In light of recent court rulings against European businesses using Google Analytics or Stripe because they transmit data in the US, I'm a bit worried if there's a real possibility of getting sued as a European business for using Stripe. I've asked their support about this and am waiting for an answer (it's only been two days, they said they need to check this internally and will get back to me).
In the meantime, I've been looking at other payment providers to use instead of Stripe. Stripe offers to export customer data to a new PSP so in theory, I should be able to move my existing customer base over to somewhere else.
So far, only Mollie and Adyen seem to be good options:
Do any of you have experience switching payment providers? Any fellow European businesses here with thoughts about this?
Update (2022-01-27): Stripe has sent me a long answer about this:
Thank you for reaching out. We’re happy to provide you with information about Stripe programmes and practices. Stripe respects the privacy of everyone that engages with our products and services, and we are committed to being transparent about our privacy processes and policies.
Stripe is a global service provider and data may be transferred outside of the EEA, UK and Switzerland. However, Stripe has a robust data protection program to keep our users’ data secure and meet the strict requirements imposed by EU data protection law.
To help you assess compliance needs in relation to international data transfers, we want to highlight the following safeguards and commitments that make up our 5 layers of compliance:
Contractual Measures: Stripe's Data Processing Agreement (“DPA”) includes the modernised Standard Contractual Clauses (“SCCs”) approved by the EC as a contractual legal mechanism to transfer data outside of the EEA/UK/Switzerland. In addition, we have implemented supplemental measures and safeguards in tandem with the model clauses to help demonstrate an adequate level of protection of personal data. We confirm how we handle government data access requests, how we deal with authority requests from third countries and what security measures and additional safeguards we provide for. If you seek to have a DPA, please go here. [0]
Technical and organisational measures: Stripe has committed to implementing and maintaining technical and organisational measures for the protection of the security, confidentiality and integrity of users’ data. Those measures are contractually embedded within the DPA and the SCCs and include, inter alia, details about Stripe’s privacy and security programs and policies, risk and asset management controls, training and awareness practices, access controls, incident response program, separation and disclosure controls, encryption, etc.
Our approach to conducting transfer impact assessments: In Stripe’s capacity as data controller, Stripe Payments Europe Limited (“SPEL”) is the exporter of personal data and has carried out transfer impact assessments. While these are confidential to Stripe, to support User’s diligence of Stripe as a service provider, we have prepared an information pack which includes a description of the assessment of the risks associated with data transfers of Stripe Personal data to third countries, as well as any supplementary measures we have implemented.
Government requests for data: Stripe receives requests for access to data from law enforcement agencies or other government bodies seeking access to users’ data, and we review each request with the goal of responding with the minimum amount of required information in response to legitimate, legally mandated requests. We are committed to ensuring that our users’ data can continue to flow freely between the EU and the U.S., and we will continue to partner with regulators, industry groups and similarly situated companies to make sure our users’ needs are met.
Sub-processors: To support Stripe in delivering its global services, we engage Service Providers, Sub-processors and affiliates to assist Stripe with its data processing activities on behalf of our users. As part of Stripe’s commitment to privacy and security, we’ve recently updated our external Service Providers page [1] to include additional information about our existing service providers and Sub-processors (e.g. their location, privacy statements), and add details on how users can subscribe to receive notifications about updates to the page. Before engaging any service provider, we perform due diligence, including a vendor security assessment. Our service providers are subject to contract terms designed to require that they process personal data in line with our commitments to Users and applicable data protection laws.
For more information please see our Privacy Center. [2]
I'm not quite sure what to take from this. It sounds a lot like the usual "we care about your privacy" stuff you hear everywhere. The thing is, even if Stripe does a number of things to comply with the law and the law says "you cannot legally transfer data in the US as a European business" that doesn't help me much.
As far as I understand it, the GDPR still can hold me accountable for things a third party company I do business with does wrong, even if I have a DPA with them.
German here. I am also concerned about this, but don't think you must do the switch any time soon. Considering how fast politics moves we will eventually see an EU-wide ruling for this, but I don't expect this any time soon, i.e. at least not before 2024-2025.
I think it is also likely that the US will implement something similar to GDPR which brings the EU and US back on par (at least on paper), but this could also take some time.
Note: we implemented Stripe last year and plan to stick with it for the foreseeable future.
That sounds very plausible. Thank you, that calms me down a bit.
