COMPLIANCE

AML / KYC Policy

Operator: PaxLabs Inc., a Delaware corporation ("PaxLabs," "we," "us," or the "Operator")
Settlement Infrastructure: ChainFlow Inc., a Delaware corporation ("ChainFlow")
Applies to: Use of the Services to the extent they involve identity verification, value transfer, settlement, fiat or digital-asset on/off-ramps, or other activity subject to anti-money-laundering, counter-terrorist-financing, and sanctions obligations.
Version: 1.0
Effective Date: June 10, 2026

1 Purpose and Commitment

1.1 PaxLabs Inc. is committed to preventing the use of the Services for money laundering, terrorist financing, sanctions evasion, proliferation financing, bribery, corruption, fraud, and other financial crime. This AML/KYC Policy (the "Policy") describes the risk-based controls applied across the Paxeer ecosystem's operated services, including the Deus marketplace, the Matrix agentic infrastructure, and the settlement infrastructure operated by ChainFlow Inc.

1.2 This Policy supplements the Terms of Service and is incorporated by reference into the Terms. It should be read together with the Acceptable Use Policy, the AI Agent Responsible Use Policy, the Machine-to-Machine (M2M) Agreement, the Privacy Policy, and the Compliance Statement. Capitalized terms not defined here have the meanings given in the Terms of Service.

1.3 Regulatory framework. This Policy is designed to address the requirements of applicable anti-money-laundering, counter-terrorist-financing, and sanctions laws, including:

  • (i) The U.S. Bank Secrecy Act ("BSA") and its implementing regulations, as administered by the Financial Crimes Enforcement Network ("FinCEN");
  • (ii) U.S. sanctions programs administered by the Office of Foreign Assets Control ("OFAC");
  • (iii) The EU Anti-Money Laundering Directives (including Directive (EU) 2015/849, as amended) and related regulations;
  • (iv) The UK Money Laundering, Terrorist Financing, and Transfer of Funds Regulations;
  • (v) The Financial Action Task Force ("FATF") Recommendations, including the Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs;
  • (vi) The EU Markets in Crypto-Assets Regulation ("MiCA"), to the extent it imposes AML-related obligations on crypto-asset service providers; and
  • (vii) Other applicable national and supranational AML/CFT laws in jurisdictions where the Services are offered.

1.4 Licensing and registration. This Policy does not, by itself, determine which money-transmission, money-services-business ("MSB"), virtual-asset-service-provider ("VASP"), or crypto-asset-service-provider ("CASP") registrations or licenses are required. Those determinations are made with qualified counsel on a jurisdiction-by-jurisdiction basis. [Counsel and compliance to confirm registration and licensing status — including FinCEN MSB registration, applicable U.S. state money-transmitter licenses, MiCA CASP authorization, and local VASP registrations — before operating regulated activity in each jurisdiction.]

2 Scope and the Decentralization Boundary

2.1 What this Policy covers.

This Policy applies to the services PaxLabs and ChainFlow operate and control — specifically:

  • (i) Account onboarding, identity verification, and customer due diligence;
  • (ii) Settlement and transaction-processing infrastructure operated by ChainFlow;
  • (iii) Fiat or digital-asset on-ramps and off-ramps, where offered;
  • (iv) The Deus marketplace, to the extent marketplace functions constitute regulated activity;
  • (v) The Credit Ledger and metered-usage billing systems;
  • (vi) Any other service or feature designated by PaxLabs as subject to AML/KYC requirements.

2.2 What this Policy does not cover.

The Paxeer Network is a decentralized protocol. Self-custodied wallets and peer-to-peer Onchain Activity that does not pass through PaxLabs-operated or ChainFlow-operated infrastructure are not custodied or intermediated by PaxLabs. This Policy applies to the services PaxLabs and ChainFlow operate, not to the underlying protocol's deterministic, permissionless behavior. PaxLabs does not control the Network's consensus, validator set, or the execution of third-party smart contracts.

