Acceptable Use Policy

Last updated: April 21, 2026

1. Introduction & Scope

This Acceptable Use Policy (“AUP”) governs how you may use the securepayAPI Services (the dashboard, APIs, hosted payment pages, SDKs, and related tools). It is part of your Terms of Service with Lumiria LLC and applies in addition to our Restricted Businesses list, our Privacy Policy, the rules of the card networks (Visa, Mastercard, American Express, Discover, JCB, UnionPay), and applicable law.

The Restricted Businesses list defines what you may sell on the Services. This AUP defines how you may use the Services — the technical, operational, and conduct-related rules every Merchant, Representative, employee, contractor, and integrator working under your account must follow.

If you violate this AUP, we may suspend or terminate your account, hold settlement, charge fees and pass through any fines or assessments imposed by our banking partners or the card networks, and report unlawful conduct to the relevant authorities. See Section 10 for details.

2. Account Integrity

You shall:

  • provide accurate, complete, and current information about your business, principals, beneficial owners, and Settlement Account during onboarding and on an ongoing basis;
  • maintain the security of your dashboard credentials and enable two-factor authentication for every user with administrative access;
  • limit access to authorised personnel of your Merchant entity, on a need-to-know basis, and revoke access promptly when an individual leaves or no longer requires it;
  • promptly notify us at legal@securepayapi.com of any material change to your business — including changes in beneficial ownership, control persons, sales channels, products, or material increases in volume.

You shall not:

  • create or maintain an account using a false, stolen, or borrowed identity, or using temporary or disposable email addresses or phone numbers solely to obscure who is behind the account;
  • create additional accounts for the purpose of evading processing limits, holds, Reserves, suspensions, or terminations;
  • share dashboard credentials, API keys, or session tokens with third parties outside your Merchant organisation, except with our pre-approved integrators acting on your behalf;
  • refuse, delay, or obstruct legitimate identity-, business-, or source-of-funds verification.

3. API, Credentials & Integration Security

Your API keys and webhook secrets are confidential to your Merchant account. You are solely responsible for any activity that occurs under your credentials.

  • do not commit Secret API keys, webhook secrets, or other credentials to public repositories, log streams, screenshots, or client-side bundles;
  • do not embed Secret keys in mobile apps, browser code, or any place a third party can extract them — use Publishable keys for client-side flows;
  • where supported, use restricted-scope keys with the minimum permissions required for the task;
  • rotate keys immediately if you suspect or detect compromise, and notify us at security@securepayapi.com;
  • verify webhook signatures on every event you process; do not act on unverified payloads;
  • serve all webhook endpoints over HTTPS using a current TLS configuration;
  • implement idempotency for retry-prone API operations (charges, refunds, payouts) to avoid duplicate processing;
  • use Test-Mode keys for development and quality-assurance traffic; do not run automated load testing, fuzzing, or fake-volume generation in Live Mode;
  • do not enable employees, contractors, or end customers to obtain or impersonate your API credentials.

4. Acceptable Technical Use

You shall use the Services within their documented contracts.

  • respect documented rate limits; do not bypass them by rotating accounts, IP addresses, proxies, or API keys, by parallelising clients, or by other means;
  • do not scrape, crawl, harvest, or otherwise extract data from the dashboard, our website, or undocumented endpoints by automated means without our written permission;
  • do not use anonymising proxies, residential-proxy networks, or VPN-rotation infrastructure to interact with the Services for the purpose of evading rate limits, fraud controls, or geographic restrictions;
  • do not use the Services in ways that impose an unreasonable or disproportionately large load on our infrastructure;
  • do not modify, manipulate, or rewrite request or response payloads in transit so as to misrepresent Transactions to securepayAPI, our acquirers, or the card networks;
  • do not use the dashboard primarily as a virtual terminal for manual key-entry of card data without point-of-sale presence;
  • do not generate or process Transactions for the purpose of validating, testing, or enumerating stolen, leaked, or otherwise unauthorised payment credentials (“card testing”).

5. Security, Interference & Probing

You shall not:

  • conduct security probing, vulnerability scanning, penetration testing, fuzz testing, automated scanning, or any other adversarial security assessment against the Services without our prior written authorisation;
  • upload, transmit, or distribute viruses, worms, trojans, ransomware, spyware, or any other malicious or destructive code, or any code intended to gain unauthorised access to systems or data;
  • attempt to gain unauthorised access to non-public APIs, internal systems, accounts of other Merchants, or any data not explicitly made available to you by the Services;
  • conduct denial-of-service or distributed-denial-of-service attacks, traffic-flooding, or amplification attacks against the Services or any third party from your account;
  • circumvent, defeat, or interfere with security or authentication features of the Services (including rate limits, fraud controls, two-factor authentication, IP allowlists, or device-binding);
  • interrupt or interfere with other Merchants' use of the Services, or the operation of our payment partners' or sub-processors' services.

