Skip to main content
Skip to main content

Braintree Vendor Risk Assessment — Full Report

Before you share customer data with Braintree, your compliance team needs documented proof they can be trusted. ThirdProof investigated Braintree across 27 intelligence sources — here's what we found.

⚠ FedRAMP Status: Not found in the FedRAMP Marketplace. Vendors handling government data or CUI must be FedRAMP authorized.

Risk Tier
Tier 3Moderate Risk
SOC 2
— Not Found
FedRAMP
— Not Authorized
Last Assessed
Mar 4, 2026
🟢IP Reputation: Abuse score: 0%, 0 reports🟡SSL/TLS: TLSv1.3🟢Domain Age: 15 years🟢Infrastructure: 2 open ports, 0 CVEs
FedRAMP Status
Braintree is not listed on the FedRAMP Marketplace as of March 2026.
SOC 2 Status
Braintree has not had a SOC 2 claim detected on their trust page.
Sanctions Screening
Braintree returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
Risk Tier
ThirdProof assigned Braintree a Low Risk tier with 92% confidence across 27 intelligence sources.

22 sources queried. 90% confidence. Every Braintree investigation produces both a risk report and an auto-filled security questionnaire — no vendor follow-up required.

Get Braintree's Full Report Free →
5 free investigations|Risk report + auto-filled questionnaire|Avg. 7 minutes

Certification & Compliance Status

Need a complete vendor security questionnaire?

Run a full ThirdProof investigation to get 133 security questions auto-filled with source evidence — ready for your next audit or vendor onboarding review.

Get Braintree's Full Report Free →
Not Listed on FedRAMP Marketplace

Verified against FedRAMP Marketplace API as of March 2026

Organizations with federal compliance requirements should verify this directly at marketplace.fedramp.gov.

Braintree (PayPal) is not listed on the FedRAMP Marketplace independently.

Source: FedRAMP Marketplace

FedRAMP authorized vendors →
27 data sources queried per assessment
Reports generated in an average of 7 minutes
SHA-256 verified for audit integrity
Deterministic risk scoring — no AI guesswork
3Tier

Moderate Risk

Braintree

Vendor Risk Assessment

Confidence Score90%

Based on data availability and source coverage

22

Sources Queried

19

Sources With Data

March 4, 2026

Last Assessed

Executive Summary

AI-generated analysis for Braintree

Braintree (braintreepayments.com) is a PayPal-owned payment processing platform with a 14-year established domain presence, clean threat intelligence across 94 security engines, and an excellent HTTP security scanner security grade of A+.

Area Requiring Attention

The vendor's overall technical security posture is strong, with no malware flags, clean IP reputation, and no adverse media of operational relevance. However, the domain registration is set to expire in approximately 45 days — an anomaly for an enterprise-grade platform that warrants immediate clarification — and PCI DSS compliance, while claimed on the vendor's security page, could not be independently verified through a public registry. For a payment processor handling cardholder data in a retail context, unverified PCI compliance status and the near-term domain expiry are the primary risk drivers elevating this assessment to Tier 3.

Independence Statement

All evidence presented in this report was gathered exclusively from external, independently queried data sources without any participation, notification, or input from the vendor under investigation.

Investigation Findings

4 findings identified for Braintree

3 medium1 low
medium

LEI Registration Lapsed

The LEI registration for CAMBIUM INVESTMENTS LIMITED has status "LAPSED". This may indicate the entity no longer maintains its regulatory filings.

Source:Business Registrationsearch.gleif.org
medium

Missing Security Headers

braintreepayments.com is missing 2 recommended security headers: Content-Security-Policy, X-Frame-Options.

Source:Domain Analysisdns.google
medium

Multiple Certificate Issuers (17)

braintreepayments.com has certificates from 17 different Certificate Authorities. This may indicate inconsistent certificate management practices.

