepancies (e.g., incorrect fee deductions) to Cashia at support@cashia.com or +254 709 200 900 within 14 days of a transaction.

● Cashia retains fee and transaction records for 7 years, per National Payment System Regulations, 2014. Fee disputes are resolved within 30 days, with outcomes communicated via email or in-app notification.

5.9 Tax Compliance

● You are responsible for remitting applicable taxes (e.g., VAT, withholding tax) on transactions processed via Cashia Services, per the Finance Act and Kenya Revenue Authority requirements.

● Cashia may deduct taxes as required by law and provide tax invoices or receipts via the merchant app dashboard.

● You must provide accurate tax details (e.g., KRA PIN) during Self-Onboarding (Section 4.3) to ensure compliance.

5.10 Liability for Fees

● You are solely liable for all fees, taxes, and penalties arising from your use of Cashia Services, including misuse of Stika QR Codes, Payment Links, Pay with Cashia, or API keys.

● You indemnify Cashia against claims, fines, or losses from non-payment or regulatory violations.

● Cashia is not liable for losses due to your failure to monitor fees, maintain sufficient Account Balance, or comply with tax obligations.

5.11 Data Protection for Fee Processing

● Fee-related data (e.g., transaction amounts, API call logs) is processed with encryption and tokenization, per Data Protection Act, 2019. You must not misuse fee reports or transaction data.

● Any data breach involving fee processing must be reported to Cashia within 24 hours, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

6. Chargebacks and Disputes

6.1 Definitions

● A Chargeback occurs when a Payment Service User (PSU) or their payment provider (e.g., card issuer, mobile money operator) reverses a transaction, requesting a refund due to reasons such as non-delivery, defective goods, fraud, or unauthorized payment.

● A Dispute is a claim or complaint filed by a PSU directly with Cashia or through a payment provider, contesting a transaction processed via Stika QR Codes, Payment Links, Pay with Cashia, or API integrations. Chargebacks and Disputes are governed by this Agreement, the Refund Policy on www.cashia.com, and Consumer Protection Act, 2012.

6.2 Merchant Responsibility

● You are solely responsible for Chargebacks and Disputes arising from transactions via Stika QR Codes, Payment Links, Pay with Cashia, or API integrations.

● Causes may include inaccurate transaction data (e.g., misleading titles or descriptions per Section 3.4), non-delivery of goods/services, or failure to meet PSU expectations. You must ensure transactions comply with the Consumer Protection Act, 2012, providing clear, accurate details to minimize disputes. Cashia acts as an intermediary, facilitating resolution but not guaranteeing outcomes.

6.3 Chargeback Process

● Upon receiving a Chargeback request, Cashia notifies you via email or in-app notification within 24 hours, detailing the transaction, reason, and evidence required (e.g., proof of delivery, transaction logs).

● You must respond within 7 Working Days with supporting documentation via support @cashia.com or +254 709 200 900. Cashia deducts the Chargeback amount and any associated fees (per Schedule of Fees, Section 5) from your Account Balance immediately upon notification, pending resolution.

● If the Account Balance is insufficient, Cashia will invoice you, payable within 7 Working Days via a Verified Funding Source. Successful Chargeback defenses result in funds being reinstated, net of fees.

6.4 Dispute Resolution

● Disputes filed with Cashia are handled per the Refund Policy.

● You must provide evidence (e.g., order confirmation, delivery receipts) within 7 Working Days of notification.

● Cashia mediates disputes, aiming to resolve within 30 days, communicating outcomes via email or in-app notification.

● A dispute resolution fee, as outlined in the Schedule of Fees, applies if Cashia’s mediation is required. If a Dispute remains unresolved after 30 days, you or the PSU may escalate it to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

● Unresolved disputes may escalate to chargebacks or regulatory reporting if fraud or AML/CFT issues are suspected, per Proceeds of Crime and Anti-Money Laundering Act, 2009.

6.5 Preventive Measures

To minimize Chargebacks and Disputes, you must:

● Provide accurate, truthful transaction data (title, description, amount, expiry) per Section 3.4.

● Use secure channels for Payment Links and controlled environments for Stika QR Codes (Section 3.4).

● Monitor API key usage for anomalies (Section 3.6) and report suspicious activity (e.g., unauthorized Pay with Cashia attempts) to Cashia within 24 hours.

● Maintain clear communication with PSUs, including delivery timelines and refund policies, per Consumer Protection Act, 2012.

Cashia implements fraud detection (e.g., transaction monitoring, API call limits) and may hold funds or suspend transactions for high-risk activity, per National Payment System Regulations, 2014.

6.6 Consequences of Excessive Chargebacks or Disputes

Excessive Chargebacks or Disputes, defined as a rate exceeding 1% of monthly transactions or 10 incidents (whichever is higher), may result in:

● Increased transaction fees, per Schedule of Fees.

● Temporary holds on Account Balance for risk mitigation.

● Suspension or termination of Account, Stika QR Codes, Payment Links, Pay with Cashia, or API keys (Section 4.6).

● Reporting to the Financial Reporting Centre (FRC) for suspected fraud or AML/CFT violations. Cashia may require you to implement corrective measures (e.g., improved transaction descriptions) to maintain Verified Status (Section 4.4).

6.7 Liability

● You are solely liable for Chargeback and Dispute amounts, associated fees, and penalties, including those from PSU fraud, non-delivery, or regulatory violations.

● You indemnify Cashia against claims, fines, or losses arising from Chargebacks or Disputes. Cashia is not liable for losses due to your failure to provide accurate transaction data, deliver goods/services, or comply with this Agreement.

6.8 Data Protection

● Chargeback and Dispute data (e.g., PSU Stika name, transaction details, API logs) is processed with encryption and tokenization, per Data Protection Act, 2019.

● You must not misuse PSU data obtained during resolution. Any data breach involving Chargeback or Dispute processes must be reported to Cashia within 24 hours, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

6.9 Regulatory Compliance

● Cashia handles Chargebacks and Disputes in compliance with National Payment Systems Act, 2011, National Payment System Regulations, 2014, and Consumer Protection Act, 2012. Transaction and resolution records are retained for 7 years, per regulatory requirements.

● You must cooperate with Cashia for audits or FRC reporting related to Chargebacks or Disputes, per Proceeds of Crime and Anti-Money Laundering Act, 2009.

6.10 Execution, Reversals, and Liability

● Payment instructions, including e-money transfers via Stika QR Codes, Payment Links, or Pay with Cashia, are irrevocable once authorized by the PSU using Strong Customer Authentication (SCA), per NPS (E-Money) Regulations 2021, Regulation 20 and NPS Regulations 2014, Regulation 20.

● Reversals are permitted only for fraud, unauthorized transactions, or non-delivery of goods/services, subject to investigation by Cashia.

● You must submit evidence (e.g., proof of delivery, transaction logs) within 7 Working Days via support@cashia.com or +254 709 200 900 to support or contest a reversal request.

● If Cashia is liable for a transaction error (e.g., system failure affecting API integrations), Cashia will restore your Account Balance or e-money wallet to its state before the error, per National Payment Systems Act, 2011, Section 31(2)(b). You remain liable for reversals due to your failure to deliver goods/services or comply with this Agreement (e.g., Restricted Activities per Section 11).

● You remain liable for reversals due to your failure to deliver goods/services or comply with this Agreement (e.g., Restricted Activities per Section 11). Disputes over reversals follow Section 14, with escalation to CBK at +254 20 286 1000 or complaints@cbk.go.ke if unresolved.

● Any material changes to reversal rules require prior approval from the Central Bank of Kenya (CBK), per NPS (E-Money) Regulations 2021, Regulation 4(3), and will be notified per Section 17.2. Disputes over reversals follow Section 14.

7. Termination and Suspension

7.1 Termination by Merchant

● You may terminate your Cashia Account by submitting a written request via support@cashia.com or +254 709 200 900 , subject to clearance of outstanding fees, Chargebacks, Disputes, or AML/CFT checks per Proceeds of Crime and Anti-Money Laundering Act, 2009.

● Upon termination, you must cease using Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, and API keys. Cashia will redeem any remaining Account Balance, net of fees, to your Verified Funding Source within 7 Working Days, per National Payment System Regulations, 2014. Termination does not relieve you of obligations for prior transactions, fees, or indemnities.

7.2 Termination by Cashia

● Cashia may terminate your Cashia Account, with or without notice, for reasons including breach of this Agreement, such as engaging in Restricted Activities (Section 12), failure to maintain Verified Status (Section 4.4), non-payment of fees (Section 5), excessive Chargebacks or Disputes (Section 6.6), suspected fraud, AML/CFT violations, or non-compliance with applicable laws.

