Supplier Data Processing Agreement

Last updated: November 11, 2025

This Data Processing Agreement (“DPA”) is between the Stripe entity specified in the Agreement (and its Affiliate(s), collectively “Stripe”) and the Supplier entity specified in the Agreement (and its Affiliate(s), collectively “Supplier”), and is subject to and incorporated by reference into the Agreement. This DPA, including the Exhibits, sets out the data protection and security requirements that apply to Supplier’s Processing of Personal Data to provide the Services.

DPA

Stripe and Supplier agree as follows:

1. Roles of the Parties.

1.1 Supplier as a Data Processor of Stripe Data.

Supplier may Process Stripe Processor Data only as necessary to provide the Services. For the Processing of Stripe Processor Data, Stripe is a Data Controller, and Supplier is a Data Processor or Sub-processor acting on Stripe’s behalf. Where Supplier Processes Stripe Processor Data, it will do so only according to Stripe’s instructions set out in Section 2 (Instructions), an SOW (if any), and the Agreement.

1.2 Supplier as a Data Controller of Stripe Data.

Supplier may Process Stripe Controller Data only as necessary to provide the Services. For the Processing of Stripe Controller Data, Stripe is a Data Controller, and Supplier is an independent Data Controller, not a joint Data Controller with Stripe. Where Supplier Processes Stripe Controller Data, it will do so only as: (a) set out in an SOW (if any) and the Agreement and necessary to provide the Services; and (b) necessary to comply with Law or DP Law.

1.3 Stripe as a Controller of Supplier Data.

For the Processing of Supplier Data, Supplier is a Data Controller, and Stripe is an independent Data Controller, not a joint Data Controller with Supplier. Stripe will Process Supplier Data as DP Law permits and according to Stripe’s Privacy Policy and the Agreement, including this DPA. 

1.4 Role of STC.

STC is a party to this DPA as the Data Exporter and to the extent it is a Data Controller or Data Processor of the Personal Data.

2. Instructions. 

Supplier will Process Stripe Processor Data on behalf of and in accordance with Stripe’s Instructions and DP Law. Supplier will inform Stripe if, in its opinion, the Instructions are inconsistent with DP Law. Supplier must not sell, retain, use, or share Stripe Processor Data (a) for any purpose other than those set out in the Agreement; (b) for any commercial purpose; or (c) outside of the direct business relationship between the parties. 

3. Compliance. 

3.1 General Compliance.

Supplier will comply with applicable DP Law and this DPA when Processing Personal Data and provide reasonable assistance to support Stripe’s compliance with its obligations under DP Law. Supplier warrants that it has all necessary rights, consents, and permissions to collect, Process, share, and transfer Supplier Data to Stripe for the purpose(s) stated in an SOW or the Agreement, as well as Stripe’s marketing, sales, or recruiting purposes. Supplier will maintain and, upon Stripe's request, make available all records of Processing activities and documentation of disclosures, consents, and permissions related to the Services.  

3.2 CCPA Compliance.

Supplier will only use, retain, or disclose Personal Data for the specific purpose of providing the Services to Stripe. Supplier warrants it will not: (i) sell, transfer, share, or provide access to any Personal Data for monetary or other valuable consideration; (ii) accept Personal Data as consideration for Services; or (iii) combine Personal Data with personal data from other sources except to achieve CCPA-defined “business purposes”. Supplier will maintain the privacy protections required by CCPA and notify Stripe if it determines it can no longer meet these obligations. 

3.3 Department of Justice Bulk Data Rule Compliance.

Supplier represents it will not knowingly disclose or transfer Covered Data to any Covered Person in a Country of Concern, as defined under applicable Department of Justice regulations, and will impose equivalent restrictions on all Sub-processors of Stripe Data. 

4. Confidentiality.

Supplier must limit Stripe Data access to authorized individuals on a need-to-know basis and ensure all those individuals are bound by confidentiality obligations.

