Worrying About SaaS Agreements and Cross-Border Data Transfers

by John DiGiacomo

Partner

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by the SaaS company’s customers. Issues to be aware of include:

  • The monthly subscription price — flat fee or based on the number of users
  • How much access to the software — a limited or unlimited number of users?
  • Methods of access — desktop vs. apps vs. dedicated machines, etc.
  • Availability — limited or 24/7/365?
  • Maintenance — how often are the updates, and when are they scheduled?
  • Support — do you get live persons to help; will they be available on the phone and in person?

As important as the foregoing issues are, one often overlooked aspect of SaaS contracts is the collection of personal data and the potential that the data will be sent across national borders. This might happen based on where the SaaS programming is hosted and where data is “parked” for various processing purposes. Cross-border data transfers of personal information are now a highly regulated legal issue, particularly under the rules and regulations of the European Union (“EU”). The EU is a vast geographical space, and numerous firms host software and offer data storage services. Thus, data transfer restrictions are potentially implicated with any use of European firms. If you or your business is thinking of entering into an SaaS subscription agreement, data collection, storage, and transfers should be a major focus of negotiations and contractual provisions.

If you need legal assistance, the Internet Lawyers here at Revision Legal can help. Our lawyers have years of experience with internet laws, data protection statutes, and SaaS agreements. Here are some thoughts on possible steps to take to avoid running afoul of cross-border data transfer regulations, both with respect to employees and third-party personal data.

Is personal data collected?

The first step is to ask whether personal data will be collected as part of the SaaS offering. If the answer is “no,” then somewhere in the negotiated SaaS agreement, the provider should “rep and warrant” that no personal data is collected.

However, in many cases, the answer is “yes” — if only because employee data may be collected. There is often a great deal of personal information collected as part of setting up usernames, passwords, and the like. This is routinely done by SaaS providers.

On the other hand, there are alternatives in which an SaaS provider agrees to a different set of procedures for identifying the employees who are allowed access. As an example, the business using the SaaS could provide unique and anonymous identifiers for its employees that are then used to create usernames and passwords. That is, the SaaS provider is not provided with the personal data of the individual employees.

Is third-party consumer data collected for processing or other purposes?

A more difficult problem exists where the SaaS relates, in some manner, to the data that is being processed, collected, or stored by the SaaS programming. Here, the solution is a set of contractual provisions under which the SaaS provider is responsible for compliance with the cross-border data transfer regulations. For example, there should be “reps and warranties” that the SaaS provider is in compliance with the data transfer regulations and that the SaaS provider will indemnify the customer from any damages related to alleged non-compliance.

Contact the SaaS Attorneys at Revision Legal

For more information, contact the experienced SaaS Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
