Legal > Supplier Data Transfers Addendum

On this page

Exhibit A – Description of Processing and Transfers

1. Introduction

1.1 This Supplier Data Transfers Addendum (“SDTA”) is incorporated by reference into the Data Processing Agreement (“DPA”) between Supplier and the Stripe contracting party to that agreement (“Stripe”), which governs Supplier’s Processing of Personal Data. Any capitalized terms not defined in this Supplier Data Transfers Addendum have the meanings given to them in the underlying DPA or Agreement.

2. Relationship of the Parties

2.1 Supplier as Processor of Stripe Processor Data. The Parties agree that, with regard to the Processing of Stripe Processor Data, Stripe acts as a Data Controller and Supplier is acting as Stripe’s Data Processor or Stripe’s Sub-processor. Supplier shall Process Stripe Processor Data in accordance with Stripe’s instructions as set forth in the Agreement, including the DPA and this SDTA.

2.2 Supplier as Controller of Stripe Controller Data. The Parties agree that, with regard to the Processing of Stripe Controller Data, Stripe acts as a Data Controller and Supplier is acting as an independent Data Controller (and for clarity, not as a joint Data Controller with Stripe). Where Supplier Processes Stripe Controller Data, it will do so in accordance with the applicable SOW or underlying Agreement.

2.3 Stripe and Supplier as Independent Controllers of Supplier Data. To the extent applicable to the Agreement, the Parties agree that, with regards to Supplier Data, Stripe and Supplier are each independent controllers that will process Stripe Supplier Data as permitted by the DPA and this SDTA.

3. Cross Border Data Transfer Mechanisms

3.1 Order of Precedence. If Supplier has certified its participation under the Data Privacy Framework (as recorded on the Data Privacy Framework website accessed here), then subsections (a) - (c) of this Section 3.1 apply:

(a) If, in connection with the Agreement, more than one Data Transfer Mechanism could apply to a transfer of Personal Data, the Parties agree that the transfer will be subject to one Data Transfer Mechanism only, according to the following order of precedence:

(i) the Data Privacy Framework;

(ii) the EU Standard Contractual Clauses;

(iii) the UK Data Transfer Addendum; and

(iv) Any other data transfer mechanism available under DP Law that is incorporated into the DPA, including this Supplier Data Transfers Addendum.

(b) Supplier is self-certified under the Data Privacy Framework. If EEA/UK/Swiss Data is transferred to Supplier, Supplier will receive the Personal Data under the Data Privacy Framework and, when Processing that Personal Data, will comply with the data privacy principles and relevant supplemental principles stated in the Data Privacy Framework.

(c) Supplier will promptly notify Stripe in writing at privacy@stripe.com if Supplier’s self-certification under the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated (in which case, an alternative Data Transfer Mechanism will apply).

3.2 The EU Standard Contract Clauses. For transfers of Personal Data from the EEA to any jurisdiction that is not recognized as having an adequate level of protection for Personal Data under DP Law, the EEA Standard Contractual Clauses apply, are incorporated into this SDTA, and are completed as follows:

(a) Module One of the EEA Standard Contractual Clauses shall apply to the extent Stripe and Supplier, as independent controllers, process Supplier Data originating in the European Economic Area.

(b) Module Two of the EEA Standard Contractual Clauses shall apply to the extent Stripe transfers Stripe Processor Data to Supplier under the Agreement.

(i) The optional docking clause of Clause 7 shall not apply;

(ii) Option 2 of Clause 9 shall apply, and the time period for prior notice shall be as set forth in the DPA.

(iii) The optional language in Clause 11 shall not apply;

(iv) Option 1 will apply in Clause 17 and the EEA Standard Contractual Clauses shall be governed by Irish law;

(v) Under Clause 18, all disputes shall be resolved before the courts of Ireland;

(vi) Annex I of the EEA Standard Contractual Clauses shall be deemed completed as set out in Exhibit A of this SDTA.

(vii) Annex II of the EEA Standard Contractual Clauses shall be deemed completed as set out in Exhibit A of the DPA.

