How to Check if a SaaS Vendor Is GDPR-Compliant — in 5 Minutes

Only 7 of 57 dev tools we checked offer a self-serve DPA. Here's the 5-minute vendor check EU buyers run before procurement — and how vendors pass it.

A procurement-side comment in a recent Reddit discussion of our EU Jurisdiction Database summed up a pattern we keep seeing:

“This is the kind of detail buyers notice late, but it can kill trust fast. If a SaaS sells into Europe, the company location, data processor list, and DPA should be easy to find. Hiding that behind vague legal pages just makes procurement slower.”

That’s exactly what our data shows. We maintain a database of 57 developer tools across 7 categories — uptime monitoring, error tracking, log management, feature flags, LLM observability, product analytics, and status pages — and track where each company is incorporated, where data lives, and whether you can actually get a DPA without a sales call.

This article turns that dataset into the check EU buyers actually run. It takes five minutes per vendor. And at the end, we flip it around: if you’re the vendor, here’s how to pass it.

What the Data Says

Five findings from the database, last verified June 9, 2026:

  • Only 7 of 57 tools (12%) offer a self-serve DPA — a Data Processing Agreement you can download or countersign without contacting sales. (Full disclosure: one of the seven is FoundersDeck, our own product.)
  • For 49 of 57 tools (86%), you cannot verify from public pages whether a DPA exists at all. The information is simply not findable without entering a sales process.
  • Exactly one tool (LangSmith) publicly documents that its DPA is available on request via support — which at least tells you it exists. Everyone else in the 49 leaves you guessing.
  • 29 of 57 tools (51%) are US-incorporated, and 25 are directly exposed to the US CLOUD Act — meaning US authorities can compel data disclosure regardless of where the servers are.
  • Only 16 of 57 tools (28%) guarantee EU data residency. Another 19 offer it merely as a region option — which doesn’t change the legal jurisdiction of the operator.

The takeaway for buyers: the absence of information is itself information. The takeaway for vendors: you are probably in the 49, and it’s costing you deals you never see.

Methodology — What “Not Verifiable” Means

One distinction matters, and we want to be precise about it: a tool in the “not verifiable” group does not necessarily lack a DPA. Most of these companies presumably have one in a drawer — Article 28 GDPR requires it the moment they process personal data on behalf of customers. What we checked is whether a prospective buyer can verify and obtain the DPA from public pages without contacting sales. “Self-serve: yes” means we found a downloadable or countersignable DPA. “Not verifiable” means we couldn’t confirm one exists without starting a sales conversation — which, for procurement purposes, amounts to the same delay. All entries were last verified on June 9, 2026; if we got one wrong, the database page explains how to tell us, and we’ll fix it.

The 5-Minute Vendor Check

Five steps, one minute each. Everything here is checkable from public pages — no sales call, no NDA, no demo.

Minute 1: Who Is the Legal Entity?

Open the imprint, terms of service, or the bottom of the privacy policy. You’re looking for the contracting entity and its country of incorporation — “Acme Inc., Delaware” or “Acme GmbH, Berlin”.

This single fact determines which government can compel access to your data. A US-incorporated company is subject to the CLOUD Act wherever its servers are; a German GmbH or French SAS is not.

Red flag: no imprint, no named entity, or a privacy policy that only says “we” without ever stating who “we” legally is.

Minute 2: Where Does the Data Actually Live?

Find the hosting section of the privacy policy or a dedicated trust/security page. The distinction that matters:

  • Guaranteed EU residency — all customer data stays in the EU, stated plainly.
  • “EU region available” — a deployment option, often paid, that changes the data center but not the operator’s legal jurisdiction.

In our dataset, only 16 of 57 tools guarantee EU residency; 19 more offer it as an option. If the entity check in minute 1 returned a US company, an EU region does not close the CLOUD Act gap — jurisdiction follows the company, not the data center.

Red flag: marketing says “GDPR-compliant” but the privacy policy names US infrastructure providers without explaining the transfer mechanism.

Minute 3: Can You Get the DPA Right Now?

