Terms of Service
These Terms govern your access to and use of the iso-compliant ISO 20022 compliance engine, the API at api.iso-compliant.com, the MCP server, the dashboard at iso-compliant.com, and any related services (collectively, the Service). The Service is operated by iso-compliant Inc. (a Delaware corporation) — referred to below as iso-compliant, we, or us.
1. Acceptance and definitions
By creating an account, accessing the dashboard, or making any call to the API, you (the Customer) agree to be bound by these Terms. If you accept on behalf of a legal entity, you represent that you have authority to bind that entity.
- API. The HTTPS endpoints at api.iso-compliant.com, including without limitation /v1/iso20022/pain.001, /v1/iso20022/pain.008, /v1/iso20022/camt.053/parse, /v1/iso20022/pain.002/parse, /v1/qr-bill, and /v1/iban/validate.
- Rule pack. A versioned per-bank Implementation Guideline (IG) artefact (e.g. ubs@2026.06) used to validate Customer payloads.
- MCP server. The @iso-compliant/mcp-server npm package and its associated stdio/SSE transports.
- Evidence Pack. A signed bundle of audit logs, attestation hashes, and rule-pack versions exported by the Customer for use as compliance evidence (SOC 2, ISO 27001, FINMA).
- Documentation. The technical materials published at docs.iso-compliant.com.
2. The service
iso-compliant provides a stateless transformation and validation service for ISO 20022 payment messages. The Customer submits a JSON payload; iso-compliant returns deterministic XML (or, for inbound parsing endpoints, structured JSON) validated against an XSD schema plus a per-bank rule pack. The Service does not move funds, hold balances, initiate payment instructions to banks on the Customer's behalf, or act as a payment institution under applicable financial regulation.
The Service is sold as infrastructure software. Bank-side acceptance of any file generated by the Service depends on the Customer's banking relationship, the accuracy of the input the Customer provides, and conditions outside iso-compliant's control.
3. Accounts and authentication
The Customer is responsible for safeguarding all credentials issued by or registered with iso-compliant, including API keys (bearer tokens with the prefix iso_live_ or iso_test_), Ed25519 signing keys, and dashboard login credentials. The Customer shall:
- Rotate API keys at least every 365 days, and immediately upon suspected compromise;
- Restrict key distribution to personnel and systems with a need to know;
- Notify iso-compliant via security@iso-compliant.com within 24 hours of becoming aware of any unauthorised use.
iso-compliant is not liable for the consequences of compromised Customer credentials prior to the Customer's notification.
4. Acceptable use
The Customer shall not, and shall not permit any third party to:
- Use the Service to generate payment files for, or to reconcile payment files relating to, transactions the Customer has not independently verified comply with applicable law in every relevant jurisdiction (including AML, sanctions, and tax-reporting law);
- Submit malformed or oversized requests with the intent or effect of consuming infrastructure capacity beyond the Customer's reasonable production needs (denial-of-service);
- Reverse-engineer, decompile, or otherwise attempt to derive the source of the deterministic validation logic, the rule packs, or the bank-fixture matrix;
- Resell, sublicense, or expose the Service as a substantially similar competing product;
- Use the Service in connection with any business that is the subject of comprehensive sanctions administered by the Swiss SECO, the European Union, the United Kingdom HMT/OFSI, or the United States OFAC (the Sanctioned Persons List);
- Use the Service to circumvent any judicial process or regulatory obligation to which the Customer or its counterparties are subject.
iso-compliant reserves the right to suspend Service access on reasonable suspicion of a material breach of this Section 4, with notice where practicable.
5. Customer data and zero-retention
The Service is engineered for zero plaintext retention of payment payloads. The only persistent artefacts associated with a Customer request are:
- An anonymised idempotency record consisting of the request key, the SHA-256 of the canonical request body, the derived MsgId, the ruleset version applied, and the response status, retained for seven (7) years for replay protection;
- An audit-attestation chain entry containing the SHA-256 of the canonical response XML, the SHA-256 of the prior chain entry, and the chain sequence number, retained for seven (7) years;
- If the Customer queues a payment to the human-in-the-loop retry queue, the original payload encrypted with a per-tenant key managed by the Customer's KMS, retained until the queue item resolves and then auto-deleted.
