Redact personal dataPublic preview
Remove system access to personal data on objects.
You can use redaction jobs to remove your users’ data from your Dashboard and API for consumer data deletion requests. Use it to redact objects containing personal data, such as their customer’s name and address. Redacting an object also redacts its related objects such as events and request logs. This feature allows you to create processes to facilitate customer deletion requests
Redaction Jobs is in public preview.
Overview
Follow these steps to redact data from your Dashboard and API.
- Create a redaction job using the object identifiers containing the personal data you want to redact.
- Validate and resolve any validation errors before continuing.
- After the job passes validation, run (or cancel) the job to redact the objects.
You can redact sandbox and live mode objects. Verify your integration in a testing environment before using live mode.
We recommend following the guide to complete your first redaction job.
Redaction is irreversible
You can’t update or reuse redacted objects. Treat redacted objects as inoperable. When accessing them using the Dashboard or API, you’ll see [redacted]
or similar placeholders in place of the values that previously contained personal data.
This also means redacting objects removes the optionality for future actions. Redacted transactions are automatically lost in a dispute, and you can’t refund them.
Create a redaction job
First, identify which Stripe objects to redact. The most common use case is to redact a Customer object.
Redacting an object also redacts all of its related objects. For example if you redact using a Customer
object, that customer’s related data is also redacted. If you want to redact a smaller set of objects, you can choose a different object as the root. The following are all of the supported objects:
- Customers
- Payment Intents
- Invoices
- Checkout Sessions
- Setup Intents
- Issuing Cards
- Fraud Value List Items
- Identity Verification Sessions
- Charges
Use Create a redaction job to configure and create a new job. Creating a job doesn’t immediately redact data. First, a validation check evaluates all the related objects to see whether the job can redact the objects.
Validate and resolve any validation errors
After creating a job, it starts validating. The validation_
determines how the job validates the objects. It also changes how the job redacts objects if you run the job later:
error
is the default. The job generates a validation error for every object that you can’t redact. If you have any errors, you need to resolve all of them before the job can run.fix
attempts to fix validation errors whenever possible. The fixes on the objects apply when you run the job. Some objects can’t be fixed automatically and you need to resolve them before the job can run.
You can configure a job’s validation behavior when creating a new one or updating an existing one.
We might need you to finalize an object’s usage or wait for risk periods to end. For example, you can redact PaymentIntent
objects when they’re in a succeeded
or canceled
state.
A job with error validation behavior fails and returns the error. A job with fix validation behavior applies a fix when the job runs. You can view the list of fix validation behavior for all objects. In the PaymentIntent example, running a redaction job with fix validation behavior cancels the object.
You can use List all validation errors to view the validation errors of a job, like the following:
{ "object": "list", "data": [ { "id": "prjve_123", "object": "privacy.redaction_job_validation_error", "code": "invalid_state", "erroring_object": { "id": "pi_123", "object_type": "payment_intent" }, "message": "PaymentIntent isn't finalized. Confirm or cancel the payment intent." } ], "has_more": false, "url": "/v1/privacy/redaction_jobs/:job/validation_errors" }
Run or cancel a redaction job
After validation is complete, the job moves to a status of ready
or failed
. You can now run a redaction job or cancel a redaction job.
After you take either action, it’s irreversible and continues until it’s completed.
- You can’t unredact an object after you redact it.
- Canceling a job leaves the objects in their current state and no objects are redacted. To redact the same objects again, you can create a new redaction job using the same configuration.
Fix validation behaviors
The following is a list of fixes that Stripe applies when validation behavior is set to fix
. The documentation link provides more details on the product behavior.
Object type | Error | Fix validation behavior action |
---|---|---|
Customer | Not deleted | Delete the Customer |
PaymentIntent | Not finalized | Cancel the PaymentIntent |
PaymentMethod | Payment method is still attached to a Customer | Detach the Customer from the card |
Card | Attempted to redact a card attached to an active customer | Detach the Customer from the card |
Invoice | Not finalized | Void the invoice |
Dispute | Dispute isn’t submitted | Close the dispute. You can’t submit evidence for a dispute after it expires |
Issuing card | Not finalized | Close the Issuing card |
VerificationSession | VerificationSession is awaiting action | Cancel the VerificationSession |
Radar value list item | Not deleted | Delete the Radar value list item |
Redacting transactions
For fraud and risk prevention, transactions are only redactable 90 days after their creation. After the risk period, the following applies to all redacted transactions. Review the following and assess your data minimization strategy:
- You can’t challenge disputes on a redacted transaction. The dispute automatically results as a loss because your account can’t access the relevant data to submit supporting evidence.
- You can’t refund redacted transactions. If your customer requests to redact their data and refund a transaction, first refund the payment, then redact the API object.
Redacting Setup Intents
Under most circumstances, by following our recommendation for integrating with Setup Intents, you can redact these objects without changing them. Avoid long-lived, unconfirmed Setup Intents because the collected payment credentials might not be valid.
RedactionJob response times and object support
While almost all objects for your Stripe integration path are supported and most jobs process within minutes, some edge cases for complex object configurations might take longer to process.
It can take up to 30 days to asynchronously identify and redact all associated data. During this time, the job’s status
field is validating
or redacting
.