Payment Processing Addendum
Last Updated: April 3, 2026
This Payment Processing Addendum ("PPA") is a binding addendum to the ArmoryFlow Terms of Service and the Storefront Operator Agreement. It governs the storage, use, and handling of your payment processing credentials by ArmoryFlow. By providing your Authorize.net credentials to ArmoryFlow, you agree to all terms herein.
ArmoryFlow is a product and service provided by Circle Square Inc. ("Company," "we," "our," or "us"), a corporation organized under the laws of the State of Delaware.
1. Definitions
- "Payment Credentials" means your Authorize.net API Login ID, Transaction Key, and any other authentication credentials you provide to ArmoryFlow for the purpose of processing payments on your Storefront.
- "Merchant Account" means your Authorize.net payment gateway account, which you own, control, and maintain independently of ArmoryFlow.
- "Payment Nonce" means the tokenized, single-use payment token generated by Authorize.net's Accept.js on the consumer's device, which represents the consumer's payment method without exposing raw card data.
- "Transaction" means a credit card charge processed through your Merchant Account via ArmoryFlow's checkout system.
- "Distributor Credentials" means any login credentials, API keys, FTP usernames and passwords, or other authentication information you provide to ArmoryFlow for accessing third-party firearms distributor systems on your behalf.
2. Authorization
2.1 Payment Processing Authorization
By providing your Payment Credentials to ArmoryFlow, you expressly authorize Circle Square Inc. to:
- Store your Payment Credentials in encrypted form on ArmoryFlow's servers for the sole purpose of processing Transactions on your Storefront
- Decrypt and use your Payment Credentials at the time of each Transaction to submit charges to Authorize.net on your behalf
- Submit authCaptureTransaction requests to Authorize.net using your Merchant Account credentials when a consumer completes checkout on your Storefront
- Perform test authorization transactions (e.g., $0.01 auth + void) to validate your Payment Credentials when you first configure them
This authorization is limited to processing Transactions initiated by consumers through your ArmoryFlow Storefront checkout flow. ArmoryFlow will not use your Payment Credentials for any other purpose.
2.2 Distributor Access Authorization
By providing Distributor Credentials, you expressly authorize Circle Square Inc. to:
- Store your Distributor Credentials in encrypted form for the sole purpose of accessing distributor inventory and pricing data on your behalf
- Connect to distributor systems (via FTP, FTPS, API, or other protocols) using your credentials to download product catalogs, inventory availability, and pricing data
- Perform periodic synchronization of distributor data according to your integration settings
This authorization does not extend to placing orders, modifying account settings, or taking any action on your distributor accounts beyond reading inventory and product data, unless you separately and explicitly authorize such actions.
2.3 Revocation
You may revoke this authorization at any time by removing your Payment Credentials or Distributor Credentials from your ArmoryFlow account settings. Upon revocation:
- ArmoryFlow will delete your stored credentials within 24 hours
- Your Storefront checkout will be disabled (for Payment Credentials)
- Distributor data synchronization will stop (for Distributor Credentials)
- Any pending or in-progress Transactions at the time of revocation will be completed if already submitted to Authorize.net
3. Credential Security
3.1 Encryption
ArmoryFlow protects your Payment Credentials and Distributor Credentials using:
- AES-256-GCM encryption: Industry-standard authenticated encryption with unique initialization vectors for each credential
- Supabase Vault (when available): Database-level secret management with additional isolation
- Encryption at rest and in transit: All credential data is encrypted at rest in the database and in transit via TLS/SSL
3.2 Access Controls
Access to stored credentials is limited to:
- The ArmoryFlow checkout system (for Payment Credentials, at the time of Transaction processing)
- The ArmoryFlow integration sync system (for Distributor Credentials, at the time of data synchronization)
- Authorized Circle Square Inc. personnel for system maintenance and incident response (with audit logging)
3.3 PCI DSS Compliance
ArmoryFlow's payment architecture is designed to minimize PCI DSS scope:
- Client-side tokenization: Consumer credit card data is tokenized directly by Authorize.net's Accept.js running in the consumer's browser. Raw card numbers, CVV codes, and expiration dates are never transmitted to or stored on ArmoryFlow servers.
