Data Transfers Addendum

Last modified: October 18, 2024

1. Introduction

This Data Transfers Addendum is incorporated by reference into the data processing agreement between you and the Stripe contracting party to that agreement (“Stripe”), which governs Stripe’s and its Affiliates’ Processing of Personal Data (“DPA”). You may be referred to as “you” or “User” in your Stripe services agreement (“Agreement”) or your DPA. If you are referred to as “User” in your Agreement or DPA, any reference to “you” and “your” in this Data Transfers Addendum is to be construed as “User” and “User’s” on incorporation into your DPA. Any capitalized terms not defined in this Data Transfers Addendum have the meanings given to them in your DPA or Agreement.

2. Order of Precedence

If, in connection with Stripe providing the Services to you, more than one Data Transfer Mechanism could apply to a transfer of Personal Data, you and Stripe agree that the transfer will be subject to one Data Transfer Mechanism only, according to the following order of precedence: 

(a) the Data Privacy Framework; 

(b) the EU SCCs;  

(c) the UK International Data Transfer Addendum; and

(d) any other data transfer mechanism available under DP Law that is incorporated into your DPA, including this Data Transfers Addendum.

3. Data Privacy Framework

Stripe, Inc. (“SINC”) is self-certified under the Data Privacy Framework. When you transfer Personal Data originating from the EEA, the UK or Switzerland to SINC, SINC will receive the Personal Data under the Data Privacy Framework and, when processing that personal data, will comply with the data privacy principles and relevant supplemental principles set out in the Data Privacy Framework.

Stripe will notify you without undue delay if its self-certification under the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated (in which case, an alternative Data Transfer Mechanism will apply according to this Data Transfers Addendum). Stripe’s Data Privacy Framework Policy is available at https://stripe.com/legal/data-privacy-framework.

4. The EU Standard Contract Clauses

Module 1 (Transfer: Controller to Controller) and Module 2 (Transfer: Controller to Processor) of the EEA SCCs, each as completed and supplemented as set out in this Data Transfers Addendum, apply to a transfer by you to SINC of Personal Data that is subject to DP Law in the EEA and Processed under your DPA.

5. UK International Data Transfer Addendum

The UK International Data Transfer Addendum, completed and supplemented according to this Data Transfers Addendum, applies to a transfer by you to SINC of Personal Data that is subject to DP Law in the United Kingdom and Processed under your DPA.

6. Personal Data transfers from Switzerland

The EEA SCCs, supplemented by this Data Transfers Addendum and adapted as follows, applies to a transfer by you to SINC of Personal Data that is subject to DP Law in Switzerland and Processed under your DPA:

6.1. A reference to “Member State” will not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland).

6.2. To the extent the transfer of personal data is governed by the Swiss Federal Act on Data Protection, the Swiss Federal Data Protection and Information Commissioner will act as the competent supervisory authority; to the extent the transfer of personal data is governed by the GDPR, the supervisory authority determined in Annex IC of the EEA SCCs will act as the competent supervisory authority; any references to the "competent supervisory authority" will be interpreted accordingly.

7. Personal Data transfers from Thailand

The EEA SCCs, supplemented by this Data Transfers Addendum and adapted as follows, applies to a transfer by you of Personal Data that is subject to the Personal Data Protection Act B.E. 2562 (“PDPA”) to Stripe and its Affiliates located in jurisdictions that do not, for the purposes of the PDPA, have adequate Personal Data protection standards, and is Processed under your DPA:

7.1. A reference to “applicable laws” will be interpreted to include the PDPA; and

7.2. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are replaced with “Thailand”.

8. Personal Data transfers from CBPR and PRP participating economies

Stripe Processes Personal Data in accordance with the Cross Border Privacy Rules (“CBPR”) and Privacy Rules for Processor (“PRP”) frameworks. Where CBPR and/or PRP are recognized as a valid transfer mechanism under DP Law, Stripe will transfer Personal Data in accordance with the CBPR and PRP certifications SINC has obtained.

9. Supplemental Clauses to the EEA SCCs

9.1. Personal Data will be encrypted both in transit and at rest using encryption technology by SINC.

9.2. SINC will resist, to the extent permitted by Law, any request under Section 702 of Foreign Intelligence Surveillance Act (“FISA”).

9.3. SINC will use reasonably available legal mechanisms to challenge any demands for data access through the national security process that it may receive in relation to data exporter’s data.

9.4. No later than the date on which your acceptance of the DPA that incorporates or references this Data Transfers Addendum becomes effective, SINC will notify you of any binding legal demand for the Personal Data it has received, including national security orders and directives, which will encompass any process issued under Section 702 of FISA, unless prohibited under Law.

9.5. SINC will ensure that its data protection officer has oversight of SINC’s and its Affiliates’ approach to international data transfers.

10. Operation of the EEA SCCs

You and Stripe agree that the application of the EEA SCCs to each transfer made under this Data Transfers Addendum will be interpreted as follows:

10.1. Clause 8.1(a) of the EEA SCCs, Module 2 (Transfer: Controller to Processor): Instructions. The DPA and the Agreement are your complete and final instructions at the time of execution of the DPA for the Processing of Personal Data. Any additional or alternate instructions must be agreed separately in writing by you and Stripe. For the purposes of Clause 8.1(a) of Module 2 (Transfer: Controller to Processor) of the EEA SCCs, the Processing described in the DPA is deemed an instruction by you to Process Personal Data.

10.2. Clause 8.9 of the EEA SCCs, Module 2 (Transfer: Controller to Processor): Audit. You acknowledge and agree that you exercise your audit right under Clause 8.9 of Module 2 (Transfer: Controller to Processor) of the EEA SCCs by instructing SINC to comply with the audit measures described in the DPA.

10.3. Clause 9(c) of the EEA SCCs, Module 2 (Transfer: Controller to Processor): Copies of Sub-processor Agreements. You and Stripe agree that, following your request, SINC will provide copies of the Sub-processor agreements that must be provided to you under Clause 9(c) of Module 2 (Transfer: Controller to Processor) of the EEA SCCs, provided that SINC may (i) redact or remove all commercial information or clauses unrelated to the EEA SCCs or their equivalent and (ii) determine the manner in which to provide the copy agreements to you.

10.4. Application of the Agreement. The EEA SCCs are incorporated into the Agreement. As between you, and SINC and its Affiliates, to the greatest extent permitted by Law, the limitations and exclusions of liability set out in the Agreement apply to the EEA SCCs.