Last updated: June 8, 2022
To support Stripe in delivering its Services, Stripe engages Service Providers, Sub-Processors and Affiliates to assist Stripe with its data processing activities on behalf of Stripe Business Users as defined in our Stripe Services Agreement.
What is a Sub-processor?
When Stripe engages third party service providers in our capacity as a data processor for our Business Users’ personal data, the General Data Protection Regulation (“GDPR”) calls these third-party service providers sub-processors. Sub-processors are service providers who have or potentially will have access to or process personal data that Stripe processes for, and on behalf of, Stripe’s Business Users.
The list outlines the types of service providers, sub-processors, and affiliates we utilize, where they are located, and a description of the work they carry out.
Due Diligence
Before engaging any service provider, we perform due diligence, including a vendor security assessment. Our service providers are subject to contract terms designed to ensure that these service providers process personal data only for the purposes of providing services to Stripe and in accordance with our commitments to Business Users and applicable data protection laws.
List of Service Providers
The below list of service providers are some key third parties Stripe works with across our products and services. You will also find some service providers that Stripe works with for a specific Stripe product or service.
NAME | DATA | PURPOSE OF PROCESSING | ENTITY COUNTRY |
---|---|---|---|
Business User data | eSignatures | United States | |
Business User data, End Customers’ data and Visitors’ data | Email, file storage, collaboration tools, and services to help protect our Sites (e.g. ReCAPTCHA) and to measure interactions on our Sites | United States | |
Business User data | Marketing tool | United States | |
Business User data | Customer relationship management platform which stores Business User contact information as well as supporting information about the business relationship | United States | |
Business User data, insofar as that is shared in spoken word between the conversing parties | Video conferencing system | United States | |
Business User data | Provide sanctions screening services | United States | |
Business User data | Provide merchant monitoring services | United States | |
User and Sales support service providers | Information included in the queries raised by the individuals contacting Stripe support | Provide user and sales support in several languages and timezones | Various |
Verification service providers | Business User data and End Customer data | Help verify the identity of Stripe Business Users and End Customers, and mitigate fraud | Various |
Stripe Issuing | |||
Cardholder name, PAN, CVV, expiration date, shipping address | Printing the cards for Stripe Issuing | United States | |
Stripe Terminal | |||
The Phoenix Group | Business User name and address for shipping purposes | To enable hardware ordered from Stripe to be shipped to Business Users in the US and CA | United States |
Business User name and address for shipping purposes | To enable hardware ordered from Stripe to be shipped to Business Users in Europe | United Kingdom |
Updates to this Page
Due to the nature of our global business and the volume of Business Users, our business needs and services providers may change from time to time. For example, we may deprecate a service provider to consolidate and minimize our use of service providers. Similarly, we may add a service provider if we believe that doing so will enhance our ability to deliver our Services.
We will periodically update this page to reflect additions and removals to our list of service providers. If you are a Business User, you may subscribe to receive email notifications of updates to this page here.
Under the terms of our Data Processing Agreement (DPA), a Business User may reasonably object in writing to the processing of its personal data by a new sub-processor within 30 days following the update of this page. If a Business User does not object during the 30 day time period, the appointment of the new sub-processor shall be deemed accepted by the Business User. If you are a Business User and want to know more about our DPA, please contact us.
For more information on Stripe’s privacy practices, please visit our Privacy Policy. If you have any questions regarding this page, please contact us.