1. General Provisions
1.1. "Freedom Pay Kyrgyzstan" LLC (hereinafter — Payment Organization) is a legal entity registered under the laws of the Kyrgyz Republic, specializing in payment solutions for online businesses, carrying out activities on the basis of a License from the National Bank of the Kyrgyz Republic (hereinafter — National Bank, NBKR) as a payment organization. 
1.2. The Payment Organization, based on IT solutions provided by Technological Partners (a payment gateway and a hardware-software complex (HSC) that allows processing payer data on payments made using payment cards) and a banking acquiring services agreement concluded with the Acquiring Bank, provides the ability to carry out interaction between System participants according to unified standards and algorithms, regardless of the payment system through which the payment for the corresponding order (goods/service) is made. 
1.3. These Operating Rules of the payment organization (hereinafter — Rules) are an internal regulatory document of the Payment Organization and define:

• the architecture and operational scheme of the System;
• requirements for the use of secure communication channels;
• the procedure and procedures for participants joining and exiting the System;
• procedures for connecting participants and requirements for participants;
• the procedure for processing and clearing payments;
• requirements for physical and information security;
• criteria for uninterrupted functioning;
• reporting requirements for participants;
• the risk management system, including the model and measures for their mitigation;
• information protection requirements;
• dispute resolution procedures;
• emergency action procedures;
• participant notification procedures;
• rights, obligations, and liability of participants;
• tariff policy;
• measures to protect the rights of consumers of financial services. 

1.4. The Payment Organization carries out its activities in accordance with:

• The Law of the Kyrgyz Republic "On the National Bank of the Kyrgyz Republic";
• The Law of the Kyrgyz Republic "On the Payment System of the Kyrgyz Republic";
• The Law of the Kyrgyz Republic "On Countering the Financing of Criminal Activity and Legalization (Laundering) of Proceeds from Crime";
• The Regulation "On the regulation of the activities of payment organizations and payment system operators", approved by the Resolution of the Board of the NBKR dated September 30, 2019, No. 2019-P-14/50-2-(PS) (as amended on December 26, 2025, No. 2025-P-12/70-6-(PS));
• The Regulation "On minimum requirements for the organization of internal control in payment organizations and payment system operators for the purpose of countering the financing of criminal activities and the legalization (laundering) of proceeds from crime", approved by the Resolution of the Board of the NBKR dated August 19, 2020, No. 2020-P-14/46-4-(PS) (as amended on December 26, 2025, No. 2025-P-12/70-6-(PS));
• The Regulation "On minimum requirements for the provision of remote/distance service in the Kyrgyz Republic", approved by the Resolution of the Board of the NBKR dated April 15, 2015, No. 22/3 (as amended on December 26, 2025, No. 2025-P-12/70-6-(PS));
• The Regulation "On minimum requirements for the system of countering internal and external fraud (anti-fraud) in payment organizations/payment system operators of the Kyrgyz Republic", approved by the Resolution of the Board of the NBKR dated October 31, 2025, No. 2025-P-14/59-1-(PS));
• The Regulation "On minimum requirements for the minimum size of the authorized capital of payment organizations, operators of payment systems of settlements using electronic money", approved by the Resolution of the Board of the NBKR dated December 26, 2025, No. 2025-P-12/70-6-(PS) (material 129256);
• other normative legal acts of the Kyrgyz Republic and the National Bank of the Kyrgyz Republic (hereinafter — Applicable Requirements). 

1.5. Amendments and additions may be made to these Rules by the executive collegial body of the Payment Organization in order to:

• improve the quality of services provided;
• increase the efficiency and reliability of the System;
• comply with applicable requirements. 

1.6. In the event of contradictions between the provisions of these Rules and the requirements of the legislation of the Kyrgyz Republic, the norms of the legislation shall have priority.