● Upon termination, Cashia will disable your Stika QR Codes, Payment Links, Pay with Cashia, and API keys, freeze your Account Balance pending investigation, and redeem any remaining balance, net of fees, Chargebacks, or penalties, to your Verified Funding Source within 30 days, subject to regulatory checks.

● Where termination or suspension arises from suspected fraud, AML/CFT non-compliance, or regulatory breach, Cashia shall notify the CBK and Financial Reporting Centre (FRC) within 24 hours, as required by Regulation 41 of the NPS Regulations, 2014 and Section 44 of POCAMLA, 2009.

7.3 Suspension

● Cashia may suspend your Cashia Account, Stika QR Codes, Payment Links, Pay with Cashia, or API keys, with immediate effect, for reasons including suspected fraud, AML/CFT concerns, high Chargeback/Dispute rates (Section 6.6), failure to provide updated KYB data (Section 4.4), exceeding API rate limits (Section 3.6), or pending investigation of Restricted Activities (Section 12).

● During suspension, you may not process new transactions or generate new API keys, and your Account Balance may be frozen. Cashia will notify you via email or in-app notification, detailing reasons and required actions (e.g., providing documentation). Suspension may last until issues are resolved or escalate to termination.

7.4 Effect of Suspension or Termination

● Upon suspension or termination, you must immediately cease using Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, and API keys.

● Existing Payment Links and Stika QR Codes will be disabled, and API keys will be revoked. You remain liable for all transactions, fees, Chargebacks, or Disputes incurred prior to or during suspension/termination.

● Cashia may report termination due to fraud or AML/CFT violations to the Financial Reporting Centre (FRC), per Proceeds of Crime and Anti-Money Laundering Act, 2009.

7.5 Reinstatement

● To lift a suspension, you must address the underlying issue (e.g., provide KYB documents, resolve Disputes) within 14 Working Days of notification.
● Cashia will review your submission and may reinstate your Account, Stika QR Codes, Payment Links, Pay with Cashia, or API keys if compliant. Reinstatement may incur a fee, per Schedule of Fees (Section 5). Failure to resolve issues may lead to termination.

7.6 Post-Termination Obligations

● After termination, you must retain transaction records for 7 years, per National Payment System Regulations, 2014, and cooperate with Cashia for audits or regulatory inquiries.

● You must honor refund requests for transactions processed prior to termination, per Refund Policy and Consumer Protection Act, 2012. Any outstanding fees or Chargebacks remain payable via a Verified Funding Source.

7.7 Dispute Escalation

● If you dispute a suspension or termination decision, you may contact Cashia at support @cashia.com or +254 709 200 900 within 14 Working Days, providing evidence (e.g., compliance documentation). Cashia will review and respond within 30 days. Unresolved disputes may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

7.8 Liability

● You are solely liable for losses, fees, or penalties arising from suspension or termination due to your non-compliance, fraud, or Restricted Activities.

● You indemnify Cashia against claims, fines, or losses resulting from such actions. Cashia is not liable for losses due to your failure to comply with this Agreement, maintain Verified Status, or secure your Cashia Account or API keys.

7.9 Data Protection

● Data related to suspension or termination (e.g., transaction logs, API usage, KYB data) is processed with encryption and tokenization, per Data Protection Act, 2019.

● You must not misuse PSU data during or after suspension/termination. Any data breach must be reported to Cashia within 24 hours, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

8. Representations and Warranties

8.1 Merchant Representations and Warranties

● You represent and warrant that you are duly organized, validly existing, and in good standing under the laws of Kenya or your jurisdiction of registration, with full authority to enter this Agreement and use Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, and API integrations.

● You confirm that all Onboarding Data provided during Self-Onboarding (Section 4.3) is accurate, complete, and lawful, and you will update it promptly for any changes (e.g., business address, beneficial owners).

● You warrant that your use of Cashia Services complies with all applicable laws, including National Payment Systems Act, 2011, Proceeds of Crime and Anti-Money Laundering Act, 2009, and Consumer Protection Act, 2012, and does not involve Restricted Activities (Section 12).

8.2 Compliance with KYB and AML/CFT

● You warrant that you have provided accurate KYB documentation (e.g., Certificate of Incorporation, KRA PIN) processed via OCR during Self-Onboarding (Section 4.3), and you maintain Verified Status (Section 4.4) by adhering to AML/CFT/CPF obligations, including reporting suspicious transactions to Cashia within 24 hours.

● You confirm that your business activities, transactions, and API key usage (Section 3.6) do not facilitate money laundering, terrorist financing, or fraud, per Proceeds of Crime and Anti-Money Laundering Act, 2009.

8.3 Transaction Integrity

● You represent that all transactions processed via Stika QR Codes, Payment Links, Pay with Cashia, or API integrations are for lawful goods or services, with accurate transaction data (title, description, amount, expiry) per Section 3.4.

● You warrant that you will deliver goods or services as described to PSUs, minimizing Chargebacks and Disputes (Section 6), and comply with the Refund Policy and Consumer Protection Act, 2012.

8.4 Security and API Usage

● You warrant that you will secure your Cashia Account and API keys (Sections 3.6, 4.5) using strong passwords, two-factor authentication, and secure storage (e.g., environment variables, not code repositories), per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

● You confirm that API keys will only be used for authorized integrations, with monitoring for anomalies (e.g., excessive calls) and immediate reporting of suspected breaches to Cashia within 24 hours.

8.5 Cashia Representations and Warranties

● Cashia represents and warrants that it is a licensed Payment Service Provider under National Payment Systems Act, 2011, authorized to provide Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, and API integrations. Cashia will process transactions, fees (Section 5), Chargebacks, and Disputes (Section 6) in compliance with applicable laws and this Agreement.

● Cashia will maintain secure systems, using encryption and tokenization for Onboarding Data, transaction data, and API logs, per Data Protection Act, 2019.

8.6 Disclaimer of Warranties

● Cashia provides Services on an “as is” basis, with no warranties beyond those expressly stated. Cashia does not warrant uninterrupted or error-free Services, including availability of Stika QR Codes, Payment Links, Pay with Cashia, or API integrations, nor does it guarantee specific transaction outcomes or PSU behavior.

● Cashia is not responsible for losses due to merchant errors, PSU actions, or third-party system failures.

8.7 Indemnification

● You indemnify Cashia against claims, fines, or losses arising from your breach of these warranties, including inaccurate Onboarding Data, non-compliance with laws, misuse of Stika QR Codes, Payment Links, Pay with Cashia, or API keys, or failure to deliver goods/services.

● Cashia indemnifies you against claims arising from Cashia’s failure to comply with its licensing obligations under National Payment Systems Act, 2011, subject to the limitations in Section 8.8.

8.8 Limitation of Liability

● Nothing in this Agreement limits or excludes liability arising from fraud, gross negligence, willful misconduct, or breach of statutory obligations under the Consumer Protection Act, 2012 or the National Payment Systems Act, 2011.

8.9 Dispute Escalation

● If you believe Cashia has breached its warranties, you may file a claim via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence. Cashia will review and respond within 30 days. Unresolved claims may be escalated to the Central Bank of Kenya (CBK) at +25420 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

9. Confidentiality

9.1 Definition of Confidential Information

● Confidential Information includes, but is not limited to:

a. E-money transaction data (e.g., amounts, timestamps, PSU identifiers via Stika QR Codes or Payment Links).

b. API keys, integration credentials, and technical specifications.

c. KYB documents and merchant account details.

d. PSU personal and financial data processed through Cashia Services.

● Any non-public information disclosed by Cashia, including pricing, system architecture, and security protocols.

9.2 Obligations

● You must:

a. Use confidential information only for the purpose of using Cashia Services. b. Not disclose it to third parties without prior written consent from Cashia via support@cashia.com or +254 709 200 900.

c. Store it securely using industry-standard encryption and access controls, per Data Protection Act, 2019 and CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

9.3 Permitted Disclosures

● You may disclose Confidential Information:

a. As required by law, including to the Central Bank of Kenya (CBK), Financial Reporting Centre (FRC), or law enforcement, per NPS (E-Money) Regulations 2021, Regulation 23 and POCAMLA 2009. b. To your employees or agents on a need-to-know basis, provided they are bound by equivalent confidentiality obligations.

c. In response to a valid court order, with prior notice to Cashia where permitted.

9.4 Breach Reporting

● You must report any suspected or actual breach of confidential information to support@cashia.com within 24 hours of discovery. Cashia will coordinate response and regulatory reporting as required.

