Date: 2026-05-14 (updated)
Context: A German defense-sector company currently uses Pleo for employee credit cards, DATEV as their accounting system, and is a (prospective) Orcha customer for AP invoice processing. They want to move off Pleo.
Purpose: Decide which employee-card / spend tool to recommend, assessed against the customer's updated priorities and the constraints of being a defense company. Includes a cannibalization analysis for Orcha.
Inputs: Per-vendor integration research in this directory, each with a ## Addendum 2026-05-14 section covering defense / cannibalization / funding model. Plus dedicated defense-sector vendor-risk research (2026-05-14).
History note: this file began as a Qonto-vs-Pleo assessment. It has been expanded into a full multi-vendor analysis after the customer's priorities were clarified. Filename retained for continuity.
Recommendation: Payhawk is the leading candidate of a flawed field — but it is NOT yet recommendable. Two blockers surfaced in 2026-05-14 verification must be cleared first (see §4.1, §7).
Payhawk is the only vendor that cleanly satisfies all four of the customer's updated priorities (cards-first quality, strong receipt app, good read and write API, non-prepaid funding) and has the best security posture of the field. But adversarial verification found that (a) one of Payhawk's two EEA card issuers, Paynetics AD, publishes an Acceptable Use Policy that explicitly bans "weapons, firearms, munitions of any sort", and (b) Payhawk imposes 3-year contracts with no exit clause and pushed a 22% mid-contract price increase in 2025. The earlier draft's claim of "no exclusion in the issuers' terms" was factually wrong and has been corrected below.
The updated priorities reshuffled the field hard. Two requirements proved decisive:
| Vendor | Verdict | One-line reason |
|---|---|---|
| Payhawk | LEADING — but blocked pending verification | Hits all 4 priorities + best certs, BUT Paynetics issuer bans weapons + punitive 3-yr contract; MEDIUM-HIGH cannibalization |
| Moss | Viable backup, flawed | Best German data residency + true credit line, but no card API at all and HIGH cannibalization |
| Pleo (incumbent) | Baseline — reason to move | READ API still export-job-gated; latent offboarding risk on a discretionary clause with no defense carve-out |
| Qonto | Disqualified (arms) / conditional (adjacent) | Explicit "military activities / sale of weapons" ban; non-prepaid card mode is eligibility-gated |
| Spendesk | Disqualified | Prepaid-only; WRITE API unproven; Adyen weapons exclusion in the stack |
| Yokoy / Perk | Disqualified | Strictly prepaid; HIGH cannibalization (Yokoy Invoice ≈ Orcha) |
| Circula | Disqualified | No public API — fails the load-bearing priority — despite being GREEN on defense |
| finway | Disqualified | No API, prepaid, weak app, HIGH cannibalization (it is an AP competitor) |
| Ramp / Brex | Disqualified (earlier) | No DATEV integration; no EU self-serve onboarding in 2026 |
Cross-cutting lesson: the defense exclusion hides in the card-issuer layer, not the spend-tool's own terms. Paynetics AD bans weapons and sits under both Payhawk and finway. Future vendor checks must trace the BIN/issuer, not just read the vendor's marketing terms.
The customer wants the replacement tool to:
And the hard constraint underneath everything: they are a German defense-sector company, so any vendor must be able to legally and willingly onboard them.