2. Terms and Definitions
2.1. For the purposes of these Rules, the following terms and definitions are used:

• Payment Organization — "Freedom Pay Kyrgyzstan" LLC, a legal entity registered under the laws of the Kyrgyz Republic, carrying out activities on the basis of a License from the National Bank of the Kyrgyz Republic as a payment organization in accordance with Applicable Requirements.
• Technological Partner — a legal entity registered under the laws of the Kyrgyz Republic, acting on the basis of a License from the NBKR, providing IT solutions (payment gateway) that ensure the acceptance of payments by various payment methods and the corresponding HSC, with the help of which payments made by System participants are processed.
• System — a hardware-software complex provided by the Technological Partner to the Payment Organization on the basis of an Information and Technology Interaction Agreement, as well as related tools and resources used by System participants to provide services for the execution of a Payment Order.
• Acquiring Bank — a commercial bank of the Kyrgyz Republic with which the Payment Organization has concluded an agreement for the provision of banking acquiring services.
• Merchant — an online store/supplier of goods and/or works and/or services, in whose infrastructure a Payment Order is initiated.
• Payment Order — a request to conduct a transfer operation as payment or transfer of funds, initiated in the Merchant's infrastructure through the System.
• Payment System — a system for transferring funds that provides unified rules and standards for processing, accounting, and mutual settlement of operations, and authorizes a specific method of executing a Payment Order, including international payment systems VISA, MasterCard Worldwide, and others.
• Personal Account (Dashboard) — a specialized section of the Merchant in the System, which displays information on operations carried out to execute Payment Orders.
• Agent — a legal entity or an individual entrepreneur who has concluded an agency agreement with the Payment Organization on carrying out activities for receiving payments from individuals and legal entities in favor of suppliers of goods, works, and services.
• Subagent — a legal entity or an individual entrepreneur involved by the Agent to perform functions for receiving payments on the basis of a corresponding agreement.
• Agreement — a contract concluded between the Payment Organization and the Merchant, defining the terms and conditions for providing payment acceptance services.
• Applicable Requirements — legislation of the Kyrgyz Republic, normative legal acts of the National Bank of the KR, rules and standards of the Payment Systems used, and accepted contractual obligations. 

2.2. Other terms and definitions not defined in these Rules are used in the meaning established by the legislation of the Kyrgyz Republic and normative legal acts of the National Bank of the KR.

3. System Architecture and Operational Scheme
3.1. The System is a multi-level payment infrastructure that ensures the receipt, processing, and routing of payments from payers in favor of Merchants. 
3.2. The System architecture includes the following main components:

• payment gateway — an interface for receiving and routing payment requests;
• hardware-software complex (HSC) — a system for processing payment transactions;
• participant management system — a database of Merchants, their details, and settings;
• security and monitoring module — an anti-fraud system;
• reporting system — generation of reports for participants and regulators;
• communication channels with the Acquiring Bank and international payment systems. 

3.3. Operational scheme of the System:

• 3.3.1. Payment initiation: The Payer initiates a payment on the Merchant's website or application.
• 3.3.2. Data transfer: Payment data is transmitted via a secure connection (TLS/SSL) to the System's payment gateway.
• 3.3.3. Security check: The HSC conducts a check for fraudulent operations using the anti-fraud system.
• 3.3.4. Authorization: The authorization request is transmitted through the Acquiring Bank to the corresponding payment system (VISA, MasterCard, etc.).
• 3.3.5. Response processing: The authorization result is returned through the chain: payment system → Acquiring Bank → System → Merchant → Payer.
• 3.3.6. Operation execution: upon successful authorization, the operation is recorded in the System, and the Payer receives confirmation.
• 3.3.7. Clearing and settlement: registries of operations are formed daily for mutual settlements with participants.

3.4. All components of the System function in real-time and ensure payment processing 24/7.

4. Procedure and Procedures for Participants Joining and Exiting the System
4.1. The procedure for connecting a Merchant to the System consists of the following conditional stages:

• Application registration
• Access to the personal account
• Filling out the questionnaire
• Collection of a package of documents
• Verification
• Conclusion of the Agreement
• Integration
• Setting transaction processing parameters
• Testing
• Activation of "live mode" 

4.2. Connection of the Merchant to the System is carried out under the following conditions:

• 4.2.1. Application registration: The Merchant initiates connection to the System using the corresponding application functionality on the Website. The System automatically registers the Merchant's application and sends confirmation to the email address specified during application. The Merchant agrees to the collection and processing of personal data.
• 4.2.2. Access to the Personal Account: The registration confirmation contains instructions, an identifier, and a temporary password. The Merchant logs in, changes the temporary password, and proceeds to fill out the questionnaire.
• 4.2.3. Filling out the questionnaire: The Merchant fills out questionnaires in the Personal Account in accordance with the requirements of the current legislation of the KR on AML/CFT. The Merchant may contact System support for assistance.
• 4.2.4. Collection of a package of documents: The Merchant provides a package of documents in accordance with AML/CFT legislation. Primary submission is done by uploading scans or copies in the Personal Account.
• 4.2.5. Verification: The Payment Organization checks the completeness and compliance of the documents. If necessary, additional documents are requested. The Merchant is informed of the verification result.
• 4.2.6. Conclusion of the Service Agreement: In case of a positive result, the Merchant concludes the Agreement. The Merchant provides original documents in accordance with the requirements of the current legislation of the KR.
• 4.2.7. Integration: The Payment Organization provides integration documentation and assists if necessary. The Merchant performs the integration.
• 4.2.8. Setting transaction processing parameters: The Payment Organization configures the Merchant's transaction parameters in accordance with the Agreement and Applicable Requirements.
• 4.2.9. Testing: Initially, a test mode is established. The Merchant conducts test operations, identifies errors, and eliminates them on their side. The Payment Organization does the same on its side.
• 4.2.10. Activation of "live mode": After all errors are eliminated, the "live mode" for conducting operations is activated. 

