When you use a SaaS platform, you upload your data to a vendor's infrastructure. The data ownership and data processing clauses in your SaaS agreement determine who owns that data, how it can be used, whether it can be shared, and what happens to it when you leave. In the UK, the UK GDPR and the Data Protection Act 2018 impose strict obligations on how personal data is processed — and the SaaS contract must reflect those obligations.
What is data ownership?
Data ownership in a SaaS context has two distinct dimensions: (1) who owns the business data (customer records, files, outputs) you upload or generate on the platform — almost always you, as the customer, but the contract must confirm this; and (2) how the vendor may process personal data on your behalf, which is governed by a Data Processing Agreement (DPA) required under UK GDPR. The DPA defines the vendor's role (data processor), the categories of personal data processed, the security measures in place, and your rights to audit and receive assistance with data subject requests.
Red flags to watch for
UK GDPR Article 28 requires a written contract between a controller (you) and processor (the SaaS vendor). Absence of a DPA or Article 28 terms means the vendor is non-compliant — and so are you for using them.
A licence allowing the vendor to use your data (including personal data) to train models or improve their product raises serious UK GDPR concerns — this typically requires a legitimate basis that the vendor should be able to articulate.
If the vendor stores or processes data outside the UK/EEA, adequate safeguards (UK adequacy regulations, International Data Transfer Agreements) must be in place. A contract silent on data location is a red flag post-Brexit.
If you can only export your data in a vendor-specific format that's hard to import elsewhere, you're effectively locked in. The contract should guarantee export in standard, open formats.
A 7-14 day post-termination data retention window creates real risk of data loss. 30-90 days is more reasonable, giving you time to migrate data to a new platform.
Your legal rights
The UK GDPR (retained from EU GDPR, now amended by the Data Protection Act 2018) requires a written DPA for any processing of personal data by a third party on your behalf. Article 28 sets mandatory content requirements for that DPA. The ICO has published guidance on controller-processor relationships. If a vendor fails to comply with UK GDPR in processing your customers' personal data, you as the controller remain responsible. Data subjects can exercise their rights (access, erasure, portability) and the ICO can investigate complaints and impose fines.
Questions to ask before you sign
1. Is there a Data Processing Agreement that complies with UK GDPR Article 28?
2. Does the vendor have the right to use my data for any purpose beyond providing the service?
3. Where is my data stored and processed — is it in the UK, EEA, or third countries?
4. What format can I export my data in, and for how long after termination is it retained?
5. What happens to my data if the vendor is acquired or goes into administration?
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.