Master Subscription Agreement (“MSA”) Prometeo

This Master Subscription Agreement (this “Agreement” or “MSA”) is entered into by and between Prometeo (“Provider”) and the customer identified in the applicable Order Form (“Customer”), and is effective as of the Effective Date set forth in such Order Form. Each Order Form forms an integral part of this Agreement and is governed by its terms.

What does this MSA cover?

This MSA governs your access to and use of Prometeo’s software product (the “Product” or the “Services”), which is made available via API and enabled through API credentials. This Agreement sets out the rights and obligations of both parties and forms a legally binding contract between you and Prometeo.

Where are the specific conditions?

The applicable Services, fees, and other commercial terms will be specified in the respective Order Form.

Acceptance of services and the importance of the KYC/KYB process

You acknowledge and agree that the Services are provided on an "as is" and "as available" basis, without any express or implied warranties. This means that we do not guarantee uninterrupted availability, error-free operation, or compatibility with your systems. We expressly disclaim any warranties of merchantability, fitness for a particular purpose, non-interference, accuracy, or reliability of the information provided through the Services.

As part of our compliance and risk management procedures, Know Your Customer (KYC) and Know Your Business (KYB) processes are essential. Prometeo, in collaboration with its partners (such as banks and payment service providers, amongst others), reserves the right to request additional information or documentation at any time. Failure to provide the required information may result in delays, limitations, or suspension of the Services.

Third-Party Providers and Information Sharing

To deliver our Services, we rely on third-party partners/providers, such as banks, payment service providers, and other technology partners. By using our Services, you acknowledge and consent to the necessary sharing of information with these providers, strictly for the purpose of enabling and improving the Services.

We take reasonable measures to ensure that our providers meet appropriate security and compliance standards. However, since their operations are independent and outside our direct control, we cannot assume responsibility for any actions, omissions, or service disruptions attributable to such third parties. Even so, we remain committed to working with trusted providers to deliver a reliable and secure service experience.

Please note that, depending on the jurisdiction in which the Services are provided, additional information, consents, or documentation may be required in order to comply with local legal, regulatory, or operational requirements.

About Us and how to contact us

Who we are

You may know us by our brand names, such as Prometeo and PrometeoAPI. Whenever we refer to "Prometeo," "we," "us," or "our," we mean the entity identified as Provider in the applicable Order Form.

How to contact us

You can reach us using the contact details specified in the applicable Order Form. For general inquiries, you may also contact us through support@prometeoapi.com.

About You

The entity identified as "Customer" in the applicable Order Form will be referred to in this Agreement as "you," "your," “Merchant” or "Customer."

This includes affiliates or subsidiaries, provided they are explicitly mentioned in the Order Form. Otherwise, access to the service will be limited to the contracting entity and the users specified in the Order Form.

About this MSA

This MSA governs the provision of our Services and may be supplemented by:

• Order Forms, detailing the specific Services, pricing, and terms. The Initial Order Form is the first executed, with additional Order Forms possible over time.
• Annexes, as required for certain Services.
• Additional Documents, such as our Code of Ethics and Privacy Policy.

In case of conflict, the following order of precedence applies:

1. Order Form
2. This MSA
3. DPA
4. Privacy Policy
5. Website Terms and Conditions
6. Other policies or notices.

Changes we can make

We may update this Agreement from time to time. If we make changes, we will notify you at least 30 calendar days in advance via email or the platform where the Services are accessed. If you do not agree with the changes, you may terminate the Agreement during the notice period. If you continue using the Services after the effective date, the changes will be considered accepted.

Some changes may take effect immediately without notice if they clarify terms, comply with laws, introduce new services without added obligations, or reflect industry changes. All updates will be reasonable, necessary, and legally compliant.

Access to our Product and new versions

During the Term specified in the Order Form, the Customer may access and use the Services using the authentication method designated by Prometeo — which may include an API Key or mutual TLS (mTLS), depending on the Service. The applicable authentication method will be specified in the technical documentation provided by Prometeo.

