Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
ProcessOut is a smart payment routing and orchestration platform founded in Paris in 2015 and acquired by Checkout.com in 2020. It provides a vendor neutral API that lets merchants connect to multiple Payment Service Providers (Stripe, Adyen, Worldpay, PayPal, Braintree and more), route transactions dynamically to maximise authorisation rates, run A/B tests on PSPs, manage cards in a unified vault and benchmark payment performance through detailed analytics. ProcessOut targets mid market and enterprise merchants who want PSP independence and a single integration for the global payments stack.
ProcessOut is a payment orchestration platform founded in Paris in 2015 by Cyril Chemla, Gregoire Lemercier and Jeremy Lejoux. The company joined the Checkout.com group in 2020 and continues to provide a vendor neutral layer above traditional Payment Service Providers. Through a single API, ProcessOut enables merchants to vault cards once, connect dozens of PSPs (Stripe, Adyen, Worldpay, Braintree, PayPal, Klarna, GoCardless and others), apply smart routing rules in real time, run controlled experiments on PSP performance and consolidate reporting in a unified analytics dashboard.
In the checkout flow, ProcessOut sets technical cookies and tokens used by its hosted iFrame for tokenisation, anti CSRF protection and 3D Secure session continuity. It processes card primary account numbers (PAN), expiry, CVV, cardholder name, billing address, IP address, device fingerprint and transaction metadata. Card data is tokenised and stored in a PCI DSS Level 1 vault. On the merchant dashboard, additional cookies are used for authentication, preferences and product analytics.
ProcessOut acts as a processor or joint controller depending on the use case. Payment execution is grounded in contractual necessity, while fraud prevention relies on legal obligation. Smart routing decisions are profiling activities that must be documented, and customers retain rights to information, access, rectification, restriction and objection. Cookies set by the checkout iFrame are strictly necessary and exempt from consent, while cookies on the merchant dashboard are subject to standard consent rules.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
No consent is required to process the payment itself, since this is necessary to execute the contract. Consent is required for non essential analytics or marketing cookies that ProcessOut or your dashboard tooling sets. For storing card credentials for future purchases (card on file), you must rely on contract or explicit opt in from the customer at the checkout step.
ProcessOut hosts its core vault and routing engine in the European Union. As part of the Checkout.com group, some operational data flows through UK and US infrastructure. Most importantly, routing transactions to PSPs such as Stripe US, Braintree or PayPal involves transfers of cardholder data outside the EEA. Standard Contractual Clauses, the EU US Data Privacy Framework and an active transfer impact assessment are necessary, along with PSP specific contractual safeguards.
Sign the ProcessOut and Checkout.com DPA, list the connected PSPs in your transparency notice with their respective transfer mechanisms, document the routing logic and profiling in the record of processing activities, perform a DPIA covering card vaulting and smart routing, limit cardholder data retention to the strict PCI DSS minimum, restrict dashboard access through SSO and MFA, and verify that the checkout iFrame loads no marketing cookies before consent.
Websites using ProcessOut must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because ProcessOut processes large volumes of cardholder data, performs profiling for fraud and routing, and triggers cross border transfers to downstream PSPs including in the United States. Key risks include scope of card vaulting, retention of failed transactions, exposure of identifying metadata to multiple PSPs, behavioural profiling for routing optimisation, sub processing by Checkout.com group entities and incident response across multiple acquirers.
Sample consent text
Payment on our website is processed by ProcessOut, a payment orchestration platform of the Checkout.com group. ProcessOut tokenises your card data and routes the transaction to the optimal acquirer, which may be located outside the European Union. Strictly necessary cookies set by the payment iFrame are exempt from consent. Analytics or marketing cookies will only be loaded after you accept in our consent banner.
Third-party domains contacted
processout.comapi.processout.comjs.processout.comdashboard.processout.comcheckout.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| po_session | session | session | Strictly necessary session cookie used by the ProcessOut checkout iFrame to maintain state between tokenisation, 3D Secure challenge and final authorisation. |
| __Host-po-csrf | session | session | Anti CSRF token issued by the ProcessOut checkout iFrame to protect against cross site request forgery during card data submission. |
| po_device_id | first_party | 13 months | Device fingerprint identifier used by ProcessOut for fraud scoring and dispute analytics. Considered strictly necessary for fraud prevention. |
| po_dashboard_session | session | session | Session cookie for the ProcessOut merchant dashboard used to authenticate merchants between page loads. |
| _pendo / amplitude | analytics | up to 13 months | Optional product analytics cookies (Pendo, Amplitude) on the merchant dashboard. Loaded only after the merchant has accepted analytics in the dashboard preferences. |
ProcessOut uses cookies for user preferences — inform visitors with a consent banner.
The ProcessOut checkout iFrame sets strictly necessary cookies and tokens for tokenisation, CSRF protection and 3D Secure session management. The merchant dashboard at dashboard.processout.com sets authentication, preference and optional product analytics cookies. No marketing cookies are set on the public checkout flow.
Consent is not required for the payment processing itself or for the strictly necessary cookies on the iFrame, since both are needed to execute the contract. Consent is required for optional analytics or marketing cookies on your site or on the merchant dashboard, and you must obtain explicit opt in to store a card for future purchases (card on file).
Contract for executing the payment, legal obligation for fraud prevention and anti money laundering controls, legitimate interest for transactional analytics and routing optimisation, and consent for non essential cookies and saving card credentials.
Yes. While ProcessOut hosts its vault and routing engine in the EU, the Checkout.com group operates UK and US infrastructure, and routing to PSPs such as Stripe US, Braintree or PayPal involves transfers of cardholder data outside the EEA, covered by Standard Contractual Clauses and the EU US Data Privacy Framework.
Yes. The large volume of payment card data, the systematic profiling for smart routing and fraud, the cross border data flows and the use of a chain of sub processors trigger a mandatory DPIA under Article 35 GDPR.
Use the hosted iFrame so the PAN never touches your servers, sign the DPA with ProcessOut and Checkout.com, list all connected PSPs in the privacy notice, document the routing logic, complete a DPIA, restrict dashboard access through SSO and MFA, and align retention with PCI DSS requirements.
Alternatives include Primer, Spreedly, Gr4vy, IXOPAY and the orchestration offerings of large PSPs themselves (Stripe Connect, Adyen, Worldline). Each differs in PSP coverage, pricing model, vaulting capabilities and EU sovereignty.
Add an entry for ProcessOut as the payment orchestrator, listing the strictly necessary iFrame cookies, the optional dashboard analytics cookies and a clear note that the chosen acquirer may be outside the EU. Provide links to the privacy notices of Checkout.com and each connected PSP, and refresh the list whenever the routing configuration changes.