Search the site footer and help center for “DPA” or “Data Processing Agreement”. The gold standard is self-serve: a PDF you can download, or a countersigning flow you can complete in the dashboard.

This is the rarest checkmark in our entire database — 7 of 57. If the DPA is there, you’ve just saved your procurement team days. If it isn’t, note it: every legal document that requires a sales conversation adds a round-trip to your timeline.

Red flag: “Contact us for our DPA” with no indication of what’s in it, or legal pages that mention GDPR in marketing copy but link to nothing.

Minute 4: Is the Subprocessor List Public?

A subprocessor page names every third party the vendor passes data to — hosting, email delivery, analytics, support tooling. Article 28 GDPR requires this disclosure, and it’s where hidden transfers surface: an “EU-hosted” tool using a US email provider is still moving personal data into CLOUD Act reach.

Red flag: no subprocessor page at all, or one without dates and entity countries.

Minute 5: The Meta-Test

If you’ve reached minute 5 and still can’t answer “who processes my data, where, and under which contract” — that is the result. The vendor may be perfectly compliant on paper, but they’ve externalized the verification cost onto you. Multiply that by every buyer they ever pitch, and you understand why the Reddit commenter said hidden legal pages “just make procurement slower.”

Vendors that pass all four checks in under five minutes are signaling something real: they’ve done this work before you asked.

The 7 of 57 That Pass the DPA Check

These are the only tools in our database with a verified self-serve DPA as of June 9, 2026:

Tool           Category                          Legal entity   EU residency
FoundersDeck   Uptime monitoring & status pages  Germany        Guaranteed
LogCentral     Log management                    France         Guaranteed
Pirsch         Product analytics                 Germany        Guaranteed
Plausible      Product analytics                 Estonia        Guaranteed
Langfuse       LLM observability                 Germany        EU option
Unleash        Feature flags                     Norway         EU option
Rollbar        Error tracking                    USA            None

Two honest notes on this table. First, FoundersDeck is our product — we built our own DPA as a self-serve page precisely because of everything in this article, so judge the criteria, not our entry. Second, look at Rollbar: a self-serve DPA does not imply EU jurisdiction. Rollbar publishes its DPA openly (good!) but remains a US-incorporated, CLOUD-Act-exposed company. The DPA check and the jurisdiction check are two different questions — run both.

The full table with all 57 tools, including jurisdiction, hosting, CLOUD Act exposure, and self-hosting options, lives in the EU Jurisdiction Database.

For Vendors: Your Hidden DPA Is Slowing Down Your Sales Cycle

Now the flip side. If you sell SaaS into Europe, every check above is one your buyers are already running — silently. Here’s what failing it costs you:

  • Procurement round-trips. Every document that requires a sales conversation adds days. Buyer asks sales, sales asks legal, legal sends a PDF, buyer’s DPO has questions — that’s a week, for a document you could have published.
  • Silent disqualification. Smaller buyers and indie founders don’t email you for the DPA. They close the tab and pick the vendor where minute 3 took thirty seconds. You never see these lost deals in your CRM.
  • Trust decay at the worst moment. As the procurement commenter put it: buyers notice late, and it kills trust fast. Late-stage friction is the most expensive kind.

Passing the check is mostly an afternoon of work:

  1. Name your legal entity — imprint or terms, entity name and country, no ambiguity.
  2. State your hosting plainly — which providers, which countries, guaranteed or optional.
  3. Publish a self-serve DPA — a signed PDF or countersigning flow. This is the rarest green checkmark in our data and the cheapest differentiation available to you.
  4. Publish your subprocessor list — dated, with entity countries.
  5. Put it all on one trust page — like ours — so the five-minute check takes one.

If your tool belongs in one of our seven categories and passes these checks, we want it in the database — the criteria are the same for everyone, including us.

The data in this article comes from the EU Jurisdiction Database, 57 developer tools across 7 categories, last verified June 9, 2026. Corrections welcome.

Engin Yildirim – Founder of FoundersDeck

Founder of FoundersDeck. 13+ years in software engineering. Building EU-first tools for founders.