We’ll let the Customer know about every new platform release. If the Customer asks to delay an update — and the reason is exceptional and justified — we’re not responsible for any errors or issues that happen during that deferred period.

SaaS Model

Customer will access the Services under a managed services model ("Software as a Service" or “SaaS”), meaning that the underlying infrastructure required for its operation is managed by the Provider.

Restrictions

The Customer may only use the Services as contracted and authorized. Unauthorized use, including resale, third-party access, modification, competitive use, or prohibited activities, is strictly forbidden.

Requirements

1. Eligibility

To access and use our Services, Customer must be a legally registered entity in a supported country or territory and successfully complete our Know Your Customer (KYC) / Know Your Business (KYB) verification process.

2. Authorized Users

The Customer may designate individuals (“Authorized Users”) to use the Services. Each will receive an individual API Key, and access will be linked to their email domain. The Customer must share a list of authorized email addresses with the Provider, which will be used to manage access, monitor activity, and handle billing.

The Customer is fully responsible for what Authorized Users do, including any misuse or unauthorized use. The Provider does not check the authority of each user beyond the initial email match.

In some cases, the Provider may require two-factor authentication (2FA) to access the Services. The Customer agrees to follow these steps when requested.

The Provider may add more advanced user management tools later, including admin roles and permissions.

3. Disputes with Authorized Users

Any issues between the Customer and its Authorized Users about access or use of the Services are their responsibility to resolve. The Provider is not responsible for any problems, losses, or claims that come from those disputes. The Customer must manage and regularly review who has access.

4. Additional Terms and Third-Party Agreements

To provide its Services, the Provider may work with designated institutions or third-party partners/ providers. The Customer acknowledges that access to certain Services may be subject to additional terms and conditions established by such entities. By entering into this Agreement, the Customer expressly agrees to be bound by any applicable terms and conditions required by these third-party providers, as referenced in the Order Form and related schedules.

5. Customer Information and Verification

The Customer must provide complete, accurate, and up-to-date information at all times. The Provider is not liable for any issues arising from inaccurate or outdated information and may request confirmation or supporting documents as needed.

The Provider conducts KYC/KYB and security checks, which may include verifying other parties involved in transactions.

The Customer agrees to promptly provide requested information in an acceptable format. The Provider may verify information through third parties, including credit checks, and disclose relevant data for compliance purposes. Failure to provide or verify required information may result in suspension, limitation, or termination of Services.

Provider's Role and Communication

Direct communication with the Provider regarding unauthorized transactions does not imply its involvement in regulated financial activities. Customer acknowledges that Prometeo is not a licensed financial institution and relies on licensed partners/ providers for such activities.

Any communication regarding unauthorized transactions is solely for initial reporting. As a technology service provider, the Provider facilitates the transmission of such reports to its licensed partners, who are responsible for handling regulated activities in accordance with operational protocols and agreements.

Suspension of your access to the Services

The Provider may suspend or restrict the Customer’s access to the Services if it has reasonable grounds to believe that:

• The security of the account or the service of the banking provider has been compromised.
• There is unauthorized or fraudulent activity involving the account or the Services.
• The Customer has violated this Agreement, any applicable policies, or related documentation.
• The Customer has breached the Restrictions clause.
• The Customer is using the Services in a manner that interferes with Provider’s platform or adversely affects third parties.
• The Customer has failed to pay undisputed amounts within the applicable Payment Period, as outlined in the section about Non-Payment.

Provider will notify Customer of any suspension or restriction and the reasons for it as soon as reasonably possible, either prior to or promptly after it takes effect, unless such notification is prohibited by law or would compromise security.

The suspension will end once the Customer resolves the issue, including paying any overdue amounts if needed.

