- What is Stripe.com?
Security at Stripe
- Securing your integration
For more about being PCI compliant and establishing good security practices, check out our integration security guide.
Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, we use best-in-class security tools and practices to maintain a high level of security at Stripe.
- HTTPS and HSTS for secure connections
Stripe forces HTTPS for all services using TLS (SSL), including our public website and the Dashboard.
- Stripe.js is served only over TLS
- Stripe’s official libraries connect to Stripe’s servers over TLS and verify TLS certificates on each connection
We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure that browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preloaded lists for both Google Chrome and Mozilla Firefox.
- Encryption of sensitive data and communication
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plaintext card numbers, but they can request that cards be sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).
- Vulnerability disclosure and reward program
Stripe maintains a private, invite-only bug bounty program, with the assistance of HackerOne. Invited researchers are eligible for a payment. While those who were not invited to the program may still submit a security bug or vulnerability to Stripe via HackerOne, such reports may not be eligible for a payment. To learn more about obtaining an invitation to the private bug bounty program, please see HackerOne’s website on invitations.
By submitting a security bug or vulnerability to Stripe via HackerOne, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth below. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Stripe’s prior written approval.
- Submit Vulnerability via HackerOne
You are about to submit a report to Stripe via HackerOne. Detailed and quality reporting is important to Stripe. You must include a working Proof of Concept.
- Program Terms and Conditions
Your participation in our program is voluntary and subject to the below terms and conditions:
- You need to show that you could exploit a vulnerability, but you must not actually exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.
- If you are performing research, please use your own accounts and do not interact with other users’ accounts or data.
- You must not leverage the existence of a vulnerability or access to sensitive or confidential data to make threats, extortionate demands, or ransom requests.
- Your testing must not violate any applicable laws or regulations.
- You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.
- By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Stripe’s prior written approval.
- You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of your jurisdiction.
- You must be 18 years of age or older.
- You must not be employed by Stripe or any of its affiliates. You must also not be an immediate family member of someone employed by Stripe or any of its affiliates.
- By reporting a bug, you grant Stripe and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.
- By reporting a bug, you agree to allow HackerOne to share with Stripe the personal information that you provide to HackerOne relating to your tax forms so Stripe can perform compliance checks.
- Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion, and we may cancel or modify the program at any time.
- Only the first, responsibly-disclosed submission of a vulnerability instance will be marked as valid; any subsequent reports will not be eligible for our program.
- Ineligible Vulnerabilities
Furthermore, Stripe does not consider the following to be eligible vulnerabilities:
- Denial of service
- Reports of spam
- Social engineering
- Content/text spoofing
- Unconfirmed reports from automated vulnerability scanners
- Disclosure of server or software version numbers
- Hypothetical sub-domain takeovers without supporting evidence
- Session invalidation or other improved-security related to account management when a credential is already known (e.g., password reset link does not immediately expire, adding MFA does not expire other sessions, etc.)
- Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
- User/merchant enumeration
- Best practice reports without a valid exploit (e.g. use of “weak” TLS ciphers)
- In Scope
Valid reports for assets in the following domains are eligible for reward:
Valid reports of critical vulnerabilities for assets in the following domains are eligible for reward:
- Out of Scope
Reports for assets in the following domains are not eligible for reward:
Last updated: April 28, 2021
See here for our Summary of Updates
Stripe provides economic infrastructure for the internet. Businesses of all sizes use our software and services to accept payments and manage their businesses online. Stripe cares about the security and privacy of the personal data that is entrusted to us.
This policy describes the Personal Data that we collect, how we use and share it, your rights and choices, and how you can contact us about our privacy practices.
We may collect and use personal data when we do business with you or when you do business with those that use our services. Some of our services may be accessed directly by you, including through our websites that reference this policy (e.g. stripe.com) (collectively “Sites”). Many of our services are provided to others in connection with their own business and activities, and you may engage with Stripe services as part of another’s service, such as when you make a payment to a merchant and we provide the payment processing services to that merchant through Stripe Checkout (collectively, we refer to Sites and direct and indirect services as “Services”). This policy applies to Stripe’s own Services. Websites, products and services of third-parties and some affiliates of Stripe are subject to their own separate privacy policies.
- Personal Data We Collect
- How We Use Personal Data
- How We Disclose Personal Data
- Your Rights and Choices
- Security and Retention
- International Data Transfers
- Use by Minors
- Links To Other Websites
- Controllers and Jurisdiction-specific Provisions
- Contact Us
Stripe obtains Personal Data about you from various sources. “You” may be a visitor to one of our Sites (“Visitor”), a user of one or more of our Services (“User” or “Stripe User”), or a direct or indirect customer of a User (“Customer”). If you are a Customer, your agreement with the relevant Stripe User should explain how the Stripe User shares your Personal Data with Stripe. If you have questions about this sharing, then you should direct those questions to the Stripe User.
