Code of Conduct

Last Updated: December 2025

Introduction

This Code of Conduct establishes the acceptable use policies, prohibited activities, and enforcement mechanisms for the x402 Payment Processing Service platform and API. All users, developers, and organizations using our services are required to comply with this code of conduct.

Scope: This code of conduct applies to:

All API usage (REST and GraphQL endpoints)
Platform usage (Admin Portal, Developer Portal, and related services)
All interactions with our payment processing infrastructure
All data handling and storage practices

By using our services, you agree to abide by this code of conduct. Violations may result in warnings, suspension, or termination of access to our services.

API Usage Policies

Acceptable Use

When using our REST and GraphQL APIs, you must:

1. Rate Limiting Compliance

Adhere to all rate limiting restrictions:

Per-API-key: 1000 requests per 15 minutes
Authentication endpoints: 5 requests per 15 minutes
GraphQL: 20 queries per 10 seconds, 10 mutations per 10 seconds
Do not attempt to circumvent rate limits through multiple API keys, IP rotation, or other means

2. API Key Security

Keep your API keys confidential and secure
Never commit API keys to version control systems
Rotate API keys regularly and immediately revoke compromised keys
Use environment-specific keys (sandbox vs. production) appropriately
Do not share API keys between applications or users

3. Request Standards

Use HTTPS for all API requests
Implement proper error handling and retry logic
Use idempotency keys for all payment operations
Respect request size limits (1MB maximum)
Include appropriate headers and content types

4. Webhook Usage

Verify webhook signatures to ensure authenticity
Implement secure webhook endpoints (HTTPS required)
Handle webhook failures gracefully with retry logic
Do not use webhooks for unauthorized data collection

5. Payment Processing

Only process legitimate transactions
Obtain proper authorization from payment recipients
Use appropriate payment schemes (exact vs. upto) correctly
Provide accurate metadata for all transactions
Comply with all applicable financial regulations

Prohibited API Activities

The following activities are strictly prohibited:

API Abuse: Scraping, excessive automated requests, or any activity that degrades service performance
Rate Limit Circumvention: Attempting to bypass rate limits through any means
Unauthorized Access: Attempting to access APIs without valid authentication
Data Mining: Unauthorized collection or extraction of data from our APIs
Reverse Engineering: Attempting to reverse engineer our API protocols or security measures
Service Disruption: Any activity that disrupts, damages, or interferes with our services

Platform Usage Policies

Admin Portal Guidelines

When using the Admin Portal, you must:

1. Account Security

Use strong passwords (minimum 12 characters with complexity requirements)
Enable multi-factor authentication when available
Do not share account credentials
Report suspicious account activity immediately

2. Data Access

Only access data necessary for your legitimate business purposes
Do not access, modify, or delete data belonging to other users
Respect data privacy and confidentiality requirements
Comply with all applicable data protection regulations

3. Account Management

Maintain accurate account information
Update contact information promptly
Respond to account verification requests in a timely manner
Notify us immediately of any account security breaches

Developer Portal Guidelines

When using the Developer Portal, you must:

Documentation Usage: Use documentation and examples for legitimate integration purposes only
API Key Management: Create and manage API keys responsibly
Testing: Use sandbox/test environments for development and testing
Support: Follow appropriate channels for support requests

Prohibited Activities

The following activities are strictly prohibited across all platform services:

Fraudulent Transactions

Processing fraudulent or unauthorized payments
Chargeback fraud or abuse
Payment manipulation or tampering
Creating fake transactions or test data in production
Money laundering or terrorist financing

Security Violations

Unauthorized access attempts
Hacking, cracking, or exploiting security vulnerabilities
Distributed Denial of Service (DDoS) attacks
Malware distribution or phishing attempts
Social engineering attacks

Data Misuse

Unauthorized data collection or harvesting
Selling or sharing user data without authorization
Violating data privacy regulations (GDPR, CCPA, etc.)
Storing sensitive data insecurely
Failing to implement proper data retention and deletion

Illegal Activities

Any activity that violates applicable laws or regulations
Processing payments for illegal goods or services
Violating intellectual property rights
Engaging in discriminatory practices
Violating export control or sanctions regulations

