[go: up one dir, main page]

Stripe Apps Developer Agreement

Last Updated: May 1, 2023

This Stripe App Developer Agreement (“Agreement”) is a legal agreement between Stripe Payments Europe, Limited. (“Stripe”, “us”, or “we”) and the entity or person (“you”, “your”, or “Developer”) who uses their Stripe Account to develop an Application for Stripe Business Users.

1. Definitions.

“Application” means any software application, functionality, website, product or service that you create for the purpose of extending, enhancing, customizing, or integrating with Stripe's products, APIs, or ecosystem.

“Business Account” means the Stripe account that chooses to install your Stripe Application.

“Business Account Data” means any information (including Personal Data) that the Business Account authorizes Stripe to share with your Stripe Application. 

“Business User” means any individual who is lawfully entitled to access and operate a Business Account.

“CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.

“Confidential Information” means non-public information, know-how, or trade secrets in any form: (1) that a reasonable person knows or reasonably should understand to be confidential based on the nature of the information or the manner by which the information is disclosed by Stripe, or (2) that Stripe designates as confidential. Information is not Confidential Information if it: (a) is or becomes publicly available without you breaching this Agreement; (b) is already known to you lawfully without an obligation to keep it confidential; (c) is received by you from another source that has authority to disclose it lawfully and has no obligation to keep it confidential; or (d) is independently developed by you.

“Content” means information obtained by Stripe from publicly available sources or its third party content providers and made available to you through the Covered Services, as may be described in the Documentation.

“Covered Services” means Stripe Apps and the Stripe Apps Marketplace.

“Data Breach” means a breach of security associated with the Developer’s Stripe Application leading to the accidental, unlawful, or unauthorized use, destruction, loss, alteration, disclosure of, or access to, Business Account, Business Account Data, Confidential Information; or that might adversely affect the security of the Stripe systems.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.

“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.

“Data Subject” means an identified or identifiable natural person to which Personal Data pertains.

“Developer” means you, your organization, its agents, employees and consultants.  

“Developer Data” means electronic data and information submitted by you to the Covered Services. Developer Data includes, among other things, technical and operational data submitted by you in connection with your Stripe App and feedback provided by you to Stripe in connection with the Covered Services. Developer Data does not include: (1) Content, (2) reports, data, assessments, analyses or compilations collected by, derived from, created by or returned by the Covered Services, including any derivative works, (3) your Stripe Application(s), (4) Developer Personal Data or Confidential Information unless it is needed for your Stripe App Listing. 

“Documentation” means resources and documentation that Stripe makes available to developers through Stripe’s support pages, API documentation, and other websites.

“DP Law” means all laws and regulations that apply to Processing of Personal Data under this Agreement, including applicable international, national, federal, state, provincial, and local laws, rules, regulations, directives and governmental requirements currently in effect, and as they become effective, relating in any way to privacy, data protection, or security, as well as the Payment Card Industry (“PCI”) Data Security Standards.

“Listing” means the information provided for listing the Application on Stripe’s App Marketplace.

“Mark” means a trademark, service mark, design mark, logo or stylized script.

“Necessary Condition” means any of the following: (1) it is required by applicable law, rule, or regulation or otherwise required or requested by a court order or governmental authority; (2) Stripe suspects that you or your Stripe App have Processed Business Account Data in violation of the terms of this Agreement or other applicable terms or policies; (3) you enter into a change of control transaction or transfer (or request to transfer) any of your rights or obligations under the terms of this Agreement or other applicable terms or policies; (4) Stripe determines in our sole discretion it is necessary to ensure that you and your Stripe App have deleted Business Account Data in accordance with the terms of this Agreement and all other applicable terms and policies; or (5) we determine in our sole discretion it is necessary to ensure proper remediation of any non-compliance revealed by an audit.

“Personal Data” means any information relating to a Data Subject (who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person) that is collected, disclosed, stored, accessed or otherwise Processed under the Agreement. 