2.3 Agent and M2M activity.

Where Agents or M2M interactions engage in activity that constitutes or facilitates value transfer, settlement, or other regulated activity through PaxLabs-operated or ChainFlow-operated infrastructure, this Policy applies to the Operator of the Agent. The Operator is responsible for ensuring that its Agent's activity complies with this Policy, including sanctions screening, transaction-monitoring obligations, and cooperation with verification requirements.

3 Risk-Based Approach

3.1 Risk Assessment Framework.

PaxLabs applies a risk-based approach to AML/CFT controls, calibrating the nature and intensity of due-diligence measures and monitoring to the assessed risk across the following dimensions:

  • (i) Customer risk — the nature of the User (individual, entity, regulated institution, PEP, correspondent relationship), the User's source of funds and wealth, transaction history, and behavioral indicators;
  • (ii) Product and service risk — the nature of the Service used (marketplace, settlement, on/off-ramp, API hosting, Agent deployment), the potential for anonymity, and the speed and irreversibility of transactions;
  • (iii) Geographic risk — the jurisdiction of the User's residence, incorporation, or activity, including proximity to comprehensively sanctioned jurisdictions, FATF grey-list or black-list jurisdictions, and jurisdictions with known AML/CFT deficiencies;
  • (iv) Channel risk — the method of onboarding and interaction (remote, non-face-to-face, automated, agent-mediated); and
  • (v) Transaction risk — transaction volume, frequency, value, patterns, counterparty relationships, and consistency with the User's profile.

3.2 Risk Tiering.

Based on the assessment of the factors above, Users and relationships are assigned a risk tier:

  • (i) Standard risk — Users that present a normal risk profile and are subject to standard due-diligence and monitoring measures;
  • (ii) Elevated risk — Users that present one or more elevated risk indicators and are subject to enhanced due-diligence measures and more frequent monitoring; and
  • (iii) Prohibited — Users, jurisdictions, or activity types that are prohibited outright under this Policy, applicable law, or PaxLabs' risk appetite.

3.3 Periodic Review.

The risk assessment is documented, reviewed, and updated: (a) at least annually; (b) upon material changes to products, services, markets, or customer base; (c) upon material changes in the threat landscape or typology guidance from regulators or FATF; and (d) following any significant compliance incident.

4 Customer Identification and Due Diligence

4.1 When Verification Is Required.

Users must complete identity verification before accessing regulated features of the Services. Verification may also be required: (a) when a User's activity exceeds defined thresholds; (b) when a User's risk profile changes; (c) when triggered by transaction-monitoring alerts; (d) upon periodic review; or (e) as required by applicable law.

4.2 Individual Users — Standard Due Diligence (CDD).

For individual Users, standard CDD includes the collection and verification of:

  • (i) Full legal name;
  • (ii) Date of birth;
  • (iii) Residential address;
  • (iv) Government-issued identification document (passport, national identity card, or equivalent);
  • (v) Any additional identifiers required by applicable law (e.g., tax identification number, social security number); and
  • (vi) Screening against applicable sanctions, watchlists, and PEP databases (Section 5).

Verification is performed using reliable, independent sources, which may include government-issued identity documents, authoritative databases, electronic verification services, and third-party identity-verification providers.

4.3 Entity Users — Standard Due Diligence (CDD).

For entity Users (corporations, partnerships, LLCs, DAOs with legal personality, trusts, and other legal arrangements), standard CDD includes:

  • (i) Full legal name and any trading names;
  • (ii) Jurisdiction and date of formation or incorporation;
  • (iii) Registered address and principal place of business;
  • (iv) Formation and organizational documents (certificate of incorporation, articles, operating agreement, or equivalent);
  • (v) Identification of beneficial owners — individuals who directly or indirectly own or control twenty-five percent (25%) or more of the entity, or who otherwise exercise significant control, consistent with applicable beneficial-ownership requirements (including FinCEN's Beneficial Ownership Rule and the EU's beneficial-ownership directives);
  • (vi) Verification of the identity of each identified beneficial owner and at least one authorized representative, using the individual CDD procedures in Section 4.2;
  • (vii) Proof of authority of the individual acting on behalf of the entity (board resolution, power of attorney, or equivalent); and
  • (viii) Screening of the entity and its beneficial owners against applicable sanctions, watchlists, and PEP databases (Section 5).

