GDPR for US SaaS Companies: An Engineer's Guide

Most US founders assume GDPR is a European problem. Then a German prospect sends a security and privacy questionnaire asking for a signed DPA and a subprocessor list, and the project stalls. At QUANT LAB USA we treat GDPR as an architecture concern: the rights are easy to promise and hard to engineer, so we build the plumbing early.

Related background: our HIPAA-compliant SaaS architecture guide covers many of the same data-handling patterns from the healthcare angle.

GDPR has extraterritorial scope. A US company is generally caught when it does either of the following with the personal data of people located in the EU or EEA:

• Offers goods or services to them — even free ones. Pricing in euros, an EU-language site, or EU-targeted ads are strong signals, but EU users simply signing up can be enough.
• Monitors their behavior — analytics, tracking pixels, behavioral profiling, and similar.

What does not get you off the hook: having no EU entity, hosting only in US regions, or never invoicing an EU customer. The hook is the data, not the corporate structure. If EU residents can meaningfully use your SaaS, assume you are in scope until counsel tells you otherwise.

Your obligations depend on your role for a given dataset, and most SaaS companies wear both hats at once:

• Processor for your customers' end-user data. You process it on their instructions; they are the controller. This is the typical B2B SaaS posture.
• Controller for your own data — your marketing leads, your account holders' admin profiles, your employees. You decide why and how it is processed.

Getting this mapping right drives your contracts: as a processor you sign your customers' DPAs; as a controller you owe your own privacy notice and lawful basis. Many disputes start because a company never decided which role applied to which data.

Article 28 requires a Data Processing Agreement between controller and processor. In practice that means a chain of contracts:

• Upstream: you sign your customers' DPAs as their processor.
• Downstream: you sign DPAs with every subprocessor that touches personal data — cloud host, database provider, email, analytics, error tracking, support tooling, AI vendors.
• Transparency: you maintain a current, public list of subprocessors and a way to notify customers of changes.
• Transfers: cross-border data movement (EU to US) needs a valid mechanism — the EU-US Data Privacy Framework or Standard Contractual Clauses with a transfer impact assessment — referenced in the DPA.

Missing downstream DPAs is one of the most common gaps we find in audits. Every vendor in the personal-data path needs one, the same way every PHI vendor needs a BAA under HIPAA.

GDPR's Article 25 calls for “data protection by design and by default.” Translated into a SaaS build, that is concrete engineering work:

1. Data inventory and mapping. Know every place personal data lives, including logs, backups, and third parties. You cannot honor erasure for data you have not catalogued.
2. Deletion and export pipelines. One job that fans out a per-subject delete or export across all stores and subprocessors, with an audit trail.
3. Consent and preference management. A real cookie consent and marketing preference system, captured with timestamps, honored in code.
4. Data minimization and retention. Collect only what you use; enforce retention windows with scheduled purges, not manual cleanup.
5. Pseudonymization and encryption. Separate identifiers from sensitive attributes where practical; encrypt at rest and in transit.
6. Logging that does not leak. Redact personal data at the application boundary so it does not end up in third-party logs without a DPA — the same discipline we describe for PHI.

Build these on tenant-isolated foundations. Our multi-tenant SaaS with Postgres RLS guide shows how row-level security keeps one customer's personal data away from another's.

When a personal data breach poses a risk to individuals, a controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. A processor must tell its controller without undue delay. You cannot meet that clock with paperwork alone — you need to detect the breach.

• Centralized, retained audit logs with anomaly alerting.
• A written incident response plan with defined severities and an incident commander.
• Notification templates prepared in advance.
• An annual tabletop exercise so the team has run the drill before it is real.

This is the same detection-and-response backbone that supports SOC 2 and ISO 27001. See cybersecurity services for SaaS startups.