You can also visit Stripe Privacy Center for more information about our privacy practices.
- Personal Data We Collect
- Personal Data that we collect about you
Personal Data is any information that relates to an identified or identifiable individual, and can include information about how you engage with our Services (e.g. device information, IP Address). In many cases, the Personal Data that you provide directly to us through our Services will be apparent from the context in which you provide the data:
- When you register for a Stripe account on our Site we collect your full name, email address, and account log-in credentials.
- When you fill-in our online form to contact our sales team, we ask for your name, contact information, country, and other information about your interest in our Services.
- When you authorize us to store information about you in connection with Stripe Checkout, we collect your name and contact information and information about your stored payment methods (e.g. payment card number, CVC code and expiration date). Learn More.
- When you submit your ID and/or a “Selfie” for purposes of verification. Learn More.
- When you respond to Stripe emails or surveys, we collect your email address, name and any other information you choose to include in the body of your email or responses. If you contact us by phone, we will collect the phone number you use to call Stripe, as well as other information you may provide during the call. If you are a Stripe User or Customer, when you contact us, we may collect additional information in order to verify your identity.
- If you are a Stripe User, you will provide your contact details, such as name, postal address, telephone number, and email address. As part of your business relationship with us, we may also collect financial and personal information about you, such as your date of birth and government identifiers associated with you and your organization (such as your social security number, tax number, or Employer Identification Number). You may also choose to provide bank account information.
- If you are a Customer, when you make payments to, or transact with a User through Stripe’s Services or a Stripe provided device, we will receive your transaction information. If you are transacting directly with Stripe, we receive the information directly from you. If you are transacting with a User, depending on how they integrated our Services, we may receive this information directly from you, from the Stripe User or third parties. The information that we collect will include payment method information (such as credit or debit card number, or bank account information), purchase amount, date of purchase, and in some cases, some information about your purchases. Different payment methods may require the collection of different categories of information. The payment method information that we collect will depend upon the payment method that you choose to use from the list of available payment methods that are offered to you at the time of check-out. We may also receive your name, email, billing or shipping address and in some cases, your transaction history to authenticate you.
In connection with fraud monitoring, prevention, detection, and compliance activities for Stripe and its Users, we receive identity-related information from the following sources:
- From Customers (including through their devices (e.g. IP Addresses)) related to Customers.
- From Users about themselves and their Customers, including as collected through our Services.
- From our business partners, financial service providers, identity verification services, and publicly available sources.
This Personal Data (e.g., name, address, phone number, country) helps us to confirm identities and prevent fraud. We may also use technology to assess the fraud risk associated with an attempted transaction by a Customer with a Stripe User.
You may also choose to submit information to us via other methods, including: (i) in response to marketing or other communications, (ii) through social media or online forums, (iii) through participation in an offer, program or promotion, (iv) in connection with an actual or potential business relationship with us, or (v) by giving us your business card or contact details in connection with trade shows or other events.
- Information that we collect automatically on our Sites and through marketing of our products
- Browser and device data, such as IP Address, device type, operating system and Internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons and the language version of the Sites you are visiting.
- Usage data, such as time spent on the Sites, pages visited, links clicked, language preferences, and the pages that led or referred you to our Sites.
- Online activities. We collect information about your online activities on websites and connected devices over time and across third-party websites, devices, apps and other online services.
- We collect information when you engage with our marketing messages and when you click on links included in ads for our products. We use Google Analytics on our Sites to help us analyze your use of our Sites and diagnose technical issues.
- How We Use Personal Data
- Our Services
We rely upon a number of legal grounds to enable our use of your Personal Data. We use Personal Data to facilitate the business relationships we have with our Users, to comply with our financial regulatory and other legal obligations, and to pursue our legitimate business interests. We also use Personal Data to complete transactions and to provide payment-related services to our Users.
- Marketing and events-related communications
We may send you email marketing communications about Stripe products and services, invite you to participate in our events or surveys, or otherwise communicate with you for marketing purposes, provided that we do so in accordance with applicable law, including any consent requirements. For example, when you submit your contact information to us or when we collect your business contact details through our participation at trade shows or other events, we may use the information to follow-up with you regarding an event, send you information that you have requested on our products and services and, with your permission, include you on our marketing information campaigns.
We do not use, share, rent or sell the Personal Data of our Users’ Customers for interest-based advertising. We do not sell or rent the Personal Data of our Users, their Customers or our Site Visitors.
- How We Disclose Personal Data
Stripe does not sell or rent Personal Data to marketers or unaffiliated third parties. We share your Personal Data with trusted entities, as outlined below.
