Privacy facts at a glance
- Jurisdictions
- US · IN · IE · CO · MY · PH · GB · JP · CA · AU
- Subprocessors
- 34
- Retention
- Stripe processes Personal Data for the Term and any period required to perform post-termination obligations, and will delete or return Personal Data following termination unless retention is required by law or the Agreement.
- Breach notification
- Stripe will notify User without undue delay of a Data Incident, and no later than 48 hours after becoming aware for incidents affecting Personal Data subject to GDPR or UK GDPR.
- Transfer mechanism
- Data Privacy Framework (EU-US DPF, UK Extension, Swiss-US DPF); Data Transfer Addendum also referenced
- DPA available
- Yes
- Certifications
- PCI Service Provider Level 1 · SOC 1 Type II · SOC 2 Type II · SOC 3 · EMVCo Level 1 and 2 · PCI PA-DSS · CBPR · PRP · EU-US Data Privacy Framework · UK Extension to EU-US DPF · Swiss-US Data Privacy Framework
- GDPR addressed
- Yes
- CCPA addressed
- Yes
Named subprocessors
Amazon Web Services, Inc.
Amazon Internet Services Private Limited
Sprinklr, Inc.
Salesforce, Inc.
Twilio, Inc.
Intuition Machines, Inc.
Verifi, Inc.
Jack Henry & Associates, Inc.
Mitek Systems, Inc.
TELUS International (Cda)
AML Rightsource
Teleperformance Colombia S.A.S.
Tracked documents
Recent changes
Public summary; per-account review history visible to subscribers tracking this vendor.
Track Stripe in your workspace.
Get notified when Stripe adds a subprocessor, changes retention, updates their DPA, or quietly amends their privacy posture.
Start tracking — 14-day trialNo card required.