● Return or Destruction

● Upon termination (Section 7.1), you must return or securely destroy all confidential Information within 7 Working Days, except records required for compliance (Section 13.4).

9.5 Merchant Obligations

● You must protect confidential Information with reasonable care, using measures at least as stringent as those for your own sensitive data, compliant with the Data Protection Act, 2019.

● You may only use confidential information to perform obligations under this Agreement, such as processing transactions or resolving disputes.

● You must not disclose confidential information to third parties without Cashia’s prior written consent, except to authorized employees or agents with a need to know, bound by equivalent confidentiality terms. You must secure API keys (Section 3.6) in encrypted environments (e.g., secure vaults, not code repositories) and report any unauthorized access or data breach to Cashia within 24 hours, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

9.6 Cashia Obligations

● Cashia will protect your confidential information, including onboarding data processed via OCR (Section 4.3) and transaction data, using encryption and tokenization, per Data Protection Act, 2019. Cashia may disclose confidential information to payment providers, regulatory authorities (e.g., CBK, Financial Reporting Centre), or auditors as required by law or to provide Cashia Services.

● Cashia will notify you of any data breach involving your confidential Information within 24 hours, unless prohibited by law, per CBK Cybersecurity Guidelines.

9.7 Permitted Disclosures

● You and Cashia may disclose confidential information as required by court orders, CBK regulations, or other legal obligations (e.g., AML/CFT reporting per Proceeds of Crime and Anti-Money Laundering Act, 2009).

● The disclosing party must notify the other party promptly, unless legally prohibited, to allow protective measures. Disclosures to the CBK for Dispute or termination escalations (Sections 6.4, 7.7) must include only necessary data, protected per Data Protection Act, 2019.

9.8 Data Retention

● Confidential Information, including transaction logs, API usage data, and Chargeback/Dispute records, will be retained for 7 years, per National Payment System Regulations, 2014, or longer if required by law. Upon termination (Section 7), Cashia will delete your confidential Information, except as needed for regulatory compliance or ongoing disputes, using secure deletion methods.

9.9 Return or Destruction

● Upon termination of your Cashia Account (Section 7), you must return or destroy all Cashia Confidential Information, including API keys and transaction data, except where retention is required by law.

● You must certify destruction in writing if requested by Cashia. Cashia will return or destroy your confidential information, subject to regulatory retention requirements.

9.10 Breach of Confidentiality

● A breach of confidentiality, such as unauthorized disclosure of PSU data or API keys, constitutes a material breach of this Agreement, potentially leading to suspension or termination (Section 7), increased fees (Section 5), or reporting to the Financial Reporting Centre for AML/CFT violations. You are liable for losses or fines arising from your breach, and you indemnify Cashia against related claims.

9.11 Dispute Escalation

● If you believe Cashia has mishandled your confidential information, you may file a claim via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence. Cashia will investigate and respond within 30 days. Unresolved claims may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

9.12 Survival

● Confidentiality obligations survive termination of this Agreement for 7 years or until all confidential Information is returned, destroyed, or becomes non-confidential, whichever is longer, per Data Protection Act, 2019 and National Payment System Regulations, 2014.

10. Intellectual Property

10.1 Ownership of Cashia Intellectual Property

● Cashia owns all Intellectual Property in Cashia Services, including the Stika brand, Stika QR Codes, Payment Links, Pay with Cashia, merchant app, APIs, and related software, designs, and trademarks. This includes copyrights, trademarks, patents, and trade secrets protected under Industrial Property Act, 2001 and Copyright Act, 2001.

● You may not copy, modify, distribute, or use Cashia Intellectual Property without written consent, except as permitted in this Agreement.

10.2 Merchant License

● Cashia grants you a non-exclusive, non-transferable, revocable license to use Cashia Intellectual Property solely to operate your Stika virtual storefront, create Stika QR Codes, generate Payment Links, process Pay with Cashia transactions, and integrate APIs (Section 3.6), provided you maintain Verified Status (Section 4.4).

● For example, you may display the Stika logo on your storefront or QR codes per branding guidelines on www.cashia.com . You must not alter logos, QR code designs, or API code without approval.

10.3 Merchant Intellectual Property

● You own Intellectual Property in content provided during Self-Onboarding (Section 4.3), such as business logos, names, or product descriptions used in your Stika virtual storefront.

● You grant Cashia a non-exclusive, worldwide, royalty-free license to use, display, and reproduce your Intellectual Property to provide Cashia Services, such as showing your logo on Stika QR Codes or Payment Links. Cashia will not use your Intellectual Property for other purposes without consent.

10.4 Restrictions

● You must not reverse-engineer, decompile, or modify Cashia Intellectual Property, such as APIs, the merchant app, or Stika QR code designs. For example, you cannot recreate Stika QR codes for a competing service or share API code publicly.

● Unauthorized use or creation of derivative works without consent is a material breach, leading to suspension or termination (Section 7) and potential legal action under Industrial Property Act, 2001.

10.5 Infringement Claims

● If you believe Cashia Intellectual Property infringes third-party rights, or if your Intellectual Property (e.g., your logo) is misused via Cashia Services, notify Cashia at support@cashia.com or +254709 200 900 within 14 Working Days, providing evidence, such as trademark registration or proof of misuse.

● Cashia will investigate and respond within 30 days, taking action (e.g., removing infringing content) if warranted. You must cooperate with Cashia to resolve claims, per Copyright Act, 2001.

10.6 Confidentiality of Intellectual Property

● Cashia Intellectual Property, including API code, Stika branding, and merchant app software, is Confidential Information (Section 9).

● You must protect it from unauthorized disclosure, storing API keys in secure environments (e.g., encrypted vaults, not code repositories) per Section 3.6, and report breaches to support@cashia.com or +254 709 200 900 within 24 hours, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

10.7 Termination of IP Rights

● Upon suspension or termination of your Cashia Account (Section 7), your license to use Cashia Intellectual Property ends immediately.

● You must stop using Stika QR Codes, Payment Links, Pay with Cashia, APIs, and Cashia branding. For example, you must remove Stika logos from your website or materials. Cashia’s license to use your Intellectual Property also ends, except for data retained for regulatory compliance (Section 9.5).

10.8 Indemnification

● You indemnify Cashia against claims, fines, or losses from your misuse of Cashia Intellectual Property or infringement by your content, such as using an unauthorized logo on your Stika storefront.

● Cashia indemnifies you against claims from Cashia Intellectual Property infringing third-party rights, subject to the limitations in Section 8.8.

10.9 Dispute Escalation

● If you dispute Cashia’s handling of Intellectual Property issues, file a claim via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence, such as proof of ownership. Cashia will respond within 30 days. Unresolved claims may be escalated to the Central Bank of Kenya (CBK) at +25420286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

11. Restricted Activities

11.1 Prohibited Actions

You must not engage in Restricted Activities, as defined in Section 2, which include, but are not limited to:

● Using Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, or API integrations, for illegal activities, such as money laundering, terrorist financing, or fraud.

● Providing false, inaccurate, or misleading Onboarding Data during Self-Onboarding (Section 4.3), such as fake business registration or KRA PIN.

● Engaging in transactions for prohibited goods or services (e.g., illegal drugs, weapons) as listed on www.cashia.com.

● Misusing Cashia Intellectual Property, such as altering Stika QR code designs or reverse-engineering APIs (Section 10.4).

● Disclosing confidential information, such as PSU data or API keys, without authorization (Section 9).

● Generating excessive Chargebacks or Disputes (Section 6.6), such as exceeding 1% of monthly transactions or 10 incidents.

● Exceeding API rate limits (Section 3.6) or using API keys for unauthorized integrations, such as in unsecured public repositories.

● Failing to pay fees or Chargeback amounts (Section 5) or comply with AML/CFT reporting requirements.

● Impersonating another merchant or PSU, or using Cashia Services to deceive PSUs, such as creating misleading Payment Link descriptions.

11.2 Monitoring and Detection

● Cashia monitors transactions, API usage, and account activity for Restricted Activities using fraud detection tools, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02). For example, Cashia may flag unusual transaction patterns or excessive API calls.

● You must cooperate with Cashia’s investigations, providing requested data (e.g., transaction records) within 7 Working Days via support@cashia.com or +254 709 200 900 .

11.3 Consequences of Restricted Activities

Engaging in Restricted Activities is a material breach of this Agreement, leading to:

● Immediate suspension or termination of your Cashia Account, Stika QR Codes, Payment Links, Pay with Cashia, or API keys (Section 7).

● Freezing of Account Balance pending investigation, with potential deductions for fees or Chargebacks (Section 5).