Bona-fide security researchers should follow our coordinated disclosure process (Section 9) instead.

6. Reverse Engineering & Derivative Works

You shall not:

  • decompile, disassemble, or reverse-engineer any part of the Services, except to the extent that applicable law expressly permits these activities notwithstanding this restriction;
  • extract source code, model weights, training data, fraud-rule heuristics, or other proprietary internals from the Services;
  • train, fine-tune, or otherwise build artificial-intelligence or machine-learning models on inputs to or outputs from the Services that you obtained other than as expressly permitted under your contract with us;
  • copy, mirror, or republish material parts of the Services or our Documentation in order to build a competing service;
  • remove, obscure, or alter any proprietary notices, watermarks, or attributions in or on the Services.

7. Brand, Trademarks & Impersonation

You shall not:

  • use the securepayAPI name, logos, marks, trade dress, or domain names other than as expressly permitted by our brand guidelines or by a written agreement with us;
  • register or use a domain, application name, social handle, or marketplace listing that imitates securepayAPI or that suggests an affiliation, partnership, endorsement, or accreditation that does not exist;
  • send communications (including email, SMS, push notifications, in-app messages, or letters) that purport to come from securepayAPI or that direct your customers to phishing pages disguised as securepayAPI;
  • misrepresent securepayAPI's services, fees, security, or availability to your customers, regulators, or the public.

8. Cooperation with Investigations

You shall:

  • respond promptly and in good faith to our requests for KYC, KYB, source-of-funds, beneficial-ownership, business-licence, or other due-diligence documentation;
  • permit reasonable review of your business operations and risk controls as part of underwriting, periodic re-verification, or investigation of suspected violations;
  • cooperate with our banking partners, the card networks, regulators, auditors, and law-enforcement agencies in connection with any matter that involves your account;
  • preserve, and not destroy, alter, or render inaccessible, records relevant to a known or reasonably anticipated investigation, regulatory inquiry, or dispute, until the matter is resolved or the retention period required by law has expired.

9. Reporting Vulnerabilities & Incidents

We welcome reports from security researchers and customers. Where possible, please use the appropriate channel below.

  • Suspected vulnerability in the Services — email security@securepayapi.com with a description, reproduction steps, and any impact assessment. Do not exploit the vulnerability beyond what is necessary to confirm it, do not access data that does not belong to you, and do not publicly disclose until we have had a reasonable opportunity to remediate. We will not pursue legal action against good-faith researchers who follow this process.
  • Suspected compromise of your account, API keys, or webhook secrets — rotate the affected credentials immediately and email security@securepayapi.com.
  • Suspected breach of cardholder data or other Personal Data on your systems — notify us within twenty-four (24) hours at security@securepayapi.com and at legal@securepayapi.com; you remain responsible for cardholder-data breach notifications under the Network Rules and applicable law.
  • Other AUP violations — to report a Merchant or third party for suspected misuse, contact legal@securepayapi.com.

10. Enforcement & Consequences

If we determine, in our reasonable discretion, that you have violated this AUP, we may take any one or more of the following actions, with or without prior notice depending on the severity and urgency of the matter:

  • contact you for clarification, remediation, or additional information;
  • throttle, restrict, or temporarily suspend access to specific Services or features;
  • suspend your account in whole or in part;
  • hold or extend the holding period for Settlement Funds and Reserves under the Terms;
  • terminate the Terms in accordance with Section 14 of the Terms;
  • charge investigation, monitoring, or compliance fees, and pass through any fines, assessments, or penalties imposed by our banking partners or the card networks;
  • preserve, freeze, or transfer funds where required by law, court order, or banking-partner instruction;
  • report the conduct to law-enforcement agencies, regulators, the card networks, or our banking partners.

Failure to enforce any provision of this AUP is not a waiver of our right to enforce it later.

11. Updates to this Policy

We may update this AUP from time to time. Material changes will be communicated through the dashboard or by email at least thirty (30) days before they take effect, except where a shorter period is required by law, by the Network Rules, or to address a security or legal risk. The “Last updated” date at the top of this page reflects the most recent version.

12. Contact

For matters related to this AUP, please contact:

Lumiria LLC d/b/a securepayAPI
1451 Richardson Rd. Ste. 109 #127, Apex, NC 27523, USA
Security: security@securepayapi.com
Legal: legal@securepayapi.com
Phone: +1 844 680 0679
