# QODY Architecture Architecture documentation for QODY.ba scan-order-pay platform (SnowIT BA partner project) # Monri Integration # QODY → Monri Integration — Archive Summary **Date:** 2026-06-24 **Archived by:** Skillforge (ALAI Knowledge Management) **Purpose:** Consolidate all Monri payment integration materials for QODY project --- ## 1. Monri Contact **Account Manager:** - Name: Mahir Mulaomerović - Phone: +387 66 284 773 - Email: mahir.mulaomerovic@monri.com **SnowIT Contact for Monri:** - Entity: SnowIT d.o.o. Sarajevo - Contact: Enis Merdžanović (CTO, enis@snowit.ba) - Business Email: info@snowit.ba - Phone: +387 62 329 076 --- ## 2. Monri Response Summary **Date Received:** 2026-06-24 (from CEO) **Available Acquirer Banks (BiH):** 1. Raiffeisen Bank BiH 2. Atos Bank 3. UniCredit Bank 4. Intesa Sanpaolo Bank **Process Confirmed:** - Pick bank → access documentation → test environment → contract → production - Sandbox available for testing before merchant contract **Packages/Services:** - Standard merchant gateway integration - Transaction API - Webhook support - 3D Secure (3DS2) compliance --- ## 3. Architecture Decision **Recommended Model:** Model B — Per-Venue Merchant Accounts **Rationale:** - QODY remains software service provider (no Payment Institution license needed) - Bank-agnostic: each restaurant uses its own bank + Monri merchant account - Regulatory safety: money flows restaurant-bank → restaurant (bypasses QODY) - Scalable: parallel restaurant onboarding without platform-level approvals **QODY Platform Fee Collection:** - Monthly invoice: 29-49 KM base + 0.5% of venue revenue through QODY - Invoiced separately (not deducted from card settlements) **Full Details:** - See `/tmp/qody-prd/monri-architecture-decision.md` (25 pages, 667 lines) - Author: Finverge (Markos Zachariadis) --- ## 4. Test Environment Form **Status:** FILLED — Draft for CEO/Asmir confirmation **File:** `/tmp/monri/Podaci_za_testno_okruzenje_POPUNJENO.xlsx` **Key Data:** - Company: SnowIT d.o.o. Sarajevo - JIB: 4203069040007 - Contact: Enis Merdžanović (info@snowit.ba, +387 62 329 076) - Test Bank: Raiffeisen (sandbox) - Notification Emails: info@snowit.ba, enis@snowit.ba, john@alai.no **Note:** Requires CEO/Asmir confirmation of: - Responsible person (Enis vs Asmir) - Phone number verification --- ## 5. Clarifying Questions Sent to Monri **Status:** Sent 2026-06-24 **8 Priority Questions:** 1. Merchant-of-record model (platform vs per-venue) — CRITICAL 2. Platform fee auto-deduction support 3. Apple Pay / Google Pay availability for BiH 4. Refund, void, authorize+capture API operations 5. Webhook signatures, retry policy, idempotency 6. Test environment access timeline 7. Multi-venue reporting / reconciliation 8. PCI-DSS SAQ-A confirmation for Monri.js hosted checkout **Full Question Text:** See monri-architecture-decision.md §5 --- ## 6. Next Steps ### Immediate (blocking) - ✓ Fill test environment form (DONE — pending CEO confirmation) - ⏳ Await Monri test credentials (sandbox merchant\_id, auth\_token, webhook\_secret) - ⏳ Confirm Model B with BiH payment lawyer (1-hour consult, ~500 EUR) ### Build Phase (after test credentials) - Implement per-venue payment config vault (encrypted Monri credentials) - Monri Transaction API client (Kotlin/Ktor) - Webhook handler with signature verification - E2E test: guest checkout → Monri test charge → staff board update ### Pre-Production - Onboard 2-3 pilot restaurants through Monri merchant application - Complete PCI-DSS SAQ-A (Securion) - Privacy policy + Terms (Lexicon) - BiH fiscal integration research (Phase 2) --- ## 7. Archived Files
FileDescriptionSize
`Podaci_za_testno_okruženje.xls`Blank Monri test environment form (original)35 KB
`Podaci_za_testno_okruzenje_POPUNJENO.xlsx`Filled form (DRAFT)5.8 KB
`monri-architecture-decision.md`Full architecture analysis + recommendation667 lines
`image001.png`Monri logo (from email)8.5 KB
`image002.jpg`Monri branding (from email)17 KB
--- ## 8. Compliance Notes **Regulatory:** - Model B avoids BiH Payment Institution (PI) license requirement - QODY = software service, not payment intermediary - Legal confirmation still recommended (BiH lawyer) **Security:** - PCI-DSS scope: SAQ-A (Monri.js hosted checkout, no card data on QODY servers) - Monri credentials: encrypted vault storage (libsodium or Azure Key Vault) - Webhook: HMAC SHA512 signature verification mandatory **Data Privacy:** - BiH Data Protection Law + GDPR compliance - Privacy policy required before production launch - Cookie consent (if analytics) **Fiscal:** - BiH requires fiscal cash registers for retail/hospitality - Phase 1 (MVP): QODY order = pre-payment; restaurant issues fiscal receipt from POS - Phase 2: Integrate cloud fiscal service (e.g., eFiskalizacija.ba) --- **Archive URL:** https://docs.alai.no/books/qody-architecture/page/monri-integration **Paperless Archive ID:** \[will be added after upload\] --- **Document Owner:** ALAI Holding AS → SnowIT BA (partner tenant) **Project:** QODY.ba — Scan-Order-Pay Platform for BiH Hospitality