Source:Certificate Transparencycrt.sh
low

Historical Media: banned

1 older article(s) mention "Braintree" with risk keywords. Age significantly reduces relevance: "Teenager caught carrying knife in Braintree banned from Essex"

Source:Historical Media Searchnews.google.com

Security Strengths

24 positive signals verified

Web Archive History Unavailable

Web Archive History

Legal Entity Actively Registered

Business Registration

Entity Found in Regulatory Database — BRAINTREE TOWN TAXI, INC

Sanctions & Watchlist Screening

Entity Found in Regulatory Database — City of Braintree (Massachusetts)

Sanctions & Watchlist Screening

Entity Found in Regulatory Database — GLOBAL ENGINEERING (BRAINTREE) LTD

Sanctions & Watchlist Screening

No Adverse Media Signals

Adverse Media Scan (Fallback)

Firmographic Data Available

Company Intelligence

Valid SSL Certificate

Domain Analysis

2 Open Ports Detected

Infrastructure Exposure

Established Domain (14+ years)

Domain Registration

Clean Domain Reputation

Threat Intelligence

Well-Known Domain

Threat Intelligence

Minimal Tech Community Discussion

Tech Community Sentiment

HTTP Security Grade: A+

HTTP Security Scan

SSL/TLS Analysis Unavailable

SSL/TLS Analysis

Large Certificate Footprint (548 subdomains)

Certificate Transparency

No Threat Intelligence Pulses

Threat Intelligence (OTX)

Clean IP Reputation

IP Reputation

Clean Safe Browsing Status

Malware & Phishing Check

Clean Website Scan

Website Security Scan

Certification Claimed: PCI DSS

Trust & Compliance Page Scan

Subprocessor Page Found, No Entries Parsed

Supply Chain & Subprocessor Discovery

Not Found as FDIC-Insured Institution

FDIC Institution Check

No SEC Enforcement Filings Found

SEC Filing Search

Recommended Actions

Steps to address findings for Braintree

  1. 1

    URGENT (within 5 business days): Contact Braintree's merchant support or account management team and request written confirmation that the braintreepayments.com domain renewal is scheduled prior to April 18, 2026. Ask for the renewal receipt or registrar confirmation number. If unresolved in 10 business days, escalate internally and evaluate whether backup payment routing should be pre-staged.

  2. 2

    HIGH PRIORITY (within 30 days): Request Braintree's current Attestation of Compliance (AOC) from a Qualified Security Assessor. Contact your Braintree account manager directly or check https://braintreepayments.com/security. The AOC must specify service provider level, assessment date, and system scope. File this with your TPSP list as required evidence for PCI-DSS 4.0 Requirement 12.8.4.

    PCI DSS Standards
  3. 3

    HIGH PRIORITY (within 30 days): Obtain and execute a written Data Processing Agreement (DPA) with Braintree if EU consumer data is processed, and confirm Braintree is designated as a 'service provider' (not a 'third party') under CCPA/CPRA with a written agreement prohibiting sale or cross-context behavioral advertising use of cardholder data.

    CCPA Overview (CA AG)DPA Template (GDPR Art. 28)
  4. 4

    MEDIUM PRIORITY (within 60 days): Map shared responsibility for PCI DSS controls per Requirement 12.8.5. Request Braintree's responsibility matrix or 'shared responsibility guide' — many enterprise payment processors publish this. Document which PCI controls Braintree owns versus which remain your organization's responsibility (e.g., network segmentation, access controls, logging).

    PCI DSS Standards
  5. 5

    MEDIUM PRIORITY (within 60 days): Manually review the Braintree subprocessor page at https://braintreepayments.com/subprocessors. If the list is not machine-readable, capture a PDF or screenshot for your records and identify any subprocessors that handle cardholder data on Braintree's behalf. Cross-reference with your own vendor risk program requirements. This is required for GDPR Article 28 compliance and PCI-DSS 12.8 supply chain oversight.

    PCI DSS StandardsGDPR Full TextGDPR Subprocessor RulesNIST Supply Chain Risk (SP 800-161)
  6. 6

    ROUTINE (at next annual review): Reassess Braintree's SOC 2 Type II status. No SOC 2 evidence was found in this assessment — either the certification does not exist, has not been published, or is available under NDA. Ask your account manager: 'Do you have a current SOC 2 Type II report available under NDA for enterprise customers?' Retain any report received with your vendor risk file.