Additional Charges, Minimum Fees and Implementation Period

Depending on the contracted Services, additional fees may apply if usage exceeds the agreed limits. Any such charges, along with any applicable minimum monthly fees, will be specified in the Order Form.

If the parties agree on an implementation period, the default maximum will be two (2) months — unless a different timeline is stated in the Order Form.

If implementation is not completed by then:

• The Provider may reassign the team starting in the third month.
• The minimum monthly fee may start to apply.

Taxes

Payments must be made free of any deductions or withholdings unless required by law. If withholding is necessary, Customer must increase the payment so that Provider receives the full invoiced amount.

Billing and Payment Period

Invoices will always be issued as specified in the Order Form in USD. If a local currency is referenced, the official exchange rate from the previous business day before the invoice date will apply.

Payment must be made within 30 calendar days from the invoice date (the 'Payment Period').

API call pricing model

The pricing model for API calls may follow a tiered structure, where the unit price goes down as usage increases.

If applicable, the specific tiers and rates will be detailed in the Order Form.

The Provider may also apply flat or volume-based pricing, depending on the type of service and agreement with the Customer.

Payment Disputes

If the Customer disputes an invoice in good faith, it must notify the Provider within the Payment Period. The parties will work to resolve the dispute within 15 calendar days (Discussion Period). During this time, the Customer is not required to pay the disputed amount but must pay all undisputed amounts on time. If no resolution is reached after the Discussion Period, either party may pursue available legal remedies.

Non-Payment

If Customer fails to pay an undisputed invoice within the Payment Period, Provider may suspend services or terminate the Agreement,subject to the following conditions:

The Provider has sent two notifications:

• The first notifying of the outstanding balance.
• The second warning of potential suspension or termination, allowing 10 (calendar) additional days for payment.

The Customer has not paid within 10 (calendar) days of the second notification.

If services are suspended, access will be restored promptly upon full payment.

If the Agreement is terminated:

• Any applicable minimum monthly fee become immediately due.
• The Customer will not be entitled to any refunds.
• The Provider may recover outstanding amounts, including legal fees and collection costs.

Termination for breach

Either party can end this Agreement if the other seriously breaks its obligations. The terminating party must send written notice describing the issue. The breaching party has 30 calendar days to fix it.

If the issue isn’t fixed in time — or can’t be fixed — the Agreement ends at the end of that period, or immediately if the problem can’t be solved.

Termination for Regulatory Reasons

Either party may terminate this Agreement if a regulator or competent authority requires it, due to a legal or compliance issue that is attributable to the other party.

The terminating party must:

• Send a written notice explaining the situation, and
• Include any relevant documents that support the regulatory requirement.

If the issue can reasonably be solved without termination, both parties will work together to find a solution before ending the Agreement.

Termination by Notice

Either Party may terminate this Agreement for convenience by providing the other Party with no less than thirty (30) days’ prior written notice. This termination right may be exercised in light of legitimate business, strategic, or regulatory considerations, including product evolution, operational needs, or a material change in business conditions.

Termination under this clause shall not give rise to any indemnity, penalty, or compensation obligation for either Party. The terminating Party shall make reasonable efforts to ensure continuity during the notice period and to fulfill any outstanding obligations agreed before the termination date.

Effects of Termination

When this Agreement ends:

• The Customer must stop using the Services and delete or return any related materials.
• Any outstanding payments become due immediately.
• The Provider will not issue refunds for unused Services.

The following sections will remain in effect:

Intellectual Property, Confidentiality, Indemnity, Limitation of Liability, Dispute Resolution, and any others that by their nature should survive termination.

The Provider offers two main service verticals: (i) Data Services and (ii) Payment Services. The specific services within each vertical may evolve over time and will be detailed in the applicable Order Form. However, the following sections outline the general terms that govern each category.

Scope of service

The Provider grants the Customer access to its data services, including but not limited to Account Validation, Identity, Fiscal and Banking.

