a. Confidentiality: Stripe will maintain User Data in our possession as your confidential information, and will only use such User Data as permitted by this Agreement, by other agreements between you and us, or as otherwise directed by you. You will maintain any Data you receive through the Services that is not User Data as Stripe’s confidential information, may not disclose or distribute any such Data, and you will only use such Data in conjunction with the Services and as permitted by this Agreement or by other agreements between you and us. Neither party may use any Personal Data for marketing purposes unless it has received the express consent from a specific Customer to do so. You may not disclose Payment Data to others except in connection with processing Transactions requested by Customers and consistent with applicable Laws and Network Rules.
You affirm that you are now and will continue to be compliant with all applicable Laws governing privacy and your use of Data that you provide to us or access through your use of the Services. You also affirm that you have obtained all necessary rights and consents under applicable Laws to disclose to Stripe — or allow Stripe to collect, use, retain, and disclose — any Personal Data that you provide to us or authorize us to collect, including Data that we may collect directly from Customers using cookies or other similar means. As may be required by Law and in connection with this Agreement, you are solely responsible for disclosing to Customers that Stripe processes Transactions (including payment Transactions) for you and may receive Personal Data from you. Additionally, where required by Law or Network Rules, we may delete or disconnect a Customer’s Personal Data from your Stripe Account when requested to do so by the Customer.
We will comply with our obligations under Law if we become aware that we caused a loss, theft, or breach of a Customer’s Personal Data. We will also notify you and provide you sufficient information regarding the loss, theft, or breach to help you mitigate any negative impact on the Customer.
c. PCI Compliance: If you use Payment Services to accept payment card Transactions, you must comply with the Payment Card Industry Data Security Standards (PCI-DSS) and, if applicable to your business, the Payment Application Data Security Standards (PA-DSS) (collectively, the “PCI Standards”). Stripe provides tools to simplify your compliance with the PCI Standards, but you must ensure that your business is compliant. The specific steps you will need to take to comply with the PCI Standards will depend on your implementation of the Payment Services. You can find more information about implementing Stripe in a manner compliant with the PCI Standards in our Documentation. You will promptly provide us with documentation demonstrating your compliance with the PCI Standards upon our request. If you elect to store, hold and maintain “Account Data”, as defined by the PCI Standards (including Customer card account number or expiration date), you further agree that you will either maintain a PCI-compliant system or use a compliant service provider to store or transmit such Account Data; further, you agree to never store any “Sensitive Authentication Data”, as defined by the PCI Standards (including CVC or CVV2), at any time. You can find information about the PCI Standards on the PCI Council’s website.