We share Personal Data with other Stripe affiliated entities in order to provide our Services and for our administration purposes.
- Service providers
We share Personal Data with certain of our service providers subject to contract terms that limit their use of Personal Data. We have service providers that provide services on our behalf, such as identity verification services, website hosting, data analysis, marketing service, information technology and related infrastructure, customer service, email delivery, and auditing services. These service providers may need to access Personal Data to perform their services. We authorize such service providers to use or disclose the Personal Data only to perform services on our behalf or comply with legal requirements. We require such service providers to contractually commit to protect the security and confidentiality of Personal Data they process on our behalf. Our service providers are predominantly located in the European Union and the United States of America. Learn More.
- Business partners
We share Personal Data with third party business partners in connection with our Services to our Users. Examples of third parties to whom we may disclose Personal Data for this purpose are banks and payment method providers (such as credit card networks) when we provide payment processing services, and the professional services firms that we partner with to deliver Stripe Atlas. Learn more about what Stripe does with other third parties.
- Our Users and third parties authorized by our Users
- Corporate transactions
- Compliance and harm prevention
We share Personal Data as we believe necessary: (i) to comply with applicable law, or rules imposed by payment method in connection with use of that payment method; (ii) to enforce our contractual rights; (iii) to protect the Services, rights, privacy, safety and property of Stripe, you or others; and (iv) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.
- Your Rights and Choices
You may have choices regarding our collection, use and disclosure of your Personal Data:
- Opting out of receiving electronic communications from us
If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you other messages in connection with providing our Services.
- How you can see or change your account Personal Data
If you would like to review, correct, or update Personal Data that you have previously disclosed to us, you may do so by signing in to your Stripe account or by contacting us.
- Your data protection rights
Depending on your location and subject to applicable law, you may have the following rights with regard to the Personal Data we control about you:
- The right to request confirmation of whether Stripe processes Personal Data relating to you, and if so, to request a copy of that Personal Data;
- The right to request that Stripe rectifies or updates your Personal Data that is inaccurate, incomplete or outdated;
- The right to request that Stripe erase your Personal Data in certain circumstances provided by law;
- The right to request that Stripe restrict the use of your Personal Data in certain circumstances, such as while Stripe considers another request that you have submitted (including a request that Stripe make an update to your Personal Data);
- The right to request that we export your Personal Data that we hold to another company, where technically feasible;
- Where the processing of your Personal Data is based on your previously given consent, you have the right to withdraw your consent at any time; and/or
- In some cases, you may also have the right to object to the processing of your Personal Data.
- Process for exercising data protection rights
To exercise your data protection rights please also see Stripe Privacy Center. We will comply with your request to the extent required by applicable law. We will not be able to respond to a request if we no longer hold your Personal Data. If you feel that you have not received a satisfactory response from us, you may have the right under applicable laws to consult with the data protection authority in your country.
For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. If we no longer need to process Personal Data about you in order to provide our Services or our Sites, we will not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.
If you are a Customer of a Stripe User, please direct your requests directly to the User. For example, if you are making, or have made, a purchase from a merchant using Stripe as a payment processor, and you have a request that is related to the payment information that you provided as part of the purchase transaction, then you should address your request directly to the merchant.
- Security and Retention
We retain your Personal Data as long as we are providing the Services to you or our Users (as applicable). Even after we stop providing Services directly or indirectly to you, and even if you close your Stripe account or complete a transaction with a Stripe User, we keep your Personal Data in order to comply with our legal and regulatory obligations. We may also keep it to assist with our fraud monitoring, detection and prevention activities. We also keep Personal Data to comply with our tax, accounting, and financial reporting obligations, where we are required to retain the data by our contractual commitments to our financial partners, and where data retention is mandated by the payment methods you used. In all cases where we keep data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.
- International Data Transfers
We are a global business. Personal Data may be stored and processed in any country where we do business or our service providers do business. We may transfer your Personal Data to countries other than your own country, including to the United States. These countries may have data protection rules that are different from your country. When transferring data across borders, we take measures to comply with applicable data protection laws related to such transfer. Officials (such as law enforcement or security authorities) in those other countries may be entitled to access your Personal Data.
If you are located in the European Economic Area (“EEA”), the UK or Switzerland, we comply with applicable laws to provide an adequate level of data protection for the transfer of your Personal Data to the US. For more information, please see Stripe Privacy Center. Where applicable law requires a data transfer legal mechanism, we use one or more of the following: EU Standard Contractual Clauses with a data recipient outside the EEA or the UK, verification that the recipient has implemented Binding Corporate Rules, or another legal method available to us under applicable law.
While Stripe Inc. remains self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, it is not currently relying on these frameworks for the transfer of personal data to the U.S. For more information, please see Stripe Privacy Center.