Plaintext payment payloads expire from the request-render cache within five (5) minutes of response transmission. iso-compliant does not train, fine-tune, or otherwise condition any machine-learning model on Customer payload contents.
Customer data is processed in the Customer's elected region (default EU-Frankfurt; additional regions available per the order form). Data does not leave the elected region in the course of normal Service operation. Detailed processing terms are set out in the Data Processing Agreement.
6. Security and audit
iso-compliant maintains the following technical and organisational measures:
- Cryptographic non-repudiation on every mutating request, via Ed25519 detached signatures or RFC 9421 HTTP Message Signatures;
- TLS 1.3 in transit; AES-256-GCM at rest at the Postgres layer (via our subprocessor's volume encryption);
- Hash-chained audit log (SHA-256 per entry, chained per tenant) exposing tamper-evidence and ordering guarantees;
- Quarterly external penetration testing, with executive summary available to the Customer under NDA;
- SOC 2 Type 1 readiness from month 3 of GA; Type 2 audit window opens at month 9; ISO 27001 certification targeted at month 14. Status is published at docs.iso-compliant.com/compliance.
The Customer may export an Evidence Pack at any time covering the Customer's own tenant. The Evidence Pack is suitable for use as third-party-attestable evidence in the Customer's own SOC 2, ISO 27001, or FINMA audit.
7. Fees and billing
7.1 Pricing model
The Service is priced on a per-document basis. Pricing tiers are published at iso-compliant.com/#pricing. The Service is never priced as a percentage of transaction value. This commitment is structural; iso-compliant will not introduce percentage-of-volume pricing into existing Customer subscriptions during the term.
7.2 Free tier
The free tier permits up to 100 documents per calendar month. The free tier does not include a Service Level Agreement, enterprise support, or the Evidence Pack export feature. Usage beyond 100 documents in a month requires an active paid subscription.
7.3 Paid tier
Paid subscriptions are billed monthly in arrears via Stripe Billing on the basis of metered document events (event name iso-compliant_document). The unit price for each document depends on the Customer's volume bracket, ranging from $0.05 per document at the entry tier to $0.005 per document at the highest committed-volume tier.
7.4 Enterprise tier
Enterprise subscriptions are billed annually under a separate order form. The fee shown at sign-up is a placeholder; Customers should contact sales@iso-compliant.com for a quote. Enterprise pricing may include implementation fees ($7,500 per new bank added to the validated fixture matrix at Customer request).
7.5 Taxes
All fees are exclusive of any value-added tax (VAT), goods and services tax, or similar transaction tax. Where iso-compliant is required to collect such tax, it will be added to the invoice. The Customer is responsible for withholding taxes that may be due in the Customer's jurisdiction.
7.6 Disputed charges
Disputed charges must be raised in writing to billing@iso-compliant.com within thirty (30) days of the invoice date. Undisputed amounts remain payable on their original due date.
8. Service level
Paid-tier Customers receive a 99.9% monthly uptime commitment measured against availability of api.iso-compliant.com excluding scheduled maintenance (announced at least 72 hours in advance) and force-majeure events. Enterprise-tier Customers may negotiate a 99.99% commitment with credit terms set out in the order form. Service credits are the Customer's sole and exclusive remedy for downtime not caused by a material breach of these Terms.
9. Changes to the service
iso-compliant may modify the Service from time to time. Material breaking changes to the API surface (request shape, response shape, error codes) will be announced with at least 90 days' notice and accompanied by a versioned migration path. Rule packs are versioned per release; the Customer may pin a specific rule-pack version via the X-Iso-Compliant-Bank-Ruleset request header. Deprecated rule-pack versions remain accessible for at least 12 months from the deprecation announcement.
10. Intellectual property
As between the parties, iso-compliant retains all right, title, and interest in and to the Service, the rule packs, the bank-fixture matrix, and the Documentation. The Customer retains all right, title, and interest in the Customer's payment data. The Customer grants iso-compliant a non-exclusive, worldwide, royalty-free licence to process Customer payment data solely as necessary to provide the Service.
The MCP server package @iso-compliant/mcp-server is published under the MIT licence. Use of the package is governed by its licence; these Terms govern use of any gated API endpoints the package proxies to.