The specific functionalities, technical specifications, and usage limits applicable to the Customer will be detailed in the corresponding Order Form.

Account Validation

This service allows the Client to validate the status and ownership of the consulted bank or virtual account, as appropriate, aligned with the service documentation.

Identity

The Identity Validation API allows you to validate identification based on a unique attribute assigned to a person. Currently available: CURP API.

Fiscal

The Fiscal API allows you to obtain or validate tax and/or fiscal information from Tax Agencies, Fiscal or Government Entities. Currently available CEP API (Mexico) and BCU API (Uruguay).

Banking

The Banking API allows you to access your bank's information, such as balances, movements and accounts, with your authorization and in a structured and standardized way.

Usage Restrictions

The Customer agrees to use the data services strictly in accordance with the terms of this Agreement and all applicable laws and regulations.

The data services may be used solely for the purpose of validating bank account details of payees or beneficiaries in connection with payments or transfers to be made by the Customer. Such validation may occur in advance of the payment or transfer and need not be immediate, provided that it is reasonably connected to a legitimate transactional use.

The Customer can’t share, resell, or distribute any data from the Services to third parties unless we give written permission in advance.

The Customer is solely responsible for obtaining the appropriate consent from, or ensuring the informed awareness of, the bank account holder whose data is being validated, as required under applicable data protection laws.

Under no circumstances may the data be used for profiling, marketing, or any other purposes not expressly authorized under this Agreement.

Third-Party Data Sources

We obtain financial and banking data directly from third-party sources such as financial institutions, banks, open banking platforms, amongst others. We act solely in an advisory capacity, providing services for informational purposes only, and disclaim any liability regarding the accuracy or completeness of the validation responses. While we make reasonable efforts to ensure the accuracy and availability of the data, we cannot guarantee its completeness, accuracy, or real-time availability, as the information reflects the latest update made available by the source institution and is subject to the limitations of external providers.

For Informational Use Only

The services are provided solely for informational purposes and do not constitute, and shall not be construed as, financial, legal, tax, accounting, compliance, or any other form of professional advice. The Client acknowledges and agrees that certain information may originate from third-party sources and may include third-party content or opinions. The Provider makes no representations or warranties, express or implied, as to the accuracy, completeness, or timeliness of such information.

The Customer is fully responsible for any decisions made based on the information provided. The Provider is not liable for any loss or damage caused by those decisions.

Service Availability & Updates

The Provider reserves the right to modify, update, or discontinue certain data services or features. Updates may include:

• New functionalities or improvements.
• Changes in response to regulatory requirements.
• Discontinuation of specific data endpoints or integrations.

The Provider will notify the Customer of any material changes affecting the availability or functionality of the services within a reasonable timeframe, unless otherwise required by law or urgent security measures.

Billing for API Responses

The Customer acknowledges and agrees that queries made to the API in the production environment that generate a 200 response code (valid account) or 404 response code (invalid account) will be considered for service billing.

Scope of Service

The Provider grants the Customer access to its payment services, including, but not limited to, A2A (account-to-account), Borderless, and other related services that may apply depending on the specific operation. This service will enable the Customer to transact through the channels and in the countries made available by Prometeo may provide from time to time.

The specific functionalities, operational limits, and transaction types applicable to the Customer will be detailed in the corresponding Order Form. Service availability may vary by country over time, and the Provider will communicate any updates accordingly.

Account to account

Prometeo gives the Customer access to domestic account-to-account (A2A) payment services, which allow real-time bank transfers between end-users and merchants — no cards or intermediaries needed.

The service supports various integration methods, including embedded checkout via widget, Payment Link API or Payment Link non-code.

Borderless

Prometeo may facilitate access to local collection infrastructure through licensed third parties, enabling the Customer to collect funds in certain countries without requiring local legal incorporation, subject to applicable laws and operational feasibility. Settlement of such funds may occur locally or, in the case of cross-border payments, be requested in a different currency and to a destination of the Customer’s choice, provided the corresponding corridor is enabled and permitted by regulation.

