// Trust & Security Report
Stripe, Inc.
Stripe AI comprises AI-powered payment optimization features integrated into Stripe's core platform, including personalized checkout, fraud detection (Radar), revenue recovery (Smart Retries), payment intelligence, and the Stripe Payments Foundation Model (a self-supervised foundation model trained on tens of billions of transactions that distills each payment into an embedding; described by Stripe as a foundation model, not a large language model). Includes specialized products: Agentic Commerce Suite, Machine Payments Protocol, and Link digital wallet for AI agents.
Certifications held
13
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.stripe.com“PCI Service Provider Level 1 - Highest certification level for online payment processing”
Verify on docs.stripe.com“SOC 1 Type II - Annual compliance audits (available upon request)”
Verify on docs.stripe.com“SOC 2 Type II - Annual compliance audits available upon request through trust.stripe.com, typically within 24-48 hours after NDA execution”
Verify on docs.stripe.com“SOC 3 - Public report on internal controls for security, availability, and confidentiality, available without NDA”
Verify on docs.stripe.com“PCI PA-DSS - Global security standard for payment applications”
Verify on docs.stripe.com“EMVCo Level 1 & 2 - EMV® specifications for card and terminal security and interoperability”
Verify on docs.stripe.com“NIST Cybersecurity Framework - Information security policies and design alignment”
Verify on docs.stripe.com“CBPR Certification - Cross-Border Privacy Rules compliance”
Verify on docs.stripe.com“PRP Certification - Privacy Recognition Program”
Verify on docs.stripe.com“EU-US Data Privacy Framework (DPF) compliance for transatlantic data transfers”
Verify on docs.stripe.com“UK extension to EU-US Data Privacy Framework for UK-US data transfers”
Verify on docs.stripe.com“Swiss-US Data Privacy Framework compliance”
Verify on stripe.com“GDPR compliant via Data Privacy Framework certifications (EU-US DPF, UK extension, Swiss-US DPF). Personal data handling documented in Data Processing Agreement.”
> Show 6 unconfirmed / not-held certifications
source: docs.stripe.comNo public evidence found on Stripe's own domain of an ISO 27001 certification. Stripe's security page (docs.stripe.com/security) enumerates PCI Level 1, SOC 1/2/3, PA-DSS, EMVCo, NIST CSF, CBPR, PRP, and the Data Privacy Frameworks, but does not list ISO 27001. (Stripe requires ISO 27001 of its own suppliers, which is not the same as Stripe holding it.)
source: docs.stripe.comNo public evidence found of Stripe offering a HIPAA Business Associate Agreement (BAA); Stripe does not present itself as HIPAA compliant on its own domain. Stripe can be used in payment workflows only when no Protected Health Information (PHI) is transmitted or stored through it. Treat as unsuitable for PHI use cases absent a BAA.
source: docs.stripe.comNo public evidence found of Stripe holding ISO 27017 certification despite delivering cloud-based payment services
source: docs.stripe.comNo public evidence found of Stripe holding ISO 27018 certification despite processing PII in cloud environments
source: marketplace.fedramp.govNo public evidence found of a FedRAMP authorization; Stripe does not appear on the FedRAMP Marketplace registry. Absent an authorization, treat as unsuitable for federal government workloads requiring FedRAMP.
source: docs.stripe.comNo public evidence found of Stripe holding an ISO 42001 AI management system certification on its own domain, despite shipping a large-scale payments foundation model.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Multiple regions with regional compliance (EU, UK, US, Swiss frameworks supported)
Stripe's Payments Foundation Model trains on billions of historical transactions to optimize payment processing. Training data includes: authorization/decline history (cards, customers, merchants), transaction features (merchant, amount, decline reason), and card features (BIN, issuer, expiry). US customers have right to opt out of sale/sharing of personal information. Merchants must disclose data sharing with Stripe to their end customers per the Data Processing Agreement.