3.3 The UK International Data Transfer Addendum. For all transfers of Personal Data from the UK to any jurisdiction that is not recognized as having an adequate level of protection for Personal Data under DP Law, the UK Data Transfer Addendum applies, is incorporated into this DPA, and is completed as follows:

(a) The data exporter and importer shall be as set out in Sections 2 and 3.2 of this SDTA;

(b) Table 1 of the UK Data Transfer Addendum is deemed to be populated with the information set out in Section 2 of this SDTA, the underlying Agreement, and Exhibit A of the DPA, as applicable;

(c) For purposes of Table 2 of the UK Data Transfer Addendum, the version of the “Approved EU SCCs” (including the appendix information, modules, and selected clauses) appended to the UK Data Transfer Addendum is the EEA Standard Contractual Clauses, as supplemented by Sections 2 and 3.2(a-c) of this SDTA.

(d) Table 3 of the UK Data Transfer Addendum is deemed to be populated with the information set out in Exhibit A of the SDPA and Exhibit A of this SDTA, as applicable;

(e) For purposes of Table 4 of the UK Data Transfer Addendum, the “importer” and “exporter” options shall apply;

(f) Under Part 2, the mandatory clauses of the UK Data Transfer Addendum will apply; and

(g) By entering into this Agreement, the data importer and data exporter are deemed to have signed the UK Data Transfer Addendum, as of the DPA Effective Date.

3.4 Personal Data Transfers from Switzerland. For all data transfers from Switzerland to any jurisdiction that is not recognized as having an adequate level of protection for Personal Data under DP Law, the EEA Standard Contractual Clauses, as outlined in Section 3.2 and as supplemented as follows, apply:

(a) Any reference to “Member State” will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and

(b) To the extent the transfer of Personal Data is governing by the Swiss Federal Act on Data Protection, the Swiss Federal Data Protection and Information Commissioner will act as the competent supervisory authority; to the extent the transfer of data is governing by the GDPR, the supervisory authority set forth in Exhibit A of this SDTA will act as the competent supervisory authority; and any references to the “competent supervisory authority” will be interpreted accordingly.

3.5 Personal Data Transfers from Thailand. The EEA SCCs, supplemented by this Data Transfers Addendum and adapted as follows, applies to a transfer of Personal Data by the Parties that is subject to the Personal Data Protection Act B.E. 2562 (“PDPA”) to any jurisdiction that does not, for the purposes of the PDPA, have adequate Personal Data protection standards, and is Processed under the Agreement:

(a) Any reference to “applicable laws” will be interpreted to include the PDPA; and

(b) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are replaced with “Thailand”.

3.6 Personal Data Transfers from Brazil. The Brazilian Standard Contractual Clauses (“Brazilian SCCs”), supplemented by this SDTA and adapted as set out in Sections 2 and 3.2 of this SDTA, as well as Exhibit A of this SDTA, apply to the transfer of Personal Data subject to the Brazilian General Data Protection Law (“LGPD”), from Brazil to a third country or territory without an adequacy decision from the Brazilian National Data Protection Authority.

3.7 Personal Data Transfers from CBPR Participating Economies. Stripe Processes Personal Data in accordance with the Cross Border Privacy Rules (“CBPR”) framework. Where CBPR is recognized as a valid transfer mechanism under DP Law, Stripe will transfer Personal Data in accordance with the CBPR and PRP certifications SINC has obtained.

3.8 Supplemental Clauses to the EEA Standard Contractual Clauses. As applicable to the Processing under the Agreement, Supplier will comply with the supplemental terms of the EEA Standard Contractual Clauses as set forth in Annex IV of this SDTA.

4. Conflict

If there is any conflict or ambiguity between the provisions of the SDTA, the DPA, or any provision contained in the EEA Standard Contractual Clauses or the UK Data Transfer Addendum, as applicable, the provisions of the EEA Standard Contractual Clauses or the UK Data Transfer Addendum, as applicable, will prevail.