Funding model definitions used here:
✓ = meets priority · ~ = partial / conditional · ✗ = fails
| Vendor | 1. Cards quality | 2. Receipt app | 3. Read+Write API | 4. Not prepaid | Defense | Cannibalization | Overall |
|---|---|---|---|---|---|---|---|
| Payhawk | ✓ strong | ✓ strong | ✓ real-time webhooks; CRUD on cost centers/tax/CoA + suppliers (write endpoint confirmed) | ✓✓ genuine revolving credit line, monthly settle (self-underwritten; terms silent on renewal/cuts) | AMBER → RED-risk (Paynetics issuer AUP bans weapons; no BSI C5) | MEDIUM-HIGH (AI invoice agents going GA "at no extra cost") | LEADING — blocked pending §7 |
| Moss | ✓ strong (core strength) | ✓ strong | ✗ no card API; suppliers/dimensions write OK; no webhooks (polling) | ✓ Moss Credit = true credit line | AMBER (best German residency; own BaFin licence) | HIGH (AP first-class; 2026 roadmap into Orcha's lane) | Backup, flawed |
| Pleo | ✓ strong | ✓ strong | ~ WRITE strong; READ export-job-gated, no realtime | ~ Overdraft = charge-card-like, available DE (credit approval) | AMBER + offboarding risk | MEDIUM, rising (Pleo AP module; DE processing-only launch) | Baseline |
| Qonto | ~ good, not best | ~ good, not best | ✓ READ best-in-class; WRITE bank-shaped (no CoA concept) | ~ deferred-debit "credit mode" (Jan 2026) but eligibility-gated ~6 mo | RED (arms) / AMBER (adjacent) | MED-HIGH → HIGH (Regate absorbed; "autonomous accounting") | Disqualified / conditional |
| Spendesk | ~ adequate (acceptance issues) | ✓ strong | ✗ WRITE unproven; webhooks "experimental"; Premium-gated | ✗ prepaid wallet only | AMBER / RED-risk (Adyen weapons ban in stack) | MED-HIGH, rising | Disqualified |
| Yokoy / Perk | ~ AMBER | ✓ relative bright spot | ✓ read+write CRUD; webhooks unverified; hourly export jobs | ✗ strictly prepaid, no charge/credit option | AMBER-minus (3-party issuer chain) | HIGH (Yokoy Invoice ≈ Orcha, same brand) | Disqualified |
| Circula | ✓ strong | ✓ strong (G2 4.6) | ✗✗ no public API at all | ✓ real credit card (Pliant/Varengold) | GREEN (best of field) | MEDIUM, rising (AP module "coming soon") | Disqualified |
| finway | ~ adequate | ✗ weak / buggy | ✗✗ no public API at all | ✗ explicitly "not a credit or charge card" | AMBER → RED (Paynetics weapons exclusion) | HIGH (it is an AP product; no cards-only SKU) | Disqualified |
Circula — no public API. Confirmed again: no developer portal, no OpenAPI spec, no API keys, no iPaaS connectors, no webhooks. Orcha can read nothing and write nothing programmatically. This is painful because Circula is otherwise excellent for this customer — GREEN on defense (German hosting, platform ISO 27001, no industry exclusion), a genuine credit card, and a well-reviewed cards + receipt app. But "very good API for read and write" is a load-bearing requirement, and Circula offers zero. Disqualified on that priority alone.
finway — fails on four axes. No public API, prepaid-only ("not a credit or charge card"), a weak/buggy mobile app, and — worst — HIGH cannibalization: finway is an AP-automation product, there is no cards-only SKU, and the €209/mo plan bundles a direct Orcha competitor. Recommending finway-for-cards means paying to install a competitor in the customer's stack. Disqualified comprehensively.
Qonto — defense exclusion. Qonto's published prohibited-activities policy explicitly names "military activities, including the sale of weapons, military vehicles, and their copies," group-wide, with no carve-out or pre-clearance channel. For an actual arms business this is a hard RED — recommending it steers the customer toward near-certain refusal or offboarding. For a defense-adjacent business it is AMBER, but even then the non-prepaid "credit mode" card is eligibility-gated (≈6 months as a Qonto customer first), so a new customer would run on pre-funded debit during migration. Plus MED-HIGH→HIGH cannibalization. Disqualified for arms; only conditionally viable for defense-adjacent customers who also want banking consolidation.
Spendesk — prepaid, and the write API is unproven. Spendesk is a pre-funded wallet model with no charge-card or credit option anywhere in current materials — a direct miss on priority 4. On top of that, the WRITE side of the API is not publicly enumerated (confirmed writes are limited to card issuance, payment triggers, webhook CRUD), and webhooks are still flagged "experimental." Defense is AMBER with RED-risk: Spendesk's own T&C are silent, but Adyen is woven into the stack and Adyen explicitly bans weapons trading. Disqualified.
Yokoy / Perk — prepaid, and the highest cannibalization risk. Yokoy cards are strictly pre-funded — the customer must bank-transfer funds in before cards work, with no auto-replenish and no charge/credit option. That alone fails priority 4. And Yokoy Invoice is a feature-for-feature description of Orcha's core product — AI line-item extraction, smart coding that learns the team's patterns, VAT/tax compliance, ZUGFeRD/XRechnung, DATEV export — sold under the same brand, one upsell away. Disqualified.
Ramp / Brex — disqualified in earlier research: no DATEV integration of any kind, and no self-serve EU onboarding for a German company in 2026.
Payhawk is still the best fit on the customer's four stated priorities. But the 2026-05-14 verification + devil's-advocate pass surfaced two blockers and corrected one factual error in the earlier draft. The honest verdict is "leading candidate of a flawed field, not yet recommendable."