● Reporting to the Financial Reporting Centre (FRC) for suspected AML/CFT violations, per Proceeds of Crime and Anti-Money Laundering Act, 2009.

● Increased fees or penalties, per Schedule of Fees (Section 5).

● Legal action for damages or intellectual property violations (Section 10). Cashia will notify you of suspected Restricted Activities via support@cashia.com or +254 709 200 900 , detailing required actions to resolve the issue.

11.4 Merchant Responsibilities

● You must ensure your use of Cashia Services complies with this Agreement and applicable laws. You must monitor your Cashia Account, Stika virtual storefront, and API usage for suspicious activity and report it to support@cashia.com or +254 709 200 900 within 24 hours. For example, report unauthorized API key access or fraudulent PSU transactions.

● You must maintain accurate transaction data (Section 3.4) and secure API keys (Section 3.6) to prevent Restricted Activities.

11.5 Indemnification

● You indemnify Cashia against claims, fines, or losses arising from your Restricted Activities, including regulatory penalties, PSU disputes, or third-party claims due to fraud or intellectual property misuse. Cashia is not liable for losses caused by your Restricted Activities or failure to comply with this Agreement.

11.6 Dispute Escalation

● If you dispute Cashia’s determination of Restricted Activities or related consequences (e.g., suspension), file a claim via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence, such as transaction records or compliance documentation. Cashia will respond within 30 days.

● Unresolved claims may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

12. General Provisions

12.1 Governing Law and Jurisdiction

● This Agreement is governed by the laws of Kenya, including National Payment Systems Act, 2011 and Consumer Protection Act, 2012, without regard to conflict of law principles.

● Any disputes arising under this Agreement, including those related to Cashia Services, Stika QR Codes, Payment Links, Pay with Cashia, or API integrations, are subject to the exclusive jurisdiction of the courts of Kenya.

12.2 Amendments

● Cashia may amend this Agreement, including terms related to fees (Section 5), Chargebacks (Section 6), or Restricted Activities (Section 11), by providing notice via support@cashia.com or +254 709 200 900 or in-app notification at least 30 days before changes take effect.

● Continued use of Cashia Services after the effective date constitutes acceptance. If you object to amendments, you may terminate your Cashia Account (Section 7.1) before the effective date, subject to outstanding obligations.

12.3 Notices

● Notices under this Agreement, including for Disputes (Section 6), termination (Section 7), or Restricted Activities (Section 11), must be sent to Cashia via support@cashia.com or +254 709 200 900 or to you via the email associated with your Cashia Account.

● Notices are deemed received 24 hours after sending, unless delivery is refused. You must update your contact details in your Cashia Account (Section 4.5) to ensure accurate delivery.

12.4 Severability

● If any provision of this Agreement is found invalid or unenforceable by a Kenyan court, the remaining provisions remain in full force. For example, if a restriction in Section 11 is deemed unenforceable, other restrictions still apply.

● Cashia may replace the invalid provision with one that reflects the original intent, compliant with applicable laws.

12.5 Waiver

● Failure by Cashia to enforce any provision of this Agreement, such as a breach of Restricted Activities (Section 11), does not waive that provision or future enforcement. Any waiver must be in writing and sent via support@cashia.com or +254 709 200 900 .

12.6 Entire Agreement

● This Agreement, including the Refund Policy and branding guidelines on www.cashia.com , constitutes the entire agreement between you and Cashia regarding Cashia Services.

● It supersedes all prior agreements, whether written or oral, related to Stika QR Codes, Payment Links, Pay with Cashia, or API integrations.

12.7 Assignment

● You may not assign or transfer your rights or obligations under this Agreement, including your Cashia Account or API keys, without Cashia’s written consent via support@cashia.com or +254 709 200 900.

● Cashia may assign this Agreement to a successor entity, with notice to you, per National Payment System Regulations, 2014.

12.8 Force Majeure

● Neither party is liable for delays or failure to perform due to events beyond their control, such as natural disasters, regulatory changes, or system outages, except for payment obligations (Section 5).

● Cashia will notify you of such events via support@cashia.com or +254 709 200 900, and you must report impacts to Cashia within 7 Working Days.

12.9 Dispute Escalation

● Disputes not covered by Sections 6.4, 7.7, 9.8, or 10.9 (e.g., general Agreement disputes) must be filed via support@cashia.com or +254 709 200 900 within 14 Working Days, with supporting evidence.

● Cashia will respond within 30 days. Unresolved disputes may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

12.10 Survival

● Provisions that by their nature should survive termination of this Agreement, including Sections 5 (Fees), 6 (Chargebacks and Disputes), 8 (Representations and Warranties), 9 (Confidentiality), 10 (Intellectual Property), and 11 (Restricted Activities), remain in effect post-termination, per Data Protection Act, 2019 and National Payment System Regulations, 2014.

12.11 Language and Clarity

● This Agreement uses plain English to ensure clarity, fairness, and transparency in describing your rights, obligations, fees (Section 5), and risks (Section 3.8) related to Cashia Services, such as Stika QR Codes, Payment Links, and API integrations.

● Cashia will explain any terms or provide simplified summaries upon request via support@cashia.com or +254 709 200 900 or in-app chat, per NPS (E-Money) Regulations 2021, Regulation 4(1) and CBK Prudential Guideline on Consumer Protection (CBK/PG/22), Section 4. You may provide feedback on clarity or request assistance to understand terms, with responses provided within 7 Working Days.

13. Regulatory Compliance

13.1 Compliance with Applicable Laws

● You must comply with all applicable laws when using Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, and API integrations, as defined in Section 2.

● This includes National Payment Systems Act, 2011, Proceeds of Crime and Anti-Money Laundering Act, 2009, Consumer Protection Act, 2012, Data Protection Act, 2019, and CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

● You must ensure your business activities, transaction data (Section 3.4), and API usage (Section 3.6) adhere to these laws to maintain Verified Status (Section 4.4).

13.2 AML/CFT Obligations

● You must implement Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) measures for all transactions, including e-money transfers via Stika QR Codes, Payment Links, or Pay with Cashia, per NPS (E-Money) Regulations 2021, Regulation 22 and POCAMLA 2009. This includes:

a. KYC verification of PSUs for high-value or high-risk transactions (e.g., above KES 100,000 or repeated small transfers).

b. Enhanced Due Diligence (EDD) for politically exposed persons (PEPs), high-risk jurisdictions, or unusual patterns.

c. Sanctions screening against UN, OFAC, and local lists before processing payments. d. Transaction monitoring for suspicious activity (e.g., rapid fund movement, structuring). You must report suspicious transactions to support@cashia.com or +254 709 200 900 within 24 hours and to the Financial Reporting Centre (FRC) as required by law, without tipping off the PSU, per POCAMLA 2009, Section 15. Cashia will freeze accounts and file reports where necessary. Failure to comply may result in immediate suspension (Section 7.2) or termination (Section 7.1).

13.3 Sanctions Screening

You must screen PSUs and transactions against sanctions lists and report matches to support@cashia.com or +254 709 200 900 within 24 hours, per Section 13.2.

13.4 Data Protection

● You must protect PSU data and Onboarding Data (Section 4.3) processed via OCR, using encryption and secure storage, per Data Protection Act, 2019. For example, PSU Stika names or transaction details must not be stored in unencrypted formats.

● You must report data breaches to Cashia at support@cashia.com or +254 709 200 900 within 24 hours, per CBK Cybersecurity Guidelines. Cashia employs encryption and tokenization for all confidential information (Section 9), ensuring compliance with data protection laws.

13.5 CBK Oversight

● Cashia is subject to CBK oversight. You must cooperate with CBK inspections and provide information as required, per NPS (E-Money) Regulations 2021, Regulation 27.

13.6 Record Retention and Auditability

● You must retain e-money transaction records, API logs, KYB data, and related documents for 7 years from the date of transaction or account termination, per NPS (E-Money) Regulations 2021, Regulation 21 and NPS Regulations 2014, Regulation 21. Records must be accurate, complete, and stored securely.

● You must provide records to Cashia, Central Bank of Kenya (CBK), or Financial Reporting Centre (FRC) upon request within 7 Working Days via support@cashia.com or +254 709 200 900 . Failure to comply may result in account suspension (Section 7.2).

● Cashia retains parallel records and will cooperate with regulatory audits, investigations, or inspections, per National Payment Systems Act, 2011, Section 31.

13.7 CBK Oversight

● Cashia operates as a licensed Payment Service Provider under National Payment Systems Act, 2011, subject to CBK oversight. You must comply with CBK directives, including providing KYB data (Section 4.3) or responding to regulatory inquiries. Non-compliance may lead to suspension or termination (Section 7) or reporting to CBK, with notice via support@cashia.com or +254 709 200 900 .