    SOC 2 Overview (AICPA)NIST Supply Chain Risk (SP 800-161)

Intelligence Sources Queried

22 sources in this assessment

19of 22 sources returned data
IP Reputation
Threat Intelligence (OTX)
Certificate Transparency
Domain Analysis
FDIC Institution Check
Business Registration
Historical Media Search
Tech Community Sentiment
Company Intelligence
Adverse Media Scan (Fallback)
HTTP Security Scan
Sanctions & Watchlist Screening
Malware & Phishing Check
SEC Filing Search
Infrastructure Exposure
Trust & Compliance Page Scan
Website Security Scan
Threat Intelligence
Domain Registration
SSL/TLS Analysis
Supply Chain & Subprocessor Discovery
Web Archive History

Data Coverage Notes

Some data sources may have had limited availability during this assessment. This does not reflect negatively on the vendor.

  • Deep SSL/TLS cipher-level analysis was unavailable for this assessment. The domain carries a valid DigiCert-issued certificate with expiry August 2026, and the HTTP security scanner grade of A+ provides partial assurance, but protocol-level cipher suite validation could not be completed.
  • Web archive history data was unavailable during this assessment, limiting the ability to assess historical changes to the vendor's public web presence and trust page content over time.
  • External cyber risk scoring from an independent scoring provider was not available for this assessment, which would have provided an additional quantitative signal on Braintree's enterprise security posture.
  • The subprocessor page at braintreepayments.com was found but no structured subprocessor entries could be extracted due to non-standard page formatting. Third-party supply chain exposure therefore could not be assessed, which is a material gap for GDPR Article 28 and PCI-DSS 12.8.5 shared responsibility mapping.
  • The Legal Entity Registry LEI match returned results for 'CAMBIUM INVESTMENTS LIMITED' — a UK-registered entity with a lapsed LEI registration located on Braintree Road — which is a geographic name match, not the payment technology company. This match is not relevant to the vendor under assessment and does not constitute a regulatory concern for Braintree the payments platform.
  • All sanctions screening service matches (Braintree Town Taxi, City of Braintree MA, Global Engineering Braintree Ltd) are name-only matches to unrelated entities with scores of 0. None represent sanctions, export control listings, or enforcement actions against Braintree the payment processor. These matches carry no risk signal for this assessment.
183+
Vendors assessed
98%
Average confidence
<2 min
Time to report
What a ThirdProof assessment covers

Sanctions Screening

Is Braintree on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?

Cyber Risk Assessment

What is Braintree's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.

Business Registration

Is Braintree a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.

Adverse Media Analysis

Has Braintree appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.

Domain & Infrastructure

Is Braintree's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.

Company Intelligence

What are Braintree's firmographics? Employee count, industry classification, technology stack, and corporate structure.

Trust & Compliance Verification

Does Braintree claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.

Supply Chain & Subprocessor Discovery

Who does Braintree depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.

Regulatory & Financial Filings

Has Braintree appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.

Full methodology, rule engine, and AI disclosure: /methodology

Compliance Resources

→ PCI-DSS 4.0 Requirement 12.8 Vendor Due Diligence→ Sanctions Screening for Vendor Due Diligence→ Vendor Due Diligence Checklist→ All 27 Intelligence Sources

Seeing this in an audit? ThirdProof lets you investigate Braintree and every other vendor in your stack — average report time: 7 minutes. Get Braintree's Full Report Free →