4.4 Enhanced Due Diligence (EDD).

Enhanced due diligence is applied to Users and relationships that present elevated risk, including:

  • (i) Politically exposed persons ("PEPs"), their family members, and close associates;
  • (ii) Users located in, operating from, or transacting with counterparties in FATF grey-list or black-list jurisdictions, or jurisdictions with known AML/CFT deficiencies;
  • (iii) Users with complex or opaque ownership structures;
  • (iv) Users whose transaction patterns are unusual, inconsistent with their profile, or involve unusually high values;
  • (v) Correspondent or nested relationships with other VASPs or financial institutions; and
  • (vi) Any other situation where the risk assessment indicates elevated risk.

EDD measures may include, as appropriate:

  • (i) Source-of-funds and source-of-wealth inquiry, including supporting documentation;
  • (ii) Purpose and intended nature of the business relationship;
  • (iii) Senior management approval for onboarding or continuation of the relationship;
  • (iv) Increased frequency of periodic reviews and ongoing monitoring;
  • (v) Additional documentary evidence of identity, address, and beneficial ownership; and
  • (vi) Independent verification of information provided.

4.5 Simplified Due Diligence (SDD).

Where permitted by applicable law and where the risk assessment supports it, simplified due-diligence measures may be applied to lower-risk Users, products, or jurisdictions. SDD does not eliminate the obligation to identify the User and screen against sanctions lists. SDD is not available where the User is located in or connected to a high-risk jurisdiction, where there is a suspicion of money laundering or terrorist financing, or where applicable law requires full CDD.

4.6 Ongoing Due Diligence.

Customer due diligence is not a one-time exercise. PaxLabs conducts ongoing due diligence throughout the business relationship, including:

  • (i) Monitoring transactions and activity for consistency with the User's known profile and risk tier;
  • (ii) Periodic re-verification and refresh of KYC information, with frequency determined by the User's risk tier (at least annually for elevated-risk Users);
  • (iii) Re-screening against updated sanctions lists and PEP databases; and
  • (iv) Updating the risk-tier assignment where new information warrants it.

4.7 Verification Handling.

All identity-verification information is collected, processed, stored, and retained in accordance with the Privacy Policy and Section 10 of this Policy. Third-party identity-verification providers are engaged under contractual terms that require appropriate data protection and security measures.

5 Sanctions and Prohibited Jurisdictions

5.1 Sanctions Screening.

PaxLabs screens Users, beneficial owners, counterparties, wallet addresses, and transactions against applicable sanctions programs, including:

  • (i) U.S. OFAC — Specially Designated Nationals and Blocked Persons List ("SDN List"), Sectoral Sanctions Identifications List, and other OFAC-administered lists;
  • (ii) United Nations Security Council consolidated sanctions list;
  • (iii) European Union consolidated sanctions list;
  • (iv) United Kingdom HM Treasury consolidated sanctions list; and
  • (v) Other applicable national sanctions lists as determined by the jurisdictions in which the Services are offered.

Screening is performed: (a) at onboarding; (b) on an ongoing basis as sanctions lists are updated; (c) in connection with transactions, where applicable; and (d) upon trigger events identified through monitoring.

5.2 Prohibited Jurisdictions.

Users may not access or use the Services if they are located in, ordinarily resident in, organized under the laws of, or acting on behalf of a person or entity in a jurisdiction subject to comprehensive U.S. sanctions, including Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine (as updated by OFAC from time to time). PaxLabs maintains a restricted-jurisdictions list, which may include additional jurisdictions based on PaxLabs' risk assessment and legal advice.

5.3 Prohibited Persons.

The Services may not be accessed or used by any person or entity that: (a) is listed on the OFAC SDN List or any other applicable sanctions list identified in Section 5.1; (b) is owned or controlled by, or acting on behalf of, a sanctioned person or entity; or (c) is otherwise the subject of sanctions that prohibit dealings with that person or entity under applicable law.