5. Access and Data Subject Rights.

5.1 Data Subject Requests.

Supplier must promptly inform Stripe of all Data Subject Requests Supplier receives from Data Subjects. Supplier will not respond to Data Subject Requests other than to: (i) request information about the Data Controller; (ii) identify the Data Subject; and (iii) if applicable, direct the Data Subject to Stripe as Data Controller.

5.2 Public Authority Requests.

Unless Law prohibits it, Supplier must immediately, but in no event more than 3 business days after receipt, inform Stripe of each public authority’s request for Supplier to (i) disclose Personal Data Processed in relation to the Services; or (ii) participate in an investigation involving Personal Data.

6. Impact Assessments and Consultations.

Supplier will provide reasonable assistance to Stripe in connection with any data protection impact assessment or consultation with a supervisory authority that is required under applicable DP Law. Upon Stripe’s written request, Supplier will promptly provide all necessary information that demonstrates Supplier’s compliance with this DPA.

7. Audit Rights.

Stripe, or a qualified third-party Stripe selects, may perform an audit according to its rights under DP Law and subject to Exhibit A (Audit Rights) of this DPA.

8. Data Breach.

If Supplier becomes aware that a Personal Data Breach occurred, Supplier must notify Stripe according to the terms of Exhibit A (Security Monitoring and Incident Response). In addition to the requirements set out in Exhibit A, Supplier must provide Stripe an assessment of the Personal Data Breach’s impact, communicate regular updates, and confer with Stripe regarding Stripe’s notice obligations arising from the Personal Data Breach. Supplier must not notify Stripe’s affected Data Subjects about any Personal Data Breach without Stripe’s prior written authorization.

9. Data Security Measures.

Supplier must implement, maintain, and comply with the technical and organizational Security Requirements set out in Exhibit A to this DPA.

10. Sub-Processors.

Stripe may authorize Sub-processors to Process Stripe Processor Data as necessary to perform the Services if: (a) Supplier provides Stripe an up-to-date list of Supplier's Sub-processors before allowing any of those Sub-processors to Process Stripe Data; (b) Supplier provides Stripe at least 30 days' notice of any change to Sub-processors by emailing suppliersubprocessors@stripe.com; (c) Supplier has conducted due diligence on its Sub-processors; (d) Supplier represents that it has, and warrants that it will have, entered into a written contract with each Sub-processor that contains equally protective data protection terms to this DPA and obligates Sub-processors to comply with DP Law; and (e) Supplier remains liable for any breach of this DPA that its Sub-processor’s act, error, or omission caused. If Stripe objects to Supplier's proposed use of any additional or replacement Sub-processor(s), the parties will discuss commercially reasonable alternatives in good faith. If the parties cannot reach resolution, Supplier will not allow the Sub-processor(s) to process Stripe Data, and Stripe may suspend or terminate the Agreement.

11. Data Deletion or Return.

Upon Stripe’s request, or within 30 days of termination or expiration of the Agreement, Supplier must delete or return all Stripe Data in Supplier’s control or possession, except that Supplier may retain Stripe Data to the extent necessary to comply with Law. (Identity verification suppliers must delete all Stripe Data immediately after verification occurs and will not retain Stripe Data in any form for any reason.) Upon Stripe’s request, Supplier must promptly provide written confirmation that it deleted Stripe Data that was not returned.

12. Cross-Border Data Transfer Mechanisms.

To the extent Stripe’s use of the Services requires an onward Data Transfer Mechanism to lawfully transfer Personal Data from one jurisdiction to another, the terms stated in the Supplier Data Transfers Addendum, which is incorporated into this DPA, will apply. 

13. Entire Agreement.

This DPA supersedes all prior or contemporaneous data processing agreements between the parties in relation to the Services.

14. Conflict.

If there is any conflict or ambiguity between: (a) this DPA and the Agreement, then this DPA supersedes for all matters concerning Processing Personal Data; or (b) this DPA and the Data Transfer Mechanisms (if applicable), then the Data Transfer Mechanisms will supersede.

Definitions

When used in this DPA, the following terms have the following meanings. All capitalized terms not defined in this DPA have the meanings set out in the Agreement.

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199, and its implementing regulations.

