Those are fair points and something to investigate further, but for point 1, our tool only uses the restricted API keys with minimal access, so both parties would have to agree on using the tool, but I believe we should protect ourselves legally against such cases. For point 2, Stripe seems to be quite good at backwards compatibility on core objects, but it's good to agree on a minimal supported version. Thanks!