SaaS (Software as a Service)
Definition
A cloud-based software delivery model where applications are hosted by vendors and made available to customers over the internet, typically through subscription pricing. In privacy contexts, SaaS arrangements raise important considerations about data responsibility and control. When businesses use SaaS products, they typically remain data controllers for customer/user data while the SaaS provider acts as a data processor. This requires Data Processing Agreements outlining each party's obligations, security measures, subprocessor relationships, and data handling practices. SaaS providers often process personal data across multiple jurisdictions, requiring appropriate transfer mechanisms. Organizations should evaluate SaaS vendors' privacy practices, security certifications, data location, breach notification procedures, and subprocessor policies. Common SaaS examples include CRM systems, email marketing platforms, HR software, and collaboration tools. GDPR Article 28 requires written contracts with processors, making DPAs essential for SaaS relationships. Organizations remain liable for their processors' compliance, making vendor selection and oversight critical compliance activities.
Applicable Laws & Regulations
- GDPR Article 28
- CCPA Section 1798.140(v)