Regulatory and Operational Framework

Prometeo is a technology provider and does not engage in financial intermediation. Certain services may be delivered through integrations with licensed third parties — such as financial institutions, payment processors, or local partners — depending on the service and jurisdiction.

The Customer is responsible for:

• Complying with all applicable laws and regulations, including KYC/AML requirements.
• Obtaining all required licenses, permits, or approvals to use the services as intended.
• Prometeo is not responsible for delays, limitations, or disruptions resulting from third-party infrastructure or legal constraints.

Fees

The applicable Order Form will specify the commercial terms for each Service, which may include, amongst others, one or more of the following:

• One-time setup fee, charged upon activation of the Service.
• Transaction fee, applicable to each processed transaction.
• Tiered pricing, subject to monthly transaction volume thresholds.
• Minimum monthly fee or minimum per-transaction fee, which may be offset based on actual usage.

Fees may vary depending on the type of Service contracted, the country of operation, and the operational model adopted by the Customer (e.g., use of virtual accounts, cross-border settlement, or currency conversion).

Fraud prevention and third-party errors

Fraud Prevention

The Customer is responsible for implementing and maintaining fraud detection and prevention measures in line with industry best practices. The Customer shall immediately notify the Provider upon detecting any fraudulent or suspicious activity related to the services under this Agreement.

Third-Party Errors

The Provider is not responsible for any damage, loss, or harm caused by third-party errors — whether or not those third parties work with us. This includes banks, payment networks, Users, the Customer’s customers, or external technology providers.

Collaboration and Incident Management

In cases of fraud or third-party errors, the Customer shall lead the investigation and resolution while collaborating with the Provider when necessary. The Customer must provide all relevant information to mitigate potential damages or losses.

Audit Rights

The Provider reserves the right to periodically audit the Customer’s use of the Services to verify compliance with fraud prevention and detection obligations. The Customer agrees to fully cooperate with such audits, including providing access to relevant documentation and information.

Liability Reference

The Provider’s liability regarding fraud and third-party errors is subject to the limitations established in the Liability & Indemnification section of this Agreement.

Unauthorized Transactions

If an unauthorized transaction takes place, the Provider may refund the amount to the Customer if:

• The Customer didn’t cause it through fraud or negligence.
• The Customer reported the issue promptly.
• The transaction didn’t use exposed or compromised credentials.

The Provider won’t be liable if:

• The Customer acted fraudulently.
• The Customer delayed reporting the issue.
• The security breach was due to gross negligence.

Chargebacks

If a chargeback, fraud case, or disputed transaction happens, the Provider may withhold, offset, or deduct amounts from future settlements to cover the related loss. This includes any charge or adjustment passed on by payment processors, banks, or other providers involved in the transaction.

The Customer is responsible for these losses if they are connected to its operations, transactions, or end users — even if the chargeback or claim was triggered by a third party.

The Customer must also send any documents or information needed to help resolve the issue.

Settlement period and Timing

Settlement timelines vary depending on the country, type of service, and operational setup. Funds may be settled in real time (T+0), on the next business day (T+1), or within two business days (T+2).

In some cases, settlements may be processed in periodic batches (e.g., daily or weekly), and may also be subject to cut-off times, compliance reviews, or minimum accumulated volume thresholds — especially when using virtual accounts for cross-border collection. As a result, settlement availability may not depend solely on time, but also on regulatory, operational, or commercial conditions.

