// Trust & Security Report

    Stripe, Inc. logo

    Stripe, Inc.

    Stripe AI comprises AI-powered payment optimization features integrated into Stripe's core platform, including personalized checkout, fraud detection (Radar), revenue recovery (Smart Retries), payment intelligence, and the Stripe Payments Foundation Model (a self-supervised foundation model trained on tens of billions of transactions that distills each payment into an embedding; described by Stripe as a foundation model, not a large language model). Includes specialized products: Agentic Commerce Suite, Machine Payments Protocol, and Link digital wallet for AI agents.

    Certifications held

    13

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI Service Provider Level 1
    HELD

    PCI Service Provider Level 1 - Highest certification level for online payment processing

    Verify on docs.stripe.com
    SOC 1 Type II
    HELD

    SOC 1 Type II - Annual compliance audits (available upon request)

    Verify on docs.stripe.com
    SOC 2 Type II
    HELD

    SOC 2 Type II - Annual compliance audits available upon request through trust.stripe.com, typically within 24-48 hours after NDA execution

    Verify on docs.stripe.com
    SOC 3
    HELD

    SOC 3 - Public report on internal controls for security, availability, and confidentiality, available without NDA

    Verify on docs.stripe.com
    PCI Payment Application Data Security Standard (PA-DSS)
    HELD

    PCI PA-DSS - Global security standard for payment applications

    Verify on docs.stripe.com
    EMVCo Level 1 & 2
    HELD

    EMVCo Level 1 & 2 - EMV® specifications for card and terminal security and interoperability

    Verify on docs.stripe.com
    NIST Cybersecurity Framework
    HELD

    NIST Cybersecurity Framework - Information security policies and design alignment

    Verify on docs.stripe.com
    CBPR (Cross-Border Privacy Rules) Certification
    HELD

    CBPR Certification - Cross-Border Privacy Rules compliance

    Verify on docs.stripe.com
    PRP (Privacy Recognition Program) Certification
    HELD

    PRP Certification - Privacy Recognition Program

    Verify on docs.stripe.com
    EU-US Data Privacy Framework (DPF)
    HELD

    EU-US Data Privacy Framework (DPF) compliance for transatlantic data transfers

    Verify on docs.stripe.com
    UK Extension to EU-US DPF
    HELD

    UK extension to EU-US Data Privacy Framework for UK-US data transfers

    Verify on docs.stripe.com
    Swiss-US Data Privacy Framework
    HELD

    Swiss-US Data Privacy Framework compliance

    Verify on docs.stripe.com
    GDPR
    HELD

    GDPR compliant via Data Privacy Framework certifications (EU-US DPF, UK extension, Swiss-US DPF). Personal data handling documented in Data Processing Agreement.

    Verify on stripe.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence found on Stripe's own domain of an ISO 27001 certification. Stripe's security page (docs.stripe.com/security) enumerates PCI Level 1, SOC 1/2/3, PA-DSS, EMVCo, NIST CSF, CBPR, PRP, and the Data Privacy Frameworks, but does not list ISO 27001. (Stripe requires ISO 27001 of its own suppliers, which is not the same as Stripe holding it.)

    source: docs.stripe.com
    HIPAA
    NOT CONFIRMED

    No public evidence found of Stripe offering a HIPAA Business Associate Agreement (BAA); Stripe does not present itself as HIPAA compliant on its own domain. Stripe can be used in payment workflows only when no Protected Health Information (PHI) is transmitted or stored through it. Treat as unsuitable for PHI use cases absent a BAA.

    source: docs.stripe.com
    ISO 27017 (Cloud Data Security)
    NOT CONFIRMED

    No public evidence found of Stripe holding ISO 27017 certification despite delivering cloud-based payment services

    source: docs.stripe.com
    ISO 27018 (Cloud PII Protection)
    NOT CONFIRMED

    No public evidence found of Stripe holding ISO 27018 certification despite processing PII in cloud environments

    source: docs.stripe.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found of a FedRAMP authorization; Stripe does not appear on the FedRAMP Marketplace registry. Absent an authorization, treat as unsuitable for federal government workloads requiring FedRAMP.

    source: marketplace.fedramp.gov
    ISO 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence found of Stripe holding an ISO 42001 AI management system certification on its own domain, despite shipping a large-scale payments foundation model.

    source: docs.stripe.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Multiple regions with regional compliance (EU, UK, US, Swiss frameworks supported)

    Stripe's Payments Foundation Model trains on billions of historical transactions to optimize payment processing. Training data includes: authorization/decline history (cards, customers, merchants), transaction features (merchant, amount, decline reason), and card features (BIN, issuer, expiry). US customers have right to opt out of sale/sharing of personal information. Merchants must disclose data sharing with Stripe to their end customers per the Data Processing Agreement.