“Process”, “Processing” or “Processed” means to perform any operation or set of operations on data (including Personal Data and Business Account Data), such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.

“Records” mean books, agreements, access logs, third-party reports, policies, processes, and other records regarding the Processing of Business Account Data. 

“Stripe Application”, “Stripe App”, or “App” means a software application, including source code, provided by Developer or a third party to Stripe that may interoperate with the Covered Services, including an application developed by or for Developer, or that is listed on a marketplace.  

“Stripe App Marketplace” or “Marketplace” means Stripe’s online marketplace site where your Stripe Application may be discovered and installed by Business Accounts.

“Sell” means the definition prescribed to it in the CCPA.

“Service Provider” means an entity you use to provide services in connection with your Stripe App. 

2. Developer Responsibilities to Stripe. You agree to: (1) be solely responsible for the accuracy, quality, integrity and legality of your Stripe Application; (2) use commercially reasonable efforts to prevent unauthorized access to or use of your Stripe Application, and notify us promptly of any such unauthorized access or use (see “Data Breach Reporting to Stripe” below); and (3) use the Covered Services only in accordance with the terms of this Agreement, all other applicable terms and policies, Documentation, and applicable laws and government regulations. 

3. Service and Content. Stripe will make the Covered Services available to you, subject to: (1) the terms of this Agreement; (2) the Documentation; and (3) your agreement to process payments triggered by core functionality of your app on Stripe unless another payment processor is approved in writing by Stripe.

4. Developer Code of Conduct. Stripe’s users always come first. By choosing to develop an Application with the Covered Services, you agree: (1) you will not make any misrepresentations to or mislead our users or any third party; (2) you will avoid any conflict of interest or engage in any intentional unethical conduct; and (3) you will not cause any reputational harm to Stripe. 

5. License Granted by Developer.  You grant Stripe the license to host, copy, transmit and display your Stripe Application and Developer Data for use with the Covered Services. In addition, you grant Stripe a revocable, non-exclusive, worldwide, royalty-free license to host your Stripe Application on Stripe servers and publish any information you provide to Stripe in furtherance of Stripe’s hosting and distributing of your Stripe Application.

6. Marks Usage: Subject to the terms of this Agreement, each party grants to the other party a worldwide, non-exclusive, non-transferable, non-sublicensable, royalty-free license during the term of this Agreement to use the Marks of the grantor party solely to identify your Stripe App and your use of the Covered Services. Accordingly, Stripe may use your Marks: (a) on Stripe web pages and apps that identify Stripe Apps and Stripe App developers; (b) in Stripe sales/marketing materials and communications; and (c) in connection with promotional activities to which the parties agree in writing. When using Stripe’s Marks, you must comply with the Stripe Marks Usage Terms and all additional usage terms and guidelines that Stripe provides to you in writing (if any). All goodwill generated from the use of any Marks will inure to the sole benefit of the Mark owner.

7. Data Use by Stripe. Stripe may use Developer Data solely to the extent necessary to fulfill its obligations under this Agreement. Stripe will not sell, disclose, or share any Developer Data, in whole or in part, to or with any third-party. Once you submit your Application for use with the Covered Services, Stripe will maintain appropriate, industry-standard technical and organizational measures to protect any data and information, including Personal Data, that it collects, accesses, processes or receives from you under the terms of this Agreement in accordance with applicable DP Laws. Stripe agrees to comply with all applicable DP Laws in performing its obligations under this Agreement.

8. Proprietary Rights. Subject to the rights granted under this Agreement, Stripe and its licensors reserve all rights, title and interest in and to the Covered Services (including reports, data, assessments, analyses or compilations of Developer Data, collected by, derived from, created by or returned by the Covered Services, including any derivative works thereof) and Content, including all related intellectual property rights. No rights are granted to the Developer other than as set forth in this Agreement. Subject to the limited licenses granted herein, Stripe acquires no right, title or interest from Developer or its licensors under this Agreement in or to the Stripe Applications. You represent and warrant that your Stripe Applications do not and will not violate, misappropriate or infringe upon the intellectual property or other rights of any third party. You also agree to defend, indemnify, and hold harmless Stripe and its affiliates from and against any third-party claim alleging that your Stripe Application infringes any third party rights.