Collection and Payment Mandate

If applicable and subject to applicable laws, the Customer may authorize Prometeo to collect payments or receive funds from third parties, and/or to make disbursements to third parties designated by the Client, in connection with the services provided. In such cases:

• Prometeo shall act solely as an intermediary or agent, under a collection mandate or similar arrangement, and shall not acquire ownership or control over the funds at any time;
• All funds received under this mandate shall be held in segregated accounts, separate from Prometeo’s own operational or corporate accounts, and shall not be commingled;
• Prometeo shall not be entitled to use, pledge, or dispose of the funds for any purpose other than carrying out the Client’s payment or disbursement instructions;
• Prometeo shall not be required to execute any disbursement unless sufficient funds have been made available in advance;
• The Customer remains solely responsible for compliance with any legal, regulatory, or tax obligations arising from the use of the service or from the disbursements made, including (but not limited to) reporting, withholding, and remittance of applicable taxes, and any licensing or registration requirements that may apply to the Client’s activities;
• Nothing in this Agreement shall be interpreted as Prometeo engaging in deposit-taking, fund custody, or any regulated financial activity, unless expressly authorized under applicable law.

For clarity, Prometeo acts in its own name but on behalf of the Customer, and shall not be deemed to represent or act in the name of the Client before third parties. Prometeo shall have no liability or obligation toward any third party recipient or payer, and any claims arising from the use of the service shall be directed exclusively to the Client.

Prometeo shall not be liable before regulatory authorities, financial institutions, or third parties for the use, destination, or final traceability of the funds collected or disbursed, as full responsibility for such matters rests exclusively with the Client.

Ownership of the solution and Services

The Provider retains all rights, title, and interest in and to the solution and Services, including, but not limited to:

• The software used to provide the Services.
• All graphics, user interfaces, logos, trademarks, and other materials related to PrometeoAPI.

This Agreement does not grant the Customer any ownership rights over the Provider’s intellectual property, except for the limited right to use the Services as expressly authorized in this Agreement and the applicable Order Form. The Customer acknowledges that PrometeoAPI and its components are protected by intellectual property laws and other applicable regulations.

Feedback

If the Customer provides the Provider with suggestions or ideas for improving the Services ("Feedback"), the Provider may use this Feedback freely, without restrictions or obligations. The Customer acknowledges that:

• Feedback will not be considered confidential.
• The Provider may use, modify, publish, or commercialize Feedback without compensation or credit to the Customer.
• Feedback will not be considered Customer’s trade secret.

Technology Provider

The Provider is a technology provider and does not engage in financial intermediation under any circumstances.

The technical documentation for the Services is available at: https://docs.prometeoapi.com/docs/te-damos-la-bienvenida-a-prometeo-docs.

Standard Product

The Services are provided as a standard API for all customers and do not constitute a customized solution. However, the parties may agree, through an Order Form, on additional customizations or functionalities, specifying applicable conditions such as timelines and pricing. Any customization will be subject to the Intellectual Property clause.

General

In the event of any disagreement arising from this Agreement, the parties agree to make reasonable efforts to reach an amicable resolution through the Dispute Resolution Process outlined below. This section does not limit either party’s right to seek urgent injunctive or interim relief when necessary.

Dispute Resolution Process

Either party may notify the other of a dispute at any time. The designated representatives of both Customer and Provider will discuss the matter in good faith to seek a mutual resolution.

If the dispute is not resolved within 15 business days of notification, each party must submit its position in writing to the other. Senior management representatives from both parties will then meet to discuss the conflict and explore possible solutions.

If the dispute remains unresolved after an additional 15 business days following the written submissions, either party may proceed with a claim in accordance with the following section.

Governing Law and Jurisdiction

The governing law and jurisdiction applicable to this Agreement shall depend on the contracting Provider entity. The following table outlines the applicable legal framework for each jurisdiction:

General Provisions

This Agreement shall be governed and interpreted according to the laws of the country where the contracting Provider entity is established, as specified in the applicable Order Form.

Any disputes arising from or related to this Agreement shall be subject to the exclusive jurisdiction of the courts listed in the table above.

If the applicable jurisdiction is not explicitly listed, the governing law and jurisdiction shall be those specified in the Order Form.