4.3. The procedure for disconnecting a Merchant from the System consists of the following conditional stages:

• Notification of termination of the Agreement
• Blocking of operations
• Conduct of mutual settlements
• Blocking access to the Personal Account
• Storage of documents

4.3.1. Disconnection is carried out under the following conditions:

1. Notification of termination: The party initiating disconnection sends a notice in accordance with the Agreement terms, specifying the date and grounds.

• 4.3.2. Blocking of operations: The party initiating disconnection blocks operations. The receiving party blocks operations from the date of receipt of the notice, unless otherwise specified.
• 4.3.3. Conduct of mutual settlements: After blocking, the parties perform reconciliation and subsequent mutual settlement within the period specified in the Agreement.
• 4.3.4. Blocking access to the Personal Account: The Agreement is considered terminated upon completion of mutual settlements. Access to the Personal Account is then blocked.
• 4.3.5. Storage of data and documents: After termination, the System Operator stores data and documents for the period established by Applicable Requirements.

5. Requirements for the Use of Secure Communication Channels
5.1. All data transfer between System components and participants is carried out via secure communication channels using cryptographic protocols. 
5.2. Requirements for secure communication channels:

• use of TLS protocol version 1.2 and higher for data transmission over the Internet;
• application of security certificates issued by trusted certification centers;
• encryption of all payment data during transmission using encryption algorithms not lower than AES-256;
• use of secure VPN connections for communication with the Acquiring Bank and Technological Partner;
• tokenization of confidential payment data (card numbers, CVV codes);
• application of digital signature mechanisms to ensure data integrity and authenticity. 

5.3. Requirements for Merchants to ensure the security of communication channels:

• use of only HTTPS protocol on payment pages;
• installation and timely update of valid SSL/TLS certificates on their web resources;
• regular software updates to eliminate vulnerabilities;
• application of secure methods for storing credentials for access to the System;
• prevention of transmission of confidential data via unsecured communication channels. 

5.4. The Payment Organization carries out:

• constant monitoring of communication channel security;
• regular vulnerability checks;
• updating cryptographic protocols in accordance with best practices;
• monitoring Merchants' compliance with security requirements. 

5.5. In case of violation of security requirements, the Payment Organization has the right to suspend service until the violations are eliminated. 
5.6. The Payment Organization ensures compliance of communication channels with PCI DSS requirements.

6. Procedure for Processing and Clearing Payments
6.1. Payment processing is carried out in real-time and includes:

• reception and validation of payment data;
• checking data for compliance with security requirements;
• transmission of the authorization request to the payment system through the Acquiring Bank;
• reception and processing of the authorization response;
• recording the operation result in the System database;
• notifying the Merchant and Payer of the operation status.

 6.2. Clearing (mutual settlements) is carried out:

• on a daily basis — formation of registries of successfully conducted operations;
• transmission of registries to the Acquiring Bank for settlements;
• receipt of funds from the Acquiring Bank to the Payment Organization's settlement account;
• transfer of funds to Merchants in accordance with the terms of the Agreements, minus commissions;
• formation of reconciliation acts and reporting for participants. 
• 6.3. Terms of mutual settlements are established in the Agreements with Merchants and depend on the type of operations and terms of work with the Acquiring Bank.

7. Risk Management System
7.1. The Payment Organization applies a comprehensive risk management system aimed at identifying, assessing, monitoring, and reducing the following types of risks:

• operational risk — the risk of System failures;
• fraud risk — the risk of fraudulent operations;
• cybersecurity risk — the risk of unauthorized access;
• AML/CFT risk — the risk of using the System for money laundering or terrorist financing;
• reputational risk — the risk of loss of reputation;
• liquidity risk — the risk of insufficient funds for settlements. 

7.2. Risk mitigation measures include:

• implementation of an anti-fraud monitoring system;
• application of a multi-level security system for the IT infrastructure;
• conducting proper customer due diligence (identification, verification);
• setting limits on operations and reserving funds;
• regular testing and auditing of the System;
• risk insurance;
• training personnel in risk detection and prevention methods. 

