Stripe

PaymentsMedium RiskVerified 2026-03-05

Overview

Headquarters🇺🇸 USSan Francisco

US IncorporatedYes

CLOUD Act ExposureYes

NotesStripe does not offer HIPAA compliance and will not sign a Business Associate Agreement. PCI DSS Level 1 Service Provider.

Regions (2 in 2 countries)

🇺🇸 US

US · San Francisco

🇮🇪 IE

EU Dublin · Dublin

Compliance & Data

✓ SOC 2✓ ISO 27001✓ GDPR✗ HIPAA✓ PCI DSS

Payment DataPII

Applicable Laws (4)

Applies to businesses meeting revenue or data volume thresholds that handle California residents' data.

Max fine: USD 7,500 per intentional violationvia 🇺🇸 US

CLOUD ActUnited States

Any US-incorporated provider or subsidiary may be compelled to disclose data regardless of where it is stored.

Max fine: Contempt of court penaltiesvia 🇺🇸 US

Cross-border transfers to non-adequate countries require SCCs, BCRs, or other safeguards.

Max fine: 4% of global annual turnover or EUR 20Mvia 🇮🇪 IE

US providers may be subject to surveillance orders targeting non-US persons, creating risk for EU data subjects.

Max fine: Contempt of court penaltiesvia 🇺🇸 US