5.4 Sanctions Compliance Measures.

Where PaxLabs identifies a sanctions match or a reasonable basis to suspect sanctions exposure:

  • (i) PaxLabs will block, reject, or decline the transaction or activity;
  • (ii) PaxLabs will freeze or hold any off-chain funds or Credit Ledger balances associated with the sanctioned person or entity, to the extent technically and legally feasible;
  • (iii) PaxLabs will file any required blocking or rejection reports with the applicable authority (including OFAC blocking reports within the required timeframe); and
  • (iv) PaxLabs will not process further activity for the sanctioned person or entity unless and until the sanctions designation is removed or a specific license is obtained from the applicable authority.

5.5 Agent and M2M Sanctions Compliance.

Operators are responsible for ensuring that their Agents do not transact with sanctioned persons, sanctioned entities, or sanctioned-jurisdiction wallets. The use of Agent automation, M2M interactions, or layered transactions to evade or circumvent sanctions is strictly prohibited and may result in immediate termination and referral to authorities.

6 Transaction Monitoring

6.1 Monitoring Framework.

ChainFlow Inc., as the settlement and transaction-processing infrastructure provider, supports the monitoring of activity within regulated Services for indicators of suspicious, anomalous, or potentially illicit behavior. PaxLabs and ChainFlow maintain a transaction-monitoring program that includes:

  • (i) Rule-based monitoring for known typologies, including structuring (breaking transactions into smaller amounts to evade thresholds), rapid movement of funds, round-tripping, layering, and patterns inconsistent with a User's profile;
  • (ii) Behavioral analytics to detect anomalous patterns, deviations from expected activity, and emerging typologies;
  • (iii) Threshold-based alerts for transactions exceeding defined value or volume parameters;
  • (iv) Counterparty analysis, including assessment of counterparty risk, geographic nexus, and sanctions exposure; and
  • (v) Agent-specific monitoring for M2M transaction patterns that may indicate automated structuring, evasion, or manipulation.

6.2 Blockchain Analytics.

Wallet- and address-level analytics are used to assess exposure to illicit sources, darknet markets, mixers, tumblers, sanctioned addresses, and other high-risk indicators. Blockchain analytics are performed using third-party analytics providers under contractual terms consistent with the Privacy Policy. The public nature of Onchain Activity supports but does not replace the monitoring of activity within PaxLabs-operated services.

6.3 Travel Rule Compliance.

Where a transaction constitutes a qualifying transfer under the FATF Travel Rule (FATF Recommendation 16) or equivalent national regulations (including FinCEN's Funds Transfer Rule and the EU's Transfer of Funds Regulation), PaxLabs and ChainFlow collect, transmit, and retain the required originator and beneficiary information.

  • (i) Required information typically includes: originator name, originator account number or wallet address, originator address or national identifier or date of birth; and beneficiary name and beneficiary account number or wallet address.
  • (ii) Travel Rule information is transmitted to the counterparty VASP or financial institution using a compliant messaging protocol. [Compliance to confirm applicable thresholds, message standards, and protocols per jurisdiction — e.g., TRISA, OpenVASP, or proprietary solutions.]
  • (iii) Where required originator or beneficiary information is unavailable or cannot be verified, PaxLabs may decline, delay, or return the transaction.

6.4 Currency Transaction Reporting.

Where applicable law requires the filing of currency transaction reports ("CTRs") for transactions above a defined threshold, PaxLabs will file such reports with the applicable authority within the required timeframe.

7 Reporting and Escalation

7.1 Internal Escalation.

PaxLabs maintains documented internal escalation procedures that route potential sanctions matches, transaction-monitoring alerts, unusual activity, and other compliance concerns to designated compliance personnel for review and disposition. Escalation procedures include defined timelines, documentation requirements, and decision authorities.