11. Warranties and disclaimers
iso-compliant warrants that, as of the date of each release, each rule pack has been validated against the corresponding bank's published UAT samples or production samples (where licensed by the bank). iso-compliant does not warrant that any file generated by the Service will be accepted by any particular bank in any particular transaction; bank acceptance depends on the input the Customer provides, the Customer's own banking relationship, and conditions outside iso-compliant's control.
EXCEPT FOR THE EXPRESS WARRANTIES IN THIS SECTION 11 AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICE IS PROVIDED "AS IS" AND ISO-COMPLIANT DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.
12. Limitation of liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ISO-COMPLIANT'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS, REGARDLESS OF THE FORM OF ACTION, WILL NOT EXCEED THE AMOUNT THE CUSTOMER PAID TO ISO-COMPLIANT IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE LIABILITY. IN NO EVENT WILL ISO-COMPLIANT BE LIABLE FOR LOSS OF PROFITS, LOSS OF DATA, LOSS OF BUSINESS, OR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Specifically and without limitation, iso-compliant is not liable for (a) any losses arising from a payment rejected by a bank or routed to a wrong counterparty as a consequence of incorrect Customer input, (b) any losses arising from the Customer's failure to retry a payment that the bank flagged as ambiguous or duplicated, or (c) any losses arising from the Customer's reliance on a deprecated rule-pack version after the deprecation window has elapsed.
13. Indemnification
The Customer will defend, indemnify, and hold harmless iso-compliant from and against any third-party claim arising out of (i) the Customer's use of the Service in breach of Section 4 (Acceptable use); (ii) the Customer's submission of payment data that infringes a third party's rights or violates applicable law; or (iii) the Customer's failure to obtain authorisation from a counterparty whose payment data appears in a Customer payload.
iso-compliant will defend, indemnify, and hold harmless the Customer from and against any third-party claim that the Service, as delivered and used in accordance with these Terms, infringes a third-party intellectual-property right.
14. Termination
Either party may terminate these Terms for cause if the other party materially breaches them and fails to cure within thirty (30) days of written notice. iso-compliant may terminate immediately and without notice if the Customer is the subject of a sanctions designation, a bankruptcy petition, or a court order prohibiting further provision of the Service.
Upon termination, the Customer's right to access the API ceases immediately. The Customer's audit-attestation chain and idempotency records remain retained for the periods set out in Section 5. The Customer may export an Evidence Pack covering the active period for up to ninety (90) days after termination.
15. Export and sanctions
The Customer represents that it is not, and is not acting on behalf of any person who is, the subject of sanctions administered by the Swiss SECO, the European Union, the United Kingdom HMT/OFSI, or the United States OFAC. The Customer shall not use the Service in or for the benefit of any embargoed country or sanctioned end-user.
16. Governing law and disputes
These Terms are governed by the substantive laws of the State of Delaware, United States of America, without regard to its conflict-of-laws provisions. The United Nations Convention on Contracts for the International Sale of Goods does not apply. The parties submit to the exclusive jurisdiction of the Court of Chancery of the State of Delaware (and, where subject-matter jurisdiction is lacking there, the state or federal courts located in New Castle County, Delaware), save that either party may seek injunctive relief in any court of competent jurisdiction to protect its intellectual-property rights.
17. General provisions
- Entire agreement. These Terms, together with any order form, Data Processing Agreement, and policies incorporated by reference, are the entire agreement between the parties and supersede any prior or contemporaneous proposals or communications.
- Severability. If any provision is held unenforceable, the remaining provisions remain in effect.
- Assignment. Neither party may assign these Terms without the other party's written consent, except that iso-compliant may assign in connection with a merger, acquisition, or sale of all or substantially all of its assets.
- Force majeure. Neither party is liable for failure to perform due to events beyond its reasonable control, including network outages affecting Cloudflare or Supabase, government action, and acts of war.
- Notices. Notices under these Terms must be in writing to legal@iso-compliant.com and to the Customer's account-administrator email of record.
- Amendments. iso-compliant may amend these Terms by posting a revised version at this URL with a new effective date. Material amendments will be announced via email to the account administrator at least thirty (30) days before they take effect.
18. Contact
iso-compliant Inc. · Delaware, USA
Legal: legal@iso-compliant.com
Security: security@iso-compliant.com
Billing: billing@iso-compliant.com