    // Security controls

    Encryption in Transit

    TLS 1.2 and above for all data transmission

    docs.stripe.com

    Encryption at Rest

    AES-256 encryption for sensitive data at rest

    docs.stripe.com

    Card Data Vault (CDV)

    Tokenization of card data with separate secure storage; PCI DSS Level 1 audit includes CDV assessment

    docs.stripe.com

    Fraud Detection

    Radar machine learning system reduces fraud by ~38% on average; uses ML-driven authorization optimization

    stripe.com

    Strong Customer Authentication (SCA)

    PSD2-compliant SCA implementation for European transactions

    stripe.com

    OFAC Sanctions Screening

    Real-time screening for Office of Foreign Assets Control sanctions lists

    stripe.com

    Availability

    99.999% historical uptime of Stripe services; 99.9999% uptime during Black Friday-Cyber Monday 2025 peak

    stripe.com

    // Products & data scope

    Stripe PaymentsPayment Processing

    data: Card data (tokenized), transaction amounts, merchant data, authorization/decline history

    Core payment processing with PCI DSS Level 1 compliance. Stripe tokenizes card data to avoid PCI scope for merchants.

    Stripe AI / Payments Intelligence SuiteAI-Powered Payment Optimization

    data: Historical transaction patterns, customer behavior, fraud signals, authorization trends

    Trained on billions of transactions. Includes Radar (fraud detection), Smart Retries (revenue recovery ~57% of failed recurring payments), personalized checkout (11.9% revenue increase avg), and Authorization Boost (2.2% approval rate increase).

    Agentic Commerce SuiteAI Commerce Integration

    data: Purchase data, product catalog, customer intent signals

    Enables businesses to sell inside AI apps and agents. Partnership with Google for sales in Gemini and AI Mode. Announced at Sessions 2026.

    Link Digital Wallet for AgentsAI-Enabled Wallet

    data: Payment credentials, transaction history, agent authorization tokens

    250M+ global users. Enables autonomous AI agents to make payments on behalf of users.

    Machine Payments ProtocolAI Payment Infrastructure

    data: Microtransaction data, recurring payment instructions, stablecoin/fiat settlement data

    Real-time payments streaming for AI-native business models. Includes programmatic microtransactions and stablecoin/fiat settlement.

    Stripe Payments Foundation ModelAI/ML Model (Payments Foundation Model)

    data: Aggregated payment patterns, authorization/decline signals, merchant-customer-card relationships (anonymized at inference)

    Self-supervised foundation model trained on tens of billions of transactions, distilling each payment into a versatile embedding. Stripe describes it as a payments foundation model (not a large language model). Used across Radar, Smart Retries, and other AI products.

    // What to watch

    • IDENTITY CLARITY: 'stripe-ai' in AIFoxx appears to refer to Stripe's AI-powered payment features (e.g., Payments Foundation Model, Radar, Smart Retries), not a standalone AI product. Stripe is fundamentally a payment/fintech company with enterprise maturity, not an AI tool vendor. AIFoxx listing should clarify whether this is positioning Stripe as an 'AI tool' based on its AI features, or if it is mislabeled.
    • DATA TRAINING: Stripe's Payments Foundation Model trains on customer transaction data at scale (billions of transactions). While US customers have opt-out rights per the Privacy Act, EU customers' rights should be explicitly confirmed via GDPR legal review. Merchants must disclose data usage to end customers.
    • HIPAA NOT SUPPORTED: Stripe explicitly does not offer HIPAA BAA and is not suitable for healthcare/PHI use cases without additional wrappers. This is a hard boundary.
    • FEDRAMP GAP: No FedRAMP authorization. If a user requires federal government compliance, Stripe is not suitable.
    • ISO GAP: No public evidence found on Stripe's own domain of ISO 27001, ISO 27017 (cloud security), or ISO 27018 (cloud PII) certifications. Stripe's security page relies on PCI Level 1, SOC 1/2/3, and the Data Privacy Frameworks instead. (Original draft claimed ISO 27001 held=true sourced to a third-party compliance blog, not Stripe's domain; corrected to held=false during QA.)
    • AI GOVERNANCE: Stripe has not published ISO 42001 (AI governance) certification despite shipping a large-scale foundation model. This may indicate no formal AI governance framework audit, or it is unannounced. Recommend follow-up with Stripe's security team on AI-specific governance practices.
    • TRUST CENTER UX: trust.stripe.com exists but is partially JavaScript-rendered and requires NDA for SOC reports. Not as transparent as some competitors' trust centers.

    // At a glance

    Pricing model

    Usage-based (per transaction) with fixed + variable fee structure. Varies by product (Payments, Radar, Billing, etc.). No minimum.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Stripe, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.stripe.com

    > Browse all vendor trust reports