Data Processing and Privacy
What This Clause Does
If you're sharing personal data with a SaaS vendor — names, emails, usage data, or anything else — this clause governs what they can do with it. Under GDPR (EU) and CCPA (California), you may have specific legal obligations about who you share data with and under what terms.
Look for a Data Processing Agreement (DPA) as a separate exhibit or incorporated by reference. The DPA should specify the categories of data processed, the purpose, retention periods, your rights to request deletion, and the vendor's security obligations. The absence of a DPA from a vendor who processes personal data is itself a red flag.
What This Looks Like in a Contract
"To the extent Vendor processes Personal Data on behalf of Customer, the parties shall be subject to the Data Processing Agreement ('DPA') attached hereto as Exhibit A, which is incorporated into and forms part of this Agreement."
Red Flags to Watch For
- No DPA referenced or attached despite vendor processing personal data
- Vendor can use your data to improve their product without your consent
- No obligation to notify you of a data breach within a defined timeframe
- Vendor can transfer your data to countries with weaker privacy protections without safeguards
Negotiation Strategies
- Always request and sign the vendor's DPA if you're sharing any personal data
- Negotiate a maximum 48-hour breach notification window