Is your SaaS data processing contract worth signing?

A data processing agreement is the contract that governs what your SaaS may do with personal data that belongs to your customer's business. The label you wear under the law decides which rules bind you, so the first job is to get the roles right. Tap a card for the key clauses and the watch-point for each side.

If your SaaS stores, hosts, or otherwise handles data that your customer's end users generate, and you do it for the customer rather than for your own independent purposes, you are almost certainly a processor and a service provider at the same time. That means one DPA usually has to satisfy both regimes. Your enterprise customers will not sign until it does.

California reaches the same goal as GDPR Article 28 through different words. When a business discloses personal information to a service provider or contractor, Civil Code section 1798.100(d) requires a written contract that:

• specifies that the personal information is sold or disclosed only for limited and specified purposes;
• obligates the recipient to comply with the applicable obligations under the CCPA and to provide the same level of privacy protection the business must provide;
• grants the business the right to take reasonable and appropriate steps to help ensure the recipient uses the information consistently with the business's obligations;
• requires the recipient to notify the business if it determines it can no longer meet its obligations; and
• grants the business the right, on notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of the information.

Cal. Civ. Code 1798.100(d)(1)-(5). Source

The definitions add the teeth. A service provider under section 1798.140(ag) must be barred by the written contract from selling or sharing the information, from retaining, using, or disclosing it for any purpose other than the specified business purposes, from retaining, using, or disclosing it outside the direct business relationship, and from combining it with personal information from another source, subject to enumerated exceptions in the regulations.

Cal. Civ. Code 1798.140(ag). Source

A contractor under section 1798.140(j) is held to the same prohibitions and must also certify in the contract that it understands the restrictions and will comply with them. That certification is a specific, easy-to-miss requirement that I confirm is actually in the document.

Cal. Civ. Code 1798.140(j). Source

In practice a SaaS DPA that needs to work for California data will usually carry both the GDPR Article 28 duties and these CCPA terms in one document, with a short section that maps each requirement so a reviewer can see nothing is missing.

Almost every SaaS relies on sub-processors: a hosting provider, an email service, an analytics tool. GDPR Article 28(2) says the processor cannot engage another processor without the controller's prior specific or general written authorisation, and under a general authorisation the processor must inform the controller of intended additions or replacements so the controller can object. GDPR Art. 28(2). Source

Article 28(3)(d) then requires the processor to flow the same data-protection obligations down to each sub-processor by contract. A workable sub-processor clause therefore needs four parts:

• Authorization model. State whether you are using specific authorization (the controller approves each sub-processor) or general authorization (a published list with a right to object).
• Published list. Maintain a current sub-processor list the controller can see, ideally with a subscribe-for-updates mechanism.
• Change notice. Give a defined notice window before a new sub-processor goes live so the controller has a genuine chance to object.
• Flow-down terms. Bind each sub-processor to back-to-back data-protection obligations, and keep the processor liable for the sub-processor's performance.

Audit rights are where DPA negotiations stall most often. They come straight from GDPR Article 28(3)(h): the processor must make available all information necessary to demonstrate compliance, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor it mandates. GDPR Art. 28(3)(h). Source

The customer wants a real ability to verify. The vendor cannot let every customer wander through its production environment. A balanced clause keeps the statutory right intact while setting guardrails both sides can accept:

• Scope. Limit the audit to systems and records relevant to the processing of that customer's data, not the vendor's whole business.
• Frequency. Once a year as a baseline, with an exception for a breach, a regulator demand, or reasonable cause.
• Notice and timing. Reasonable advance written notice, during normal business hours, without disrupting other customers.
• Confidentiality. The auditor is bound to confidentiality, and findings about the vendor's environment stay protected.
• Third-party-auditor and certification option. Let the vendor satisfy routine audits with a recognized report or certification, reserving an on-site inspection for cause. This is the compromise that usually closes the deal.

GDPR Article 28(3)(c) requires the processor to take all measures required under Article 32 on security of processing, and Article 28(3)(f) requires the processor to assist the controller with the breach-notification obligations in Articles 33 and 34. GDPR Art. 28(3)(c), 28(3)(f). Source

A practical security and breach section in a DPA usually covers:

• A measures schedule. A concrete annex of technical and organisational measures, such as encryption in transit and at rest, access controls, logging, and tested backups, rather than a single vague sentence.
• Breach notice timing and content. A duty on the processor to notify the controller without undue delay, with enough detail for the controller to meet its own Article 33 and 34 deadlines.
• Assistance scoped to what is available. Article 28(3)(f) ties the processor's assistance to the nature of processing and the information available to it, which is a fair limit to state expressly.
• Personnel and confidentiality. The confidentiality commitment from Article 28(3)(b) for everyone who touches the data.

A DPA only matters if it is enforced. If a counterparty refuses a contractual audit, onboards an unauthorized sub-processor, will not delete or return data at the end of the engagement, or ignores a breach-notice duty, here is the real path I work.

• Attorney demand letter first. A letter on firm letterhead that quotes the exact DPA clause and the governing standard, sets a cure deadline, and builds a clean record. That is the $575 attorney demand letter, and it includes review of the first substantive response.
• Negotiation if it keeps moving. If the back-and-forth continues past that first reply, extended written negotiation is the $1,500 Pre-Litigation Negotiation Phase, scoped separately.
• Filing or arbitration when the matter calls for it. I file complaints, initiate arbitration, and appear as counsel of record in California when a matter warrants it. That is a separate engagement, with its own engagement letter, conflict check, and quoted scope. California only.

The demand letter and the negotiation phase are the pre-litigation steps. Filing a complaint, initiating arbitration, and appearing as counsel of record are a separate, separately quoted engagement, California only. That keeps the path honest: a genuine willingness and capability to litigate, not an automatic promise to sue in every case.