Last modified: July 3, 2023
This Financial Connections Security Addendum (“Security Addendum”) applies to users of the Stripe Financial Connections Service. This Security Addendum sets out data security requirements relating to your collection, use or disclosure of any Connections Data for as long as you possess or control the Connections Data. Capitalized terms that are not defined in this Addendum will have the meaning given in the applicable Stripe Services Agreement.
1. Obligation to maintain a Security Program
1.1 General
You must develop, implement, maintain and enforce a comprehensive information security program, including administrative, technical, and physical safeguards appropriate to the nature and risk of your business activities and the sensitivity of the Connections Data in your possession or control (“Security Program”).
1.2 Security Program objectives
You must design the Security Program in a manner that achieves the following objectives: (a) maintaining data integrity and ensuring the Connections Data is kept secure and confidential; (b) protecting against any anticipated threats or hazards to the security or integrity of Connections Data; and (c) preventing Connections Data from any unauthorized access or use that could result in substantial harm or inconvenience to an End User. You must take into account evolving technologies and the changing threat landscape while providing a level of protection commensurate with the risks associated with the Connections Data.
1.3 Compliance with Law
You must ensure that the Security Program complies with any Laws applicable to your collection, use, retention or disclosure of the Connections Data, including the GLBA Safeguards Rule (16 CFR Part 314) if applicable.
2. Security Program requirements
Without limiting the foregoing, your Security Program must address how you will perform the following:
2.1 Periodically assess (A) the adequacy of the Security Program and (B) risks related to the security of Connections Data;
2.2 Protect all Connections Data, both in transit over external networks and at rest, via secure encryption techniques no less protective than industry security standards;
2.3 Delete Connections Data (A) where required by Law, or (B) if deletion is not required by Law, reasonably promptly, and to the extent reasonably feasible, once retention of the Connections Data is not necessary for any of the following purposes: (1) the Authorized Purpose, (2) business operations or other legitimate business purposes, or (3) compliance with Law;
2.4 Perform periodic vulnerability assessments and penetration testing on systems where Connections Data is stored or otherwise processed;
2.5 Oversee any of your service providers (including cloud providers) who access Connections Data by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the Connections Data and contractually requiring those service providers to implement and maintain appropriate security measures for the Connections Data that are consistent with the terms of this Security Addendum;
2.6 Maintain reasonable access controls to ensure that only authorized individuals that have a business need for accessing Connections Data are able to access Connections Data;
2.7 Monitor your systems that store Connections Data for any unauthorized access and log any suspected unauthorized access;
2.8 Patch vulnerabilities in a timely fashion;
2.9 Store Connections Data only within the fifty (50) states of the U.S. or in the District of Columbia, unless Stripe agrees in advance in writing;
2.10 Maintain a level of insurance that is reasonable based on the risk associated with your collection, use, retention and disclosure of Connections Data; and
2.11 To the extent permitted by Law, conduct appropriate background checks of personnel who will receive access to unencrypted Connections Data.
3. Data Incident Notification
You must notify Stripe immediately at fc-intake@stripe.com if you become aware of any unauthorized (a) access to or loss of Connections Data in your or any of your service providers’ possession or control; and (b) use, disclosure or modification of Connections Data by you or any of your service providers.