Frequently asked about Braintree

Is Braintree FedRAMP authorized?+
Braintree is not currently listed on the FedRAMP Marketplace as of April 2026.
Does Braintree have SOC 2 Type II?+
No SOC 2 found. Braintree rated Low Risk — subprocessor list unavailable. See all 4 findings →
Is Braintree on the OFAC sanctions list?+
Braintree returned no matches in ThirdProof's OFAC SDN, EU Consolidated, and UN sanctions screening as of April 2026.
What is Braintree's vendor risk tier?+
ThirdProof assigned Braintree a risk tier of Low Risk with 92% confidence based on assessment across 27 intelligence sources as of April 2026.
Can I get an auto-filled security questionnaire for Braintree?+
Yes. Every ThirdProof investigation of Braintree produces two deliverables: an audit-ready risk report and a 133-question security questionnaire pre-filled with evidence from 27 independent sources. The questionnaire is mapped to SIG, SOC 2, HIPAA, PCI DSS and 9 other frameworks — answered without sending Braintree a single email or waiting for a vendor response.
Is Braintree safe to use as a vendor?+
Braintree is a payments vendor that handles payment card and transaction data. Safety depends on their current security posture, certification status, and how they handle your specific data. ThirdProof automates this evaluation across 27 intelligence sources — sanctions databases (OFAC, EU, UN), business registration verification, adverse media scanning, and cyber risk assessment — producing a deterministic risk tier with confidence score plus an auto-filled security questionnaire. Run a free investigation to see Braintree's full risk profile.
Does Braintree have SOC 2 certification?+
No SOC 2 found. Braintree rated Low Risk — subprocessor list unavailable. See all 4 findings →
Has Braintree had any data breaches?+
Data breach history is an important signal for any vendor, particularly payments platforms like Braintree that handle payment card and transaction data. ThirdProof's adverse media analysis searches multiple news APIs and public records for data breaches, security incidents, lawsuits, regulatory enforcement actions, and financial distress signals. Each finding is linked to its original source with severity classification.
Is Braintree on any sanctions lists?+
Sanctions screening is particularly critical for payments vendors. ThirdProof screens Braintree against OFAC SDN, consolidated international sanctions lists, and PEP databases. The screening uses entity name verification to reduce false positives. If Braintree or any associated officers appear on a sanctions list, this triggers automatic escalation to the highest risk tier.
How do I assess Braintree for vendor risk?+
Assessing Braintree as a payments vendor involves verifying PCI-DSS and SOC 2 Type II compliance, reviewing their subprocessor chain, and checking sanctions exposure. ThirdProof automates this across 27 intelligence sources in an average of 7 minutes — no questionnaires or vendor participation required. Your first 5 investigations are free.
How long does a ThirdProof assessment take?+
A ThirdProof assessment completes in an average of 7 minutes. 27 intelligence sources are queried in parallel — sanctions databases, business registries, threat intelligence feeds, certificate transparency logs, and more. The result is a deterministic risk tier with confidence score and audit-ready PDF report.
Is ThirdProof free?+
ThirdProof offers 5 free vendor assessments with no credit card required. Each assessment includes the full report — risk tier, confidence score, individual findings, executive summary, and PDF export. Paid plans start at $399/month for teams that need ongoing vendor monitoring.
Can I use a ThirdProof report as SOC 2 audit evidence?+
Yes. ThirdProof reports are designed to satisfy SOC 2 CC9.2 (vendor risk management) requirements. Each report includes SHA-256 integrity verification, methodology disclosure, source attribution for every finding, and AI content labeling. Auditors can independently verify the report's authenticity and trace each finding to its original source.
How is ThirdProof different from a security questionnaire?+
Security questionnaires require vendor participation, take weeks, and produce self-reported answers. ThirdProof queries 27 independent intelligence sources — no vendor involvement needed. Risk tiers are assigned by a deterministic rules engine (not AI opinion), and every finding links to its original source. You get an audit-ready report in an average of 7 minutes instead of waiting weeks for a questionnaire response.

Also investigate these vendors

Stripe
payments
Adyen
payments
Wise
payments
PayPal
payments
Square
payments
View all vendorsPricingLearn

Braintree is in your vendor stack. Can you prove you assessed them?

SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.

ThirdProof investigates Braintree across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.

Get Braintree's Full Report Free →See PricingBook a Demo
✓ 5 free investigations✓ Risk report + auto-filled questionnaire✓ No credit card required✓ Average report time: 7 minutes

Replaces $600–$900 in manual compliance consulting time per vendor assessed.