The agreement states that a Stripe Connect Platform may designate itself as a data controller and instruct Stripe to process the user's data, subject to the terms of the separately negotiated Platform Provider Agreement. This creates a data processing structure in which the platform controls how Stripe processes the user's data.
This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision establishes a data processing relationship in which a third-party platform holds data controller authority over the user's data processed by Stripe, which has direct implications for data subject rights fulfillment, lawful basis documentation, and accountability obligations under GDPR and equivalent frameworks.
Interpretive note: The precise allocation of controller and processor roles between the platform and Stripe depends on the content of the Platform Provider Agreement, which is not included in this document, and may vary by jurisdiction and processing activity.
Under this clause, a Stripe Connect Platform may act as a data controller and direct Stripe to process the user's data, meaning the platform's instructions govern how the user's data is handled within Stripe's infrastructure, subject to the Platform Provider Agreement.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
RedCard. We share information with our financial partners to operate the Target RedCard program.
Monitoring
Stripe has changed this document before.
"A Stripe Connect Platform may conduct Activity on User's behalf and act as a data controller to instruct Stripe to process User Data (as defined below), as long as it does so according to User's Platform Provider Agreement."
— Excerpt from Stripe's Stripe Connect Platform Agreement
(1) REGULATORY LANDSCAPE: This provision directly implicates GDPR Articles 4(7), 26, and 28 regarding the definition of data controller, joint controllers, and controller-processor contracts. Where the platform acts as controller and instructs Stripe as processor, a Data Processing Agreement must be in place. Where the platform and Stripe exercise joint control over processing purposes and means, the requirements of GDPR Article 26 regarding joint controller arrangements may apply. The relevant supervisory authorities are national data protection authorities within the EU/EEA and the UK ICO for UK-based users. CCPA may be implicated for California residents.
(2) GOVERNANCE EXPOSURE: High. The provision creates a tripartite data processing structure where the user's data subject rights may need to be fulfilled through or against the platform as controller, rather than directly against Stripe, depending on how processing roles are allocated in the Platform Provider Agreement. This structure requires careful documentation to satisfy GDPR accountability obligations.
(3) JURISDICTION FLAGS: EU/EEA and UK users have the most significant exposure given GDPR and UK GDPR requirements for documented controller-processor arrangements, lawful basis for processing, and data subject rights mechanisms. The provision's reference to the Platform Provider Agreement as the governing instrument for the controller designation means that data protection compliance depends on terms not contained in this document.
(4) CONTRACT AND VENDOR IMPLICATIONS: Data protection officers should obtain the Data Processing Agreement between the platform and Stripe and assess whether the allocation of controller and processor roles is consistent with the actual decision-making over processing purposes and means. Where the platform and Stripe may both be determining processing purposes, a joint controller arrangement under GDPR Article 26 may be required.
(5) COMPLIANCE CONSIDERATIONS: Organizations should update their Records of Processing Activities to reflect the platform's controller role and Stripe's processor role where applicable. Consent mechanisms and privacy notices presented to end users should accurately reflect the tripartite processing structure. Data subject rights request workflows should identify whether requests should be directed to the platform or Stripe.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.