5. Definitions

All capitalized terms not otherwise defined in this SDTA have the meanings set out in the Statement of Work or Agreement, including the DPA.

“Data Privacy Framework” means, as applicable, the EU-US, Swiss-US, or UK-US Data Privacy Framework self-certification program operated by the US Department of Commerce.

“EEA/UK/Swiss Data” means Personal Data about a Data Subject that is transferred from the European Economic Area, Switzerland or the United Kingdom.

“EEA Standard Contractual Clauses” mean Module 2 (Transfer: Controller to Processor) of the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as amended or replaced from time to time by a competent authority under the relevant DP Law.

“GDPR” means the General Data Protection Regulation (EU) 2016/679, as amended or replaced from time to time.

“UK Data Transfer Addendum” means the international data transfer addendum to the EEA Standard Contractual Clauses issued by the UK Information Commissioner in accordance with section 119A of the UK Data Protection Act 2018, as amended or replaced from time to time by a competent authority under DP Law.

“UK GDPR” means the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended or replaced from time to time.

Exhibit A – Description of Processing and Transfers

ANNEX I

A. LIST OF PARTIES

I. Data exporter(s) and Data importer(s):

a. Name: Stripe or Supplier, as applicable.

b. Address: As set out in the Agreement

c. Contact details: Stripe: privacy@stripe.com; Supplier: Supplier's publicly-available email address for receiving privacy-related notices.

d. Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Stripe's use of the Services under the Agreement.

e. Data Exporter Role: The Data Exporter's role is set forth in Section 2 (Relationship of the Parties) of this Addendum

f. Data Importer Role: The Data Importer's role is set forth in Section 2 (Relationship of the Parties) of this Addendum.

g. Signature and date: By entering into the Agreement, the data exporter and data importer are deemed to have signed these 2021 Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

B. DESCRIPTION OF TRANSFER

I. Categories of data subjects whose personal data is transferred

a. The personal data transferred concern the following categories of data subjects or consumers:

● Prospective users and/or users of Stripe's online and mobile payment services.

● The customers and donors of the Stripe's users

● Stripe's employees and/or potential employees

II. Categories of personal data transferred

a. The personal data transferred concern the following: Personal Data necessary to provide the services under the Agreement and the DPA.

b. The categories of personal data may include, but are not limited to, the following:

● Contact details, name, address

● IP addresses, usage data, cookies data, location data

● Financial data: cardholder name, bank account details, payment card details, card expiration date, CVC code, date/time/amount of transaction

● Identifiers: unique customer identifier, order ID, merchant name/ID and location

● Employment data: employee ID, performance data, compensation

● Device identifiers and characteristics

● Browsing and activity indicators

● Sensitive information: Driver's license number, Social security number (SSN), Tax ID / TIN, Other government-issued ID number

● Other: As specified in the Statement of Work and the Agreement

III. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

a. Special categories of data may include, but are not limited to, the following:

● ID documents

● Facial recognition data and / or behavioral biometrics

● Health data

● Other: As specified in the Statement of Work and the Agreement

IV. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

As specified in the Statement of Work and the Agreement.

V. Nature of the processing

a. The nature of the processing comprises various operations to achieve the purposes of the processing and may also include:

● collection,

● recording,

● organization,

● structuring,

● storage,

● adaptation or

● alteration,

● retrieval,

● consultation,

● use,

● disclosure by transmission,

● dissemination

● or otherwise making available, alignment or combination, restriction, erasure or destruction of data

VI. Purpose(s) of the data transfer and further processing

a. The subject matter and purpose(s) as set out in the Statement of Work and the Agreement.

VII. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

a. The period for which the personal data will be retained is set out in the DPA.

VIII. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

a. The subject matter and nature of the processing related to transfers to sub-processors is set out at Annex III to these clauses. Subject to the DPA, the duration of the processing is the duration of the Agreement, unless otherwise agreed in writing.

C. COMPETENT SUPERVISORY AUTHORITY

I. The competent supervisory authority in accordance with Clause 13 is the Irish Data Protection Commission.