I'll definitely watch the space closely in the future but probably won't migrate off Stripe any time soon, given the hassle doing so would bring with it. But it will be very interesting to see whether they will do something like Privacy Shield again (which would then be killed again by Max Schrems and his org).
Hi, this EU based data is exactly why I use Mollie for EU customers, though I really love Stripe as a product and their API. For non-EU customers I will be using Paddle.com since that makes international taxes so much easier, but the Paddle costs are higher indeed. Within the EU it's not that hard but sales tax around the world...
For my SaaS I have been using eCurring.com for EU customers, which is a recurring Stripe-like app on top of Mollie, with its own API. I'm based in the Netherlands and I have a lot of B2B customers from NL/BE/DE.
At some point Mollie acquired eCurring and for now they stopped taking new clients for eCurring.com, as Mollie's own product https://www.mollie.com/nl/recurring is roughly the same, although one great eCurring.com feature that Mollie recurring is missing, is that it creates proper invoices with all bells and whistles that EU B2B clients love (full address, VAT id, incremental invoice nr etc, etc).
I asked them whether they will go accept new clients for eCurring.com since it is exactly what you need in EU and they have storage of customer data in EU. The docs are here https://docs.ecurring.com/
Apart from the ability to generate proper invoices, it seems https://www.mollie.com/nl/recurring does roughly the same.
For SEPA / PayPal customers you can write your own import script it seems using https://docs.mollie.com/reference/v2/mandates-api/create-mandate (but for CC they have to do a first payment). And you can import clients/subscriptions with the customers/subscription APIs but that requires some custom development on your side of course.
Ah okay, thanks for the pointer. If Mollie acquired eCurring.com, they'll probably have their features in their product at some point, I guess?
Biggest downside about Mollie seems so far that I'd need to ask all of my customers to enter their credit card data again - not the best thing to do in terms of retention etc. I think some of them might bounce. On the other hand, I don't have a lot to lose..
I wouldn't worry too much about it. These things take time, and the wind can change.
It will hit Stripe long before it hits you, and I'm confident Stripe will have found a way to make sure they don't lose European businesses.
And if Stripe doesn't, you can be sure the EU alternatives will fight to make sure switching is bliss (ok, easier, at the minimum).
Yeah probably. I'll definitely keep an eye on this...
Note that Adyen nowadays only works with big players mostly, if you have under $5k MRR I don't think they will even talk to you.
Yeah that might very well be - my MRR isn't that much. But it would make sense, given their marketing and positioning.
Hi, @kolaente when building Wide Angle Analytics (https://wideangle.co) I was considering Adyen. Mostly because it is an EU business. AFAIK they support recurring payments. Have different levels of Payment Processes (pop-up, inline, API) so you can do all the things you would normally do with Stripe. And their support for SEPA payments is very attractive in Europe.
Eventually, I went with Paddle. It is not perfect, and they do use Google Analytics so it is about to be seen how that evolves.
But the advantage of Paddle, compared to Stripe AND Adyen is handling of Sales Tax.
To summarize:
I almost used Paddle for my upcoming project but decided against it in the end and went with Stripe... perhaps it's laziness, but I know the Stripe API and docs are top quality and it just felt like a safer bet.
I've looked at Paddle as well but I don't really like the fact that you're not selling your product anymore if you use them. That's more of a gut thing, but it doesn't feel good to me.
@kolaente This is something you don't really have to worry about as a business on Stripe. We're closely watching the developments here and are partnering with regulators. (You can read exactly how we're dealing with this at https://stripe.com/privacy-center/legal#international-data-transfers.) In the meantime, could you add me to your email thread with Stripe support? Sorry you've been kept waiting for that long. [email protected]
Thanks for the link and the offer to chime in on the support thread. I just got an answer (yesterday, actually) from the support, see my updated post for their answer and my comment about it.
I’ve used Adyen a long, long time ago when they were still a small company. Back then their service was great and friendly; though when I wanted to use their services recently it was a very bad and unfriendly experience.
I wanted to use Adyen for a small business and they basically told me to look for another provider. Of course this is just one experience.
I’ve used Mollie in the past as well and they are great! Good documentation, good default templates, etc. I would go for Mollie unless there are reasons not to.
I hope this helps a bit, but keep in mind that it was just a one time thing.
Interesting. My experience with Adyen has been pretty much positive so far, we have a customer in my day job using it and they are satisfied with it (though they have an e-commerce business, not a SaaS).
It seems like Adyen puts a focus on bigger businesses than Stripe has, maybe that explains your experience?
Yes that could have been the reason indeed.