13. 8Consumer Protection

● You must ensure transactions via Stika QR Codes, Payment Links, or Pay with Cashia provide clear, accurate descriptions (Section 3.4) and honor Refund Policy terms, per Consumer Protection Act, 2012. For example, you must deliver goods or services as described to avoid Disputes (Section 6).

● Cashia facilitates transparent Dispute resolution, with escalation to CBK if unresolved (Section 6.4).

● Cashia shall ensure that all transaction-related fees, limits, and risks are clearly displayed to Merchants and end-users before each transaction. Merchants shall reciprocally disclose all relevant costs and conditions to Payment Service Users (PSUs) in line with Section 4(2) of the NPS (E-Money) Regulations, 2021 and Section 5 of CBK/PG/22.

13.9 Intellectual Property Compliance

● You must respect Cashia Intellectual Property (Section 10), such as Stika branding and APIs, and ensure your content (e.g., logos) does not infringe third-party rights, per Industrial Property Act, 2001 and Copyright Act, 2001. Report suspected infringements to support@cashia.com or +254 709 200 900 within 14 Working Days (Section 10.5).

13.10 Audits and Investigations

● You must cooperate with Cashia for regulatory audits or investigations by CBK, FRC, or other authorities, providing requested data (e.g., KYB documents, transaction logs) within 7 Working Days via support@cashia.com or +254 709 200 900 .

● Failure to cooperate may result in suspension (Section 7) or reporting to regulators, per National Payment Systems Act, 2011.

13.11 Dispute Escalation

● If you dispute Cashia’s regulatory compliance actions (e.g., data requests, suspension for non compliance), file a claim via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence, such as compliance records.

● Cashia will respond within 30 days. Unresolved disputes may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

14. Dispute Resolution and Arbitration

14.1 Informal Resolution

● You and Cashia must attempt to resolve disputes arising under this Agreement, including those related to Cashia Services, Stika QR Codes, Payment Links, Pay with Cashia, API integrations, Chargebacks (Section 6), termination (Section 7), or Restricted Activities (Section 11), through good-faith negotiations.

● You must initiate resolution by contacting Cashia at support@cashia.com or +254 709 200 900 within 14 Working Days of the issue, providing details and evidence, such as transaction records or correspondence. Cashia will respond within 30 days, proposing a resolution or requesting further information.

14.2 Arbitration

● If a dispute cannot be resolved informally within 30 days, it must be submitted to binding arbitration under Arbitration Act, 1995, unless it falls under CBK jurisdiction (Section 14.3). Arbitration will be conducted by a single arbitrator appointed by the Nairobi Centre for International Arbitration (NCIA), with proceedings in Nairobi, Kenya, in English.

● The arbitrator’s decision is final and binding, except as provided by law. Each party bears its own costs, unless the arbitrator awards otherwise.

● Disputes involving Confidential Information (Section 9) or Intellectual Property (Section 10) must maintain confidentiality during arbitration.

14.3 CBK Escalation

● Disputes related to regulatory compliance (Section 13), such as AML/CFT violations, data breaches, or PSP licensing issues, may be escalated to the Central Bank of Kenya (CBK) if unresolved through informal resolution or arbitration.

● You must file a claim with CBK at +254 20 286 1000 or complaints@cbk.go.ke within 14 Working Days of Cashia’s final response, providing evidence, such as compliance records or dispute correspondence, per National Payment Systems Act, 2011.

14.4 Exceptions

● This section does not apply to Disputes initiated by Payment Service Users (PSUs) under Section 6 (Chargebacks and Disputes), which follow the Refund Policy and Section 6.4 processes.

● Injunctions or urgent equitable relief (e.g., for Intellectual Property misuse, Section 10) may be sought directly in Kenyan courts without prior arbitration.

14.5 Confidentiality of Disputes

● All dispute-related communications, including arbitration proceedings and CBK escalations, are confidential information (Section 9).

● You and Cashia must protect dispute details, such as PSU data or API logs, using encryption and secure channels, per Data Protection Act, 2019. Breaches must be reported to support@cashia.com or +254 709 200 900 within 24 hours.

14.6 Costs and Fees

● You are responsible for fees incurred during dispute resolution, such as arbitration costs, unless otherwise awarded by the arbitrator.

● Unpaid fees or Chargeback amounts (Section 5) may be deducted from your Account Balance during dispute resolution, per Section 7. Cashia is not liable for your legal or administrative costs unless required by law.

14.7 Cooperation

● You must cooperate with Cashia during dispute resolution, providing requested data (e.g., KYB documents, transaction logs) within 7 Working Days via support@cashia.com or +254 709 200 900. Failure to cooperate may lead to suspension (Section 7) or an adverse arbitrator decision.

14.8 Survival

● This section survives termination of this Agreement, ensuring disputes related to surviving provisions, such as Fees (Section 5), Confidentiality (Section 9), Intellectual Property (Section 10), or Regulatory Compliance (Section 13), follow these processes, per Arbitration Act, 1995 and National Payment Systems Act, 2011.

15. Indemnification and Limitation of Liability

15.1 Merchant Indemnification

▪ You agree to indemnify, defend, and hold harmless Cashia, its affiliates, and their respective officers, directors, and employees from any claims, losses, damages, fines, or liabilities, including legal fees, arising from:

a. Your misuse of Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, or API integrations (Section 3).

b. Your engagement in Restricted Activities (Section 11), such as fraud or AML/CFT violations. c. Your breach of this Agreement, including failure to pay fees (Section 5) or resolve Chargebacks (Section 6).

d. Your misuse of Confidential Information (Section 9), such as unauthorized disclosure of PSU data or API keys.

e. Infringement of third-party Intellectual Property by your content (Section 10), such as using an unauthorized logo on your Stika virtual storefront.

f. Non-compliance with applicable laws, including Data Protection Act, 2019 or Proceeds of Crime and Anti-Money Laundering Act, 2009 (Section 13).

g. You must notify Cashia of any claim at support@cashia.com or +254 709 200 900 within 7 Working Days and cooperate in the defence.

15.2 Cashia Indemnification

▪ Cashia agrees to indemnify, defend, and hold you harmless from claims, losses, damages, or liabilities, including legal fees, arising from:

▪ Cashia’s misuse of your Intellectual Property (Section 10), such as unauthorized use of your logo beyond providing Cashia Services.
▪ Cashia Intellectual Property infringing third-party rights, provided you promptly notify Cashia at support@cashia.com or +254 709 200 900 and cooperate in the defence.

▪ This indemnification is subject to the limitations in Section 15.4 and excludes claims arising from your actions or modifications to Cashia Services.

15.3 Indemnification Process

▪ The indemnifying party must assume control of the defense and settlement of any claim, subject to the indemnified party’s right to participate with separate counsel at its own expense. The indemnified party must provide reasonable assistance, such as providing KYB data (Section 4.3) or transaction records (Section 3.4), within 7 Working Days via support@cashia.com or +254 709 200 900 . Settlements requiring payment or admission of liability by the indemnified party require prior written consent.

15.4 Limitation of Liability

● To the fullest extent permitted by law, Cashia’s liability under this Agreement, including for issues with Cashia Services, Chargebacks (Section 6), or data breaches (Section 9), is limited to the total fees paid by you to Cashia in the 12 months prior to the claim.

● Cashia is not liable for indirect, consequential, or punitive damages, such as loss of profits or business interruption, even if advised of the possibility. For example, Cashia is not liable for losses from PSU Disputes caused by your failure to deliver goods. This limitation does not apply to gross negligence or willful misconduct.

15.5 Exclusions

● Neither party is liable for damages caused by:

a. The other party’s failure to comply with this Agreement, such as engaging in Restricted Activities (Section 11).

b. Force majeure events (Section 12.8), except for payment obligations (Section 5). c. Unauthorized modifications to Cashia Services, such as altering API code (Section 3.6) without approval.

15.6 Dispute Escalation

● Disputes related to indemnification or liability must follow the process in Section 14 (Dispute Resolution and Arbitration).

● You must file a claim via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence, such as claim details or transaction records. Unresolved disputes may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011, if related to regulatory issues.

15.7 Survival

● This section survives termination of this Agreement, ensuring indemnification and liability obligations for matters arising from Fees (Section 5), Chargebacks (Section 6), Confidentiality (Section 9), Intellectual Property (Section 10), or Regulatory Compliance (Section 13) remain in effect, per Consumer Protection Act, 2012.