What holds up (verified against primary sources):
Suppliers: create and update is confirmed in the current Help Center API overview (the earlier "no POST /suppliers" caveat was stale — corrected). Real-time webhooks: 22 event types, free on all plans, 15 req/s. Open items: no public OpenAPI spec, sandbox is request-gated, receipt-URL TTL still unverifiable without a probe, and mark-as-exported / CoA-write rest only on Summer-2025 release notes — confirm directly.Defense — AMBER, downgraded to RED-RISK at the issuer layer. (Earlier draft was wrong here.) Payhawk's own Restricted Activities terms carry no defense/arms exclusion — that part holds. But Payhawk's EEA cards run on two issuers: Payhawk Financial Services UAB (Lithuanian EMI) and Paynetics AD (Bulgarian EMI), and Paynetics' published Acceptable Use Policy explicitly bans "weapons, firearms, munitions of any sort" and reserves discretionary termination for "reputational risk." This is corroborated independently (the finway research found the same Paynetics policy). For an actual arms/munitions manufacturer this is a latent RED, not an AMBER. The open question that decides it: can Payhawk issue this customer's cards entirely under its own Lithuanian EMI, keeping Paynetics out of the BIN chain? If yes, the issue is contained; if no, Payhawk is not viable for an arms business. Security posture remains the best of the field — ISO 27001:2022, SOC 1 & 2 Type 2, PCI-DSS L1, DORA, CSA STAR L1, IDW PS 880, German data in Frankfurt — but no BSI C5.
Commercial terms — a newly-surfaced risk. Reviewers (including German customers on GetApp.de) consistently report 3-year contracts with no exit clause, early-termination disputes escalated to debt collection, and a 22% mid-contract price increase pushed in April 2025. Combined with the issuer-offboarding risk this creates a real trap: if Paynetics' KYB review exits the customer in year 2, they are cardless and still contractually bound to Payhawk. The earlier "contained, low-risk change" framing was too comfortable — contract terms (shorter term, exit clause, price-lock) must be negotiated, not assumed.
Cannibalization — MEDIUM-HIGH (upgraded from MEDIUM). The earlier rating assumed Payhawk's AP capability was a separate paid module the customer wouldn't buy. That assumption is now weak: in March 2026 Payhawk shipped AI "Financial Controller" agents that retrieve, code, and submit invoices, going GA later in 2026 "at no additional cost" — i.e. the AP-automation layer is being folded into the core platform, with DATEV export already wired. Recommending Payhawk hands a warm, pre-integrated AP-automation capability into Orcha's own customer. Still not HIGH (no AP acquisition; extraction is shallower than Orcha's GoBD-grade coding), but the trajectory is clearly into Orcha's lane.
Strengths: best German data residency of the field (GCP Frankfurt exclusively), own BaFin e-money licence and own Mastercard BIN (no stacked third-party issuer policy), platform-wide ISO 27001, funds safeguarded at Deutsche Bank. Moss Credit is a true revolving credit line (0% interest, 30–60 day terms) — matches priority 4. Cards and the receipt app are a genuine core strength.
Flaw 1 — no card API. Moss's API has improved (suppliers and dimensions now support create/update) but there is no card API at all and no webhooks (polling only). The customer's #1 priority is employee cards, and Orcha's whole reason to integrate is to read card-transaction data — Moss cannot expose that programmatically. This is a functional disqualifier for the specific use case, not just a strategic nit.
Flaw 2 — HIGH cannibalization. Moss is the most directly competitive vendor in the field. Its AP/invoice module is first-class, and the 2026 roadmap moves straight into Orcha's territory: purchase orders, goods-receipt notes (3-way match), and an enhanced DATEV integration with two-way master-data sync. Moss sells the "all-in-one" consolidation pitch — structurally anti-Orcha. Recommending Moss means inviting Orcha's most direct competitor into the customer.
Verdict: only consider Moss if Payhawk fails defense pre-clearance and the customer can live without programmatic card-data access. The cannibalization risk should give Orcha pause regardless.
Defense — AMBER, with a real catch. No published Acceptable Use Policy or restricted-industries list; the only binding language is a broad "sole discretion" clause in the MSA. No explicit defense exclusion — but no permission either. Latent offboarding risk is real: Pleo's surveillance team closes accounts "outside risk appetite" and calls such decisions "final"; the customer sits on a discretionary clause re-evaluated at every KYB review with no defense carve-out. Being on Pleo today is not a safe harbour — it is arguably a reason to move to a vendor with a clearer stance.
