SaaS

In brief

Finished software, used directly over the internet — nothing to install or manage. Like a hotel room: you walk in, everything is done, and you own nothing.

Precise definition

Software as a Service: a complete application operated by a third party and consumed through the browser. The customer manages neither the infrastructure nor the software, only their data and settings. Maximum delegation, and maximum exposure: the data lives with the provider, under their law.

Our analysis

Virtually all of French companies’ exposure lies in SaaS, because it is part of everyday use: email, collaboration, CRM, ERP. What we use without giving it a second thought is precisely what we never question.

That is the trap. SaaS is technically invisible: there are no servers to manage, no hardware to choose, so issues of jurisdiction, data portability and reversibility almost never arise at the outset. They crop up at the worst possible moment – when the service provider shuts down a service, changes its terms and conditions or is taken over – and by then it is already too late to exit cleanly.

The GDPR requires that personal data processed within a SaaS solution comply with its provisions, including its rules on transfers outside the European Union: standard contractual clauses, adequacy decisions, equivalent safeguards. A US-based SaaS solution without an adequate legal basis for data transfers constitutes a direct exposure – legal rather than technical. The ease of use of SaaS masks the fact that this is the area where we delegate the most, and therefore the one where we have the least control.