7.2 Suspicious Activity Reporting.

  • (i) Where PaxLabs knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity, is designed to evade reporting requirements, lacks a lawful purpose, or involves the use of the Services to facilitate criminal activity, PaxLabs will file a Suspicious Activity Report ("SAR") or Suspicious Transaction Report ("STR") with the applicable financial intelligence unit or regulatory authority, in accordance with applicable law.
  • (ii) SARs and STRs are filed within the timeframes required by applicable law (typically within thirty (30) days of detection, with extensions where permitted). [Compliance to confirm filing timelines per jurisdiction.]
  • (iii) PaxLabs will not disclose the existence of a SAR or STR to the subject of the report or to any unauthorized person ("no tipping off"), as prohibited by applicable law.

7.3 Law Enforcement and Regulatory Cooperation.

PaxLabs cooperates with lawful requests, subpoenas, court orders, and regulatory inquiries from competent authorities, including FinCEN, OFAC, law enforcement, and foreign counterparts through appropriate legal channels. Cooperation includes the provision of records, information, and testimony as required by applicable law, subject to applicable legal privileges and protections.

7.4 Voluntary Disclosures.

Where PaxLabs identifies a potential violation of sanctions, BSA, or other applicable financial-crime law by PaxLabs itself, PaxLabs will consider making a voluntary self-disclosure to the applicable authority, in consultation with counsel.

8 Governance, Responsibility, and Training

8.1 Compliance Function.

PaxLabs maintains a designated compliance function responsible for the development, implementation, administration, and oversight of this Policy and the broader AML/CFT program. The compliance function operates with appropriate independence and has direct access to senior management and, where applicable, the board.

8.2 Designated Compliance Officer.

A named AML/Compliance Officer is responsible for the day-to-day administration of the AML/CFT program, including oversight of screening, monitoring, reporting, training, and policy updates. [Insert name, title, and contact of designated AML/Compliance Officer.]

8.3 Senior Management Responsibility.

Senior management of PaxLabs is responsible for: (a) ensuring that adequate resources are allocated to the AML/CFT program; (b) reviewing and approving the risk assessment and Policy on at least an annual basis; (c) receiving and acting on compliance reports and escalations; and (d) fostering a culture of compliance throughout the organization.

8.4 Training.

  • (i) All relevant personnel — including employees, contractors, and agents involved in onboarding, customer-facing functions, transaction processing, compliance, and product development — receive AML/CFT and sanctions training upon hiring and at least annually thereafter.
  • (ii) Training covers: applicable legal obligations; PaxLabs' policies and procedures; sanctions requirements; red flags and suspicious-activity indicators; typologies relevant to digital assets, decentralized finance, and agentic systems; reporting obligations; and the consequences of non-compliance.
  • (iii) Training records are maintained, including the content covered, the date of training, and the personnel who completed it.

8.5 Independent Testing.

The AML/CFT program is subject to independent testing or audit on a risk basis, conducted by qualified internal audit personnel or an independent third party. Independent testing assesses the adequacy and effectiveness of the program, including policies, procedures, controls, screening, monitoring, and reporting. Findings and recommendations are documented and reported to the Compliance Officer and senior management. OpenNet Security LLC supports independent testing for security-adjacent controls.

9 ChainFlow Inc. — Role and Allocation

9.1 ChainFlow's Role.

ChainFlow Inc. operates the payments, settlement, and transaction-processing infrastructure that supports regulated Services. ChainFlow's responsibilities include: (a) processing and settling transactions in accordance with protocol rules and applicable law; (b) supporting transaction monitoring and alert generation within the settlement infrastructure; (c) applying Travel Rule and originator/beneficiary information requirements to qualifying transfers; and (d) implementing sanctions-screening controls at the transaction level within the settlement infrastructure.

9.2 Allocation of Obligations.

PaxLabs and ChainFlow allocate AML/CFT responsibilities between them by written agreement. PaxLabs retains overall program responsibility and is the primary contracting party with Users. ChainFlow supports PaxLabs' program by providing the monitoring, screening, and reporting capabilities described in this Policy within the settlement infrastructure. This allocation does not affect the User's obligations under this Policy or the Terms of Service.

