GDPR for US-Based SaaS Selling to EU: The Short Version
Your first European customer is about to sign. Their security review mentions GDPR five times. Here's the short version — enough to close the deal and know what to ask a lawyer later.
GDPR is vast. You don't need to understand all of it to sell your first EU customer. You need to understand the parts that show up in security reviews and contracts. Here's the version that matters for US-based B2B SaaS.
Are you processing EU personal data?
Under GDPR, "personal data" is very broadly defined — any data that can identify a natural person. If your EU customer's end users (their employees, their customers) have email addresses, names, or IP addresses in your system, you're processing EU personal data. So the answer is almost always yes.
Your role: Data Processor
Your customer is the Data Controller (they determine the purpose of data use). You're the Data Processor (you process it on their behalf). This is the typical B2B SaaS arrangement. GDPR places direct obligations on both roles.
The DPA is your starting point
A Data Processing Agreement is the contract between Controller and Processor that GDPR explicitly requires. Almost every EU customer will either send you their DPA or ask for yours. Have a reasonable default template. Key clauses: purpose of processing, types of data, sub-processor handling, data transfer mechanisms, breach notification obligations, deletion on termination.
International data transfers
Moving EU personal data to the US is the most common GDPR speed bump. You have three legitimate mechanisms:
- EU-US Data Privacy Framework (DPF, successor to Privacy Shield). Requires self-certification with the US Department of Commerce and annual renewal. Free, relatively simple, broadly accepted.
- Standard Contractual Clauses (SCCs). EU-approved contract templates between you and the Controller. Baseline mechanism; most customers will accept.
- Binding Corporate Rules. Large-enterprise-only; not relevant at your stage.
In practice: DPF self-certification + SCCs in your DPA covers 95% of deals.
Data subject rights
Under GDPR, individuals (data subjects) have rights: access, correction, deletion, portability, objection. As a Processor, you need to be able to help your Controller respond to these requests within 30 days. In practice: have a documented way for the customer to request a data export and a deletion for an individual user.
Breach notification
If there's a personal data breach, you must notify your Controller "without undue delay" (practically: within 24–48 hours). The Controller then has 72 hours to notify their data protection authority. Make sure your incident response plan meets this timing — it's often tighter than what SOC 2 requires.
What enterprise buyers look for
Specific asks that come up in EU enterprise security reviews:
- Signed DPA with SCCs
- List of sub-processors with their locations
- EU data residency option (even if they choose not to use it)
- Proof of DPF certification or equivalent transfer mechanism
- Documented data retention and deletion policies
- Data Protection Officer (DPO) contact — even if you don't formally have one, have a named privacy contact
When to get a real lawyer involved
For your first EU deal, a $2K–$5K engagement with a GDPR-competent attorney is the right investment. They review your DPA template, confirm your transfer mechanisms, and check your privacy policy. After that, you mostly just sign DPAs customers send you and occasionally adapt.
GDPR rewards companies who take it seriously and punishes those who pretend it doesn't apply. The middle ground — take it seriously enough to have defensible answers, not seriously enough to let it block every deal — is where most healthy B2B SaaS lives.
Stop managing compliance in spreadsheets.
Simpra is the AI-native platform that turns policies, controls, evidence, and risk into one live system of record.