Data Processing Agreement in SaaS Contracts: GDPR and CCPA Requirements

High Importance
SaaS

What This Clause Does

If you're sharing personal data with a SaaS vendor (names, emails, usage data, or anything else that relates to an identifiable person), this clause governs what the vendor may do with it. Under GDPR (EU), the UK GDPR and the CCPA/CPRA (California), the obligation to put a compliant written contract in place sits with you as the customer, so sharing data without one is your compliance gap as much as the vendor's.

Look for a Data Processing Agreement (DPA) as a separate exhibit or incorporated by reference. The DPA should specify the categories of data processed, the purpose and duration of processing, retention and deletion (including return or deletion at the end of the contract), your right to have deletion and other data subject requests honored, the vendor's security obligations, and how sub-processors are approved and disclosed. The absence of a DPA from a vendor who processes personal data is itself a red flag.

Example Clause Pattern

"To the extent Vendor processes Personal Data on behalf of Customer, the parties shall be subject to the Data Processing Agreement ('DPA') attached hereto as Exhibit A, which is incorporated into and forms part of this Agreement."

What to Watch

  • No DPA referenced or attached despite vendor processing personal data
  • Vendor can use your data to improve their product without your consent
  • No obligation to notify you of a data breach within a defined timeframe
  • Vendor can transfer your data to countries with weaker privacy protections without safeguards

How This Clause Works by Jurisdiction

California

The CPRA treats SaaS vendors processing consumer personal data as "service providers" or "contractors" only if a written contract restricts them to specified business purposes and imposes the other statutory terms. Without such a contract the vendor is simply a "third party," and the disclosure can be treated as a "sale" or "sharing" of personal information, with the notice and opt-out obligations that follow. Customers who fail to put a compliant DPA in place therefore expose themselves to enforcement by the California Privacy Protection Agency and the Attorney General, not just the vendor.

Reviewed May 2026

New York

New York's SHIELD Act requires any person or business that owns or licenses computerized data containing "private information" of New York residents, wherever that business is located, to implement reasonable administrative, technical and physical safeguards. One of the listed administrative safeguards is selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract, so a SaaS DPA should spell out the vendor's specific technical and organizational security measures rather than a bare promise of "industry standard" security.

Reviewed May 2026

United Kingdom

UK GDPR Article 28 requires a written controller-processor agreement whenever a SaaS vendor processes personal data of UK data subjects. The agreement must set out the subject matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, the security measures, how data subject rights requests are handled, and the conditions for appointing sub-processors. For transfers out of the UK, the ICO publishes an International Data Transfer Agreement and an Addendum that can be attached to the EU Standard Contractual Clauses.

Reviewed May 2026

Jurisdiction-specific information is general in nature and not legal advice. See disclaimer.

Negotiation Strategies

Always request the vendor's DPA if you're sharing any personal data, and review it before signing: vendor templates commonly reserve broad rights to use customer data for "service improvement" and allow sub-processors to be added without notice.

Negotiate a maximum 48-hour breach notification window. GDPR requires a processor to notify the controller "without undue delay," and you as controller have 72 hours from becoming aware to notify the supervisory authority, so a vendor deadline longer than 48 hours can leave you no time to meet your own obligation.