16. Merchant Support and Communication

16.1 Support Channels

● Cashia provides support for issues related to Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, API integrations, Self-Onboarding (Section 4.3), Chargebacks (Section 6), or account management, via support@cashia.com or +254 709 200 900 and in-app chat on the merchant app.

● Complaints must be submitted within 15 Working Days of the incident, with clear details (e.g., transaction ID, date, issue description), per NPS (E-Money) Regulations 2021, Regulation 25.

● Cashia will acknowledge receipt within 24 hours and aim to resolve within 30 Working Days. Complex complaints (e.g., involving fraud or third-party agents) may require up to 7 additional Working Days.

● Support is available during business hours (Monday–Friday, 8:00 AM–5:00 PM EAT), with responses within 24 hours for standard inquiries and 7 Working Days for complex issues, such as API errors or Dispute escalations

16.2 Issue Reporting

● You must report issues, such as transaction errors, API malfunctions, data breaches (Section 9), or suspected Restricted Activities (Section 11), to Cashia at support@cashia.com or +254 709 200 900 within 24 hours of discovery.

● Reports must include relevant details, such as transaction IDs, PSU data (anonymized per Data Protection Act, 2019), or API logs. For example, if a Stika QR Code fails to process a payment, include the QR code ID and error message. Cashia will acknowledge receipt within 24 hours and provide resolution steps or timelines.

16.3 Communication Protocols

● Cashia will communicate with you via the email associated with your Cashia Account (Section 4.5) or in-app notifications for matters including fee updates (Section 5), termination notices (Section 7), amendment notifications (Section 12.2), or regulatory requests (Section 13).

● You must maintain updated contact details in your Cashia Account to ensure delivery, per National Payment System Regulations, 2014. Communications are deemed received 24 hours after sending, unless delivery is refused.

16.4 Merchant Responsibilities

● You must promptly respond to Cashia’s support or regulatory inquiries, providing requested data (e.g., KYB documents, transaction records) within 7 Working Days via support@cashia.com or +254 709 200 900.

● You must monitor your Cashia Account and Stika virtual storefront for issues, such as unauthorized API key use (Section 3.6) or excessive Chargebacks (Section 6.6), and report them proactively to prevent escalation.

16.5 Escalation to CBK

● If a support issue or dispute remains unresolved after Cashia’s response, you may escalate it to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

● Escalations must be filed within 14 Working Days of Cashia’s final response, including evidence, such as support correspondence or transaction logs. This applies to issues like unresolved Chargebacks (Section 6) or regulatory compliance disputes (Section 13).

16.6 Confidentiality in Communications

● All support and communication data, including issue reports and API logs, are Confidential Information (Section 9).

● You must secure communications, such as encrypting emails with sensitive PSU data, per Data Protection Act, 2019.

● Breaches must be reported to support@cashia.com or +254 709 200 900 within 24 hours, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

16.7 Support Limitations

● Cashia is not responsible for issues caused by your failure to comply with this Agreement, such as misconfigured APIs (Section 3.6) or non-compliance with Restricted Activities (Section 11).

● Support does not include legal advice or resolution of PSU Disputes, which follow Section 6 processes. Any costs incurred due to your delay in reporting issues are your responsibility, per Section 15.

16.8 Survival

● This section survives termination of this Agreement, ensuring support and communication obligations for matters related to Fees (Section 5), Chargebacks (Section 6), Confidentiality (Section 9), Intellectual Property (Section 10), or Regulatory Compliance (Section 13) remain in effect, per National Payment Systems Act, 2011.

17. Amendments and Updates to Cashia Services

17.1 Updates to Cashia Services

● Cashia may update or modify Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, the merchant app, or API integrations, to enhance functionality, comply with regulatory requirements, or improve security, per National Payment Systems Act, 2011.

● Updates may include changes to features, such as new QR code formats or API rate limits (Section 3.6). Cashia will notify you of significant updates via support@cashia.com or +254 709 200 900 or in-app notifications at least 30 days in advance, unless immediate changes are required for legal or security reasons.

17.2 Agreement Amendments

● Cashia may amend this Agreement, including terms related to fees (Section 5), Chargebacks (Section 6), Restricted Activities (Section 11), Intellectual Property (Section 10), Confidentiality (Section 9), or Regulatory Compliance (Section 13), to reflect changes in Cashia Services, applicable laws, or CBK directives.

● Material changes, such as increases in e-money issuance or redemption fees (Section 5.1), modifications to Stika QR Codes or Payment Links functionality (Section 3.4), or changes to dispute processes (Section 14), require prior approval from the Central Bank of Kenya (CBK), per NPS (E Money) Regulations 2021, Regulation 4(3) and NPS Regulations 2014, Regulation 4(3).

● Cashia will submit proposed changes to CBK and notify you via support@cashia.com or +254 709 200 900 or in-app notifications at least 30 days before the effective date, specifying the changes and their impact (e.g., updated fee schedules at www.cashia.com ).

● Continued use of Cashia Services after the effective date constitutes acceptance. If you object, you may terminate your Cashia Account (Section 7.1) before the effective date, subject to outstanding obligations, such as unpaid fees (Section 5) or data retention (Section 20).

17.3 Merchant Obligations

● You must implement updates to Cashia Services, such as new API versions or Stika QR code designs, within 30 days of notification to maintain Verified Status (Section 4.4). For example, you must update API integrations to comply with new security protocols.

● Failure to adopt updates may result in suspension (Section 7) or restricted access to Cashia Services. You must monitor notifications via your Cashia Account (Section 4.5) or support@cashia.com or +254 709 200 900 to stay informed.

17.4 Testing and Compatibility

● Before updates to Cashia Services are rolled out, Cashia may provide testing environments (e.g., sandbox APIs) to ensure compatibility with your systems, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02). You must test updates and report issues, such as integration errors, to support@cashia.com or +254 709 200 900 within 14 Working Days.

● Cashia is not liable for disruptions caused by your failure to test or update systems, per Section 15.

17.5 Regulatory Compliance

● Updates to Cashia Services or this Agreement will comply with applicable laws, including Data Protection Act, 2019 and National Payment System Regulations, 2014.

● You must ensure your use of updated services, such as revised Payment Links or OCR processes (Section 4.3), adheres to these laws. Cashia will cooperate with CBK audits to verify compliance, and you must provide requested data (e.g., KYB documents) within 7 Working Days via support@cashia.com or +254 709 200 900 .

17.6 Dispute Escalation

● If you dispute an amendment or update to Cashia Services, such as changes to API functionality or fees, file a claim via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence, such as impacted transaction records.

● Cashia will respond within 30 days. Unresolved disputes may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

17.7 Confidentiality of Updates

● Information about updates to Cashia Services, such as new API specifications or Stika branding guidelines, is Confidential Information (Section 9).

● You must protect this information, such as securing API documentation in encrypted storage, and report breaches to support@cashia.com or +254 709 200 900 within 24 hours, per Data Protection Act, 2019.

17.8 Survival

● This section survives termination of this Agreement, ensuring obligations related to amendments, updates, or disputes involving Fees (Section 5), Confidentiality (Section 9), Intellectual Property (Section 10), or Regulatory Compliance (Section 13) remain in effect, per National Payment Systems Act, 2011.

18. Miscellaneous Provisions

18.1 Relationship of Parties

● You and Cashia are independent contractors, and this Agreement does not establish a partnership, joint venture, agency, or employment relationship.

● You may not act as Cashia’s agent or bind Cashia in any way, including when using Cashia Services like Stika QR Codes, Payment Links, or API integrations (Section 3). For example, you cannot represent Cashia in PSU transactions or regulatory inquiries.

18.2 No Third-Party Rights

● This Agreement is solely between you and Cashia and does not confer rights to third parties, including Payment Service Users (PSUs), except as required by law, such as under Consumer Protection Act, 2012. PSU Disputes follow Section 6 processes, and third-party claims (e.g., Intellectual Property disputes, Section 10) must be addressed through you or Cashia directly.

18.3 Language

● This Agreement and all communications, including support via support@cashia.com or +254 709 200 900 (Section 16) and arbitration (Section 14), are in English, per Arbitration Act, 1995.

● You must ensure all documentation, such as Onboarding Data (Section 4.3) or Dispute evidence (Section 6), is submitted in English or accompanied by certified translations.

18.4 Electronic Consent

● By using Cashia Services, you consent to receive electronic communications, such as amendment notices (Section 17.2) or support responses (Section 16), via your Cashia Account email or in-app notifications, per National Payment System Regulations, 2014. You must maintain updated contact details (Section 4.5) to receive these communications.

