Information Security Guidelines

Introduction

Stripe is a technology company that seeks to increase the GDP of the internet by building cost-effective platforms that support internet payment processing. Stripe supports companies of all sizes, from new startups to public companies, that use Stripe's services to accept payments and manage their online business transactions.

As part of Stripe's goal to be the internet's payment platform, Stripe processes important information related to our users and their customers. To establish trust between Stripe and its users, it is critical that Stripe protects its payment services platform and the data that travels through it.

Stripe takes this very seriously and is committed to building and maintaining a Security First culture.

Security at Stripe

The core of Stripe's commitment to Security is its Global Information Security Policy (the "Policy"), which sets out how Stripe will protect its payment services platform and its data.

The Policy is reviewed and approved annually by its senior Information Security executives and the Board of Directors.

Stripe's Information Security Policy encompasses the following key Information Security Principles:

  • Confidentiality: to ensure that information is not accessed by or disclosed to unauthorized individuals or companies;
  • Integrity: to ensure that information is not unduly altered, protecting its accuracy and integrity; and
  • Availability: to ensure that information is available to authorised individuals whenever necessary.

Objectives

To meet Stripe's Information Security goals and policies, Stripe has implemented a robust Information Security Programme focused on its People, Processes, and Platform.

Stripe's Information Security Programme has controls in place to address the following areas:

People - All Stripe personnel are expected to assist in supporting Stripe's Security First goals. Stripe strives to ensure that its teams are prepared to support these expectations by providing training and awareness to keep everyone informed of security risks and events. Controls are in place such as:
- Dedicated Information Security Teams and Leadership
- Technology Risk Management Programme
- Personnel Background Checks
- Security Awareness Programme
- Documented secure coding guidelines and approaches

Processes - Stripe has defined business processes to ensure that its information security objectives are met through security governance, secure development, and security operations. The processes include:
- User Access Processes that support least privilege concepts
- Formal Development Playbook that integrates security analysis and testing
- Vulnerability management processes
- Malware protection
- Security monitoring and alert processes
- Third-party security risk assessments
- Incident management and response

Platform - Stripe's production infrastructure is designed to support secure and highly available systems to ensure Stripe's services are protected and available to meet the demands of its customers. Stripe's platform comprises:
- Industry-leading cloud Infrastructure-as-a-Service (IaaS) providers
- A distributed disaster-resistant infrastructure across multiple datacentres
- Automated system build and deployment processes to ensure that systems are built consistently and securely
- Data Replication
- Encrypted network connectivity internally and externally

Information Security Compliance

As a payment transaction processor, Stripe is subject to a multitude of industry and global regulatory standards. To assist in managing these obligations, Stripe maintains a Security Compliance programme that helps identify, track, and support the many different information security requirements to which it is subject. Stripe's information security compliance programme obtains and maintains third-party certifications, for example:
- PCI DSS Level 1 Certification
- SOC 2 Type 2 attestations
- Required Cybersecurity Certification - UK

These attestations and certifications are performed annually, and the results are available to Stripe's customers upon request.