What is a Data Processing Agreement or “DPA”?
A Data Processing Agreement or “DPA” is a contract between a data controller and a data processor that describes the roles and responsibilities of the parties when personal data is processed. A DPA must satisfy a number of requirements in order to be compliant with data privacy laws, including the EU General Data Protection Regulation (“GDPR”).
Does Stripe offer a DPA?
Yes. The Data Processing Agreement forms part of your Stripe Services Agreement (“SSA”).
Is Stripe certified under the EU-U.S Data Privacy Framework?
Stripe has certified its participation in the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework. Stripe will not rely on the Swiss-U.S. Data Privacy Framework until it enters into force, but we adhere to its required commitments in anticipation of that. You can learn more about our certification and read the Stripe Data Privacy Framework Policy at https://stripe.com/legal/data-privacy-framework.
What is Stripe’s approach to international data transfers?
Stripe’s Data Transfers Addendum is incorporated into your Data Processing Agreement. The Data Transfers Addendum sets out the data transfer mechanisms which may apply when Stripe provides services to you. If more than one data transfer mechanism applies, the DPF takes precedence. We incorporate multiple transfer methods to ensure that data transfers can continue in case the DPF is invalidated or Stripe is otherwise prevented from relying on the DPF.
What are the Standard Contractual Clauses?
The Standard Contractual Clauses (“SCCs”) are a data transfer mechanism issued by the European Commission that are used for the transfer of personal data from the EEA and Switzerland. Under Article 46 GDPR, the SCCs are one of the ways that organizations can transfer personal data to certain countries, outside of the European Economic Area, including the United States.
Does Stripe offer the Standard Contractual Clauses?
The SCCs published in 2021 for cross-border transfers of personal data from the EEA, together with an adapted version of those SCCs for transfers of personal data from Switzerland are incorporated into Stripe’s Data Transfers Addendum.
Does Stripe offer the UK Addendum or International Data Transfer Agreement?
On 21 March 2022, the Information Commissioner’s Office’s International Data Transfer Agreement and the amended Addendum to the SCCs (“UK International Data Transfer Addendum”) came into force in the UK. For transfers of personal data from the UK, the UK International Data Transfer Addendum is incorporated into Stripe’s Data Transfers Addendum.
Will the online DPA affect other terms that I have agreed to with Stripe?
You can find our Data Processing Agreement at www.stripe.com/legal/dpa. If you have agreed other terms with Stripe relating to the data processing activities or the privacy and security obligations of Stripe and its affiliates in connection with Stripe’s services, and those terms take precedence over the Data Processing Agreement, those other terms are unaffected by the Data Processing Agreement.
Does Stripe use Sub-processors?
To support Stripe in delivering its Services, we engage service providers, sub-processors and affiliates to assist with our data processing activities on behalf of our business users. Visit Stripe Service Providers, Sub-Processors & Affiliates for more information.
Where can I find more information?
Stripe respects the privacy of everyone that engages with our platform, and we are committed to being transparent about our privacy processes and policies. Visit the Stripe Privacy Center for more information about our practices. If you have any questions regarding this page, please contact us or your account manager.