Payment-Specific Restrictions

Prohibited Payment Types

The following payment types are strictly prohibited:

Payments for illegal goods or services
Payments related to gambling or betting (where prohibited by law)
Payments for adult content involving minors
Payments for weapons, drugs, or other controlled substances
Payments that violate sanctions or embargoes
Payments for pyramid schemes or other fraudulent business models

Financial Regulations Compliance

All users must comply with:

Anti-Money Laundering (AML): Report suspicious transactions and maintain proper records
Know Your Customer (KYC): Provide accurate identity and business information
Sanctions Compliance: Do not process payments involving sanctioned individuals, entities, or countries
Tax Compliance: Comply with all applicable tax reporting and withholding requirements
Consumer Protection: Comply with consumer protection laws and regulations

Payment Processing Requirements

Obtain proper authorization before processing payments
Provide clear transaction descriptions and receipts
Handle refunds and disputes in accordance with applicable regulations
Maintain accurate transaction records
Comply with payment network rules and regulations

Data Handling Requirements

Data Privacy Obligations

All users must:

Privacy Compliance: Comply with applicable data protection laws (GDPR, CCPA, etc.)
Data Minimization: Only collect and process data necessary for legitimate purposes
User Consent: Obtain proper consent before collecting or processing personal data
Data Security: Implement appropriate security measures to protect data
Breach Notification: Report data breaches promptly in accordance with applicable laws

PCI DSS Compliance

When handling payment card data:

Do not store full payment card numbers unless absolutely necessary
Use PCI DSS compliant systems and processes
Implement proper encryption for card data at rest and in transit
Restrict access to card data to authorized personnel only
Maintain proper audit logs and monitoring

Data Retention and Deletion

Retain data only as long as necessary for legitimate business purposes
Delete data promptly when no longer needed
Comply with data deletion requests from users
Implement secure data deletion procedures
Maintain proper data retention policies

Security Best Practices

Use strong encryption for sensitive data
Implement proper access controls and authentication
Regularly update and patch systems
Monitor for security threats and vulnerabilities
Conduct regular security audits and assessments

Enforcement

Violation Consequences

Violations of this code of conduct may result in:

Warning: First-time minor violations may result in a written warning
Suspension: Temporary suspension of API or platform access for repeated or serious violations
Termination: Permanent termination of access for severe violations or repeated offenses
Legal Action: We reserve the right to pursue legal action for violations that cause harm or violate laws

Account Review Process

When a violation is detected:

We will investigate the reported violation
We may temporarily suspend access during investigation
We will notify the account holder of the violation and investigation
We will provide an opportunity to respond and provide additional information
We will make a determination based on the severity and circumstances
We will notify the account holder of the decision and any consequences

Appeal Procedures

If you believe a violation determination or enforcement action is incorrect:

Submit an appeal in writing within 30 days of the decision
Provide detailed information supporting your appeal
Include any relevant documentation or evidence
Appeals will be reviewed by a separate team member
You will receive a written response within 14 business days
The appeal decision is final

Reporting Violations

How to Report

If you become aware of a violation of this code of conduct:

Email: Send a detailed report to security@billmyagent.ai
Include:
- Description of the violation
- Relevant account information or API keys (if applicable)
- Evidence or documentation
- Your contact information
Confidentiality: Reports will be handled confidentially to the extent possible

Response Timeline

Initial Response: Within 72 hours of receiving a report
Investigation: Typically completed within 7-10 business days
Resolution: Action taken within 14 business days of investigation completion
Updates: Regular updates provided during extended investigations

Contact Information

For questions about this code of conduct or to report violations:

Email: security@billmyagent.ai
Security Issues: security@billmyagent.ai
General Inquiries: support@billmyagent.ai

Updates and Changes

Change Notification

We may update this code of conduct from time to time. When we make changes:

We will post the updated version on our website and documentation
We will notify users via email for material changes
We will provide at least 30 days notice for significant changes
Continued use of our services after changes constitutes acceptance

Version History

Version 1.0 (Initial Release): Establishes comprehensive code of conduct for platform and API usage

Questions

If you have questions about this code of conduct, please contact us at support@billmyagent.ai.