The document includes Stripe corporate affiliates alongside third-party sub-processors, disclosing that intra-group entities may also process personal data in connection with Stripe's services.
This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that Stripe's intra-group data sharing involves entities that are themselves subject to sub-processor disclosure obligations, which is relevant to merchant compliance with GDPR Article 28 and equivalent frameworks requiring disclosure of all processing entities.
The document establishes that personal data processed through Stripe may be accessed by Stripe's own affiliated corporate entities, each listed with the same disclosure format as third-party sub-processors, indicating that intra-group transfers form part of the disclosed processing chain.
Cross-platform context
See how other platforms handle Stripe Affiliates as Data Processors and similar clauses.
Compare across platforms →Monitoring
Stripe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
REGULATORY LANDSCAPE: Intra-group transfers remain subject to GDPR Chapter V transfer requirements when they cross EEA borders, and Stripe affiliates in non-EEA jurisdictions are subject to the same transfer mechanism requirements as third-party sub-processors. The inclusion of affiliates in the sub-processor list is consistent with GDPR Article 28 practice, which requires disclosure of all entities processing data on behalf of a controller regardless of corporate relationship. GOVERNANCE EXPOSURE: Low to Medium. The inclusion of affiliates is standard practice for GDPR-compliant sub-processor lists. However, merchant organizations should confirm that their DPA with Stripe covers affiliate processing on the same terms as third-party sub-processor processing. JURISDICTION FLAGS: EU and UK organizations must ensure that intra-group transfers to non-EEA Stripe affiliates are covered by appropriate transfer mechanisms. Organizations in countries with localization requirements should separately assess whether transfers to Stripe affiliates outside their jurisdiction are permissible. CONTRACT AND VENDOR IMPLICATIONS: Merchant DPAs should expressly confirm that the sub-processor obligations apply to Stripe affiliates as well as third-party processors. Where Stripe affiliates are located in non-EEA countries, the Data Transfer Addendum should be confirmed as covering those intra-group transfers. COMPLIANCE CONSIDERATIONS: Data mapping documentation should distinguish between third-party sub-processors and Stripe affiliates where that distinction is operationally or regulatorily relevant. Legal teams should confirm that affiliate-specific processing purposes are adequately described to satisfy records of processing requirements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that Stripe's intra-group data sharing involves entities that are themselves subject to sub-processor disclosure obligations, which is relevant to merchant compliance with GDPR Article 28 and equivalent frameworks requiring disclosure of all processing entities.
The document establishes that personal data processed through Stripe may be accessed by Stripe's own affiliated corporate entities, each listed with the same disclosure format as third-party sub-processors, indicating that intra-group transfers form part of the disclosed processing chain.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.