9. Feedback. You may provide and we encourage ongoing feedback directly to us regarding the Covered Services. You grant to Stripe a royalty-free, worldwide, irrevocable, perpetual license to use and incorporate into the Covered Services any suggestion, enhancement request, recommendation, correction or other feedback you provide relating to the operation of the Covered Services for use by Stripe and users of its offerings.

10. Protection of Confidential Information.  You, as a Developer, may receive from Stripe updates and information that is Confidential Information.  You agree not to disclose such Confidential Information or any announcements that Stripe notes as embargoed.  

11. Relationship between Parties and Sale. Stripe and Developer agree that neither is the Data Processor of the other party, nor are the parties acting together as joint Data Controllers. Stripe and Developer agree that no monetary or other valuable consideration is provided to either party in exchange for Personal Data and that data sharing conducted pursuant to this Agreement does not constitute a Sale of Personal Data.

12. Data Use by Developer. You agree to comply with all applicable DP Laws in performing your obligations under this Agreement. Including and without limitation, you will:

(1) provide notices of Data Breach to the Data Subject and appropriate government authorities as required by applicable DP Law;

(2) make the privacy notice or privacy policy applicable to your Stripe Application readily available to the Business User, including via a link in your Stripe App listing in the Stripe Apps Marketplace;

(3) Process Business Account Data only in accordance with the above-referenced privacy notice or privacy policy, and only to provide or meaningfully improve the quality of the Business User’s experience in your Stripe Application for which the Business Account shared its Business Account Data;

(4) not sell Business Account Data; 

(5) not use Business Account Data to determine eligibility for credit or insurance, to be used primarily for personal, family, or household purposes, or in any other way that would cause the Business Account Data to constitute a “consumer report” under Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq. (“FCRA”); nor use Business Account Data to take “adverse action” as that term is described in FCRA and the Equal Credit Opportunity Act, 15 U.S.C. § 1681, et seq. (ECOA) and their implementation regulations, against any individual;

(6) only share Business Account Data with a third party: (a) when required under applicable law or regulations; (b) when the third-party is a Service Provider that satisfies the terms of this Agreement; and (c) when a Business User expressly directs you to share its Business Account Data with the third party;

(7) implement reasonable measures to ensure that your Stripe Application is not used by users under the age of 13 and does not collect Personal Data from users known to be under the age of 13 (or such age that would require parental consent under applicable DP Laws).

13. Service Providers. You must ensure that any Service Provider you engage: (1) uses Business Account Data solely for you and at your direction in order to provide services you requested in a manner that is consistent with the terms of this Agreement, all other applicable terms and policies, your privacy policy, and applicable DP Law, and for no other individual or entity and for no other purpose, including for the Service Provider’s own purposes; (2) in the event the Service Provider engages another Service Provider (“Sub-Service Provider”) in order to provide the services requested, requires the Sub-Service Provider to comply with the above requirements; (3) promptly ceases Processing Business Account Data and delete all such data in their possession or control when you cease using the Service Provider or Sub-Service Provider. Upon our request, you must provide a list of your Service Providers and Sub-Service Providers. We may prohibit your use of any Service Provider or Sub-Service Provider in connection with your use of Business Account Data if we believe that (4) they have violated the terms of this Agreement or other applicable terms or policies or (5) they are negatively impacting Stripe, Marketplace, other Stripe products or services, or people who use Stripe products and services, and will provide notice to you if we do. Upon such notice, you must promptly stop using that Service Provider or Sub-Service Provider in connection with your use of Business Account Data.