9.3 User-Facing Obligations.

For the avoidance of doubt, the User's counterparty for compliance purposes is PaxLabs. Users interact with PaxLabs for onboarding, verification, and compliance matters. Where ChainFlow requires information from a User to fulfill its settlement or compliance obligations, PaxLabs will coordinate the request.

10 Recordkeeping

10.1 Retention Periods.

Identity-verification records, CDD and EDD documentation, screening results, transaction-monitoring records, SAR/STR filing records, and related compliance records are retained for the longer of:

  • (i) Five (5) years following the end of the business relationship or the date of the transaction (or such longer period as required by applicable law); and
  • (ii) The period required by the specific applicable law governing the record (which may exceed five years in certain jurisdictions or for certain record types).

10.2 Onchain Records.

Onchain records — including transaction hashes, wallet addresses, and state committed to the Paxeer Network — are permanent and immutable by the nature of the technology. These records exist independently of PaxLabs' retention practices and cannot be deleted.

10.3 Deletion and Anonymization.

Upon expiration of the applicable retention period, off-chain compliance records are deleted or anonymized in accordance with the Privacy Policy, except where continued retention is required by an ongoing investigation, legal proceeding, or regulatory obligation.

10.4 Record Security.

Compliance records are stored securely with access limited to authorized compliance, legal, and audit personnel on a need-to-know basis. Technical and organizational security measures are implemented in accordance with the Privacy Policy and supported by OpenNet Security LLC.

11 User Obligations

11.1 Accurate Information.

Users must provide accurate, complete, and current information in connection with identity verification and account registration, and must promptly update such information when it changes.

11.2 Cooperation.

Users must cooperate with PaxLabs' verification, due-diligence, and periodic-review processes, including providing requested documentation and information within reasonable timeframes. Failure to cooperate may result in restriction, suspension, or termination of access to the Services.

11.3 Prohibited Conduct.

Users must not use the Services for any purpose prohibited by this Policy, the AUP, or applicable AML/CFT and sanctions laws, including money laundering, terrorist financing, sanctions evasion, structuring, layering, or any attempt to disguise the origin, destination, or nature of funds or activity.

11.4 Agent Compliance.

Operators of Agents are responsible for ensuring that their Agents' activity complies with this Policy, including ensuring that Agents do not transact with sanctioned persons or addresses, do not engage in structuring or layering, and do not otherwise facilitate financial crime through automated or M2M activity.

11.5 Consequences of Non-Compliance.

Failure to comply with this Policy may result in: (a) restriction or suspension of access to regulated features; (b) termination of the User's account; (c) withholding or freezing of off-chain funds or Credit Ledger balances, to the extent technically and legally feasible; (d) filing of SARs/STRs or other regulatory reports; and (e) referral to law enforcement or regulatory authorities.

12 Whistleblower Protections

12.1 PaxLabs encourages personnel and Users to report suspected violations of this Policy, applicable AML/CFT laws, or other financial-crime concerns. Reports may be made to the Compliance Officer or through the reporting channels specified in Section 13.

12.2 PaxLabs will not retaliate against any person who makes a good-faith report of a suspected violation. Personnel who report concerns are protected from adverse employment action in connection with their report, consistent with applicable whistleblower-protection laws.

13 Contact

AML/Compliance Officer: [Name, title, and contact to be inserted]

Compliance function: [compliance@paxlabs — or dedicated email to be inserted]

Suspicious activity or sanctions concerns: [dedicated reporting channel to be inserted]

For general legal and privacy matters, see the contact information in the Terms of Service and Privacy Policy.

14 Changes

14.1 PaxLabs may update this Policy from time to time to reflect changes in applicable law, regulatory guidance, risk assessment, or the Services. When we make material changes, we will update the "Version" and "Effective Date" at the top of this document and provide notice through the Services or by other reasonable means.

14.2 Your continued use of the Services after the updated effective date constitutes your acceptance of the revised Policy. Regulatory changes that impose mandatory obligations may take effect immediately upon the effective date required by the applicable regulation, regardless of the notice period.