18.5 Compliance with CBK Directives

● You must comply with any CBK directives issued to Cashia as a licensed Payment Service Provider, such as providing KYB data (Section 4.3) or transaction records (Section 13.4) within 7 Working Days via support@cashia.com or +254 709 200 900 .

● Non-compliance may result in suspension (Section 7) or CBK escalation (Section 14.3), per National Payment Systems Act, 2011.

18.6 Dispute Escalation

● Disputes related to miscellaneous provisions, such as disagreements over electronic consent or language requirements, must follow Section 14 (Dispute Resolution and Arbitration). File claims via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence, such as communication records. Unresolved disputes may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

18.7 Survival

● This section survives termination of this Agreement, ensuring obligations related to relationship status, third-party rights, language, electronic consent, and CBK compliance remain in effect, alongside surviving provisions like Fees (Section 5), Confidentiality (Section 9), Intellectual Property (Section 10), and Regulatory Compliance (Section 13), per National Payment Systems Act, 2011.

19. Termination Procedures and Post-Termination Obligations

19.1 Termination Procedures

● Termination of your Cashia Account, as outlined in Section 7, must follow these procedures. You may initiate voluntary termination by submitting a request via support@cashia.com or +254 709 200 900 , specifying the reason and confirming no outstanding transactions or Chargebacks (Section 6).

● Cashia may terminate or suspend your account for reasons in Section 7, such as engaging in Restricted Activities (Section 11) or failing to maintain Verified Status (Section 4.4).

● Cashia will notify you via support@cashia.com or +254 709 200 900 or in-app notifications, providing 30 days’ notice for non-breach terminations or immediate notice for material breaches, per National Payment System Regulations, 2014.

19.2 Account Closure Process

● Upon termination, Cashia will:

a. Deactivate your access to Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, and API integrations (Section 3).

b. Freeze your Account Balance to settle outstanding fees, Chargebacks, or penalties (Section 5). c. Provide a final account statement within 7 Working Days via support@cashia.com or +254 709 200 900, detailing remaining balances or obligations.

d. You must cease using Cashia Intellectual Property (Section 10), such as Stika logos or APIs, and remove them from your systems or storefront within 7 Working Days.

19.3 Post-Termination Obligations

● After termination, you must:

a. Settle all outstanding fees, Chargebacks, or penalties within 30 days, per Section 5. b. Retain transaction records, API logs, and KYB data for 7 years, per National Payment System Regulations, 2014, and provide them to Cashia or regulators upon request within 7 Working Days via support@cashia.com or +254 709 200 900 .

c. Protect Confidential Information (Section 9), such as PSU data or API keys, and report breaches within 24 hours, per Data Protection Act, 2019.

d. Refrain from using Cashia Services or Intellectual Property (Section 10) for any purpose, including recreating Stika QR Codes.

e. Cashia’s license to use your Intellectual Property (Section 10.3) ends, except for data retained for regulatory compliance.

19.4 Redemption of Account Balance

● Post-termination, you may redeem any remaining Account Balance, less outstanding fees or Chargebacks, via your Verified Funding Source (Section 4.3) within 90 days of termination. Requests must be submitted via support@cashia.com or +254 709 200 900 .

● Cashia will process redemptions within 14 Working Days, subject to regulatory holds, such as AML/CFT investigations (Section 13.2).

19.5 Regulatory Reporting

● Cashia may report termination details to the Central Bank of Kenya (CBK) or Financial Reporting Centre (FRC) if related to Restricted Activities (Section 11) or AML/CFT violations (Section 13.2), per Proceeds of Crime and Anti-Money Laundering Act, 2009.

● You must cooperate with regulatory inquiries, providing data within 7 Working Days via support@cashia.com or +254 709 200 900 .

19.6 Dispute Escalation

● Disputes related to termination, such as disagreements over Account Balance redemption or fees, must follow Section 14 (Dispute Resolution and Arbitration).

● File claims via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence, such as account statements. Unresolved disputes may be escalated to CBK at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

19.7 Survival

● This section survives termination, ensuring obligations related to fees (Section 5), Chargebacks (Section 6), Confidentiality (Section 9), Intellectual Property (Section 10), Restricted Activities (Section 11), Regulatory Compliance (Section 13), and Indemnification (Section 15) remain in effect, per National Payment Systems Act, 2011 and Data Protection Act, 2019.

20. Data Security and Privacy

20.1 Compliance with Privacy Laws

● You must process Personal Data of PSUs (e.g., names, phone numbers, transaction history via Stika QR Codes, Payment Links, or Pay with Cashia) in compliance with the Data Protection Act, 2019, NPS (E-Money) Regulations 2021, Regulation 26, and CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

● This includes: lawfully obtaining consent, using data only for transaction processing, and enabling data subject rights (access, rectification, erasure).

20.2 Data Protection Officer (DPO)

● Cashia’s Data Protection Officer can be reached at dpo@cashia.com for any privacy inquiries, complaints, or rights requests. You must forward PSU privacy requests to support@cashia.com or +254 709 200 900 within 24 hours.

20.3 Data Security Measures

● You must implement industry-standard security (e.g., encryption, access controls, secure storage) to protect e-money transaction data, KYB documents, and API logs, per Data Protection Act, 2019, Section 41.

20.4 Data Protection Obligations

● You must protect all data processed through Cashia Services, including Onboarding Data (Section 4.3), PSU data, transaction records (Section 3.4), and API logs (Section 3.6), in compliance with Data Protection Act, 2019.

● You must use encryption, secure storage, and access controls to safeguard data, such as PSU Stika names or payment details collected via Stika QR Codes or Payment Links. For example, KYB data submitted via OCR must be stored in encrypted formats.

20.5 Cashia’s Security Measures

● Cashia employs industry-standard security measures, including encryption, tokenization, and secure API key generation, to protect confidential information (Section 9), per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02).

● Cashia conducts regular security audits and complies with Data Protection Act, 2019 to secure data processed through Cashia Services, such as transaction data or API communications.

20.6 Data Breach Notification

● You must report any suspected or actual data breach to support@cashia.com or +254 709 200 900 and the Office of the Data Protection Commissioner (ODPC) at complaints@odpc.go.ke within 24 hours of discovery. Cashia will lead breach response and regulatory reporting.

20.7 Data Breach Reporting

● You must report any data breach, such as unauthorized access to PSU data or API keys, to Cashia at support@cashia.com or +254 709 200 900 within 24 hours of discovery, per Data Protection Act, 2019.

● Reports must include details, such as the nature of the breach and affected data. Cashia will notify you of breaches involving your Cashia Account within 24 hours and may report to the Data Protection Commissioner or CBK, as required.

20.8 Data Sharing and Consent

● You must obtain PSU consent before collecting or processing personal data through Cashia Services, such as names or payment details via Pay with Cashia, per Data Protection Act, 2019.

● Cashia may share Onboarding Data or transaction records with regulators, such as CBK or the Financial Reporting Centre (FRC), for compliance with National Payment Systems Act, 2011 or Proceeds of Crime and Anti-Money Laundering Act, 2009, with notice to you via support@cashia.com or +254 709 200 900 .

20.9 Data Retention and Destruction

● You must retain e-money transaction data, KYB data, and PSU personal data processed through Cashia Services for 7 years from the date of transaction or account termination, per NPS (E-Money_- NPS (E-Money) Regulations 2021, Regulation 21 and Data Protection Act, 2019, Section 25. Data must be stored securely using industry-standard methods (e.g., encryption).

● After the 7-year retention period, you must securely destroy all such data using methods like cryptographic erasure for digital records or certified shredding for physical documents, unless retention is required by law (e.g., ongoing CBK or FRC investigations), per Data Protection Act, 2019, Section 41. You must confirm destruction to support@cashia.com within 7 Working Days of completion.

● Cashia retains parallel data, ensures secure destruction post-retention, and complies with regulatory requirements.

20.10 Merchant Responsibilities

● You must implement security measures, such as securing API keys (Section 3.6) and encrypting PSU data, to prevent Restricted Activities (Section 11), such as data misuse.

● You must train staff on data protection and report non-compliance to **support@cashia.com ** or +254 709 200 900 within 24 hours. Failure to comply may result in suspension (Section 7) or indemnification obligations (Section 15).

20.11 Data Subject Rights

● You must honor PSU data subject rights, such as access or deletion requests, per Data Protection Act, 2019. For example, if a PSU requests deletion of their payment data, you must comply and notify Cashia at support@cashia.com or +254 709 200 900 within 7 Working Days. Cashia will assist in processing such requests, ensuring compliance with applicable laws.

