Compliance Guide

Your SaaS Vendor Just Changed Their ToS. Are You Still Compliant?

ClausePatrol Team
Legal & Compliance Experts

Here's the problem

Your CRM vendor updated their Terms of Service last Tuesday. Buried in section 8.3, they added: "we may use customer data to train and improve our AI features."

You didn't notice. Why would you? You signed that contract 18 months ago.

But here's what changed: your vendor is now using your customers' data for a purpose you never contracted for, and that can put you out of compliance. In California it can push the vendor outside its "service provider" role under the CCPA; for EU customers it is processing outside the scope of your GDPR Article 28 contract; and Virginia, Colorado, and the other states with comprehensive privacy laws impose comparable duties on how you contract with and oversee processors.

A privacy lawyer I spoke with recently called this "the blind spot." Companies obsess over their own privacy policies but completely ignore what their vendors are doing with customer data. And under every major privacy law—CCPA, GDPR, you name it—you're liable when your vendors screw up.

The "service provider" trap

Let's talk CCPA first, since it covers roughly 40 million Californians and applies to any business that does business in California and meets one of its size thresholds, regardless of where that business is headquartered.

When you hire a SaaS vendor to handle customer data under a compliant contract, they're your "service provider" under CCPA. That means two things:

  1. They may use the personal information only for the "business purpose" your contract specifies, and the contract itself must spell out that restriction
  2. If they use it for anything else (like training their own AI), that use falls outside the service-provider exception, so the data has effectively been disclosed to a third party for a purpose you never told consumers about. The CCPA shields a business from a service provider's misuse only if the business had no actual knowledge, and no reason to believe, that the misuse was coming. A publicly posted ToS change that you could have read is exactly the kind of thing that erodes that defence.

Real scenario:

  1. You sign up for a customer support tool
  2. Your contract says they'll "process support tickets"
  3. Months later, they update their ToS to add "we use tickets to train our AI chatbot"
  4. Your California customers' support conversations are now AI training data
  5. Under CCPA, that use no longer qualifies for the service-provider exception, so personal information has been disclosed to a third party for a purpose your privacy notice never covered

The penalty? $2,500 per violation, $7,500 if it's intentional (both figures are adjusted upward for inflation), enforced by the California Privacy Protection Agency and the Attorney General. Note that the CCPA's private right of action, and the class actions that come with it, is limited to certain data breaches; vendor-purpose violations are a regulator problem, not a plaintiff's-bar problem, but a regulator problem is still expensive.

13 different state laws (and counting)

CCPA isn't alone. As of 2025, at least thirteen US states have comprehensive privacy laws. The thirteen listed here are the ones most often cited; several more (New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island) enacted laws in 2024, so treat this list as a floor, not a ceiling:

  • California (CCPA/CPRA)
  • Virginia (VCDPA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Utah (UCPA)
  • Iowa (ICDPA)
  • Indiana (ICDPA)
  • Tennessee (TIPA)
  • Montana (MCDPA)
  • Oregon (OCPA)
  • Texas (TDPSA)
  • Delaware (DPDPA)
  • New Jersey (NJDPA, signed January 2024, effective January 2025)

Every single one makes you responsible for your "processors" or "service providers." The language varies, but the principle is the same: you're liable when your vendors misuse customer data.

Translation: If you do business nationwide, you're juggling 13 different compliance frameworks. And if any one of your 50+ SaaS vendors adds an AI training clause, you could be violating multiple state laws simultaneously.

GDPR makes it worse

Serve customers in Europe? GDPR's Article 28 is even stricter than CCPA.

Under GDPR, your vendors are "data processors," and Article 28(3) requires a written contract (a Data Processing Agreement) that sets out the subject-matter, duration, nature and purpose of the processing and binds the processor to act only on your documented instructions. If a processor goes beyond those instructions, say, for AI training, Article 28(10) treats it as a controller for that processing, and you are exposed for having used a processor that did not provide the guarantees Article 28 demands and for not catching the drift.

"The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation."

— GDPR Article 28(1)

The penalty? Up to €20 million or 4% of global annual revenue, whichever is higher.

And like the CCPA, GDPR doesn't care where your company is based. Under Article 3(2) it applies to any organisation that offers goods or services to people in the EU or monitors their behaviour there, wherever that organisation sits. Period.

What vendors are actually changing

This isn't theoretical. Vendors update their legal docs constantly—and most don't notify customers.

Documents that change (without you knowing):

  • Terms of Service

    Where "improve our services" suddenly means "train AI models"

  • Privacy Policies

    Where "analytics" expands to include machine learning R&D

  • Data Processing Agreements

    Where processing purposes quietly expand beyond what you agreed to

  • Sub-processor lists

    Where your vendor starts using third-party AI services you never approved

The reality:

You signed 47 SaaS contracts. Half of them have updated their ToS in the past year. You read zero of those updates. Your compliance officer doesn't even know they exist.

Real examples from actual vendor ToS

Project management tool (added March 2024)

"You grant us a worldwide, non-exclusive license to use, modify, and create derivative works from your content to provide, improve, and develop our services and AI features."

Risk: If you told customers their project data would only be used for "task management," this new AI clause violates that promise under pretty much every privacy law.

Customer support platform (updated July 2024)

"We analyze customer interactions, including support tickets and chat logs, to train machine learning models and improve our AI assistant."

Risk: Support tickets often contain sensitive customer information. Training models on them is a purpose you almost certainly never disclosed to consumers or authorized in your service-provider contract, which is what makes it a CCPA problem in California.

Marketing automation tool (DPA amended May 2024)

"Processing purposes: (a) providing the service, (b) analytics and reporting, (c) research and product development."

Risk: "Research and product development" is vague enough to cover AI training. GDPR requires purposes to be specified, explicit and legitimate (Article 5(1)(b)); an open-ended line like this doesn't cut it.

What companies should be doing vs. what they actually do

What privacy laws require

  • Ongoing monitoring of service providers
  • Documented business purposes for each vendor
  • Immediate action when vendors change terms
  • Consumer rights enforcement (deletion, access, opt-out)
  • Annual vendor audits
  • Updated DPAs reflecting current practices

What most companies actually do

  • Sign contract once, forget it exists
  • Never check for ToS updates
  • Generic "we use third parties" in privacy policy
  • No vendor monitoring process
  • Cross fingers
  • Find out about violations from lawyers

How to actually stay compliant

Look, I get it. You have 50+ vendors. Reading legal docs is miserable. But here's a practical system that won't consume your life:

Step 1: Inventory critical vendors

Not all vendors matter equally. Focus on tools that process actual customer data:

  • CRM systems (customer names, emails, purchase history)
  • Support platforms (tickets, chat logs, complaints)
  • Marketing tools (email lists, behavioral data)
  • Analytics platforms (usage data, IP addresses)
  • Payment processors (transaction data, billing info)

Internal collaboration tools like Slack? Lower priority unless you're sharing customer data there.

Step 2: Document what you told customers

For each vendor, write down the "business purpose" or "processing purpose" you disclosed:

Example:

Vendor: HubSpot

Data processed: Name, email, company, website activity

Disclosed purpose: "To send product updates and respond to inquiries"

Off-limits: AI training, third-party sharing, advertising

This becomes your baseline. If the vendor's ToS contradicts this, you've got a problem.

Step 3: Spot-check vendor ToS quarterly

You don't need to read 50-page legal docs. Use Ctrl+F to search for red flags:

  • train
  • machine learning
  • improve
  • AI features
  • derivative works
  • product development

If you find any of these, dig deeper. Compare the current ToS to your archived version. That presumes you archived one: save a dated copy of the ToS, privacy policy, DPA and sub-processor list the day you sign, and again after each check, so there is always something to diff against.

Step 4: Have a response plan

When a vendor adds concerning language:

  1. Day 1: Document the change. Screenshot the old vs new ToS.
  2. Day 2: Email vendor legal/sales asking for clarification or opt-out
  3. Week 1: If they won't budge, research alternatives
  4. Week 2: If staying, update your privacy policy and re-consent customers (if required by law)
  5. Ongoing: Keep records showing you acted in good faith

Step 5: Automate where possible

Quarterly manual checks are better than nothing, but vendor ToS changes happen constantly. Tools that monitor vendor policies automatically (like ClausePatrol) can catch changes the day they happen, not three months later.
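As an added example (not ClausePatrol's code, and not something from the original post), here is the "archive, then diff for red flags" check from Steps 2 and 3 written as a script. It diffs an archived snapshot against the current text and reports only newly added clauses that contain the red-flag terms listed above, so boilerplate that already said "improve our services" when you signed does not re-alert every quarter. The vendor name, the baseline record and both ToS texts are constructed for the example.

```python
# Added example (not ClausePatrol code): diff an archived vendor ToS against
# the current one and flag only the newly added clauses that contain
# red-flag terms. Vendor name, texts and the baseline below are constructed.
import difflib
import hashlib
import re
from dataclasses import dataclass

# The same terms the article suggests searching for by hand.
RED_FLAGS = (
    "train",              # matches train, training, trained
    "machine learning",
    "improve",            # matches improve, improves, improvement
    "ai features",
    "derivative works",
    "product development",
)


@dataclass(frozen=True)
class VendorBaseline:
    """Step 2 of the procedure: what you told customers about this vendor."""
    vendor: str
    disclosed_purpose: str
    off_limits: tuple


@dataclass(frozen=True)
class Finding:
    vendor: str
    clause: str
    matched_terms: tuple


def fingerprint(text: str) -> str:
    """Hash a snapshot so unchanged documents can be skipped cheaply."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def split_clauses(text: str) -> list[str]:
    """Break a ToS into sentence-sized clauses so a finding points at one
    sentence rather than a whole paragraph. Splits after '.' or ';' that
    follows a letter, so section numbers like '8.3' stay intact."""
    clauses = []
    for line in text.splitlines():
        for part in re.split(r"(?<=[a-z][.;])\s+", line):
            if part.strip():
                clauses.append(part.strip())
    return clauses


def added_clauses(archived: str, current: str) -> list[str]:
    """Clauses present in the current text but not in the archived one."""
    if fingerprint(archived) == fingerprint(current):
        return []
    diff = difflib.ndiff(split_clauses(archived), split_clauses(current))
    return [line[2:] for line in diff if line.startswith("+ ")]


def flag_terms(clause: str, terms=RED_FLAGS) -> tuple:
    """Red-flag terms that appear in the clause, matched at word start so
    'training' and 'improves' are caught (case-insensitive)."""
    low = clause.lower()
    return tuple(t for t in terms if re.search(r"\b" + re.escape(t), low))


def review(baseline: VendorBaseline, archived: str, current: str) -> list[Finding]:
    """Step 3 automated: only new clauses are examined, so wording that
    already contained 'improve' when you signed does not re-alert each run."""
    findings = []
    for clause in added_clauses(archived, current):
        hits = flag_terms(clause)
        if hits:
            findings.append(Finding(baseline.vendor, clause, hits))
    return findings


# --- Constructed sample input (hypothetical vendor and texts) -------------
BASELINE = VendorBaseline(
    vendor="ExampleDesk (hypothetical support platform)",
    disclosed_purpose="Process support tickets on our behalf",
    off_limits=("AI training", "third-party sharing", "advertising"),
)

ARCHIVED_TOS = """1. Service. We process support tickets submitted by your users to provide the service.
2. Data use. We use customer data only to deliver, secure and support the service.
3. Fees. Fees are billed monthly."""

CURRENT_TOS = """1. Service. We process support tickets submitted by your users to provide the service.
2. Data use. We use customer data only to deliver, secure and support the service. We may also use customer data, including support tickets and chat logs, to train and improve our AI features.
3. Fees. Fees are billed monthly in arrears."""

if __name__ == "__main__":
    for f in review(BASELINE, ARCHIVED_TOS, CURRENT_TOS):
        print(f"[{f.vendor}] new clause hits {f.matched_terms}:\n  {f.clause}")
        print(f"  disclosed purpose: {BASELINE.disclosed_purpose}; off-limits: {BASELINE.off_limits}")
```

Run against the constructed texts it reports one finding, the new AI clause in section 2, and stays silent on the benign billing change in section 3. Terms are matched at word start rather than as whole words on purpose: a whole-word search for "train" would miss "training", which is the form that actually shows up in these clauses. Pair the output with the baseline's off-limits list when you triage, and keep the archived snapshot you diffed against as part of the Step 4 record.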

Bottom line

Privacy compliance isn't a one-time thing. It's definitely not a "sign the contract and forget it" thing.

Under CCPA, GDPR, and every US state privacy law, you're responsible for what your vendors do with customer data. When they add AI training clauses six months after you sign, that's your problem—not theirs.

The companies that avoid fines and lawsuits aren't the ones with the fanciest privacy policies. They're the ones who actually track what their vendors are doing.

Written by ClausePatrol Team

Our legal and compliance experts monitor 1000+ SaaS vendors daily to help companies stay compliant with CCPA, GDPR, and state privacy laws.


Track vendor policy changes automatically

ClausePatrol monitors 1000+ SaaS vendors and alerts you when they update their ToS, Privacy Policy, or DPA—especially when they add AI training clauses that could put you out of compliance.