14. Data Breach Reporting to Stripe. You agree to implement a data security incident management program which addresses how you and your Stripe App will detect and manage data security incidents, including Data Breaches. You will notify Stripe at stripe-apps-security@stripe.com without undue delay - but in no event later than 48 hours - after becoming aware of a Data Breach. Upon becoming aware of the Data Breach, you will, at your own cost, immediately begin remediation of the incident leading to the Data Breach and reasonably cooperate with Stripe, including by informing Stripe in reasonable detail of the impact of the incident upon Business Account Data, specific Business Accounts and Business Users affected by the incident, and corrective actions being taken, and keeping Stripe updated about your compliance with any notification or other requirements under applicable DP Laws. 

15. Security Measures. You will implement and maintain technical and organizational safeguards for your Stripe App that: (1) meet or exceed industry standards proportionate to the sensitivity of Business Account Data it processes, (2) comply with applicable DP Laws, and (3) are designed to prevent any Data Breach or unauthorized Processing of Business Account Data under the terms of this Agreement or any other applicable terms or policies. In the event of a suspected Data Breach or event triggering a  Necessary Condition, Stripe may impose limitations on your Stripe App, your Marketplace Listing, or your ability to use any portion of the Covered Services and require you to undergo a Compliance Review (see “Compliance Review” below) or other security testing. .

16. Data Storage. To the extent that you use Stripe Apps interfaces to store data, you agree that you will not store Personal Data (except as needed for your Stripe App Listing), personal health data, or data that could be construed to infringe upon intellectual property rights.

17. Term. This Agreement begins on the Date you accept these terms and is effective until terminated in accordance with Section 21 (Termination and Notices). As a result of your use of the Covered Services and the grants given by the Developer under this Agreement, Stripe may develop products, services and features utilizing Developer Data which may be made available beyond the Term.

18. Retention and deletion of data. Unless required to keep Business Account Data under applicable law or regulation, you must delete all Business Account Data as soon as reasonably possible: (1) when retaining the Business Account Data is no longer necessary for a legitimate business purpose that is consistent with the terms of this Agreement and all other applicable terms and policies; (2) when you stop operating the Stripe Application through which the Business Account Data was acquired; (3) when we request you delete the Business Account Data; (4) when the Business User requests their Business Account Data to be deleted or no longer has an account with you; and (5) when required by applicable law or regulations, including DP Laws.  

19. Compliance Review. We may conduct an audit from time to time, but no more than once a calendar year unless there is a Necessary Condition, to ensure that your and your Stripe App’s Processing of Business Account Data is and has been in compliance with the terms of this Agreement and all other applicable terms and policies upon reasonable notice. You will cooperate (and cause your Service Providers to cooperate) with the audits, including by providing information and assistance as reasonably requested (including making your personnel who are knowledgeable about your or your App’s Processing of Business Account Data available for our questioning). If an audit reveals any non-compliance by you or your Service Provider(s) then you will reimburse us for all of our reasonable costs and expenses associated with conducting the audit and any related follow-up audits. 

20. Certifications. From time to time, we may request you to certify, in writing, that you are in compliance with these Terms and all other applicable terms and policies, and the purpose or use of the Business Account Data you have access to, and that each such purpose or use complies with these Terms and all other applicable terms and policies. All such certifications and attestations must be provided by an authorized representative of yours. 

21. Termination and Notices. You may terminate this Agreement without cause upon thirty (30) days’ written notice to Stripe at contract-notices@stripe.com. If after termination you use the Covered Services again, this Agreement will apply with an Effective Date that is the date on which you first use the Developer Services again.  Stripe may terminate this Agreement (or any part) or close your Stripe Account at any time for any or no reason, in accordance with the Stripe Services Agreement, by notifying you. Either party may terminate this Agreement immediately upon notice to the other party if the other party materially breaches this Agreement, and if capable of cure, does not cure the breach within 10 days after receiving notice specifying the breach. If the material breach affects only certain Covered Services, the non-breaching party may choose to terminate only the affected Covered Services.  Terminating this Agreement will not immediately terminate the Stripe Services Agreement. Stripe and you may only terminate the Stripe Services Agreement according to its terms. This Agreement will automatically terminate if the Stripe Services Agreement terminates.