“DP Law” means all laws and regulations that apply to Personal Data Processing in connection with any services provided by Supplier, including applicable international, federal, state, provincial, and local laws, rules, regulations, directives and governmental requirements currently in effect, and as they become effective, relating in any way to data privacy, data protection, data transfer, data security, and the Payment Card Industry Data Security Standards and in each case as amended, repealed or replaced from time to time.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.

“Data Exporter” means STC, to the extent required, for transfers of Personal Data in accordance with Section 12 of this DPA and the Supplier Data Transfers Addendum.

“Data Privacy Framework” means, as applicable, the EU-US, Swiss-US, or UK-US Data Privacy Framework self-certification program operated by the US Department of Commerce.

“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a “Service Provider” as defined under the CCPA.

“Data Subject” means an identified or identifiable natural person.

“Data Subject Request” means a request from a Data Subject (including “Verifiable Consumer Requests” as defined in the CCPA) exercising the Data Subject’s right of access to (right to know under the CCPA), or correction or erasure of, their Personal Data, their right to restrict or object to Supplier’s Processing, or their right to data portability.

“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under DP Law, which includes transfer mechanisms that are required under DP Law in the EEA, Switzerland and the UK, such as the Data Privacy Framework, the EEA Standard Contractual Clauses, the UK International Data Transfer Addendum and any data transfer mechanism available under DP Law that is incorporated into this DPA.

“GDPR” means the General Data Protection Regulation (EU) 2016/679, as amended or replaced from time to time.

“Harmful Code” means a virus, “Trojan horse”, worm, time bomb, malicious script, or any type of code that causes harm to a computer system or network.

“Information Security Breach” means, each or collectively, an inadvertent disclosure of data by Supplier, a data breach of the Supplier Systems, or a Personal Data Breach of the Supplier Systems.

“Instructions” means this DPA and any further written agreement or documentation by way of which the Data Controller instructs the Data Processor to perform specific Processing of Personal Data for that Data Controller.

“Law” means all applicable laws, rules, regulations and other binding requirements of any governmental or supervisory authority with jurisdiction over the Services, Stripe, or Supplier, as applicable.

“Personal Data” means any information relating to a Data Subject that is Processed in connection with any services provided by Supplier and includes “personal data” as defined by the GDPR and “personal information” as defined by the CCPA.

“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Process”, “Processing”, or “Processed” means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as defined or described under DP Law.

“Security Requirements” means technical and organizational measures that Supplier must implement to secure Stripe Data to a level appropriate for the risk of the Processing, which include measures protecting Stripe Data from misuse; accidental or unlawful loss; and unauthorized access, disclosure, alteration, or destruction.

“Services” has the meaning given to that term in the Agreement and, if not defined in the Agreement, means the services Supplier provides to Stripe under the Agreement.

“SOW” has the meaning given to that term in the Agreement and, if not defined in the Agreement, means an executed statement of work that states the Services Supplier will provide to Stripe.

“STC” means Stripe Technology Company, Limited, a private limited company organized under the laws of Ireland with company number 564555.

“Stripe Data” means all data (including Personal Data) (i) Supplier collects, receives, stores, or maintains in connection with Supplier’s provision of the Services (including data and information Supplier collects through cookies); (ii) Stripe provides to Supplier; or (iii) derived from (i) or (ii).

“Stripe Controller Data” means any Personal Data that Supplier Processes as a Controller under this DPA.

“Stripe Processor Data” means any Personal Data that Supplier Processes under this DPA as a Processor that is not Stripe Controller Data.

“Supplier Data” means any Personal Data Stripe receives from Supplier under the Services.

“Supplier Systems” means Supplier’s procedures, applications, and IT infrastructure on or through which Supplier stores, transmits, or accesses Stripe Data.

“Sub-processor” means an entity engaged by the Data Processor (or any Sub-processor of the Data Processor) to Process Personal Data in order to provide parts of the Services.

SRA (Exhibit A)

This Security Requirements Addendum (“SRA”) sets out the Security Requirements and is incorporated into and subject to the Agreement. All capitalized terms not defined in this SRA have the meanings set out elsewhere in the Agreement. Supplier’s non-compliance with these Security Requirements will be deemed a material breach of the Agreement.   

