The document is published within the same legal portal as Stripe's Data Processing Agreement and Data Transfer Addendum, which are cross-referenced as the instruments governing sub-processor obligations and international transfer safeguards.
This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The sub-processor list operates in conjunction with Stripe's DPA and Data Transfer Addendum, meaning that the rights and obligations applicable to sub-processor changes, objection periods, and transfer safeguards are defined in those separate instruments rather than in this document alone.
Interpretive note: The specific terms governing sub-processor notifications and objection rights are contained in Stripe's DPA rather than this document, and the rights available to any given merchant depend on the version of the DPA they have executed.
The document establishes that the legal framework governing sub-processor processing and cross-border transfers is set out in Stripe's separately published Data Processing Agreement and Data Transfer Addendum, which merchant organizations must review to understand their full rights and obligations in relation to this list.
Cross-platform context
See how other platforms handle Reference to Data Processing Agreement and Data Transfer Addendum and similar clauses.
Compare across platforms →Monitoring
Stripe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
REGULATORY LANDSCAPE: GDPR Article 28 requires that sub-processor arrangements be governed by binding contracts imposing equivalent obligations. Stripe's DPA is the primary contractual instrument for this purpose. The Data Transfer Addendum addresses cross-border transfer safeguards under GDPR Chapter V and UK GDPR. Compliance with these instruments is reviewable by EU national data protection authorities and the Irish DPC. GOVERNANCE EXPOSURE: Medium. The sub-processor list is a disclosure document rather than a standalone contractual instrument. Merchant organizations that have not executed a DPA with Stripe, or whose DPA does not include sub-processor objection rights, may not have enforceable rights in relation to sub-processor additions disclosed in this list. JURISDICTION FLAGS: EU and UK organizations are most directly affected by DPA requirements. Organizations in other jurisdictions should assess whether their applicable data protection law requires a formal data processing agreement and whether Stripe's standard DPA satisfies those requirements. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that an executed DPA with Stripe is in place and that it expressly references this sub-processor list as an exhibit or incorporated document. The DPA should specify the advance notice period for sub-processor additions and the mechanism for exercising objection rights. Teams should also confirm that the Data Transfer Addendum covers all non-EEA sub-processors listed in this document. COMPLIANCE CONSIDERATIONS: Legal teams should review the DPA to identify the sub-processor change notification mechanism and the objection window. If the DPA does not specify these terms, legal teams should seek clarification from Stripe or assess whether the absence of an objection right affects their compliance posture. Annual DPA reviews should incorporate updates to the sub-processor list.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The sub-processor list operates in conjunction with Stripe's DPA and Data Transfer Addendum, meaning that the rights and obligations applicable to sub-processor changes, objection periods, and transfer safeguards are defined in those separate instruments rather than in this document alone.
The document establishes that the legal framework governing sub-processor processing and cross-border transfers is set out in Stripe's separately published Data Processing Agreement and Data Transfer Addendum, which merchant organizations must review to understand their full rights and obligations in relation to this list.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.