// Security controls
Card Data Vault (CDV)
Tokenization of card data with separate secure storage; PCI DSS Level 1 audit includes CDV assessment
docs.stripe.comFraud Detection
Radar machine learning system reduces fraud by ~38% on average; uses ML-driven authorization optimization
stripe.comStrong Customer Authentication (SCA)
PSD2-compliant SCA implementation for European transactions
stripe.comOFAC Sanctions Screening
Real-time screening for Office of Foreign Assets Control sanctions lists
stripe.comAvailability
99.999% historical uptime of Stripe services; 99.9999% uptime during Black Friday-Cyber Monday 2025 peak
stripe.com// Products & data scope
data: Card data (tokenized), transaction amounts, merchant data, authorization/decline history
Core payment processing with PCI DSS Level 1 compliance. Stripe tokenizes card data to avoid PCI scope for merchants.
data: Historical transaction patterns, customer behavior, fraud signals, authorization trends
Trained on billions of transactions. Includes Radar (fraud detection), Smart Retries (revenue recovery ~57% of failed recurring payments), personalized checkout (11.9% revenue increase avg), and Authorization Boost (2.2% approval rate increase).
data: Purchase data, product catalog, customer intent signals
Enables businesses to sell inside AI apps and agents. Partnership with Google for sales in Gemini and AI Mode. Announced at Sessions 2026.
data: Payment credentials, transaction history, agent authorization tokens
250M+ global users. Enables autonomous AI agents to make payments on behalf of users.
data: Microtransaction data, recurring payment instructions, stablecoin/fiat settlement data
Real-time payments streaming for AI-native business models. Includes programmatic microtransactions and stablecoin/fiat settlement.
data: Aggregated payment patterns, authorization/decline signals, merchant-customer-card relationships (anonymized at inference)
Self-supervised foundation model trained on tens of billions of transactions, distilling each payment into a versatile embedding. Stripe describes it as a payments foundation model (not a large language model). Used across Radar, Smart Retries, and other AI products.
// What to watch
- IDENTITY CLARITY: 'stripe-ai' in AIFoxx appears to refer to Stripe's AI-powered payment features (e.g., Payments Foundation Model, Radar, Smart Retries), not a standalone AI product. Stripe is fundamentally a payment/fintech company with enterprise maturity, not an AI tool vendor. AIFoxx listing should clarify whether this is positioning Stripe as an 'AI tool' based on its AI features, or if it is mislabeled.
- DATA TRAINING: Stripe's Payments Foundation Model trains on customer transaction data at scale (billions of transactions). While US customers have opt-out rights per the Privacy Act, EU customers' rights should be explicitly confirmed via GDPR legal review. Merchants must disclose data usage to end customers.
- HIPAA NOT SUPPORTED: Stripe explicitly does not offer HIPAA BAA and is not suitable for healthcare/PHI use cases without additional wrappers. This is a hard boundary.
- FEDRAMP GAP: No FedRAMP authorization. If a user requires federal government compliance, Stripe is not suitable.
- ISO GAP: No public evidence found on Stripe's own domain of ISO 27001, ISO 27017 (cloud security), or ISO 27018 (cloud PII) certifications. Stripe's security page relies on PCI Level 1, SOC 1/2/3, and the Data Privacy Frameworks instead. (Original draft claimed ISO 27001 held=true sourced to a third-party compliance blog, not Stripe's domain; corrected to held=false during QA.)
- AI GOVERNANCE: Stripe has not published ISO 42001 (AI governance) certification despite shipping a large-scale foundation model. This may indicate no formal AI governance framework audit, or it is unannounced. Recommend follow-up with Stripe's security team on AI-specific governance practices.
- TRUST CENTER UX: trust.stripe.com exists but is partially JavaScript-rendered and requires NDA for SOC reports. Not as transparent as some competitors' trust centers.
// At a glance
Pricing model
Usage-based (per transaction) with fixed + variable fee structure. Varies by product (Payments, Radar, Billing, etc.). No minimum.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Stripe, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.stripe.com