7.3. The Payment Organization annually conducts a risk assessment and updates the risk management model.

8. Requirements for Physical and Information Security
8.1. Physical security:

• server equipment is placed in certified data centers with access control systems;
• redundant power supply and climate control systems are provided;
• video surveillance and logging of access to server rooms are maintained;
• backup copies of data are stored in geographically remote locations. 

8.2. Information security:

• a multi-level protection system against unauthorized access is applied;
• firewalls and intrusion detection/prevention systems (IDS/IPS) are used;
• data encryption during storage and transmission is carried out;
• multi-factor authentication (MFA) is applied for access to critical systems;
• regular software updates and vulnerability elimination are conducted;
• logging of all operations and system access is maintained;
• security monitoring is carried out 24/7. 

8.3. The Payment Organization ensures compliance with PCI DSS requirements and undergoes regular audits.

9. Criteria for Uninterrupted Functioning
9.1. The System ensures uninterrupted functioning and service availability in accordance with the following criteria: 
9.2. System availability indicators:

• System availability not less than 99.5% of the time per month (excluding planned maintenance);
• maximum time of unplanned breaks in operation no more than 4 hours per month;
• recovery time after a failure no more than 2 hours;
• average processing time for one transaction no more than 3 seconds. 

9.3. Planned technical maintenance:

• conducted at night (from 00:00 to 06:00 Bishkek time);
• participants are notified at least 72 hours in advance;
• duration does not exceed 4 hours;
• conducted no more than once a month (except for emergencies). 

9.4. Measures to ensure continuity:

• redundancy of critical components (servers, network equipment, communication channels);
• geographical distribution of servers and storage systems;
• automatic failover to backup systems;
• daily data backup with storage of copies for at least 30 days;
• availability of Disaster Recovery Plans (DRP);
• regular testing of recovery procedures (at least once a quarter). 

9.5. Performance monitoring:

• 24/7 monitoring of the System status;
• automatic notification of technical personnel of incidents;
• registration of all incidents in an incident log;
• analysis of incident causes and prevention measures. 

9.6. The Payment Organization quarterly analyzes continuity indicators.

10. Reporting Requirements for Participants
10.1. The Payment Organization provides the following types of reporting to Merchants: 
10.2. Current reporting (available in real-time via the Personal Account):

• information on payments (date, time, amount, status, transaction ID);
• details on refunds and chargebacks;
• data on accrued commissions;
• balance of funds for transfer;
• transaction statistics for a selected period. 

10.3. Periodic reporting:

• daily reports on operations (generated automatically);
• weekly summary reports;
• monthly reports with full details;
• monthly reconciliation acts. 

10.4. Reporting format:

• electronic format (PDF, XLSX, CSV);
• available for download via Personal Account;
• can be sent via email upon request;
• automatic report sending can be configured. 

10.5. Requirements for Merchants' reporting:

• monthly confirmation of reconciliation acts within 5 working days of receipt;
• immediate notification of discrepancies;
• provision of supporting documents upon request;
• maintaining own records for reconciliation. 

10.6. Reporting to regulatory bodies:

• The Payment Organization provides reporting to the NBKR as required;
• Merchants must provide information for regulatory reporting if necessary. 

10.7. The storage period for reporting is at least 5 years.

11. Information Protection Requirements
11.1. The Payment Organization ensures the protection of participant and payer information in accordance with KR legislation and international standards. 
11.2. Information protection measures:

• classification of information by confidentiality levels;
• restriction of access based on the principle of least privilege;
• multi-factor authentication for critical systems;
• encryption of personal and payment data;
• strong password policies;
• access logs stored for at least 1 year. 

11.3. Personal data protection:

• processing in accordance with the KR Law "On Personal Data";
• obtaining consent from data subjects;
• ensuring rights to access, correction, and deletion;
• appointment of a responsible person for data processing. 

11.4. PCI DSS Compliance:

• compliance with all PCI DSS requirements;
• annual certification;
• regular security audits and penetration testing. 

11.5. Personnel training: Mandatory training on security during hiring and annually. 
11.6. Requirements for Merchants: compliance during integration, non-disclosure of credentials, immediate notification of incidents, protection of their own clients' personal data, and no storage of full card data. 
11.7. Actions in case of security incidents:

• 11.7.1. In case of leakage, the Payment Organization: takes localization measures, assesses the scale, notifies data subjects (within 72 hours), notifies the NBKR, and minimizes consequences.

