Quick answer: SaaS companies must comply with GDPR if they process personal data of EU residents — regardless of where the company is based. Key requirements include a Data Processing Agreement (DPA) with every customer, a sub-processor list, data retention policies, and the ability to fulfil data subject access requests (DSARs) within 30 days.
Why GDPR Hits SaaS Companies Harder
SaaS products are, by nature, data processors. Your customers (the data controllers) trust you with their users' personal data. This creates a chain of responsibility that GDPR strictly regulates. A single compliance failure in your SaaS can expose every customer to regulatory risk.
- You process data on behalf of thousands of controllers
- You likely use sub-processors (AWS, Stripe, Mailgun) that also handle personal data
- You store data across regions, triggering cross-border transfer rules
- Enterprise customers require GDPR compliance before signing contracts
The SaaS GDPR Compliance Checklist
1. Data Processing Agreement (DPA)
Every SaaS company must provide a DPA to customers. This is legally required under GDPR Article 28. Your DPA must include:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data processed
- Obligations and rights of the controller
- Sub-processor engagement terms
- Data deletion or return upon contract termination
- Audit rights for the controller
Tip: Publish your DPA publicly on your website (like Notion, Slack, and Stripe do). This removes friction from the sales process.
2. Sub-Processor List
You must maintain and publish a list of all third-party services that process personal data on your behalf. Under GDPR, you must notify customers before adding a new sub-processor and give them the right to object.
| Sub-Processor | Purpose | Data Location | DPA Available? |
|---|---|---|---|
| AWS | Infrastructure / hosting | EU (Frankfurt) | Yes |
| Stripe | Payment processing | US (DPF certified) | Yes |
| Mailgun / SendGrid | Email delivery | US (DPF certified) | Yes |
| Sentry | Error tracking | US (DPF certified) | Yes |
| Intercom / Crisp | Customer support | US / EU | Yes |
3. Data Retention Policy
GDPR requires that personal data is not kept longer than necessary. As a SaaS company, you need clear retention schedules:
- Active accounts: Data retained while the account is active
- Deleted accounts: Personal data purged within 30 days of deletion request
- Backups: Personal data in backups must be purged within 90 days
- Logs: Server logs containing IP addresses should be rotated every 30-90 days
- Analytics: Aggregate only — delete individual-level tracking data after 14 days
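The schedule above is only useful if something enforces it. The following Python evaluator is an added example (not code from the original article) that encodes the stated retention periods as data and, given stored records with timestamps, decides which are due for purge. The record shape, category names and sample records are assumptions constructed for the example; a record whose category has no rule is reported separately rather than silently kept, since unclassified personal data is itself a compliance gap.

```python
"""Retention-schedule evaluator (added example; not from the original article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Maximum age per data category, in days, as stated in the checklist.
# Logs are given as a 30-90 day range; the outer bound is used here.
RETENTION_DAYS = {
    "deleted_account": 30,   # purge within 30 days of the deletion request
    "backup": 90,            # purge personal data from backups within 90 days
    "log": 90,               # rotate IP-bearing server logs every 30-90 days
    "analytics_event": 14,   # individual-level tracking data kept at most 14 days
}


@dataclass(frozen=True)
class Record:
    """One stored item of personal data (assumed shape for this example)."""
    record_id: str
    category: str        # key of RETENTION_DAYS, or "active_account"
    subject_id: str      # the person the data relates to
    timestamp: datetime  # for deleted accounts: time of the deletion request


def is_overdue(record, now):
    """True if the record has exceeded the retention period for its category."""
    if record.category == "active_account":
        # Retained while the account is active; once the account is deleted
        # the data should be re-filed under 'deleted_account'.
        return False
    limit = RETENTION_DAYS[record.category]
    return now - record.timestamp > timedelta(days=limit)


def purge_plan(records, now):
    """Partition records into purge / keep / unclassified lists of ids."""
    plan = {"purge": [], "keep": [], "unclassified": []}
    for r in records:
        if r.category != "active_account" and r.category not in RETENTION_DAYS:
            # No rule exists for this data: surface it instead of guessing.
            plan["unclassified"].append(r.record_id)
        elif is_overdue(r, now):
            plan["purge"].append(r.record_id)
        else:
            plan["keep"].append(r.record_id)
    return plan


# Constructed sample data, evaluated against a fixed "now" so results are stable.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("acct-1", "active_account", "u1", NOW - timedelta(days=800)),
    Record("acct-2", "deleted_account", "u2", NOW - timedelta(days=31)),
    Record("acct-3", "deleted_account", "u3", NOW - timedelta(days=10)),
    Record("bak-1", "backup", "u2", NOW - timedelta(days=91)),
    Record("log-1", "log", "u1", NOW - timedelta(days=45)),
    Record("evt-1", "analytics_event", "u1", NOW - timedelta(days=15)),
    Record("evt-2", "analytics_event", "u1", NOW - timedelta(days=3)),
    Record("misc-1", "support_ticket", "u3", NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for bucket, ids in purge_plan(SAMPLE_RECORDS, NOW).items():
        print(f"{bucket}: {ids}")
```

Run it as a scheduled job against your real record inventory; the `unclassified` bucket is the list of data categories your retention policy has not yet covered.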
4. Data Subject Access Requests (DSARs)
You must respond to DSARs within 30 days. As a data processor, your customer (the controller) is typically the one who receives the request, but you must have the technical capability to:
- Export all personal data for a given user (JSON/CSV format)
- Delete all personal data for a given user (right to erasure)
- Rectify incorrect data upon request
- Restrict processing of specific data points
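The four capabilities above map directly onto a small set of data-access operations. The following Python module is an added example (not the article's or any vendor's code) that implements them over an in-memory SQLite database with a constructed schema: export to JSON, erasure across every table that holds personal data, rectification of an allow-listed set of fields, and a processing-restriction flag that downstream jobs are expected to honour. Table and column names are assumptions for the example. Note that table and field names are taken only from fixed internal allow-lists before being interpolated into SQL; values supplied by the requester are always bound as parameters.

```python
"""DSAR handler over SQLite (added example; schema is constructed for illustration)."""
import json
import sqlite3
from datetime import date, timedelta

DSAR_DEADLINE_DAYS = 30  # response window stated in the checklist

# Every table that holds personal data, keyed by the column identifying the subject.
# Keeping this inventory explicit is what makes export and erasure complete.
PERSONAL_DATA_TABLES = {
    "users": "id",
    "login_events": "user_id",
    "support_messages": "user_id",
}

# Fields a subject may ask to have corrected (prevents arbitrary column updates).
ALLOWED_RECTIFY_FIELDS = {"email", "name"}


def open_sample_db():
    """Create an in-memory database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript("""
        CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT, name TEXT,
                            processing_restricted INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE login_events (id INTEGER PRIMARY KEY, user_id TEXT, ip TEXT, at TEXT);
        CREATE TABLE support_messages (id INTEGER PRIMARY KEY, user_id TEXT, body TEXT);
        INSERT INTO users VALUES ('u1', 'alice@example.com', 'Alice Example', 0);
        INSERT INTO users VALUES ('u2', 'bob@example.com', 'Bob Example', 0);
        INSERT INTO login_events (user_id, ip, at)
            VALUES ('u1', '203.0.113.7', '2024-05-01T10:00:00Z');
        INSERT INTO login_events (user_id, ip, at)
            VALUES ('u2', '198.51.100.9', '2024-05-02T11:00:00Z');
        INSERT INTO support_messages (user_id, body) VALUES ('u1', 'Please fix my invoice');
    """)
    return con


def export_subject(con, subject_id):
    """Right of access: every row about the subject, grouped by table."""
    out = {}
    for table, col in PERSONAL_DATA_TABLES.items():
        rows = con.execute(f"SELECT * FROM {table} WHERE {col} = ?", (subject_id,))
        out[table] = [dict(r) for r in rows.fetchall()]
    return out


def export_subject_json(con, subject_id):
    """Portable export in the JSON form the checklist mentions."""
    return json.dumps(export_subject(con, subject_id), indent=2, sort_keys=True)


def erase_subject(con, subject_id):
    """Right to erasure: delete from every table; returns rows removed per table."""
    counts = {}
    with con:  # single transaction: either all tables are purged or none are
        for table, col in PERSONAL_DATA_TABLES.items():
            cur = con.execute(f"DELETE FROM {table} WHERE {col} = ?", (subject_id,))
            counts[table] = cur.rowcount
    return counts


def rectify_subject(con, subject_id, field, value):
    """Rectification of one allow-listed field; returns True if a row changed."""
    if field not in ALLOWED_RECTIFY_FIELDS:
        raise ValueError(f"field {field!r} is not rectifiable")
    with con:
        cur = con.execute(f"UPDATE users SET {field} = ? WHERE id = ?", (value, subject_id))
    return cur.rowcount == 1


def restrict_processing(con, subject_id, restricted=True):
    """Set the restriction flag that batch jobs and analytics must check."""
    with con:
        cur = con.execute("UPDATE users SET processing_restricted = ? WHERE id = ?",
                          (1 if restricted else 0, subject_id))
    return cur.rowcount == 1


def is_processing_restricted(con, subject_id):
    row = con.execute("SELECT processing_restricted FROM users WHERE id = ?",
                      (subject_id,)).fetchone()
    return bool(row and row["processing_restricted"])


def response_deadline(received):
    """Last day to answer a request received on `received`."""
    return received + timedelta(days=DSAR_DEADLINE_DAYS)


SAMPLE_RECEIVED = date(2024, 6, 1)  # constructed request date

if __name__ == "__main__":
    db = open_sample_db()
    print(export_subject_json(db, "u1"))
    print("deadline:", response_deadline(SAMPLE_RECEIVED))
```

In a real deployment the processor exposes these operations to the controller through an authenticated API or admin console and logs each request with its receipt date, so the 30-day clock can be audited.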
5. Security Measures
GDPR Article 32 requires "appropriate technical and organizational measures." For SaaS, this typically means:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Access controls with role-based permissions
- Regular security audits and penetration testing
- Incident response plan with 72-hour breach notification
- Proper security headers on your web application
- SOC 2 or ISO 27001 certification (highly recommended for enterprise sales)
6. Privacy by Design
New features must be built with Privacy by Design principles. This means data minimization (only collect what you need), purpose limitation, and privacy-friendly defaults.
7. Cookie and Tracking Compliance
Your SaaS website and dashboard must comply with cookie rules. Use PrivacyChecker to scan your site and verify that no tracking scripts fire before consent. Check your cookie consent banner implementation.
GDPR Compliance as a Sales Advantage
Enterprise customers in the EU will not buy SaaS products without verifiable GDPR compliance. Having a public DPA, sub-processor list, and security certifications removes sales friction and builds trust. Companies like Notion, Linear, and Vercel prominently display their compliance status.
Frequently Asked Questions
Does GDPR apply to my SaaS if I'm based outside the EU?
Yes. GDPR applies to any company that processes personal data of EU residents, regardless of where the company is incorporated. If you have EU customers, you must comply.
What's the difference between a data controller and a data processor?
The controller decides why and how data is processed (your customer). The processor processes data on behalf of the controller (your SaaS). Both have separate obligations under GDPR.
What are the penalties for SaaS GDPR non-compliance?
Up to €20 million or 4% of global annual revenue, whichever is higher. Beyond fines, non-compliance can result in enforcement orders, public reprimands, and — most critically for SaaS — loss of enterprise customers. See our GDPR fines analysis for real examples.