When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are many considerations. A SaaS agreement is, of course, a subscription service where a software package is centrally hosted by the provider and accessed over the network by the provider’s customers. Issues to be aware of include:
- The monthly subscription price — flat fee or based on the number of users
- Scope of access — a limited or an unlimited number of users?
- Methods of access — desktop vs. apps vs. dedicated machines, etc.
- Availability — limited or 24/7/365?
- Maintenance — how often are the updates, and when are they scheduled?
- Support — do you get live persons to help; will they be available on the phone and in person?
As important as the foregoing issues are, one often overlooked aspect of SaaS contracts is the collection of personal data and the potential that the data will be sent across national borders. Where that happens depends on where the SaaS application is hosted, where data is “parked” for various processing purposes, and from where the provider’s staff and sub-processors can reach it, since remote access from another country is treated as a transfer. Cross-border transfers of personal data are now a highly regulated legal issue, particularly under the rules and regulations of the European Union (“EU”). The restrictions are triggered whenever personal data of people in the EU leaves the European Economic Area, which is exactly what happens when a European business subscribes to a SaaS product hosted in the United States, or when a US business collects data about its EU employees or customers through its SaaS tools. If you or your business is thinking of entering into a SaaS subscription agreement, data collection, storage, and transfers should be a major focus of negotiations and contractual provisions.
If you need legal assistance, the Internet Lawyers here at Revision Legal can help. Our lawyers have years of experience with internet laws, data protection statutes, and SaaS agreements. Here are some thoughts on possible steps to take to avoid running afoul of cross-border data transfer regulations, both with respect to employees and third-party personal data.
Is personal data collected?
The first step is to ask whether personal data will be collected as part of the SaaS offering. If the answer is “no,” then somewhere in the negotiated SaaS agreement, the provider should “rep and warrant” that no personal data is collected. That claim should be checked against what the service actually captures: login credentials, IP addresses, and audit logs are generally personal data under the GDPR, so a service that keeps any of them is not one that collects no personal data.
However, in many cases, the answer is “yes” — if only because employee data may be collected. There is often a great deal of personal information collected as part of setting up usernames, passwords, and the like. This is routinely done by SaaS providers.
There are, however, alternatives in which the SaaS provider agrees to a different procedure for identifying the employees allowed to have access. For example, the business using the SaaS can issue each employee a unique pseudonymous identifier, generated and mapped back to the real person only on the customer’s side, and that identifier is what becomes the username. The SaaS provider is then never given the employees’ names, e-mail addresses, or other direct identifiers. Note that such identifiers are pseudonymous rather than anonymous: because the customer can still link them to individuals, the GDPR continues to treat the data as personal data (Article 4(5) and Recital 26), but the provider holds far less of it and the transfer risk is reduced accordingly.
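The following is an added example, not code from the original article or from any SaaS provider, of how a customer can generate such pseudonymous usernames and verify, before sending a provisioning file, that no direct identifiers leak to the provider. The tenant name, field names and the two-person roster are constructed for illustration. The pseudonym is an HMAC under a key the customer keeps, so the provider cannot reverse it by guessing e-mail addresses the way it could with a plain hash; the lookup table that re-identifies a pseudonym never leaves the customer.

```python
# Added example (not from the original article): keyed pseudonymisation of
# employee identities before provisioning accounts with a SaaS provider.
# The customer keeps the HMAC key and the lookup table; the provider only
# ever receives the pseudonym.  Tenant name, field names and the sample
# roster below are constructed for illustration.
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Fields a provisioning export must never carry to the provider.
DIRECT_IDENTIFIERS = ("employee_id", "name", "email", "phone")

# Constructed sample roster; in practice this comes from the HR system.
SAMPLE_ROSTER = [
    {"employee_id": "E1001", "name": "Ada Lovelace", "email": "ada@example.com",
     "phone": "+1-555-0100", "access_group": "analyst"},
    {"employee_id": "E1002", "name": "Grace Hopper", "email": "grace@example.com",
     "phone": "+1-555-0101", "access_group": "admin"},
]


class Pseudonymiser:
    """Derives stable, non-reversible usernames for one SaaS tenant.

    HMAC-SHA256 under a secret key is used rather than a plain hash: a plain
    SHA-256 of an employee ID or e-mail address can be reversed by anyone who
    can enumerate the input space (guess the e-mail format, hash, compare).
    With the key held only by the customer, the provider cannot do that.
    """

    def __init__(self, tenant: str, key: Optional[bytes] = None):
        self.tenant = tenant
        # Key lives in the customer's secret store; rotating it changes usernames.
        self.key = key or secrets.token_bytes(32)
        # pseudonym -> employee_id, kept customer-side only
        self.lookup: dict[str, str] = {}

    def pseudonym(self, employee_id: str) -> str:
        # Bind the pseudonym to the tenant so the same employee gets different
        # usernames in different SaaS products (no cross-service linking).
        msg = f"{self.tenant}\x00{employee_id}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return "u" + mac[:12].hex()  # 96 bits: no collisions for any real roster

    def export_for_provider(self, roster: list[dict]) -> list[dict]:
        """Records sent to the SaaS provider: pseudonym and access group only.

        The access group is kept coarse on purpose; a field such as job title
        can single a person out on its own and would undo the pseudonymisation.
        """
        out = []
        for emp in roster:
            uid = self.pseudonym(emp["employee_id"])
            self.lookup[uid] = emp["employee_id"]
            out.append({"username": uid, "access_group": emp["access_group"]})
        return out

    def resolve(self, username: str) -> Optional[str]:
        """Re-identify a pseudonym.  Only the customer can do this, which is
        also why the GDPR still treats the data as personal data in its hands."""
        return self.lookup.get(username)


def leaks_direct_identifiers(export: list[dict], roster: list[dict]) -> list[str]:
    """Pre-transfer check: return every direct-identifier value that appears
    anywhere in the serialised export (checks values, not just field names,
    so a name smuggled into a free-text field is caught too)."""
    blob = json.dumps(export)
    return [emp[f] for emp in roster for f in DIRECT_IDENTIFIERS
            if emp.get(f) and emp[f] in blob]


if __name__ == "__main__":
    p = Pseudonymiser(tenant="crm-vendor")
    export = p.export_for_provider(SAMPLE_ROSTER)
    print(json.dumps(export, indent=2))
    assert not leaks_direct_identifiers(export, SAMPLE_ROSTER)
    print("resolves back to", p.resolve(export[0]["username"]))
```

Because the derivation is deterministic, re-running provisioning for the same roster produces the same usernames, so the export is safe to repeat; rotating the key deliberately issues new usernames, which is the lever to pull if the mapping is ever suspected of being compromised.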
Is third-party consumer data collected for processing or other purposes?
A more difficult problem arises where the SaaS itself processes, collects, or stores personal data of third parties, such as the customer’s own customers, as part of the service. Here the solution is contractual: provisions making the SaaS provider responsible for compliance with the cross-border transfer rules for the data it handles. For example, the provider should represent and warrant that it complies with the applicable transfer regulations, and it should indemnify the customer for damages arising from any alleged non-compliance. Bear in mind that an indemnity shifts financial risk between the parties; it does not relieve the customer of its own obligations as a data controller, which remain with the customer under the GDPR.
Contact the SaaS Attorneys at Revision Legal
For more information, contact the experienced SaaS Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
GDPR: The Most Comprehensive Cross-Border Data Transfer Framework
The EU’s General Data Protection Regulation (GDPR), which took effect in May 2018, imposes strict rules on the transfer of personal data from the EU to countries outside the European Economic Area (EEA). For any SaaS provider that processes the personal data of individuals in the EU in connection with offering services to them, regardless of where the provider is located, GDPR compliance is mandatory.
Following the Court of Justice of the European Union’s 2020 Schrems II decision (Case C-311/18), which invalidated the EU-US Privacy Shield framework, transfers of personal data from the EU to the US are permissible only through specific legal mechanisms, including:
- Standard Contractual Clauses (SCCs) — the European Commission issued new SCCs in June 2021; these are the most commonly used mechanism for EU-US data transfers and must be incorporated into the SaaS agreement. Schrems II also requires the exporter to assess whether the law of the destination country undermines the clauses in practice (a transfer impact assessment) and to add supplementary measures, such as encryption with keys held in the EEA, where it does
- EU-US Data Privacy Framework (DPF) — adopted in July 2023, the DPF allows US companies that certify compliance with its principles to receive EU personal data; companies self-certify through the Department of Commerce, and a customer should confirm the provider’s active listing on the Department’s public DPF list rather than rely on a statement in the agreement
- Binding Corporate Rules (BCRs) — primarily used by multinational corporations for intra-group transfers
- Adequacy decisions — the European Commission has determined that certain countries (including the UK, Japan, and Canada for data handled by commercial organizations) provide adequate data protection; transfers to those countries do not require additional safeguards
Data Processing Agreements: What Must Be Included
Under GDPR Article 28, any SaaS provider that processes personal data on behalf of its customers is a “data processor” and must enter into a written Data Processing Agreement (DPA) with each “data controller” customer. The DPA must address:
- The subject matter, duration, nature, and purpose of the processing
- The type of personal data processed and the categories of data subjects
- The obligations and rights of the controller
- Restrictions on sub-processor engagement — the processor may engage a sub-processor only with the controller’s prior specific or general written authorization (under a general authorization, the controller must be told of changes in time to object) and must flow down the same GDPR obligations to the sub-processor
- Technical and organizational security measures appropriate to the risk
- Assistance obligations — the processor must help the controller respond to data subject rights requests and meet its security and breach-notification duties, including notifying the controller of a personal data breach without undue delay
US-based SaaS providers negotiating with EU enterprise customers should expect the DPA negotiation to be a significant part of the contracting process. EU data protection officers are often directly involved in these negotiations and may request modifications to standard DPA templates.
US State Data Protection Laws and SaaS Contracts
Even for SaaS providers focused exclusively on the US market, the proliferation of state privacy laws creates contracting obligations of its own. The California Consumer Privacy Act (CCPA), as amended by the CPRA, requires written contracts with “service providers” (the CCPA’s rough equivalent of GDPR data processors) that include specific provisions limiting the use of personal data to the purposes specified in the contract.
Virginia, Colorado, Connecticut, Texas, and a growing number of other states have enacted similar requirements. While these state laws do not reach as far as the GDPR, any SaaS provider processing personal data of residents of those states, even from a server located entirely in the US, must comply with the applicable state law requirements.
Practical Checklist for SaaS Cross-Border Data Compliance
Before signing a SaaS agreement, your legal counsel should verify:
- Whether personal data will be collected and, if so, what categories of data
- Where the SaaS provider’s servers and sub-processors are located, and from which countries its staff can access customer data (remote access from outside the EEA counts as a transfer)
- Which legal mechanism governs any transfer of EU personal data outside the EEA
- Whether the SaaS agreement includes an adequate DPA that meets GDPR Article 28 requirements
- Whether the SaaS provider is certified under the EU-US Data Privacy Framework
- Whether the agreement complies with applicable US state data protection law requirements
Contact the Attorneys at Revision Legal
If you have questions or need legal advice, contact the experienced attorneys at Revision Legal. Our team handles internet law and data privacy matters for businesses and individuals nationwide. Call us at (855) 473-8474 or use the contact form on our website.