Data Processing Agreement Drafting

Operating without Data Processing Agreements in place for your processors is a standalone GDPR violation — independent of whether any data breach has occurred. GDPR Article 28 mandates a written contract (a DPA) for every processor relationship involving EU personal data. Many SaaS companies have dozens of processor relationships and signed DPAs for only a fraction of them.

The DPA gap most SaaS companies have

A 2024 audit of early-stage SaaS companies found that fewer than 30% had DPAs in place with all their material processors. The most commonly missing DPAs were for: analytics platforms (76% of companies), email marketing tools (68%), and AI API providers (91%). Each missing DPA is an independent GDPR violation.

The DPA you need from your enterprise clients

If your B2B SaaS platform processes personal data of your clients' end users — as most do — your enterprise clients cannot lawfully use your platform for EU personal data processing without a DPA in place between you and them. This DPA positions you as the processor and your client as the controller, and records the controller's processing instructions, your subprocessors, your security measures, and your deletion procedures. It may be a standalone document or a schedule incorporated into your master agreement; what matters is that its terms are binding on both parties.

This is frequently the document that either accelerates or stalls enterprise sales cycles. Having a well-drafted, enterprise-ready DPA ready to send in response to a client's legal review is a meaningful competitive advantage.

Frequently Asked Questions

Which of my third-party tools require a DPA?

Any third-party service that processes EU personal data on your behalf requires a DPA. This includes: cloud infrastructure (AWS, GCP, Azure), analytics (Google Analytics, Mixpanel, Amplitude), CRM (HubSpot, Salesforce), email (Mailchimp, SendGrid, Klaviyo), payments (Stripe, Paddle), customer support (Intercom, Zendesk), monitoring (Sentry, Datadog), and AI API providers (OpenAI, Anthropic) if you pass personal data through their APIs. Check each provider's terms: some act as an independent controller for parts of their service (fraud screening by a payment provider is a common example), and those activities fall outside the processor DPA and need their own legal basis.

What must a GDPR-compliant DPA contain?

A compliant DPA must set out the subject-matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects. It must then oblige the processor to: process only on your documented instructions (including for international transfers) and inform you if an instruction appears to infringe the law; bind personnel with data access to confidentiality; implement appropriate technical and organisational security measures (TOMs); engage subprocessors only with your prior written authorisation, general or specific, and flow down equivalent obligations to them; assist you with data subject rights requests; assist you with security, breach notification and DPIA obligations; delete or return all personal data at the end of the relationship; and make available all information needed to demonstrate compliance, including allowing and contributing to audits and inspections.

What is the difference between a data controller and data processor?

A data controller determines the purposes and means of processing personal data. A data processor processes data on behalf of and under the instructions of a controller. A SaaS company is typically a controller for its own employee and marketing data, and a processor for its enterprise clients' user data. Many SaaS companies are controllers and processors simultaneously across different data sets.

Do I need a DPA with my enterprise SaaS clients?

Yes. If your platform processes personal data of your enterprise clients' end users, you are acting as a data processor for those clients (who are data controllers). Your enterprise clients need a DPA with you before they can lawfully process EU personal data through your platform. The absence of a DPA is a common deal-breaker in enterprise sales cycles and a routine audit finding by EU regulators.

Can I use a standard DPA template?

Some major providers (AWS, Google, Microsoft, Stripe) publish their own standard DPAs that you can accept as part of their service terms. For your own clients, TECHLAWG drafts a DPA tailored to your specific platform — the data you process, your subprocessors, your security measures, and your deletion procedures. A generic DPA that does not reflect your actual processing creates compliance gaps that regulators identify.

Ready to begin?

Book a free consultation. We assess your situation, confirm scope, and provide a fixed-fee quote — with no commitment required.

Send an Enquiry