Data Processing Agreements

Yes, in two situations. First, if a vendor processes personal data on your behalf (analytics, hosting, AI, CRM), the California Consumer Privacy Act requires service-provider terms in your contract or the vendor counts as a third party with broader obligations. Second, if an enterprise customer hands you their DPA, signing a compliant version is usually a precondition to closing the contract.

They serve three different audiences. The Privacy Policy is your public-facing notice to users; that lives on our Terms of Service and Privacy Policy page. The DPA is the contract between you and a counterparty (vendor or customer) governing how personal data is handled in the engagement. The SaaS subscription agreement is the master commercial deal that licenses the service; that lives on our SaaS and Enterprise Agreements page under Contracts and Deals. This page focuses on DPAs and the cross-border transfer layer.

Probably yes, if you process the personal data of California residents and meet one of three thresholds: $26.6 million in annual revenue (the 2026 inflation-adjusted figure), personal information of 100,000 or more California residents or households per year, or 50 percent or more of revenue from selling or sharing personal information. The full thresholds and definitions are published by the California Privacy Protection Agency. Physical California presence is not required.

CPRA expanded the original CCPA in three meaningful ways: it added a new category of sensitive personal information, it added a right to correct inaccurate data, and it broadened sharing to cover cross-context behavioral advertising even without a sale. The January 2026 CCPA regulations added detailed disclosure, contracting, and risk-assessment obligations on top.

GDPR applies to your business if you offer goods or services to people in the European Union, or if you monitor their behavior, regardless of where your company is based. The territorial scope is set out at Article 3 of the GDPR. Many U.S. SaaS companies are within scope without realizing it because their analytics, marketing pixels, or self-serve signup pages reach EU users.

Quebec Law 25 imposes consent, transparency, and cross-border-transfer assessment requirements on any business handling the personal data of Quebec residents. The full text is published on LégisQuébec and enforcement guidance comes from the Commission d'accès à l'information. It is enforced separately from the federal Canadian privacy regime under PIPEDA. SGL handles Quebec compliance directly given the firm's Quebec admission.

The DPA must (1) limit the vendor's use of personal data to the specific business purpose in the contract, (2) prohibit the vendor from selling or sharing the data, (3) prohibit retention or use of the data beyond the engagement, and (4) require the vendor to comply if you direct it to delete or correct data on a consumer's request. Generic GDPR-only DPAs almost never include all four.

Standard Contractual Clauses are pre-approved data-transfer terms that allow personal data to move from the European Union to the United States legally. The current SCC text is published by the European Commission. You need them when an EU user's data is transmitted to your U.S. infrastructure or to a U.S.-located vendor. The U.S.-EU Data Privacy Framework can substitute for SCCs in some cases, but not all.

With every vendor processing personal data on your behalf, yes. That includes analytics, customer support tools, AI providers, CRM systems, email platforms, and hosting. The vendor inventory is usually the gap most SaaS companies discover during their first audit, breach incident, or acquirer diligence.

Each tier is flat fee, billed at engagement. After the strategy call we send the engagement letter, you pay upfront, and the work begins. Delivery timing is set on the strategy call based on scope, urgency, and current capacity. Rush handling is available; we will tell you the cost before adding it.