Risk indicator, not a GDPR compliance verdict. Point-in-time assessment based on public web stack signals.Methodology & LimitationsCorrect listing / submit response
Category
Payments: GDPR Assessment & EU Alternatives
Evaluate payment providers like Stripe and PayPal for jurisdiction, PCI-DSS implications and EU alternatives.
20 curated vendors5 EU/EEA1 UK / CH13 USA1 Provider review
Last updated:
Providers in this category
Sorted by jurisdiction: EU first
Each entry links to a dedicated profile with GDPR verdict, ownership chain, data categories, migration plan and FAQ.
EU- & EWR-Anbieter
Recommended5 providers · DSGVO-Baseline · kein Drittlandtransfer
UK & Schweiz
1 providers · Angemessenheitsbeschluss · niedriges Risiko
US-Anbieter
13 providers · Jurisdiktion USA · CLOUD Act betroffen
- 🇺🇸AffirmAffirm, Inc.
- 🇺🇸Afterpay (Clearpay)Block, Inc. (Afterpay)
- 🇺🇸Amazon PayAmazon.com, Inc.
- 🇺🇸Authorize.NetVisa Inc. (Authorize.Net)
- 🇺🇸BraintreePayPal Holdings, Inc. (Braintree)
- 🇺🇸ChargebeeChargebee Inc.
- 🇺🇸Google PayGoogle LLC
- 🇺🇸Google WalletGoogle LLC
- 🇺🇸PayPalPayPal Holdings Inc.
- 🇺🇸RecurlyRecurly, Inc.
- 🇺🇸SquareBlock, Inc.
- DPF🇺🇸StripeStripe Inc.
- 🇺🇸ZuoraZuora, Inc.
Anbieterprüfung
1 providers · Jurisdiktion noch nicht eindeutig bestimmt
Frequently asked questions about Payments
payments
Which GDPR-compliant Payments providers are there?
Which GDPR-compliant Payments providers are there?
In the Sovereignty Scan we currently list 5 EU/EEA providers and 1 providers from the UK/Switzerland in the payments area. EU providers are directly subject to GDPR with no third-country transfer; the UK and Switzerland have adequacy decisions from the EU Commission. Each recommendation includes the hosting region, ownership chain, and a brief migration plan.
Are US providers in the payments space automatically non-GDPR-compliant?
Are US providers in the payments space automatically non-GDPR-compliant?
Not automatically. However, US providers are subject to the CLOUD Act and FISA 702. Government access remains legally possible, even with EU hosting. For each of the 13 US providers in this category, Schrems II requires standard contractual clauses plus a Transfer Impact Assessment. The EU-US Data Privacy Framework (DPF) simplifies the transfer but does not eliminate the CLOUD Act.
How do I choose the right Payments alternative?
How do I choose the right Payments alternative?
Three criteria matter: (1) the registered seat and parent company of the provider, (2) the hosting region (ideally EU/EEA), and (3) the subprocessor list. Many EU providers use US subprocessors for email delivery or hosting and are therefore still exposed to the CLOUD Act. On each vendor profile in this category you will find these three points plus a migration estimate in business days.
What distinguishes a real EU alternative from an ‘EU region’ of a US provider?
What distinguishes a real EU alternative from an ‘EU region’ of a US provider?
An ‘EU region’ of a US provider (e.g., AWS Frankfurt, Salesforce EU) is physically located in the EU but belongs to a US corporation and thus falls under US law. A genuine EU alternative has its legal seat and parent company in the EU, EU hosting, and no US subprocessors in the contract chain. Only the second option rules out the CLOUD Act.
Next Step
Which Payments providers are running on your website?
60 seconds, no login. The Sovereignty Scan lists all detected tools with jurisdiction, ownership chain and matching EU alternative.