- Nonce-only processing: ArmoryFlow's servers receive only opaque Payment Nonces, which are single-use tokens that cannot be used to reconstruct card data.
- No cardholder data storage: ArmoryFlow does not store credit card numbers, CVV codes, or full expiration dates. Only masked card information (e.g., last 4 digits) is stored for order records.
ArmoryFlow maintains compliance with PCI DSS requirements applicable to its role as a technology service provider using client-side tokenization (SAQ A-EP scope or equivalent).
3.4 Security Incident Notification
In the event of a security incident that may have compromised your Payment Credentials or Distributor Credentials, ArmoryFlow will:
- Notify you as soon as reasonably practicable, and in any event within 72 hours of discovery
- Provide details of the nature of the incident and the credentials potentially affected
- Take immediate steps to contain and remediate the incident
- Cooperate with your investigation and any required notifications
Upon receiving notice of a security incident, you should immediately rotate your Payment Credentials in your Authorize.net dashboard and your Distributor Credentials with each affected distributor, then update the new credentials in your ArmoryFlow account.
4. Your Responsibilities
4.1 Merchant Account
You are solely responsible for:
- Establishing and maintaining your Authorize.net Merchant Account
- Complying with all Authorize.net terms of service and merchant agreements
- Maintaining PCI DSS compliance for your Merchant Account
- Managing chargebacks, disputes, and fraud claims on your Merchant Account
- Configuring appropriate fraud detection and prevention settings in your Authorize.net dashboard
- Paying all Authorize.net fees, processing fees, and chargeback fees
- Ensuring your Authorize.net account is properly configured for e-commerce transactions
4.2 Credential Management
You are responsible for:
- Providing accurate, current Payment Credentials and Distributor Credentials
- Rotating your credentials periodically in accordance with security best practices and your merchant agreement requirements
- Updating your credentials in ArmoryFlow promptly if they change
- Notifying ArmoryFlow immediately if you suspect your credentials have been compromised outside of ArmoryFlow's systems
- Using separate API credentials for ArmoryFlow rather than sharing credentials with other services, where possible
4.3 Tax Configuration
You are solely responsible for configuring the correct tax rate in your ArmoryFlow storefront settings. ArmoryFlow provides a flat tax rate field as a convenience. ArmoryFlow does not:
- Calculate, determine, or validate the applicable tax rate for your transactions
- Guarantee the accuracy of tax amounts charged to consumers
- File, remit, or report sales tax on your behalf
- Provide tax advice or guidance
You are responsible for determining the correct tax treatment for your transactions, collecting the appropriate amount of tax, and remitting taxes to the appropriate taxing authorities.
4.4 Distributor Accounts
You are solely responsible for:
- Maintaining your accounts with firearms distributors in good standing
- Complying with all distributor terms of service and dealer agreements
- Ensuring you have authorization from each distributor to use automated inventory access tools (such as ArmoryFlow's integration features)
- Any fees, charges, or penalties assessed by distributors in connection with your account
5. Transaction Processing
5.1 Checkout Flow
When a consumer completes a purchase on your Storefront, ArmoryFlow processes the Transaction as follows:
- The consumer's browser tokenizes card data via Accept.js (no raw card data reaches ArmoryFlow)
- ArmoryFlow validates the cart contents, product availability, and pricing server-side
- ArmoryFlow decrypts your Payment Credentials
- ArmoryFlow submits an authCaptureTransaction to Authorize.net using your credentials and the consumer's Payment Nonce
- Upon successful charge, ArmoryFlow creates the order record and sends confirmation emails
- Your Payment Credentials are immediately discarded from memory after the Transaction
5.2 Failed Transactions
If a Transaction is declined or fails, the consumer is notified and no order is created. If a Transaction succeeds but the order record fails to be created (a rare edge case), ArmoryFlow logs the Transaction details (transaction ID, amount, and contact information) to a recovery log. In this case:
- The consumer is instructed to contact you with their transaction reference
- You are responsible for resolving the issue using your Authorize.net dashboard
- ArmoryFlow will assist with providing Transaction details from the recovery log upon request
5.3 Refunds and Voids
ArmoryFlow does not currently process refunds or voids through its platform. All refunds must be processed by you directly through your Authorize.net dashboard. You are solely responsible for your refund policy and for processing refunds in compliance with applicable consumer protection laws.
