Data Processing Agreement - FAQS

What is a Data Processing Agreement or “DPA”?

A Data Processing Agreement or “DPA” is a contract between a data controller and a data processor that describes the roles and responsibilities of the parties when personal data is processed. A DPA must satisfy a number of requirements in order to be compliant with data privacy laws, including the EU General Data Protection Regulation (“GDPR”).

Does Stripe offer a DPA?

Yes. If you are a business with a Stripe account located in the United States, your Data Processing Agreement forms part of your Stripe Services Agreement (“SSA”). If you are a business with a Stripe account located outside of the United States, we will soon be making the Data Processing Agreement available to you. Until then, please contact us or your account manager and we will send you our DPA.

What are the Standard Contractual Clauses?

The Standard Contractual Clauses (“SCCs”) are a data transfer mechanism issued by the European Commission that are used for the transfer of personal data from the European Economic Area (“EEA”) and Switzerland. The SCCs are required by the GDPR for transfers of personal data to certain countries, including the United States.

Does Stripe offer the Standard Contractual Clauses?

We offer the modernized SCCs published in 2021 (“SCCs”) for cross-border transfers outside of the EEA and Switzerland.

Users located in the United States. If you are a business with a Stripe account located in the United States, and your use of the Stripe services results in you transferring personal data from an EEA country or Switzerland to Stripe (for example, if your customers are located in these countries), your SCCs are incorporated into your Data Processing Agreement and form part of your Stripe Services Agreement.

Users located outside the United States. If you are a business with a Stripe account located outside the United States, and your use of the Stripe services results in the same transfer of personal data as described in the previous paragraph, we will soon be making the Data Processing Agreement available to you, which will incorporate the SCCs. Until then, please contact us or your account manager and we will send you the SCCs.

If you have signed an older version of the standard contractual clauses (being those that were developed prior to the GDPR), these will remain valid for transfers of personal data from the EEA and Switzerland until 27 December, 2022. Please contact us or your account manager and we will send you the latest SCCs. Alternatively, on your acceptance of the Data Processing Agreement, the SCCs incorporated into the Data Processing Agreement will replace any prior version of the SCCs you have signed.

Does Stripe offer the UK Addendum or International Data Transfer Agreement?

On 21 March 2022, the Information Commissioner’s Office’s International Data Transfer Agreement and the amended Addendum to the SCCs (“UK Addendum”) came into force in the UK. For transfers of personal data from the UK, Stripe offers the UK Addendum.

If you are a business with a Stripe account located in the United States, and your use of the Stripe services results in you transferring personal data from the UK to Stripe (for example, if your customers are located in the UK), your UK Addendum is incorporated into your Data Processing Agreement and forms part of your Stripe Services Agreement.

If you are a business with a Stripe account located outside the United States, and your use of the Stripe services results in the same transfer of personal data as described in the previous paragraph, we will soon be making the Data Processing Agreement available to you, which will incorporate the UK Addendum. Until then, please contact us or your account manager and we will send you the UK Addendum.

If you have signed an older version of the standard contractual clauses (being those that were developed prior to the GDPR), these remain valid for transfers of personal data from the UK until 21 March, 2024.

Will the online DPA affect other terms that I have agreed to with Stripe?

You can find our Data Processing Agreement at www.stripe.com/legal/dpa. If you have agreed other terms with Stripe relating to the data processing activities or the privacy and security obligations of Stripe and its affiliates in connection with Stripe’s services, and those terms take precedence over the Data Processing Agreement, those other terms are unaffected by the Data Processing Agreement.

Does Stripe use Sub-processors?

To support Stripe in delivering its Services, we engage service providers, sub-processors and affiliates to assist with our data processing activities on behalf of our business users. Visit Stripe Service Providers, Sub-Processors & Affiliates for more information.

Where can I find more information?

Stripe respects the privacy of everyone that engages with our platform, and we are committed to being transparent about our privacy processes and policies. Visit the Stripe Privacy Center for more information about our practices. If you have any questions regarding this page, please contact us or your account manager.