Last modified: December 11, 2024

1. Stripe Vault and Forward Terms.

These terms (“Stripe Vault and Forward Terms”) supplement the Stripe Services Agreement and govern your use of the Stripe Vault and Forward Services.

2. Overview.

Stripe offers APIs that enable you to send Forwarded Data to yourself or your Third Party PSPs, and capture and store response data from Third Party PSPs’ APIs (“Stripe Vault and Forward Services”).

3. Use of Stripe Vault and Forward Services.

3.1. Security Credentials.

Where Stripe requires Security Credentials to allow you to send Forwarded Data to a Third Party PSP, you authorize Stripe and its affiliates to store and use your Security Credentials along with any related data.

3.2. Restrictions on Use.

Where you use the Stripe Vault and Forward Services to send Forwarded Data to Third Party PSPs, you must (a) not share any Forwarded Data with any Third Party PSP that does not comply with applicable Law (including AML and Sanctions Law), or data security standards imposed by Law or financial partners (including PCI-DSS); (b) validate each Third Party PSP’s compliance with PCI-DSS on an annual basis, list each Third Party PSP as your third-party service provider in your PCI attestation of compliance, and immediately notify Stripe if you become aware that a Third Party PSP is not complying with PCI-DSS or is otherwise failing to safeguard the Forwarded Data; (c) upon request, validate each Third Party PSP’s compliance with AML and Sanctions Law on an annual basis; (d) use the Stripe Vault and Forward Services only to facilitate transactions in countries permitted by Stripe; and (e) upon request, provide Stripe with information about a Third Party PSP required to permit Stripe to comply with applicable Law or otherwise fulfill its obligations to you, your Customers, its users, and its financial partners.

3.3. Representations and Warranties.

You represent as of the date you enter into these Stripe Vault and Forward Terms, and warrant during the term of these Stripe Vault and Forward Terms, that:

(a) you have all rights, consents, approvals, and authorizations, and have provided all disclosures to Customers, required to allow Stripe and its affiliates to lawfully:

(i) provide the Stripe Vault and Forward Services; and

(ii) collect, use, retain and disclose the data Stripe receives in connection with the Stripe Vault and Forward Services, as the Stripe Services Agreement and our Privacy Policy describe; and

(b) your use of the Stripe Vault and Forward Services complies with:

(i) all applicable agreements with and obligations owed to Third Party PSPs, if any;

(ii) all applicable guidelines, bylaws, rules and regulations maintained by the payment card networks; and

(iii) all applicable data security standards imposed by applicable Law or financial partners (including PCI-DSS).

3.4 Responsibility for Merchants.

If you are using the Stripe Vault and Forward Services in connection with transactions where the merchant is your affiliate or a Sub-user of your affiliate, then you must:

(a) promptly notify Stripe of the identity of that merchant, upon request;

(b) ensure that merchant is subject to and will comply with the terms of these Stripe Vault and Forward Terms and the Agreement as if references to “you” were references to that merchant; and

(c) have sufficient controls in place to ensure that none of those transactions (i) involve goods or services prohibited under AML and Sanctions Law, nor (ii) are for the benefit of Sanctioned Persons.

4. Indemnification.

You agree to (a) defend Stripe and its affiliates, directors, employees, and agents from any claims arising from a Third Party PSP’s failure to comply with applicable Law, payment card network requirements, data security standards, or any of its agreements with or obligations to you, Sub-users, customers, or any other party, or failure to protect Forwarded Data provided to the Third Party PSP, and (b) indemnify Stripe and its affiliates, directors, employees, and agents for losses arising out of or relating to those claims, in each case in accordance with the indemnification provisions in the Agreement.

5. Definitions.

“AML and Sanctions Law” means all applicable anti-money laundering and sanctions laws, rules, regulations and other binding requirements of any regulator or other governmental agency or entity with jurisdiction in the United States, or with jurisdiction over the Stripe Vault and Forward Services, Stripe or its affiliates, you or your affiliates, or a Third Party PSP, as applicable.

“API” means application programming interface.
“Forwarded Data” means payment card and transaction-related data that you forward using the Stripe Vault and Forward Services, including payment card transaction authorization and charge requests.

“Sanctioned Persons” means people or entities that are subject to sanctions (e.g., prohibitions or asset freezes) under AML and Sanctions Law, including if they are (a) on an applicable sanctions list, such as the sanctions lists identified by the United States Office of Foreign Asset Control and the European Commission; (b) owned or controlled by a person on an applicable sanctions list; or (c) ordinarily resident in a jurisdiction identified as high risk in Stripe's Prohibited and Restricted Business List.

“Security Credentials” means your (or if applicable, your affiliate’s) API license keys and other security credentials for Third Party PSPs.

“Sub-users” means the users of your or your affiliate’s platform services that the applicable user entity has enabled to accept card payments.

“Third Party PSP” means a third-party card payment services provider to you or your affiliate (such as a provider of payments processing, payments orchestration services, or token management services) to whom you directly or indirectly route Forwarded Data.