SaaS

In brief

You use the app as it is, hosted and maintained by the service provider, just like a business email service or a CRM. You don’t have to deal with the servers: you simply log in via your browser.

Precise definition

Software as a Service, as defined by NIST (SP 800-145). The service provider manages the entire stack: infrastructure, platform and application. The customer simply configures and uses the service, without access to the code or the system. Examples: Microsoft 365, Google Workspace, Salesforce, Notion, Slack.

Our analysis

It is in SaaS that virtually all of French companies’ exposure lies, because it is part of everyday use: email, collaboration, CRM, ERP. What we use without giving it a second thought is precisely what we never question.

That is the trap. SaaS is technically invisible: there are no servers to manage, no hardware to choose, so issues of jurisdiction, data portability and reversibility almost never arise at the outset. They crop up at the worst possible moment – when the service provider shuts down a service, changes its terms and conditions or is taken over – and by then it is already too late to exit cleanly.

The GDPR requires that personal data processed within a SaaS solution comply with its provisions, which includes the regulation of transfers outside the European Union: standard contractual clauses, adequacy decisions, equivalent safeguards. A US-based SaaS solution without an adequate legal basis for data transfers constitutes a direct exposure – legal rather than technical. The ease of use of SaaS masks the fact that this is the area where we delegate the most, and therefore the one where we have the least control.