
Does my SaaS vendor have to tell me if they have a data breach affecting my company?

The short answer

Whether and how quickly your SaaS vendor must notify you of a data breach depends on a combination of applicable state law and your contract. State breach-notification laws exist in a number of states and generally require businesses to notify individuals whose personal information was affected by a breach — for example, California law (Civil Code §1798.82) requires notification when unencrypted personal information is acquired by an unauthorized person. These statutes primarily govern notification from businesses to individuals; they do not necessarily require the SaaS vendor to notify you as its business customer on any specific timeline. Your contract is the more direct source of the vendor's obligation to notify you. Vendor-to-customer notification windows are a negotiated contract term; many agreements set a specific short deadline, but the number is created by the agreement, not a universal statutory rule. Scan your agreement to see what breach notification the vendor has committed to and on what timeline.



What state breach-notification laws generally require

Many states have enacted data breach notification laws requiring businesses to notify individuals whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. California's law — codified at Civil Code §1798.82 — is one example: it requires a business or person to notify affected California residents when unencrypted personal information is acquired, or reasonably believed to have been acquired, by an unauthorized person. The California Attorney General's breach reporting page confirms this obligation and describes the reporting process. State breach-notification requirements vary by jurisdiction in their definitions, timelines, and covered data categories — and the B2B layer of who notifies whom is governed by the relationship between a data controller (often the buyer) and a vendor (the processor).

The statutory obligation typically runs from the business that collected the data to the individuals affected — not automatically from vendor to business customer on a defined timeline. Your SaaS vendor, as a processor of your data, may be required under your data processing addendum or under applicable privacy law to notify you promptly so that you can fulfill your own notification obligations to affected individuals. How quickly that vendor-to-customer notification must occur is primarily a contractual question, not a universal statutory requirement.

Why the contract notification window matters

State notification timelines for consumer notification vary, but many are 30 days from discovery. Meeting that window requires the vendor to notify you with enough time to investigate, assess scope, and prepare the consumer-facing communication. A vendor who takes 25 days to notify you of a breach leaves you one business week to meet a 30-day consumer notification obligation. Negotiating a short, specific vendor-to-customer notification window in the agreement gives you the time you need; that window is created by the agreement, not by a universal statutory rule.

What to look for in your agreement

Questions to ask before signing

Why scan instead of guess

The general rule tells you the baseline. Your agreement tells you what you’re actually being asked to sign — and the wording is what binds. Dang reads the document and flags the clauses worth reviewing, in plain English.

The deterministic engine scores and decides what’s risky. The AI only enriches the plain-English wording — AI extracts, code decides, never the other way around.

Your original file is deleted promptly after processing — we keep only the report you can read. No account needed for a one-time scan. Free preview first; full report $6.99, one-time.

Common questions

Does California's breach notification law apply to my SaaS vendor?

California Civil Code §1798.82 generally applies to any person or business that owns or licenses unencrypted personal information about California residents. Whether your SaaS vendor's obligation under that statute runs directly to you (as a business customer) or to the individuals whose data was affected depends on the data relationship and the applicable facts. Your contract's breach notification clause is the more direct source of the vendor's obligation to notify your company specifically, and on what timeline.

What data breach laws apply in states other than California?

Many states have enacted data breach notification laws, and they vary in their definitions of covered personal information, notification timelines, and affected-party scope. The specific laws applicable to your situation depend on where your customers and employees are located, your own compliance obligations, and your agreement's governing law clause. State rules vary — the contract's breach notification provisions and a current-status legal review are the reliable way to understand your obligations.

Sources