- Use by Minors
The Services are not directed to minors, including children under the age of 13, and we request that they not provide Personal Data through the Services. In some countries, we may impose higher age limits as required by applicable law. We do not sell any Personal Data of Customers, Visitors or Users, including those aged between 13 and 16.
- Links To Other Online Services
- Controllers and Jurisdiction-specific Provisions
To exercise your rights, you may contact our DPO. If you are a resident of the EEA or we have identified Stripe Payments Europe Limited as your data controller, and believe we process your information in scope of the General Data Protection Regulation (GDPR), you may direct your questions or complaints to the Office of the Data Protection Commissioner. If you are a resident of the UK, you may direct your questions or concerns to the UK Information Commissioner’s Office.
Mexican residents may exercise data protection rights to access, correction, deletion, opposition or revocation under applicable law. You may be provided with further information about the steps to exercise your privacy rights, including identity verification, timing, the way to get in touch with the organization responding to your request for further communications about your request, and how your request may be honored. If you are a Mexican resident and a Customer of a Stripe User, please direct your requests directly to the Stripe User with whom you shared your personal information.
Thailand residents may have additional rights under applicable laws. If we process your Personal Data due to a legal obligation or contractual right, and you do not provide us with personal Information, we may not be able to lawfully provide you services.
United States – California
If you are a consumer located in California, we process your personal data in accordance with the California Consumer Privacy Act (CCPA). This section provides additional details about the personal information we collect and use for purposes of CCPA.
- How We Collect, Use, and Disclose your Personal Information
- Your CCPA Rights and Choices
As a California consumer and subject to certain limitations under the CCPA, you have choices regarding our use and disclosure of your personal information:
- Exercising the right to know: You may request the following information about the personal information we have collected about you:
- the categories and specific pieces of personal information we have collected about you;
- the categories of sources from which we collected the personal information;
- the business or commercial purpose for which we collected the personal information;
- the categories of third parties with whom we shared the personal information; and
- the categories of personal information about you that we disclosed for a business purpose, and the categories of third parties to whom we disclosed that information for a business purpose.
- Exercising the right to delete: You may request that we delete the personal information we have collected from you, subject to certain limitations under applicable law.
- Exercising the right to opt-out from a sale: You may request to opt out of any “sale” of your personal information that may take place. As described in Advertising, we do not use, share, rent or sell the Personal Data of our Users’ Customers for interest-based advertising. We do not sell or rent the Personal Data of our Users, their Customers or our Site visitors.
- Non-discrimination: The CCPA provides that you may not be discriminated against for exercising these rights.
To submit a request to exercise any of the rights described above, contact our DPO.
When exercising your rights, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. Authentication based on a government-issued and valid identification document may be required. If you are a Customer of a Stripe User, please direct your requests directly to the Stripe User with whom you shared your personal information.
III. What is the delivery method?
After we receive your payment, my own server will automatically create the download in your account and immediately send the download link to your email address and it’s a permanent link. Since it is a digital copy, my suggestion is to download and save it to your hard drive. In case the link is broken for any reason, please notify me and I will resend the link.
In case the link is broken or expired, you can email us for updates or wait up to a few hours; we will send you a new link again.
In addition, you can manage products directly downloaded on the website.
- Refund policy?
All products on our site were double checked before selling. Therefore, we will not provide a refund after you make a payment. We only perform a refund for the products that we cannot provide.
100% money back guarantee! Due to the nature of Digital purchases, Digital Downloads such as MP3s, MP4s, and PDF are non-refundable. But we will refund if the fault is ours (unavailable products, missing content, corrupt file, low quality, wrong product… all of our faults).
All products’ contents were checked very carefully, with these contents “Excepted”: “Online coaching, Software, Facebook group, Skype and Email support from Author.” So we have no refund policy for issues with these contents. We only refund for products that we cannot provide.
Please note: all product’s contents were checked very carefully and “Excepted” these contents:
+ Coaching call or weekly/monthly call from author
+ Access author private facebook group or web portal of the course
+ Software, Tools, App (please contact us to confirm that)
+ Access author private membership forum
+ Email support from author or their team
- Conditions of Use at Forimc.com
Normally, most product downloads will come to you immediately. For some products whose download link has not yet been synchronized to the cloud in your account, we will confirm your order and let you know the status of the product (within a few hours), so please don’t worry.
All registration information and your email address are automatically encrypted and anonymous, so it’s safe. We use my private server to send the download link to my customers. Therefore, all the information will be kept autonomous. You are totally safe and secure here with us.
Again, if you have enough money and feel good, we encourage you to buy this product from the original Author to get all the other “Excepted” contents from them.
Thank you for reading!