22. Developer Responsibilities in Stripe Accounts. You are responsible for all activities that occur in your Stripe account(s) and for compliance with this Agreement.  You are also responsible for all activity your Stripe Application executes within the account of any Stripe Business User that has installed your Stripe Application.

23. No Warranty. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COVERED SERVICES AND CONTENT ARE PROVIDED “AS-IS” AND “AS AVAILABLE,” WITH ALL FAULTS AND EXCLUSIVE OF ANY WARRANTY WHATSOEVER WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. STRIPE DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. STRIPE DISCLAIMS ALL LIABILITY FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD-PARTY HOSTING PROVIDERS. The Covered Services may contain bugs or errors. Any participation in or use of the Covered Services or Content is at your sole risk. You acknowledge that Stripe may discontinue the Covered Services at any time in its sole discretion.

24.  Updates to this Agreement. We reserve the right to change this Agreement at any time at our discretion. We will give you notice of the changes by posting an updated version of this Agreement online or by emailing you at an email address you have provided. Any other changes to the Agreement will be effective 15 days after we post them or otherwise notify you of them, unless we specify a different effective date when we make a particular change. However, we may change this Agreement with effect as of the date we post the changes or otherwise notify you of them, to change existing features or add additional features to the Covered Services that do not materially adversely affect your Stripe Application, or for legal, regulatory, fraud or abuse prevention, or security reasons. You are responsible for checking for Agreement updates. If you continue to make your Stripe App available after the effective date of any changes, it constitutes your acceptance of the changes. If you do not agree to a change, you must delete your Stripe Application and terminate this Agreement.

25. No Damages. EXCEPT AS MAY BE REQUIRED BY APPLICABLE LAW, IN NO EVENT SHALL STRIPE HAVE ANY LIABILITY TO DEVELOPER FOR ANY DAMAGES WHATSOEVER, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR DAMAGES BASED ON LOST PROFITS, DATA OR USE, HOWEVER CAUSED AND, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT DEVELOPER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

26. Relationship to Other Agreements. Developer may be or become entitled to receive access to other Stripe services under a separate agreement with Stripe. In that case, that separate agreement will govern your access to the other Stripe services, but will not govern your access to Content accessed via the Covered Services, except as otherwise noted in this Agreement.

27. Miscellaneous. Developer may not assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of Stripe (not to be unreasonably withheld). This Agreement shall be governed exclusively by the internal laws of the State of California, without regard to its conflicts of laws rules. Each party hereby consents to the exclusive jurisdiction of the state and federal courts located in San Francisco County, California to adjudicate any dispute arising out of or relating to this Agreement. Notwithstanding the foregoing, Stripe will be entitled to seek injunctive remedies or other types of urgent legal relief in any jurisdiction. There are no third-party beneficiaries under this Agreement. This Agreement constitutes the entire agreement between the parties, and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by the party against whom the change is to be asserted. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) any exhibit, schedule or addendum to this Agreement, (2) the body of this Agreement, and (3) the Documentation. This Agreement may be executed by facsimile and in counterparts. Titles and headings of sections of this Agreement are for convenience only and shall not affect the construction of any provision of this Agreement. You understand Stripe may be independently creating (or may receive from third parties) features, applications, content, or other products or services that may be similar to or competitive with the Application, and nothing in these Terms will be construed as restricting or preventing Stripe from doing so.

28. Survival. The following provisions: “Proprietary Rights,” “Protection of Confidential Information,” “Developer Responsibilities,” “No Warranty,” “No Damages,” “Relationship to Other Agreements” and “Miscellaneous” shall survive the termination of this agreement.