API — the original problem persists. WRITE is strong (full CRUD on vendors, CoA, tags, tax codes). READ is the weak point: expense data is gated behind customer-triggered export jobs in the Pleo UI — the API cannot trigger them, so there is no real-time pull. 24h receipt URLs. API needs the Advanced plan (~€109/mo). This READ limitation is what started the whole evaluation.
Funding & UX: natively pre-funded, but Pleo Overdraft (HSBC-backed revolving line, interest-free if repaid by month-end, confirmed available in Germany) makes it operable as a charge-card-like product. Cards and the receipt app are genuinely good; support quality and the READ API are the weak spots.
Cannibalization — MEDIUM, rising: "Pleo Invoices" is now "Pleo Accounts Payable," and Pleo recently launched a processing-only AP version aimed at lean German finance teams — squarely Orcha's profile and geography.
The ranking, worst to best for Orcha:
| Risk | Vendors | Why |
|---|---|---|
| HIGH | finway, Moss, Yokoy | finway is an AP product (no cards-only SKU). Moss has first-class AP + a 2026 roadmap of POs/GRN/3-way-match/two-way DATEV sync + an "all-in-one" pitch. Yokoy Invoice is feature-for-feature Orcha under one brand. |
| MED–HIGH → HIGH | Qonto, Payhawk | Qonto: Regate (AP/AR platform) fully absorbed, "autonomous accounting." Payhawk: AI "Financial Controller" invoice agents going GA "at no additional cost" — AP folding into the core platform, not an optional module. |
| MEDIUM (rising) | Pleo, Spendesk, Circula | Pleo's AP is rising (DE processing-only launch); Spendesk ships AP features every release; Circula's AP is still pre-GA. |
The strategic point. Every modern spend tool now has some AP capability — there is no zero-risk choice. What separates them is structure and trajectory. finway, Moss, Yokoy and Qonto either are AP products or are visibly converging on becoming one. Payhawk was previously rated lower on the assumption its AP was an unbundled module — the March-2026 "Financial Controller" agents at no extra cost weaken that assumption and move Payhawk up. Pleo keeps AP as a still-separable module with shallower extraction than Orcha's. The uncomfortable truth: there is no viable card vendor for this customer that is also clearly safe from a cannibalization standpoint — Payhawk is now MED-HIGH, the alternatives (Moss, Qonto) are HIGH. The choice is least-bad, not safe.
Policy implication: treat "is this vendor structurally an AP competitor?" as a standing filter in vendor recommendations — not just "does it have an API."
Payhawk is the leading candidate, but do NOT recommend it to the customer yet. Three things must be cleared first — and the first two are potential hard stops, not formalities:
Blockers to clear before recommending (see §7):
Why Payhawk still leads despite the blockers:
If Payhawk fails blocker 1 or 2: do not fall through to a weak alternative by default. Escalate — the realistic outcomes are (a) negotiate Payhawk onto its own EMI + acceptable contract terms, (b) stay on Pleo and accept the offboarding/READ-API risk, or (c) widen the search to a different category of provider (e.g. a German Hausbank card programme) outside this spend-tool field.
Do not recommend Qonto, Spendesk, Yokoy, Circula, or finway for this customer, for the reasons in §3.
Hard gates (a "wrong" answer changes the recommendation):
Verification items (unlikely to change the recommendation, but confirm before build):
6. Payhawk credit-line terms — renewal conditions, what happens if turnover dips, whether Payhawk can unilaterally cut the line, and whether the credit sits on Payhawk's balance sheet or a partner's. Docs are currently silent.
7. Payhawk API gaps — confirm mark-as-exported and CoA-write endpoints still exist (currently only in Summer-2025 release notes); note there is no public OpenAPI spec and the sandbox is request-gated.
8. Payhawk receipt-URL TTL — empirical sandbox probe (carried over from original research).
9. Payhawk DATEV edge cases — documented limitations: image compression on export, exported expenses can't be corrected (manual DATEV delete), no KOST1/KOST2 auto-pull, double FX translation when card currency ≠ DATEV base currency, line-item-sum mismatches hard-fail the export. Scope these against the customer's DATEV setup.
10. Payhawk Lithuanian EMI licence number — cited inconsistently across sources (LB002199 / LB002200 / "No. 95"); confirm before putting in writing to the customer.
Status-quo risk to surface to the customer: 11. Pleo offboarding exposure — their current setup sits on a broad discretionary clause with no defense carve-out. This is a risk on staying put, not just on moving.
Per-vendor integration research (each now carries a ## Addendum 2026-05-14 section):
Defense-sector context: