What risks do SaaS companies face for not having a DPA?

By Joanne Hue, Date published: 2023-01-16

Software as a Service, or SaaS, is a distribution model in which a cloud provider makes applications available to internet users by hosting the application itself. The software vendor may operate independently by contracting with a third-party hosting provider, or the provider may be the vendor itself, as with larger companies like Microsoft. Simply put, SaaS allows users to remotely access software that is centrally hosted.

SaaS depends on cloud delivery models, and its advantages include convenient customization, high accessibility and strong vertical scalability. It also supports automatic updates, so customers receive new versions without installing anything themselves. Because of this convenience, SaaS has become the most prevalent development model in the software market. ClickUp, Google’s Workspace, Donorbox, Salesforce, Netflix and Dropbox are some examples of successful SaaS. Beyond these examples, myriad useful SaaS products are used across a range of industries. A SaaS company is required to comply with data protection regulations and should have a Data Processing Addendum in place before supplying users’ data to a third party for processing.

A Data Processing Addendum, or DPA, is a contract between data controllers and data processors that seeks to secure users’ data through compliance with privacy laws like GDPR. The General Data Protection Regulation, or GDPR, sets a clear basis for ensuring data safety. As a data controller, you should seek processors that provide adequate assurance of data protection. A company needs a DPA because it obliges the processor to act only on the controller’s documented instructions and ensures compliance with GDPR. If your business operates through a website, gathers visitors’ information and at some point requires a third party to administer that data, the Data Processing Addendum provides you with legal protection for instances in which the third party might exploit your users’ information.

The primary legal risk of not having a DPA is the possibility of processors and other third parties misusing your users’ information. As a Software as a Service company, you will be aggregating large quantities of users’ data. When you permit a third party to conduct processing for your website, you need to grant the processor temporary or indefinite access to that data. If there is a breach of such data, you may have to bear the liability for mishandling personal information. For the charge of mishandling personal information, the court could levy a fine commensurate with the loss caused by the mishandling. This is especially true when you are subject to GDPR but have not formed a DPA when permitting a third party to handle a user’s data. The GDPR regulates privacy protection and data security in the European Union and is applicable throughout the European Economic Area.

A software company operates as a processor and as a controller, depending on the form of data. It may hire sub-processors for data processing that cannot be conducted by the company itself. A DPA is, therefore, a requirement for conducting business with a larger company. You will need to tailor a DPA to each sub-processor your business engages. Your prospective clients will be seeking a DPA, because it helps them understand the responsibility that is contractually placed upon them. If a prospective client does not ask for a DPA, you should be concerned about their dedication and intention to maintain the security of your users’ information.

Even if your SaaS company operates outside of the European Economic Area, forming a DPA with a third-party processor is crucial. Firstly, it provides your company with legal protection in the event of information mishandling. Secondly, there are laws other than GDPR that regulate third-party processing and require a DPA. For instance, Utah, Virginia, California and Colorado have comprehensive data protection laws, and many other states have protection laws that are currently in committee. Outside of the USA, Brazil and Canada have enacted the Brazilian Data Protection Law (LGPD) and the Personal Information Protection and Electronic Documents Act (PIPEDA), respectively, for the protection of individuals’ data.

Reputational risks of not having a Data Processing Agreement

The penalty from a data breach can massively impact a company’s reputation and affect its future trade prospects. When a business is found guilty of non-compliance with users’ data protection, or has been fined for a breach, reputational damage follows. Reputational damage brings extra associated costs, which may come in the form of lost customers, stagnating growth or an inability to secure investors. Therefore, focusing on compliance with data protection laws by forming a DPA is beneficial for a company’s reputation.

Reputational damage due to the absence of a DPA can be especially detrimental to a company in terms of customer loss. A consumer would ideally read reviews before selecting a data controller, and reputational damage might lead your prospective customers to opt for the services of your competitors.

Loss of customer trust

Data is immensely valuable to SaaS companies. This data may concern the user’s IP address, online behaviour, consumption habits, and information about their devices or browsing activity. Access to consumer information helps personalize products and increases the probability of marketing success. Because customer data is a resource that benefits companies, customers are becoming increasingly cautious about sharing their personal information. Protecting that data is, therefore, intrinsic to earning customers’ trust. Adherence to data protection policies is advantageous to businesses, and the lack of a DPA can cause a loss of customer trust.

In a survey conducted by ATB venture, users reported that they wish tech companies were more transparent in their use of their data. Likewise, users overwhelmingly preferred services that respect their privacy. Customers actively seek services that give them better security assurance. The absence of a DPA in third-party data transactions shows a lack of priority toward data protection, which is a direct competitive disadvantage.

Conclusion

SaaS companies bear legal and financial repercussions when they do not have a DPA. In the event of a third-party breach, a DPA provides legal protection to the data controller, that is, the SaaS company. In many regions, the exchange of users’ personal data without a DPA is a violation of data protection regulations.

SaaS companies are increasingly adopting DPAs in their business contracts with other tech companies. This helps secure customer loyalty, since users seek websites that ensure the protection of their data. Conversely, penalties or fines for data breaches can lead to massive reputational damage, discouraging customers and prospective investors. The legal and financial impacts that a lack of a Data Processing Addendum may cause are massively detrimental compared with the cost of putting one in place.

Data protection should be prioritized by SaaS companies. You can find DPA templates and services online that can be tailored to the requirements of your business. Zegal provides easy-to-use DPA templates with affordable plans, along with data protection policy templates suitable for employees. You will also find more information on SaaS agreements and can browse options for SaaS agreement templates.
