Software as a Service (SaaS) is a delivery model for software. Whereas software was previously sold in a physical format for a one-off, up-front cost (think Windows 95 on CD-ROM), SaaS usually involves centrally hosted software accessed over the web under an ongoing licence paid for by subscription. SaaS products are often available via a browser, an app, or both.
Examples include Office 365, Google Apps, and Dropbox.
There are significant advantages to delivering your product via SaaS. But it's a decision not to be taken lightly.
- "Personal data" means any data that could conceivably be used to identify an individual, for example, their:
  - Full name
  - Email address
  - Credit card details
  - Browser information and cookies
- "Processing" means doing, well, pretty much anything with that data. This includes:
  - Storing it
  - Sending an email
  - Sending credit card details to an eCommerce service
  - Collecting cookie data
Who You Are
What Data Your SaaS App Collects
Your SaaS app might collect a variety of personal data including:
- Data provided by users on registration
- Data collected automatically by the app
- Data received from third parties
Personal Data Your Users Provide
Much of the information your SaaS app collects about your users will be provided by them when they sign up for an account. This is likely to include their name, email address, and billing information.
Personal Data Your SaaS App Collects Automatically
SaaS apps often collect personal data through information such as log files generated as part of the app's normal operation. Be aware that, under EU case law such as Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, an IP address (and therefore a log file that records one) can constitute personal data.
Here's how collaborative SaaS company Slack explains its use of log files:
Some SaaS apps choose to group information about log files along with information about other types of technical data such as cookies.
SaaS provider Salesforce informs its users about how it responds to Do Not Track (DNT) signals. This is a requirement under CalOPPA.
Personal Data You Receive From Third Parties
Your company may receive data about its users from third parties.
Be careful when processing third-party data about your users. The European Commission warns that, to ensure GDPR compliance, if you're receiving data from another organization, that organization:
"must be able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may use it for advertising purposes."
The Commission adds that "your company/organisation must also ensure that the list or database is up-to-date and that you don't send advertising to individuals who objected to the processing of their personal data for direct marketing purposes."
Why You Need To Process This Data
Keep in mind that one of the core principles of data protection under Article 5(1)(b) of the GDPR is "purpose limitation." You should only collect the personal data that you need in order to effectively operate your SaaS app (together with any broader purposes for which your company needs to process personal data, if there are any).
Your Lawful Basis
Under Article 6 of the GDPR, your company may only process personal data under one of six "lawful bases."
Who You'll Be Sharing Your Users' Data With
Your users need to know who you'll be sharing their personal data with.
For example, you'll probably be taking payment information via your SaaS app. If you do this through an eCommerce platform, you'll need to make your users aware of this.
Under Article 13(1)(e) of the GDPR, you're required to provide information about "the recipients or categories of recipients of the personal data." You don't need to name each company you'll be sharing data with; listing each type of company you'll be sharing data with is enough.
Whether You'll Be Transferring User Data Overseas
SaaS apps typically rely on cloud storage. If you have users in the EU or Switzerland and you're hosting their personal data outside of this region (e.g. in the US), Article 13(1)(f) of the GDPR requires you to provide information about your intention "to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission."
The second part of that rule requires some explanation. The European Commission is one of the institutions of the EU. One of the Commission's jobs is to assess the adequacy of other countries' data protection regulations. So far, the Commission has endorsed the data protection regime of twelve countries including Canada and New Zealand. The US is included, but only where companies are signed up to the EU-US Privacy Shield framework.
How Long Your SaaS App Stores Users' Data
Storage limitation is one of the six data protection principles set out in Article 5(1) of the GDPR. Article 5(1)(e) states that personal data can be stored "for no longer than is necessary for the purposes for which the personal data are processed."
This means that your company must consider how long it needs to keep each type of personal data it stores. It can do this by drawing up a "retention schedule."
How Your Users Can Exercise Their Data Rights
Under Chapter 3 of the GDPR, individuals have certain rights over their personal data. If your company processes the personal data of EU citizens, it's up to you to help them exercise those rights.
Cloud storage service Dropbox helpfully provides links to various areas of its site where users can exercise some of their data rights:
Here's how Office 365 informs its users about how to exercise their right to data portability under Article 20 of the GDPR:
How You're Keeping Your Users' Data Safe
SaaS apps generally store user data in the cloud, and you remain responsible for keeping that data secure. You should be completely transparent about the steps you've taken to ensure data security, and about the systems you have in place in case of a data breach.
Here's how Google puts it in relation to its G Suite series of SaaS apps:
- Answer a few questions about your business:
- Add your website or app information:
- Answer a few questions about what information you collect from your users:
- Select options for how your users can contact you:
There are a couple of ways you can do this.
On Sign-up or Installation
Here's the account setup screen from the Spotify Windows app:
A Menu Within Your App
Here's what the Evernote Windows app displays when the user chooses the "About" option from the "Help" menu:
Here's a picture of the Settings menu on the Evernote Android app:
Here's what users see when they select the "Legal" option:
Ensuring Your SaaS App Complies With Privacy Law
- Who you are, and how you can be contacted.
  - Include the name and contact details of your Data Protection Officer if your company is required to appoint one.
- The types of personal data that your SaaS app collects:
  - Data volunteered by your users when they sign up for or install your SaaS app
  - Data your SaaS app collects from your users, such as log files
  - Data your company receives from third parties
- Why it's necessary for you to process this data in order to offer your SaaS app.
- If you're serving EU users, your company's lawful basis for processing data under Article 6 of the GDPR.
- What types of organizations you'll be sharing data with.
- If you're serving EU users, whether you'll be transferring their personal data overseas (i.e. to a non-EU country):
  - If so, whether you'll be transferring to a country approved by the European Commission.
  - If transferring to the US, whether your company is signed up to the EU-US Privacy Shield.
- How long your SaaS app will store your users' personal data.
- If you're serving EU users, how your users can exercise their rights under Chapter 3 of the GDPR:
  - How your users can withdraw their consent
  - How your users can request a copy of their personal data
- At sign-up or installation
- Via a menu within your SaaS app