1. Single Sign-On (SSO). 

For any cloud-hosted Services accessible to Stripe, Supplier will implement single sign-on via SAML 2.0 (“SSO”) enabling Stripe authorized users access through a centralized login system, with SSO replacing username/password authentication for all Stripe user accounts.

2. Authentication and Access Management.

Supplier will implement multi-factor authentication controls on Supplier Systems and manage access based on the principle of least privilege. Supplier will ensure that only individuals with requisite permissions can access Stripe Data on a need-to-know basis, and will maintain processes for proper provisioning, deprovisioning, and regular access reviews.

3. Security Testing and Remediation.

Supplier will maintain industry-standard vulnerability management practices for Supplier Systems including regular scanning and annual third-party penetration testing. Critical security vulnerabilities will be remediated as soon as possible, and all other security findings will be addressed within a commercially reasonable timeframe not exceeding 30 days. Upon request, Supplier will provide evidence of testing and remediation efforts. 

4. Device and Endpoint Security.

Supplier will maintain an inventory of devices connecting to Supplier Systems, apply defined secure configurations, and programmatically monitor and protect these devices. Supplier will deploy industry-standard anti-virus and anti-malware technologies to ensure devices remain free from Harmful Code, with immediate remediation of any detected threats.

5. Data Protection.

Supplier will maintain a data classification framework that identifies sensitive data and applies appropriate security controls based on data sensitivity. Supplier must encrypt all Stripe Data using industry-standard protocols, including encryption in transit (minimum TLS 1.2) and at rest (minimum AES-256).

6. Security Governance.

Supplier will maintain a documented information security program that includes: (a) formal security policies reviewed annually by management; (b) a risk management framework to identify, assess, and address security risks; (c) security awareness training for all authorized individuals with access to Stripe Data; and (d) third-party background checks on all authorized individuals with access to Stripe Data.

7. Third-Party Management.

Supplier will maintain a third-party risk management program and ensure all third parties that may access or process Stripe Data implement industry-standard technical and organizational security measures and are contractually obligated to notify Supplier of any data breach. Supplier will obtain Stripe’s approval before allowing any Sub-processor to process Stripe Data and ensure all approved Sub-processors comply with the security requirements in this Agreement.

8. Secure SDLC.

Supplier will implement secure software development lifecycle (“SDLC”) practices and industry-standard change management control procedures.

9. Security Monitoring and Incident Response.

Supplier will maintain systems to monitor and protect the security of Supplier Systems, including intrusion detection and prevention, log management, and anomaly detection. Supplier will maintain and annually review an incident response plan with designated responders. In the event of an Information Security Breach affecting Stripe Data, Supplier will notify Stripe within 48 hours at privacy@stripe.com, take all possible steps to mitigate the impact, and provide relevant information about the incident to Stripe upon request. Supplier may redact information provided to Stripe to protect Confidential Information unrelated to Stripe. 

10. Industry Certification.

If Supplier is Processing Personal Data, Supplier represents and warrants during Supplier’s provision of the Services that it has at least one of the following active certifications covering its organization or systems that handle Stripe Data: ISO 27001, SOC 2 Type 2, or PCI Attestation of Compliance. Supplier will provide current certification documentation to Stripe at least annually.

11. Audit Rights.

No more than once annually, upon reasonable notice and at Stripe’s expense, Supplier will allow Stripe to carry out, through a qualified third-party auditor, an audit or vulnerability assessment of the Supplier Systems (a “Security Audit”). Following an Information Security Breach that affected Stripe Data, Supplier will carry out, at its own reasonable expense and through a qualified third-party auditor Stripe approves, a forensic investigation to determine the Information Security Breach’s cause, extent, and impact (a “Forensic Audit”).

12. Stripe TPSRA.

No more than once annually, upon Stripe’s request, Supplier will complete Stripe’s third-party security risk assessment (“TPSRA”) and remediate any identified security gaps.