Stripe · Stripe Service Providers (Sub-Processors) · View original document ↗

Reference to Data Processing Agreement and Data Transfer Addendum

Medium severity Medium confidence Inferredfromcontext Unique · 0 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Stripe recorded 2 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Stripe Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The document is published within the same legal portal as Stripe's Data Processing Agreement and Data Transfer Addendum, which are cross-referenced as the instruments governing sub-processor obligations and international transfer safeguards.

This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The sub-processor list operates in conjunction with Stripe's DPA and Data Transfer Addendum, meaning that the rights and obligations applicable to sub-processor changes, objection periods, and transfer safeguards are defined in those separate instruments rather than in this document alone.

Interpretive note: The specific terms governing sub-processor notifications and objection rights are contained in Stripe's DPA rather than this document, and the rights available to any given merchant depend on the version of the DPA they have executed.

Consumer impact (what this means for users)

The document establishes that the legal framework governing sub-processor processing and cross-border transfers is set out in Stripe's separately published Data Processing Agreement and Data Transfer Addendum, which merchant organizations must review to understand their full rights and obligations in relation to this list.

Cross-platform context

See how other platforms handle Reference to Data Processing Agreement and Data Transfer Addendum and similar clauses.

Compare across platforms →

Monitoring

Stripe has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: GDPR Article 28 requires that sub-processor arrangements be governed by binding contracts imposing equivalent obligations. Stripe's DPA is the primary contractual instrument for this purpose. The Data Transfer Addendum addresses cross-border transfer safeguards under GDPR Chapter V and UK GDPR. Compliance with these instruments is reviewable by EU national data protection authorities and the Irish DPC. GOVERNANCE EXPOSURE: Medium. The sub-processor list is a disclosure document rather than a standalone contractual instrument. Merchant organizations that have not executed a DPA with Stripe, or whose DPA does not include sub-processor objection rights, may not have enforceable rights in relation to sub-processor additions disclosed in this list. JURISDICTION FLAGS: EU and UK organizations are most directly affected by DPA requirements. Organizations in other jurisdictions should assess whether their applicable data protection law requires a formal data processing agreement and whether Stripe's standard DPA satisfies those requirements. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that an executed DPA with Stripe is in place and that it expressly references this sub-processor list as an exhibit or incorporated document. The DPA should specify the advance notice period for sub-processor additions and the mechanism for exercising objection rights. Teams should also confirm that the Data Transfer Addendum covers all non-EEA sub-processors listed in this document. COMPLIANCE CONSIDERATIONS: Legal teams should review the DPA to identify the sub-processor change notification mechanism and the objection window. If the DPA does not specify these terms, legal teams should seek clarification from Stripe or assess whether the absence of an objection right affects their compliance posture. Annual DPA reviews should incorporate updates to the sub-processor list.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction to review whether companies' data processing agreements and disclosed practices are consistent with representations made to business customers and consumers
    File a complaint →

Provision details

Document information
Document
Stripe Service Providers (Sub-Processors)
Entity
Stripe
Document last updated
July 6, 2026
Tracking information
First tracked
July 6, 2026
Last verified
July 6, 2026
Record ID
CA-P-013429
Document ID
CA-D-00929
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
35932b974ac23587985419f2d0afe53bb7af26b05d44dc33afd495f516ece468
Analysis generated
July 6, 2026 23:04 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Stripe
Document: Stripe Service Providers (Sub-Processors)
Record ID: CA-P-013429
Captured: 2026-07-06 23:04:41 UTC
SHA-256: 35932b974ac23587…
URL: https://conductatlas.com/platform/stripe/stripe-service-providers-sub-processors/reference-to-data-processing-agreement-and-data-transfer-addendum/
Accessed: July 7, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Stripe's Reference to Data Processing Agreement and Data Transfer Addendum clause do?

The sub-processor list operates in conjunction with Stripe's DPA and Data Transfer Addendum, meaning that the rights and obligations applicable to sub-processor changes, objection periods, and transfer safeguards are defined in those separate instruments rather than in this document alone.

How does this clause affect you?

The document establishes that the legal framework governing sub-processor processing and cross-border transfers is set out in Stripe's separately published Data Processing Agreement and Data Transfer Addendum, which merchant organizations must review to understand their full rights and obligations in relation to this list.

Is ConductAtlas affiliated with Stripe?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.