Redact personal dataPublic preview

Follow these steps to redact data from your Dashboard and API.

1. Create a redaction job using the object identifiers containing the personal data you want to redact.
2. Validate and resolve any validation errors before continuing.
3. After the job passes validation, run (or cancel) the job to redact the objects.

You can redact sandbox and live mode objects. Verify your integration in a testing environment before using live mode.

We recommend following the guide to complete your first redaction job.

First, identify which Stripe objects to redact. The most common use case is to redact a Customer object.

Redacting an object also redacts all of its related objects. For example if you redact using a Customer object, that customer’s related data is also redacted. If you want to redact a smaller set of objects, you can choose a different object as the root. The following are all of the supported objects:

• Customers
• Payment Intents
• Invoices
• Checkout Sessions
• Setup Intents
• Issuing Cards
• Fraud Value List Items
• Identity Verification Sessions
• Charges

Use Create a redaction job to configure and create a new job. Creating a job doesn’t immediately redact data. First, a validation check evaluates all the related objects to see whether the job can redact the objects.

After creating a job, it starts validating. The validation_behavior determines how the job validates the objects. It also changes how the job redacts objects if you run the job later:

• error is the default. The job generates a validation error for every object that you can’t redact. If you have any errors, you need to resolve all of them before the job can run.
• fix attempts to fix validation errors whenever possible. The fixes on the objects apply when you run the job. Some objects can’t be fixed automatically and you need to resolve them before the job can run.

You can configure a job’s validation behavior when creating a new one or updating an existing one.

We might need you to finalize an object’s usage or wait for risk periods to end. For example, you can redact PaymentIntent objects when they’re in a succeeded or canceled state.

A job with error validation behavior fails and returns the error. A job with fix validation behavior applies a fix when the job runs. You can view the list of fix validation behavior for all objects. In the PaymentIntent example, running a redaction job with fix validation behavior cancels the object.

You can use List all validation errors to view the validation errors of a job, like the following:

curl https://api.stripe.com/v1/privacy/redaction_jobs/prj_xxx/validation_errors \
  -u "
sk_test_BQokikJOvBiI2HlWgH4olfQ2
:"

{
  "object": "list",
  "data": [
    {
      "id": "prjve_123",
      "object": "privacy.redaction_job_validation_error",
      "code": "invalid_state",
      "erroring_object": {
        "id": "pi_123",
        "object_type": "payment_intent"
      },
      "message": "PaymentIntent isn't finalized. Confirm or cancel the payment intent."
    }
  ],
  "has_more": false,
  "url": "/v1/privacy/redaction_jobs/:job/validation_errors"
}

After validation is complete, the job moves to a status of ready or failed. You can now run a redaction job or cancel a redaction job.

After you take either action, it’s irreversible and continues until it’s completed.

• You can’t unredact an object after you redact it.
• Canceling a job leaves the objects in their current state and no objects are redacted. To redact the same objects again, you can create a new redaction job using the same configuration.

The following is a list of fixes that Stripe applies when validation behavior is set to fix. The documentation link provides more details on the product behavior.

For fraud and risk prevention, transactions are only redactable 90 days after their creation. After the risk period, the following applies to all redacted transactions. Review the following and assess your data minimization strategy:

• You can’t challenge disputes on a redacted transaction. The dispute automatically results as a loss because your account can’t access the relevant data to submit supporting evidence.
• You can’t refund redacted transactions. If your customer requests to redact their data and refund a transaction, first refund the payment, then redact the API object.

Under most circumstances, by following our recommendation for integrating with Setup Intents, you can redact these objects without changing them. Avoid long-lived, unconfirmed Setup Intents because the collected payment credentials might not be valid.

While almost all objects for your Stripe integration path are supported and most jobs process within minutes, some edge cases for complex object configurations might take longer to process.

It can take up to 30 days to asynchronously identify and redact all associated data. During this time, the job’s status field is validating or redacting.