12. Dispute Resolution Procedures
12.1. Disputes are resolved through negotiations. 
12.2. Claim consideration procedure: Written claims are considered within 10 working days. 
12.3. Disputes on payment operations: Technical errors are corrected within 3 working days. Additional investigation may involve the Acquiring Bank. 
12.4. Disputes with payers: Merchants handle product/service quality issues; the Payment Organization handles technical payment issues. Payer claims are considered within 15 working days. 
12.5. Chargeback procedure: The Payment Organization notifies the Merchant within 1 working day of receiving a chargeback notice. The Merchant has 5 working days to provide documents to contest. Final decisions are made by the payment system (usually 30-45 days). 
12.6. If unresolved, disputes are referred to the court at the location of the Payment Organization. 
12.7. Contact: support@freedompay.kg.

13. Action Procedures in Emergency Situations
13.1. Emergency situations include technical failures, cyberattacks, leaks, force majeure, mass fraud, or bank failures.
13.2. Technical failures: immediate notification, activation of Disaster Recovery Plan, switching to backup systems, informing participants. 
13.3. Cyberattacks: isolation of systems, activation of IR protocols, notification of NBKR and law enforcement, evidence preservation. 
13.4. Information leakage: source blocking, scale assessment, notification of subjects (within 72 hours) and NBKR. 
13.5. Force majeure: activation of Business Continuity Plan, remote work organization. 
13.6. Coordination is handled by an anti-crisis headquarters. 
13.7. Readiness is tested annually. 
13.8.Merchants must have their own emergency action plans.

14. Participant Notification Procedures
14.1. The Organization must timely inform participants of significant changes. 
14.2. Methods: Email, Personal Account notifications, website news, SMS (critical), or phone calls. 
14.3. Notification timelines:

• changes in Rules — at least 10 working days;
• change in tariffs — at least 30 calendar days;
• planned maintenance — at least 72 hours;
• unplanned breaks — immediately;
• technical/API changes — at least 5 working days;
• security incidents — immediately (max 24 hours). 

14.4–14.5. Notifications must contain descriptions, dates, and required actions. 
14.6. Merchants must check notifications and update contact details. 
14.7. Email notifications are considered delivered after 24 hours. 
14.8. Lack of reaction does not exempt the participant from compliance.

15. Rights, Obligations, and Liability
15.1. The Payment Organization has the right to: accept payments, involve agents, receive fees, suspend service for violations, and request documentation. 
15.2. The Payment Organization is obliged to: ensure functioning, transfer funds timely, ensure PCI DSS security, and provide technical support. 
15.3. The Merchant has the right to: receive payments, reporting, and technical support. 
15.4. The Merchant is obliged to: provide accurate data, notify of changes, pay fees, return erroneous funds (within 3 working days), and comply with security. 
15.5. Liability of the Payment Organization: responsible for delays (if at fault) and technical failures. Liability is limited to actual damage (excludes lost profit). 
15.6. Liability of the Merchant: responsible for inaccurate info, security breaches, quality of goods, and chargebacks. 
15.7. Penalties for breach are provided in the Agreement. 
15.8. Force majeure exempts parties from liability.

16. Tariff Policy
16.1. Commissions are set individually in the Agreement. 
16.2. Factors: transaction type, volume, payment method, turnover, and risk level. 
16.3. Structure: percentage, fixed fee, combined, or subscription fee. 
16.4. Tariff changes: By agreement OR unilaterally by the Payment Organization with 30 calendar days' notice. Merchant may terminate the Agreement if they disagree. 
16.5. Commissions are deducted automatically from transfers. 
16.6. Commissions are generally not returned upon refund to the payer.

17. Measures to Protect the Rights of Financial Service Consumers
17.1. Protection through: security, clear information on fees, complaint handling, and support. 
17.2. Payment pages must show info on fees and Provide payment confirmation. 
17.3. Merchant duties: provide accurate info on goods, handle refunds, and consider complaints. 
17.4. Refund procedure: Technical return via the System to the original instrument (3-30 working days). 
17.5. Complaints: Considered within 15 working days. Written response provided.

18. Final Provisions
18.1. Rules are effective from approval by the executive body. 
18.2. Changes are communicated at least 10 working days in advance. 
18.3. Published at www.freedompay.kg. 
18.4. Unregulated issues are governed by Agreements and KR Law. 
18.5.Rules are binding for employees and participants. 
18.6. Severability: invalidity of one provision does not affect others.
18.7. Drafted in Russian. In case of discrepancy with translations, the Russian text prevails.