SaaS Agreements – Hosting – Encryption of Stored Data

Under the Data Protection Act (DPA), SaaS customers are required to take “appropriate technical and organisational measures” to prevent the unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data. SaaS providers who process personal data on behalf of SaaS customers are required to include such obligations in their SaaS agreement (or SLA).

Written Obligation

The specific obligations specify that SaaS customers must have a written contract with SaaS providers which states that:

  • the SaaS provider may only process data in accordance with the SaaS customer’s instructions; and
  • the SaaS provider undertakes to comply with the “technical and organisational measures” requirements of the DPA.

Encryption Requirement

Last year the Information Commissioner’s Office (ICO) issued some guidance on cloud computing. Amongst other issues, this advised SaaS customers to ensure that personal data in transit is secure and protected from interception by:

  • encrypting data in transit;
  • using encryption that meets recognised industry standards; and
  • obtaining assurances from SaaS providers that data in transit is appropriately secure.

The ICO also advised that data “at rest” i.e. personal data which is stored, should also be encrypted, depending upon the nature of the personal data held i.e. is it sensitive personal data and the type of processing taking place.

SaaS customers were advised to ensure that encryption keys are:

  • kept up to date, in order to maintain the level of protection; and
  • not lost, as this could render the data useless.


SaaS customers are increasingly asking SaaS providers to include data encryption obligations in SaaS agreements. Google cloud services now:

  • automatically encrypts all data before it is stored;
  • regularly updates keys;
  • implements access controls; and
  • permits auditing procedures.

In time this could become standard for all SaaS providers. In any event you may want to check with your data centre, where you are outsourcing hosting and storage to check whether they also offer this service, which is provided to Google cloud service customers at no additional cost.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To learn more about SaaS and cloud computing join me at the Berlin CloudConf 2013 on the 5th December.

To register for my newsletter click here


Other related articles: