
GDPR for SaaS Companies: Industry-Specific Guidance

SaaS companies face particular GDPR considerations due to their role as data processors, their cloud-based architecture, and their typically international customer base. Understanding how GDPR applies specifically to SaaS operations helps companies build compliance into their products and business practices from the start.

Key Takeaways

| Point | Summary |
|---|---|
| Processor role | SaaS companies usually act as processors for the data customers put into the platform |
| Dual obligations | Processor duties for customer data, controller duties for own operations |
| DPA requirements | Enterprise customers require a robust Data Processing Agreement, and Art. 28 requires one in any case |
| Product considerations | GDPR compliance should be built into product features |
| Sales enablement | GDPR compliance is increasingly a precondition for enterprise sales |

Quick Answer: SaaS companies typically act as data processors for their customers' data and must meet processor obligations under GDPR. This means having DPAs with customers, appropriate security, sub-processor management, and product features that help customers meet their own compliance obligations.

Understanding Your Role

Controller vs. Processor in SaaS

Most SaaS companies have dual roles:

| Role | Data type | Obligations |
|---|---|---|
| Processor | Customer data in the platform | DPA, act only on documented instructions, security, assist with data subject rights |
| Controller | Prospect data, own marketing, employee data | Full controller obligations under GDPR |

When You're a Processor

For data that customers put into your platform:

| Element | Your responsibility |
|---|---|
| Processing purpose | Determined by the customer (controller) |
| Legal basis | Customer's responsibility |
| Data subject rights | Assist the customer in fulfilling requests |
| Security | Implement technical and organisational measures appropriate to the risk (Art. 32) |
| Breach notification | Notify the customer without undue delay after becoming aware (Art. 33(2)) |
| Sub-processors | Engage only with the customer's prior written authorisation, and flow down the same obligations |

When You're a Controller

For your own business data:

| Data type | Controller obligations |
|---|---|
| Marketing leads | Consent or legitimate interests, privacy notice |
| Website visitors | Cookie consent, analytics compliance |
| Trial users | Privacy notice, appropriate legal basis |
| Employee data | Full employment-related compliance |
| Customer contacts | Legal basis for the business relationship (typically contract or legitimate interests) |

Data Processing Agreements

Art. 28(3) requires a written contract whenever a processor handles personal data on a controller's behalf, so a DPA is a legal requirement for every customer, not just an enterprise preference. Enterprise customers will, however, scrutinise its terms, and having a robust DPA ready is essential for SaaS sales.

DPA Essentials

| Element | Requirement |
|---|---|
| Subject matter | Description of the processing activities |
| Duration | Term of the processing |
| Nature and purpose | What processing occurs and why |
| Data categories | Types of personal data processed |
| Data subjects | Categories of individuals affected |
| Instructions | Process only on the customer's documented instructions, including for international transfers |
| Obligations | Security, confidentiality of staff, assistance with data subject requests and with Art. 32-36 duties |
| Sub-processors | Authorisation mechanism, flow-down of terms, current list |
| Audits | Customer audit and information rights |
| Return/deletion | Return or delete data at termination, at the customer's choice |

DPA Strategies

| Approach | Pros | Cons |
|---|---|---|
| Standard DPA | Efficient, scalable | Customers may negotiate |
| Customer DPA | Customer preferred | Legal review needed |
| Negotiated terms | Satisfies both parties | Time-consuming |

Best practice: Have a robust standard DPA that satisfies most requirements, with flexibility to negotiate for enterprise deals.

Common DPA Negotiation Points

| Point | Customer wants | SaaS provider position |
|---|---|---|
| Audit rights | Broad on-site audit rights | Limit frequency; offer SOC 2/ISO 27001 reports as the primary evidence |
| Sub-processor changes | Prior approval for each change | General authorisation with advance notice and a right to object |
| Data deletion | Immediate deletion on termination | Reasonable period for deletion from backups and replicas |
| Liability | Unlimited for data protection | Cap aligned with contract value |
| Breach notification | Notification within a fixed number of hours | "Without undue delay" (the Art. 33(2) standard), with a reasonable outer bound |

Sub-Processor Management

SaaS companies rely on other services that process customer data:

Common Sub-Processors

| Category | Examples |
|---|---|
| Infrastructure | AWS, GCP, Azure |
| Analytics | Segment, Mixpanel |
| Support | Zendesk, Intercom |
| Email | SendGrid, Mailchimp |
| Payments | Stripe, Braintree |
| Monitoring | Datadog, New Relic |

Sub-Processor Obligations

| Requirement | Implementation |
|---|---|
| Written contract | DPAs with all sub-processors |
| Same protections | Sub-processor contracts impose the same data protection obligations as the customer DPA (Art. 28(4)) |
| Customer authorization | Prior specific or general written authorization |
| Notification | Inform customers of intended changes so they can object |
| Due diligence | Verify sub-processor compliance before onboarding and periodically afterwards |
| Liability | You remain fully liable to the customer for the sub-processor's performance |

Sub-Processor List

Maintain and publish a sub-processor list:

| Information | Content |
|---|---|
| Name | Sub-processor identity |
| Purpose | What processing they perform |
| Location | Where data is processed |
| Safeguards | Transfer mechanism if outside the EEA |
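
A register of this kind is easier to keep honest as data than as a web page: the residency check and the change notice customers are owed under a general authorisation fall out of a diff between published versions. The following is an added example written for this article, not code from the original page or from any vendor; the sub-processor names, purposes and regions, the abbreviated EEA/adequacy country lists and the 30-day objection window are all constructed assumptions.

```python
"""Machine-readable sub-processor register with a transfer check and change notices.

Added example for this article; it is not code from the original page or from
any vendor. Names, purposes, regions and the 30-day objection window are
constructed sample data and assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Optional
import json

# Assumption: abbreviated lists used only for the residency check below.
EEA = {"IE", "DE", "FR", "NL", "SE"}
ADEQUACY = {"GB", "CH", "JP", "CA"}  # jurisdictions covered by an EU adequacy decision


@dataclass(frozen=True)
class SubProcessor:
    name: str
    purpose: str
    location: str              # ISO 3166-1 alpha-2 country where data is processed
    safeguard: Optional[str]   # transfer mechanism if outside the EEA, else None

    def transfer_issue(self) -> Optional[str]:
        """Describe a missing safeguard, or return None when the entry is fine."""
        if self.location in EEA or self.location in ADEQUACY:
            return None
        if not self.safeguard:
            return f"{self.name}: processes in {self.location} with no transfer mechanism recorded"
        return None


def validate(register: list) -> list:
    """Every non-EEA, non-adequate sub-processor must record a safeguard (SCCs, BCRs...)."""
    return [issue for issue in (sp.transfer_issue() for sp in register) if issue]


def change_notice(previous: list, current: list, published: date, objection_days: int = 30) -> dict:
    """Diff two published versions of the list.

    Additions, removals, and changes to purpose, location or safeguard are the
    material changes customers must be informed of under a general authorisation
    (Art. 28(2)), together with the date by which they may object. The window
    length is an assumption; use what your DPA actually promises.
    """
    prev = {sp.name: sp for sp in previous}
    curr = {sp.name: sp for sp in current}

    def key(sp):
        return (sp.purpose, sp.location, sp.safeguard)

    changed = sorted(n for n in prev.keys() & curr.keys() if key(prev[n]) != key(curr[n]))
    return {
        "published": published.isoformat(),
        "object_by": (published + timedelta(days=objection_days)).isoformat(),
        "added": [asdict(curr[n]) for n in sorted(curr.keys() - prev.keys())],
        "removed": sorted(prev.keys() - curr.keys()),
        "changed": [{"before": asdict(prev[n]), "after": asdict(curr[n])} for n in changed],
    }


# Constructed sample versions of a published list (all names hypothetical).
SCC_P2P = "EU SCCs (Decision 2021/914), Module 3 processor-to-processor"
V1 = [
    SubProcessor("CloudHost (hypothetical)", "Infrastructure hosting", "IE", None),
    SubProcessor("MailRelay (hypothetical)", "Transactional email", "US", SCC_P2P),
    SubProcessor("Tickets (hypothetical)", "Customer support", "US", SCC_P2P),
]
V2 = [
    SubProcessor("CloudHost (hypothetical)", "Infrastructure hosting", "IE", None),
    SubProcessor("MailRelay (hypothetical)", "Transactional email", "US", None),  # safeguard dropped: validate() must flag it
    SubProcessor("Metrics (hypothetical)", "Product analytics", "US", SCC_P2P),   # new sub-processor: must appear in the notice
]


def sample_notice() -> dict:
    """Change notice for moving from V1 to V2, published on a fixed sample date."""
    return change_notice(V1, V2, date(2024, 3, 1))


if __name__ == "__main__":
    print("validation issues:", validate(V2))
    print(json.dumps(sample_notice(), indent=2))
```

Running the module prints the validation failure for the entry whose SCCs were dropped and the JSON change notice listing the added, removed and changed entries with the objection deadline. Publishing the list from this data, and feeding the diff into the customer notification, is the mechanism behind the "general authorisation with notification and objection right" position in the negotiation table.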

Product Features for GDPR

Building GDPR-supportive features into your product:

Data Subject Rights Support

| Feature | Customer benefit |
|---|---|
| Data export | Helps customers respond to access and portability requests |
| Data deletion | Enables customers to fulfil erasure requests |
| Data discovery | Helps customers locate an individual's data |
| Consent management | Supports customers' consent obligations |

Security Features

| Feature | GDPR relevance |
|---|---|
| Role-based access | Access control; data minimization in practice |
| Audit logging | Accountability, breach investigation, customer audit support |
| Encryption | Named in Art. 32 as an example of an appropriate measure |
| MFA | Strengthens authentication; expected in most security questionnaires |
| SSO | Centralized access management and deprovisioning |

Data Residency

| Feature | Customer benefit |
|---|---|
| EU data centers | Avoids storage-based transfers; remote access from outside the EEA is still a transfer |
| Data localization | Meets specific customer requirements |
| Configurable storage | Flexibility across customers' differing requirements |

Retention and Deletion

| Feature | GDPR relevance |
|---|---|
| Configurable retention | Storage limitation compliance |
| Automated deletion | Enforces retention policies |
| Account deletion | Right to erasure support |
| Data purge tools | Clean deletion capabilities |
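
The rights-support, audit-logging and retention tables above describe capabilities; the example below, written for this article and not taken from the original page or any vendor's product, shows how discovery, export, erasure and configurable retention fit together on one tenant's data, with an audit trail that records what was done without re-storing the identifier that an erasure removed. The in-memory store, the record categories, the tenant's retention settings and the sample records are constructed assumptions; a real platform runs the same operations against its database and object storage.

```python
"""Data subject request support and retention enforcement for a multi-tenant store.

Added example for this article; not code from the original page or any vendor's
product. Store, record shapes, retention settings and sample records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json
from typing import Optional


def subject_ref(email: str) -> str:
    """Non-reversible reference for audit entries, so the log does not keep the erased identifier."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()[:16]


@dataclass
class Record:
    category: str          # e.g. "ticket", "login_event"
    subject_email: str     # the individual the record is about
    created_at: datetime
    payload: dict


@dataclass
class Tenant:
    tenant_id: str
    # Configurable retention per category, in days (storage limitation). Assumed
    # defaults; categories absent from the map are kept until erased.
    retention_days: dict = field(default_factory=dict)
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _audit(self, action: str, **details) -> None:
        self.audit_log.append({"tenant": self.tenant_id, "action": action,
                               "at": datetime.now(timezone.utc).isoformat(), **details})

    def discover(self, subject_email: str) -> list:
        """Data discovery: every record about one individual, across all categories."""
        key = subject_email.strip().lower()
        return [r for r in self.records if r.subject_email.strip().lower() == key]

    def export_subject(self, subject_email: str) -> str:
        """Data export for access/portability requests, as machine-readable JSON."""
        found = self.discover(subject_email)
        self._audit("export", subject=subject_ref(subject_email), records=len(found))
        return json.dumps([{"category": r.category, "created_at": r.created_at.isoformat(),
                            "data": r.payload} for r in found], indent=2, sort_keys=True)

    def erase_subject(self, subject_email: str) -> int:
        """Erasure request: remove every record about the individual; return the count."""
        doomed = {id(r) for r in self.discover(subject_email)}
        self.records = [r for r in self.records if id(r) not in doomed]
        self._audit("erase_subject", subject=subject_ref(subject_email), records=len(doomed))
        return len(doomed)

    def apply_retention(self, now: Optional[datetime] = None) -> dict:
        """Automated deletion of records past their category's retention; safe to re-run."""
        now = now or datetime.now(timezone.utc)
        deleted: dict = {}
        kept = []
        for r in self.records:
            days = self.retention_days.get(r.category)
            if days is not None and r.created_at < now - timedelta(days=days):
                deleted[r.category] = deleted.get(r.category, 0) + 1
            else:
                kept.append(r)
        self.records = kept
        if deleted:
            self._audit("retention_purge", deleted=deleted)
        return deleted


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the constructed data


def sample_tenant(now: datetime = NOW) -> Tenant:
    """Constructed tenant: login events kept 90 days, support tickets 2 years."""
    t = Tenant("acme-hypothetical", {"login_event": 90, "ticket": 730})
    t.records = [
        Record("ticket", "Ana@example.com", now - timedelta(days=10), {"subject": "Invoice question"}),
        Record("login_event", "ana@example.com", now - timedelta(days=5), {"ip": "203.0.113.7"}),
        Record("login_event", "ana@example.com", now - timedelta(days=120), {"ip": "203.0.113.9"}),
        Record("ticket", "bo@example.com", now - timedelta(days=800), {"subject": "Old request"}),
    ]
    return t


def demo() -> dict:
    """Run the retention job, then handle an access request and an erasure request."""
    t = sample_tenant()
    purged = t.apply_retention(NOW)
    exported = json.loads(t.export_subject("ANA@example.com"))  # matching is case-insensitive
    erased = t.erase_subject("ana@example.com")
    return {"purged": purged, "exported": len(exported), "erased": erased,
            "remaining": len(t.records), "audit": [e["action"] for e in t.audit_log]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth carrying into a real implementation: retention is enforced per category rather than per tenant, because login events and support tickets rarely justify the same retention period, and the audit log records a hash of the subject identifier rather than the identifier itself, so the accountability record does not quietly undo the erasure it documents.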

Security Requirements

Art. 32 obliges processors as well as controllers to implement technical and organisational measures appropriate to the risk, and customers will expect you to demonstrate them:

Technical Measures

| Measure | Implementation |
|---|---|
| Encryption at rest | Database and file storage encryption |
| Encryption in transit | TLS for all connections |
| Access controls | Role-based, need-to-know |
| Authentication | Strong passwords, MFA support |
| Network security | Firewalls, network segmentation |
| Vulnerability management | Regular scanning, patching |
| Penetration testing | Annual third-party testing |

Organizational Measures

| Measure | Implementation |
|---|---|
| Security policies | Documented, reviewed policies |
| Staff training | Security awareness program |
| Background checks | Where legally permitted |
| Incident response | Documented procedures |
| Business continuity | Backup, disaster recovery |

Demonstrating Security

| Evidence | Purpose |
|---|---|
| SOC 2 report | Third-party validation |
| ISO 27001 certification | Security management system |
| Penetration test reports | Technical security evidence |
| Security questionnaire responses | Customer-specific assurance |

Breach Notification

To Customers (Controllers)

| Requirement | Implementation |
|---|---|
| Timing | "Without undue delay" after becoming aware (Art. 33(2)) |
| Content | Nature of the breach, data and data subjects affected, measures taken and proposed |
| Channel | Per DPA (typically email to a designated contact) |
| Assistance | Provide the information the customer needs for its own authority and individual notifications |

Of Your Own Breaches

| Requirement | Implementation |
|---|---|
| To authority | Without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals; document the reasons for any delay |
| To individuals | Without undue delay when the breach is likely to result in a high risk to individuals |
| Documentation | Record every breach, including those not notified, with its facts, effects and remedial action |

International Considerations

International Transfers

SaaS operations frequently involve transfers of personal data outside the EEA:

| Scenario | Transfer mechanism |
|---|---|
| US infrastructure | SCCs with a transfer impact assessment and supplementary measures, or the EU-US Data Privacy Framework where the provider is certified |
| US support team accessing data | Remote access is itself a transfer: SCCs and TIA, or restrict access to EEA-based staff |
| Global CDN | Identify where edge nodes process personal data; consider data localization if needed |
| Non-EEA sub-processors | SCCs (Module 3) or an adequacy decision |

Multi-Region Operations

| Consideration | Approach |
|---|---|
| EU data center option | Reduces transfer complexity |
| Data localization | May be required for some customers |
| Regional compliance | Consider local variations |

Sales and Go-to-Market

Enterprise Sales Requirements

Enterprise customers typically require:

| Requirement | Preparation |
|---|---|
| DPA | Standard DPA ready for signature |
| Security questionnaire | Pre-prepared responses |
| SOC 2 report | Annual Type 2 report |
| Sub-processor list | Current, published list |
| Privacy policy | Comprehensive, current |
| Data residency options | EU hosting if possible |

Sales Enablement

| Resource | Purpose |
|---|---|
| Security page | Public security documentation |
| Trust center | Self-service security information |
| Compliance FAQ | Common questions answered |
| GDPR documentation | Specific GDPR compliance information |
| DPA signing process | Streamlined DPA execution |

Compliance with Complementary Frameworks

GDPR compliance often accompanies other frameworks:

SOC 2

| Overlap | Consideration |
|---|---|
| Security controls | Significant overlap with GDPR Art. 32 security measures |
| Availability | Supports business continuity and resilience |
| Confidentiality | Aligns with GDPR confidentiality obligations |
| Processing integrity | Supports data accuracy |
| Privacy criteria | Closest alignment with GDPR principles, though a SOC 2 report is not a GDPR certification |

ISO 27001

| Overlap | Consideration |
|---|---|
| ISMS | Framework for security management |
| Risk assessment | Supports GDPR's risk-based approach |
| Controls | Many align with GDPR requirements |
| Continuous improvement | Supports ongoing compliance |

Combined Approach

Many SaaS companies pursue:

  1. SOC 2 Type 2 for customer assurance
  2. GDPR compliance for EU market access
  3. ISO 27001 (optionally) for comprehensive security management

Implementation Roadmap

Phase 1: Foundation

| Activity | Focus |
|---|---|
| Role assessment | Understand controller/processor roles |
| Legal basis | Establish bases for own processing |
| Privacy policy | Comprehensive policy for own operations |
| DPA preparation | Standard DPA for customers |

Phase 2: Product

| Activity | Focus |
|---|---|
| Data mapping | Understand data in the platform |
| Feature assessment | GDPR-supportive features needed |
| Security review | Verify appropriate security |
| Sub-processor review | DPAs with all sub-processors |

Phase 3: Operations

| Activity | Focus |
|---|---|
| Process implementation | DSAR support, breach response |
| Documentation | Policies, procedures, records |
| Training | Staff awareness |
| Customer support | DPA process, questionnaire responses |

Phase 4: Ongoing

| Activity | Focus |
|---|---|
| Monitoring | Compliance maintenance |
| Updates | Policy and feature updates |
| Customer support | Ongoing DPA and compliance support |
| Improvement | Feature enhancements for compliance |

How Bastion Helps

SaaS companies face particular compliance challenges that benefit from specialized experience. Working with partners who understand both GDPR and SaaS business models helps ensure efficient, effective compliance.

| Challenge | How we help |
|---|---|
| DPA development | Creating robust standard DPAs for enterprise sales |
| Customer due diligence | Support responding to security questionnaires |
| Product compliance | Guidance on GDPR-supportive product features |
| Sub-processor management | Establishing compliant vendor relationships |
| Security documentation | SOC 2/ISO 27001 alongside GDPR |
| International transfers | Navigating transfer requirements for cloud services |

Getting compliance right supports SaaS sales by removing friction from enterprise deals. Expert support helps ensure your compliance program meets customer expectations while remaining efficient to operate.


Questions about GDPR compliance for your SaaS product? Talk to our team →