Does my SaaS vendor have to tell me if they have a data breach affecting my company?
The short answer
Whether and how quickly your SaaS vendor must notify you of a data breach depends on a combination of applicable state law and your contract. State breach-notification laws generally require businesses to notify individuals whose personal information was affected by a breach; California's law (Civil Code §1798.82), for example, requires notification when unencrypted personal information is acquired by an unauthorized person. These statutes are written mainly around notification from businesses to individuals. Some, California included, also require a business that maintains data it does not own to notify the data's owner, but with wording such as "immediately following discovery" rather than a fixed number of days. Your contract is therefore the more direct source of the vendor's obligation to notify you, and of the deadline for doing so. Vendor-to-customer notification windows are a negotiated contract term; many agreements set a short, specific deadline, but that number comes from the agreement, not from a universal statutory rule. Scan your agreement to see what breach notification the vendor has committed to and on what timeline.
What state breach-notification laws generally require
Many states have enacted data breach notification laws requiring businesses to notify individuals whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. California's law, codified at Civil Code §1798.82, is one example: it requires a business or person to notify affected California residents when unencrypted personal information is acquired, or reasonably believed to have been acquired, by an unauthorized person. The California Attorney General's breach reporting page confirms this obligation and describes the reporting process. State requirements vary by jurisdiction in their definitions of personal information, notification timelines, and covered data categories. Who notifies whom in a B2B arrangement turns on the data relationship: the business that owns or licenses the data (often the buyer, as data controller) owes the notice to individuals, and the vendor that merely maintains the data on its behalf (the processor) owes notice to that business under statutes like California's and under most data processing addenda.
The statutory obligation typically runs from the business that collected the data to the individuals affected, not from vendor to business customer within a defined number of days. Your SaaS vendor, as a processor of your data, may be required under your data processing addendum or under applicable privacy law to notify you promptly so that you can meet your own notification obligations to affected individuals. How quickly that vendor-to-customer notification must occur is primarily a contractual question, not a universal statutory requirement.
Why the contract notification window matters
Consumer notification timelines under state law vary; a number of states set a deadline of 30 days from discovery of the breach. Meeting that window requires the vendor to notify you with enough time left to investigate, assess scope, and prepare the consumer-facing communication. If the statutory clock is treated as starting when the incident was discovered and the vendor takes 25 days to tell you, you have five business days to meet a 30-day obligation. Negotiating a short, specific vendor-to-customer notification window in the agreement gives you that time; the window is created by the agreement, not by a universal statutory rule.
What to look for in your agreement
- A breach notification clause: does the vendor have a contractual obligation to notify you of a security incident affecting your data — and within what timeframe?
- The definition of 'breach' or 'security incident' in the agreement: does it cover suspected incidents, or only confirmed ones?
- What information the vendor must include in the notification: scope, affected data types, vendor's investigation status.
- Whether the agreement includes any cooperation obligation for your own incident response and consumer notification process.
- Whether the governing law and any data processing addendum address breach notification separately from the main agreement.
Questions to ask before signing
- Ask the vendor to confirm the contractual breach notification timeline — and whether a short, specific vendor-to-customer window can be added.
- Ask the vendor to clarify what constitutes a notifiable 'security incident' under the agreement, specifically whether suspected incidents trigger the obligation or only confirmed ones.
- Confirm whether the data processing addendum addresses breach notification, and whether it governs in the event of any conflict with the main MSA.
- Consider having the breach notification provisions reviewed if the platform handles personal data about your customers or employees.
Why scan instead of guess
The general rule tells you the baseline. Your agreement tells you what you’re actually being asked to sign — and the wording is what binds. Dang reads the document and flags the clauses worth reviewing, in plain English.
The deterministic engine scores the clauses and decides what's risky; the AI only rewrites the findings in plain English. AI extracts, code decides, never the other way around.
Your original file is deleted promptly after processing — we keep only the report you can read. No account needed for a one-time scan. Free preview first; full report $6.99, one-time.
Common questions
Does California's breach notification law apply to my SaaS vendor?
California Civil Code §1798.82 applies to any person or business that owns or licenses unencrypted personal information about California residents. It also addresses a business that maintains such data on another's behalf, which must notify the owner or licensee of a breach immediately following discovery, with no fixed number of days. Whether your vendor's statutory obligation runs to you or directly to affected individuals therefore depends on who owns the data and the applicable facts. Either way, your contract's breach notification clause is the more direct source of the vendor's obligation to notify your company specifically, and on what timeline.
What data breach laws apply in states other than California?
Many states have enacted data breach notification laws, and they vary in their definitions of covered personal information, notification timelines, and affected-party scope. Which laws apply to your situation depends on where your customers and employees are located, your own compliance obligations, and your agreement's governing law clause. Because state rules vary, the contract's breach notification provisions and a review of the laws currently in force are the reliable way to understand your obligations.
Sources
- California Attorney General — Data Security Breach Reporting (official state agency page; cites California Civil Code §§1798.29 and 1798.82) · official source
- Sources last checked 2026-06-11. Laws and market practices change — confirm current rules before relying on them.
No account required · File deleted after analysis · Not legal advice. Dang reports contract findings in plain English — general information, not legal advice about your situation. For consequential decisions, consult a licensed attorney in your state.