6. Limitation of Liability
IN ADDITION TO THE LIMITATIONS IN THE TERMS OF SERVICE AND THE STOREFRONT OPERATOR AGREEMENT, ARMORYFLOW AND CIRCLE SQUARE INC. SHALL HAVE NO LIABILITY WHATSOEVER FOR:
- ANY DECLINED, FAILED, OR ERRONEOUS TRANSACTION PROCESSED THROUGH YOUR MERCHANT ACCOUNT
- ANY CHARGEBACK, FRAUD CLAIM, OR PAYMENT DISPUTE ON YOUR MERCHANT ACCOUNT
- ANY FEES, PENALTIES, OR CHARGES ASSESSED BY AUTHORIZE.NET, YOUR PAYMENT PROCESSOR, OR ANY CARD NETWORK
- ANY TAX LIABILITY, PENALTY, OR INTEREST RESULTING FROM INCORRECT TAX CONFIGURATION
- ANY LOSS OR DAMAGE RESULTING FROM CREDENTIAL COMPROMISE CAUSED BY YOUR ACTIONS, THIRD-PARTY BREACHES, OR CIRCUMSTANCES OUTSIDE ARMORYFLOW'S REASONABLE CONTROL
- ANY FEES, PENALTIES, OR ACCOUNT ACTIONS TAKEN BY FIREARMS DISTRIBUTORS IN CONNECTION WITH YOUR DISTRIBUTOR ACCOUNTS
- ANY INTERRUPTION OF PAYMENT PROCESSING DUE TO AUTHORIZE.NET OUTAGES, NETWORK ISSUES, OR OTHER THIRD-PARTY SERVICE DISRUPTIONS
7. Indemnification
In addition to the indemnification obligations in the Terms of Service and the Storefront Operator Agreement, you agree to indemnify, defend, and hold harmless Circle Square Inc. from any claims, damages, or expenses arising from:
- Transactions processed through your Merchant Account via ArmoryFlow
- Chargebacks, fraud claims, or payment disputes on your Merchant Account
- Your violation of Authorize.net's terms of service or merchant agreement
- Tax errors resulting from your tax configuration
- Any claim by a consumer related to a payment processed through your Storefront
- Your violation of any distributor's terms of service or dealer agreement
- Any unauthorized use of credentials that you provided to ArmoryFlow
8. ArmoryFlow's Obligations
ArmoryFlow commits to:
- Maintaining industry-standard encryption for all stored Payment Credentials and Distributor Credentials
- Using your credentials only for the purposes expressly authorized in this Addendum
- Deleting your credentials within 24 hours of your revocation of authorization or account termination
- Notifying you of any security incident that may affect your credentials within 72 hours of discovery
- Maintaining reasonable security practices consistent with industry standards for protecting credential data
- Not sharing your credentials with any third party (except as required by law or legal process)
9. General Provisions
9.1 Relationship to Other Agreements
This PPA supplements the Terms of Service and the Storefront Operator Agreement. In the event of conflict, this PPA controls with respect to payment processing and credential custody matters.
9.2 Survival
Sections 6 (Limitation of Liability), 7 (Indemnification), and 3.4 (Security Incident Notification) survive termination of this Addendum and your ArmoryFlow account.
9.3 Modifications
We may modify this PPA at any time by posting an updated version. Material changes will be communicated with at least 30 days' notice. Your continued use of payment processing features after changes take effect constitutes acceptance.
9.4 Governing Law
This PPA is governed by the laws of the State of Pennsylvania and is subject to the arbitration and dispute resolution provisions in the Terms of Service.
10. Contact Information
For questions about this Payment Processing Addendum:
ArmoryFlow
Email: legal@armoryflow.com
Support: support@armoryflow.com
Security: security@armoryflow.com
By providing your Authorize.net credentials or Distributor Credentials to ArmoryFlow, you acknowledge that you have read, understood, and agree to be bound by this Payment Processing Addendum. This authorization remains in effect until you revoke it by removing your credentials from your ArmoryFlow account or until your account is terminated.