
SaaS (Software as a Service)

A cloud-based delivery model in which software is accessed and used over the internet as a service.

Software as a Service (SaaS) is a software distribution model in which applications are hosted by a provider in the cloud and made available to users over the internet, typically on a subscription basis. Unlike traditional on-premises software, users do not install the application on their own hardware or manage the underlying infrastructure. Instead, the provider is responsible for hosting, maintenance, security patches, scalability, and availability. Users access the software through a web browser or lightweight client from any device with an internet connection.

SaaS has become the dominant delivery model for business software — including compliance management, CRM, ERP, collaboration, and HR tools. Key advantages include lower upfront investment (no licence fees or hardware costs), predictable subscription-based pricing, automatic updates, and rapid deployment. SaaS solutions are particularly attractive for SMEs that lack the IT resources to operate and maintain complex on-premises systems.

From a compliance perspective, SaaS introduces specific considerations. Under GDPR, the SaaS provider processes personal data on behalf of the customer and therefore acts as a data processor; a Data Processing Agreement (DPA) is legally required. Data localisation — ensuring that data is stored within the EU or EEA — is an important criterion for many organisations, particularly in regulated industries. ISO 27001 certification, SOC 2 reports, and transparency about sub-processors are key indicators of a trustworthy SaaS compliance platform.

Legal Basis

GDPR Art. 28 (Data Processor obligations, DPA requirement); GDPR Art. 44–49 (International data transfers); ISO 27001; BSI C5 (Cloud Computing Compliance Criteria Catalogue); NIS2 Directive

Practical Example

A medium-sized healthcare company evaluates a SaaS compliance platform for managing its GDPR and information security compliance. Before signing the contract, its data protection officer reviews the provider's DPA, sub-processor list, data centre locations (confirming EU hosting), and ISO 27001 certificate. The company also checks whether the provider supports data export in a machine-readable format (data portability) and has a clear data deletion process for contract termination. After the legal review, the platform is deployed within three days — with no IT infrastructure required on the customer's side.

FAQ

When using a SaaS solution that processes personal data, the customer (data controller) must conclude a Data Processing Agreement (DPA) with the SaaS provider (data processor) under GDPR Art. 28. The DPA must specify the nature and purpose of processing, categories of data, data subjects, and the technical and organisational measures in place. The customer must also verify that any sub-processors used by the provider are also subject to adequate data protection obligations.

These are the three main cloud service models. IaaS (Infrastructure as a Service) provides virtualised computing infrastructure — servers, storage, networking. PaaS (Platform as a Service) provides a development and deployment environment on top of infrastructure. SaaS delivers complete, ready-to-use applications over the internet. For most business users, SaaS is the most relevant model as it requires no technical expertise to deploy or operate.

Key measures include: selecting providers with ISO 27001 certification or equivalent (e.g. SOC 2 Type II); verifying EU data residency; reviewing the provider's sub-processor list and data transfer safeguards; concluding a comprehensive DPA; enabling available security features such as MFA and audit logging; and establishing an exit strategy with data portability and deletion guarantees. Regular reviews of the provider's security posture should be part of ongoing vendor management.

How preeco supports you

Learn how our software supports you with this topic.
