A vendor saying "we're GDPR compliant" isn't the same as telling you where your data lives, which sub-processors touch it, and under what legal mechanism it crosses borders.
Why data residency is not optional anymore
A SaaS vendor telling you "we're GDPR compliant" is not the same as telling you where your data physically lives, which sub-processors touch it, and under what legal mechanism it crosses borders. For any enterprise buyer serving EU customers or employing EU staff, residency and transfer mechanics are now due-diligence items, not marketing checkboxes — regulators and enterprise customers alike are asking the specific question, not the general one.
The sub-processor question
Every SaaS platform relies on sub-processors — cloud hosting, email delivery, analytics, payment processing. Under GDPR, the controller (your company) remains accountable for how those sub-processors handle personal data, even though you didn't choose them directly. Before signing, request the vendor's current sub-processor list, confirm it's kept up to date with advance notice of changes, and check that each entry has its own adequate transfer mechanism in place.
Standard Contractual Clauses after Schrems II
Since the Schrems II ruling invalidated the EU-US Privacy Shield, Standard Contractual Clauses (SCCs) combined with a documented Transfer Impact Assessment are the practical mechanism for most cross-border transfers. A vendor that can't produce a current SCC package and impact assessment on request is not ready for enterprise EU business, regardless of what their marketing page claims.
What to ask before you sign
- —Request the sub-processor list and update-notification process in writing
- —Ask which regions data is stored and backed up in, not just "processed" in
- —Ask for data retention and deletion timelines in the DPA, not the privacy policy — the DPA is the binding document
- —Ask what happens to your data on contract termination — a specified deletion window, in writing, is the standard to hold every vendor to