Stream CRM

Legal

PCI Compliance

How Stream CRM handles payment card data securely through Stripe and our PCI DSS compliance approach.

Last updated: June 19, 2026

1. Overview

Stream CRM (https://streamcrm.app) takes payment security seriously. This page describes how we handle payment card information and our approach to Payment Card Industry Data Security Standard (PCI DSS) compliance.

Summary: We do not store, process, or transmit full payment card numbers on our servers. All card payments are handled by Stripe, Inc., a certified PCI Level 1 Service Provider.

2. Stripe as Payment Processor

Paid subscriptions (Silver, Gold, Agency) are billed through Stripe Checkout and the Stripe Customer Portal. When you subscribe or update payment methods:

  • Card details are entered directly on Stripe-hosted or Stripe.js secured fields
  • Stripe tokenizes and stores payment methods in its PCI-compliant environment
  • Stream CRM receives only limited billing metadata (e.g., last four digits, brand, expiry, customer and subscription IDs)
  • We never receive or store your full card number, CVV, or magnetic stripe data

Learn more at Stripe Security and Stripe PCI guide.

3. Our PCI Scope (SAQ A)

Because all cardholder data is collected and processed by Stripe and we do not handle card data on our systems, Stream CRM typically falls under PCI DSS SAQ A (Self-Assessment Questionnaire A) — the scope for merchants that fully outsource card processing to validated third parties.

This means:

  • Our application and servers do not store cardholder data
  • Payment pages use Stripe's secure, PCI-validated infrastructure
  • We maintain secure development and access practices for our own systems

4. Security Practices

In addition to outsourcing payments to Stripe, we implement safeguards including:

  • HTTPS/TLS encryption for all web traffic
  • Firebase Authentication for user sign-in
  • Firestore security rules restricting data access to account owners
  • Server-side API authentication for sensitive operations (billing, live connect, account deletion)
  • Webhook signature verification for Stripe events
  • Rate limiting on sensitive API routes

5. What Billing Data We Store

We may store non-sensitive billing metadata in Firestore, such as:

  • Stripe customer ID and subscription ID
  • Subscription tier, status, and current period end date
  • Account email associated with billing

This information is used to enforce plan limits and display billing status. It does not include full payment card numbers or CVV codes.

6. Your Responsibilities

When managing your subscription, please:

  • Use the official Billing portal within Stream CRM or links from Stripe emails
  • Never share your password or payment details via email or unofficial channels
  • Report suspected unauthorized charges to us and your card issuer promptly

7. Security Incidents

If you believe your payment information has been compromised, contact your card issuer immediately and notify us at support@streamcrm.app. For Stripe-specific payment issues, you may also contact Stripe support through your receipt or the Stripe dashboard.

8. Disclaimer

This page describes our payment security practices and is provided for informational purposes. It is not a formal PCI DSS Attestation of Compliance (AOC). Stripe maintains its own PCI certifications as an independent payment processor.

See also our Disclaimer, Privacy Policy, and Terms of Service.

9. Contact

Payment security questions? Email support@streamcrm.app.