Checkout.com processes payment card data and personal data on behalf of merchants, which creates obligations under PCI DSS and applicable data protection laws including GDPR. Merchants are typically required to enter into a data processing agreement as part of the onboarding process.
This analysis describes what Checkout.com's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
As a payment processor handling card data, Checkout.com's data practices directly affect how sensitive financial information belonging to end customers is stored, processed, and protected.
Interpretive note: The specific data processing terms were not rendered in the truncated document; this analysis is based on standard regulatory requirements applicable to Checkout.com's business model and the document's references to privacy policies in its legal hub navigation.
End customers whose card details are processed through Checkout.com have their payment data subject to Checkout.com's security and data protection practices, making the adequacy of those practices material to cardholder security.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Checkout.com has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
(1) REGULATORY LANDSCAPE: Payment card data handling engages PCI DSS as the primary technical standard, GDPR and UK GDPR for personal data processed about EU and UK data subjects, and the Payment Card Industry Security Standards Council's requirements. The UK ICO and EU data protection authorities enforce GDPR compliance. In the US, state privacy laws including CCPA may apply depending on the cardholder's location. (2) GOVERNANCE EXPOSURE: High. As a data processor for merchants, Checkout.com's data processing agreement must satisfy GDPR Article 28 requirements. Merchants act as data controllers and bear accountability for ensuring the processor agreement is adequate. Failure to execute a compliant DPA creates regulatory exposure for the merchant, not just Checkout.com. (3) JURISDICTION FLAGS: EU and UK merchants face mandatory DPA requirements under GDPR and UK GDPR. California merchants and those serving California residents should assess CCPA data sharing implications. Cross-border data transfers outside the EEA require appropriate transfer mechanisms such as Standard Contractual Clauses. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams must obtain and review Checkout.com's data processing addendum prior to go-live. The DPA should specify data retention periods, sub-processor lists, breach notification timelines, and data subject rights support obligations. (5) COMPLIANCE CONSIDERATIONS: Data mapping exercises should document the flow of payment and personal data through Checkout.com's infrastructure. Breach notification procedures should be aligned with Checkout.com's stated timelines and applicable regulatory requirements of 72 hours under GDPR.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
As a payment processor handling card data, Checkout.com's data practices directly affect how sensitive financial information belonging to end customers is stored, processed, and protected.
End customers whose card details are processed through Checkout.com have their payment data subject to Checkout.com's security and data protection practices, making the adequacy of those practices material to cardholder security.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Checkout.com.