20.12 Dispute Escalation

● Disputes related to data security or privacy, such as breach handling or data sharing disagreements, must follow Section 14 (Dispute Resolution and Arbitration).

● File claims via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence, such as breach reports.

● Unresolved disputes may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011, or to the Data Protection Commissioner.

20.13 Survival

● This section survives termination, ensuring data security and privacy obligations related to Confidentiality (Section 9), Regulatory Compliance (Section 13), Indemnification (Section 15), and Termination Procedures (Section 19) remain in effect, per Data Protection Act, 2019 and National Payment Systems Act, 2011.

21. Merchant Representations and Covenants

21.1 Ongoing Representations

● You represent and warrant, as outlined in Section 8, that you are a legally registered business in Kenya with authority to enter this Agreement.

● You covenant to maintain these representations throughout your use of Cashia Services, including Stika QR Codes, Payment Links, Pay with Cashia, and API integrations, ensuring compliance with applicable laws, such as National Payment Systems Act, 2011.

21.2 Compliance with Agreement

● You covenant to comply with all terms of this Agreement, including maintaining Verified Status (Section 4.4), paying fees (Section 5), resolving Chargebacks (Section 6), protecting Confidential Information (Section 9), respecting Intellectual Property (Section 10), avoiding Restricted Activities (Section 11), and adhering to Data Security and Privacy (Section 20). For example, you must ensure accurate Onboarding Data via OCR (Section 4.3) and secure API keys (Section 3.6).

21.3 Lawful Use of Services

● You covenant to use Cashia Services solely for lawful purposes, per Consumer Protection Act, 2012 and Proceeds of Crime and Anti-Money Laundering Act, 2009. You must not process transactions for prohibited goods or services, such as illegal drugs, as listed on www.cashia.com .

● You must verify PSU identities for high-value transactions to prevent AML/CFT violations, per Section 13.2.

21.4 Accurate Transaction Data

● You covenant to provide accurate and complete transaction data for all payments processed via Stika QR Codes, Payment Links, or Pay with Cashia (Section 3.4). For example, Payment Link descriptions must reflect the goods or services provided to avoid Disputes (Section 6). You must maintain records for 7 years, per National Payment System Regulations, 2014.

21.5 Cooperation with Cashia

● You covenant to cooperate with Cashia for regulatory audits, investigations, or support requests (Sections 13.8, 16), providing data, such as KYB documents or transaction logs, within 7 Working Days via support@cashia.com or +254 709 200 900 . You must promptly report issues, such as API errors or data breaches, per Sections 16.2 and 20.3.

21.6 Security and Confidentiality

● You covenant to implement security measures, such as encryption for PSU data and secure storage for API keys, per Data Protection Act, 2019 and CBK Cybersecurity Guidelines (CBK/PSP/GUID/02). You must protect confidential information (Section 9) and report breaches within 24 hours to support@cashia.com or +254 709 200 900 .

21.7 Dispute Resolution Compliance

● You covenant to follow Dispute Resolution and Arbitration processes (Section 14) for any disagreements, such as fee disputes or termination issues, filing claims via support@cashia.com or +254 709 200 900 within 14 Working Days. You must provide accurate evidence, such as transaction records, to facilitate resolution.

21.8 Dispute Escalation

● Breaches of these covenants, such as engaging in Restricted Activities or failing to secure data, may lead to disputes handled per Section 14. File claims via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence.

● Unresolved disputes may be escalated to the Central Bank of Kenya (CBK) at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

21.9 Survival

● This section survives termination, ensuring covenants related to Confidentiality (Section 9), Intellectual Property (Section 10), Regulatory Compliance (Section 13), Data Security (Section 20), and Termination Procedures (Section 19) remain in effect, per National Payment Systems Act, 2011 and Data Protection Act, 2019.

22. Force Majeure, Business Continuity, and Related Obligations

22.1 Force Majeure Events

● Neither you nor Cashia will be liable for delays or failures to perform obligations under this Agreement, except payment of fees (Section 5) or confidentiality obligations (Section 9), due to Force Majeure Events, as defined in Section 2, such as natural disasters, government actions, or cyberattacks beyond reasonable control. For example, a nationwide internet outage affecting Stika QR Codes or API integrations qualifies as a Force Majeure Event, per Section 12.8.

22.2 Notification of Force Majeure

● If a Force Majeure Event prevents performance, the affected party must notify the other via support@cashia.com or +254 709 200 900 within 48 hours, detailing the event and expected duration. Notifications must protect confidential information (Section 9), such as PSU data or API specifications, and comply with Data Protection Act, 2019. Cashia will communicate impacts on Cashia Services, such as Payment Links or Pay with Cashia, via in-app notifications or email, per National Payment System Regulations, 2014.

22.3 Business Continuity Obligations

● You must maintain business continuity plans to ensure compliance with this Agreement during disruptions, including securing PSU data (Section 20), processing Chargebacks (Section 6), and paying fees (Section 5). For example, you must have backup systems to store transaction records and protect Intellectual Property (Section 10), such as Stika QR Code designs, during outages. Cashia maintains continuity plans, including redundant servers and encryption, per CBK Cybersecurity Guidelines (CBK/PSP/GUID/02), to ensure uninterrupted access to Cashia Services.

22.4 Intellectual Property Protections

● During Force Majeure Events, you must continue to protect Cashia’s Intellectual Property (Section 10), such as not reproducing Stika QR Codes or APIs without authorization.

● You must secure software used in Cashia Services, including API integrations (Section 3.6), to prevent unauthorized access, per CBK Cybersecurity Guidelines. Cashia will ensure continuity of licensed software, such as the merchant app, to support your operations.

22.5 Software Use and Licensing

● Your right to use Cashia’s software, such as APIs or the merchant app (Section 3.6), remains subject to the limited license in Section 10.2 during Force Majeure Events.

● You must not reverse-engineer or misuse software, and you must report any software-related issues, such as API errors, to support@cashia.com or +254 709 200 900 within 48 hours. Cashia will provide temporary workarounds, such as manual transaction processing, to maintain service continuity.

22.6 Confidentiality Obligations

● You must protect Confidential Information (Section 9), such as PSU data or API keys, during Force Majeure Events, using encryption and secure storage, per Data Protection Act, 2019. For example, transaction records must be backed up securely during a cyberattack. Breaches must be reported to support@cashia.com or +254 709 200 900 within 24 hours, per Section 20.3.

22.7 Fees and Currency Conversion

● Payment obligations for fees (Section 5) remain in effect during Force Majeure Events. You must settle fees for transactions processed via Stika QR Codes or Payment Links within the agreed timelines, using your Verified Funding Source (Section 4.3). Currency conversion for non-KES transactions must follow Section 5.3 rates at www.cashia.com , ensuring transparency per Consumer Protection Act, 2012.

22.8 Miscellaneous Terms

● Miscellaneous obligations, such as maintaining English communications (Section 18.3) and cooperating with CBK directives (Section 18.5), remain in effect during Force Majeure Events. For example, you must provide KYB data (Section 4.3) within 7 Working Days if requested by CBK, using support@cashia.com or +254 709 200 900 , despite disruptions.

22.9 Mitigation Efforts

● Both parties must take reasonable steps to mitigate Force Majeure impacts.

● You must secure API keys (Section 3.6) and Onboarding Data (Section 4.3) against cyber threats.

● Cashia will implement failover systems to restore services, such as API functionality, per CBK Cybersecurity Guidelines.

22.10 Termination Due to Prolonged Events

● If a Force Majeure Event prevents performance for more than 30 days, either party may terminate this Agreement per Section 19.1, with notice via support@cashia.com or +254 709 200 900 . Post-termination obligations, such as fee settlement (Section 19.3) and IP cessation (Section 19.2), remain in effect.

22.11 Dispute Escalation

● Disputes related to Force Majeure, business continuity, fees, IP, software use, confidentiality, or miscellaneous terms must follow Section 14 (Dispute Resolution and Arbitration). File claims via support@cashia.com or +254 709 200 900 within 14 Working Days, providing evidence, such as notification records. Unresolved disputes may be escalated to CBK at +254 20 286 1000 or complaints@cbk.go.ke , per National Payment Systems Act, 2011.

22.12 Survival

● This section survives termination, ensuring obligations related to Fees (Section 5), Confidentiality (Section 9), Intellectual Property (Section 10), Regulatory Compliance (Section 13), Data Security (Section 20), and Miscellaneous Provisions (Section 18) remain in effect, per National Payment Systems Act, 2011 and Data Protection Act, 2019.

Thank you for choosing Kashia Services Limited