Blog / Automation

Automation6 March 202620 min read

Data Ownership SaaS Platforms: What AI Does With Your Data

The average organisation ran on approximately 130 SaaS applications in 2023 — and most business owners have never read a single one of their terms of service…

The average organisation ran on approximately 130 SaaS applications in 2023 — and most business owners have never read a single one of their terms of service (BetterCloud SaaS Trends Report, 2023). That is not a moral failing. It is a time problem. But as AI features become standard inside the tools you use every day, that unread fine print is quietly expanding in ways that directly affect your business.

SaaS — Software as a Service — refers to software delivered over the internet on a subscription basis, rather than installed locally. Think your CRM (Customer Relationship Management) platform, email marketing tool, project management software, or accounting system. Data ownership in SaaS platforms has always been complicated. The arrival of AI has made it significantly more consequential — and for Australian businesses operating in an increasingly regulated environment, the stakes have never been higher.

The global SaaS market is projected to reach USD $819 billion by 2030 (Grand View Research, 2023). As that market grows, so does the volume of your customer records, financial data, marketing analytics, and internal communications sitting inside third-party systems — often on servers in the United States or Europe, processed under terms you agreed to without fully understanding.

This article breaks down what you actually agreed to, how AI features have changed what is at stake, what happens to your data when you leave a platform, and — most importantly — what you can do about it today.


Data Ownership in SaaS Platforms: Who Really Controls Your Data?

Here is the part most content glosses over: you almost certainly do own your data, technically speaking. The problem is that ownership and control are not the same thing — and in most SaaS arrangements, the gap between the two is where vendors operate.

Most SaaS contracts include a clause that reads something like: “You retain all rights, title, and interest in and to your data.” That sounds reassuring. But three paragraphs later, there is typically a separate clause that grants the vendor a broad licence to use, process, aggregate, and analyse that data in connection with operating and improving their services. Legal analysis of major SaaS contracts has consistently found that the majority contain licence grants broad enough to encompass AI model training, regardless of how the ownership clause is worded.

As privacy attorney Cobun Zweifel-Keegan of the International Association of Privacy Professionals (IAPP) has noted: “The gap between data ownership and data control is where most of the legal risk lives for businesses using SaaS platforms — especially now that AI has expanded what vendors can do with that data.”

In legal terms, you own the asset — but the vendor holds a licence to exploit it.

The distinction matters enormously. Think of it like owning a house that you have rented out: you hold the title deed, but the tenant can technically redecorate, host events, and invite guests in while they are living there. Your ownership does not prevent their use.

What ‘Aggregated and Anonymised’ Really Means

Aggregated and anonymised data refers to information that has been stripped of direct identifiers — such as names, email addresses, or account numbers — and combined with data from many other users or organisations so that no individual or business can, in theory, be identified.

Vendors commonly reserve the right to use your data in this form even after you leave. The argument is that once data is stripped of identifying information, it is no longer your data — it is an industry data set.

The catch? Anonymisation is not always as permanent as it sounds. A landmark 2019 study published in Nature Communications by researchers Luc Rocher, Julien Hendrickx, and Yves-Alexandre de Montjoye from Imperial College London found that 99.98% of Americans could be correctly re-identified in an anonymised dataset using just 15 demographic attributes. “Even heavily sampled anonymised datasets are unlikely to satisfy the anonymisation standard,” the researchers concluded (Rocher et al., Nature Communications, 2019). When your CRM data, email open rates, and sales pipeline metrics are pooled with thousands of other businesses’ data, the vendor builds a proprietary understanding of market behaviour that you helped create — and that they exclusively benefit from.


How AI Has Shifted Data Ownership Across SaaS Platforms

When Salesforce, HubSpot, Notion, and Microsoft rolled out AI-powered features inside their platforms in 2023 and 2024, most businesses simply clicked “enable” and moved on. What many did not notice was that enabling those features sometimes came with updated terms of service — the legal agreement governing how a vendor can use your data — that created new data usage rights for the vendor, fundamentally shifting the balance of data ownership for millions of businesses. Research consistently shows that a significant proportion of employees enter sensitive business information into generative AI tools, often without understanding what that means for data ownership or privacy.

Salesforce updated its AI terms of service in 2024 to clarify that it does not train its AI models on customer data without consent — but this clarification only came after public pressure from enterprise customers who noticed concerning ambiguity in earlier updates. As TechCrunch reported in March 2024: “Salesforce’s initial AI terms were vague enough that enterprise customers had legitimate reason to worry about how their data would be used to improve Einstein AI features.”

Google and Microsoft followed a similar pattern. Both Google Workspace and Microsoft 365 updated their terms in 2023 to address AI training data usage following scrutiny from enterprise customers and regulators. Google explicitly stated in its Workspace Admin Blog (2023): “We do not use your Google Workspace data to train our AI models without your permission” — an important assurance that not every vendor has been as clear about.

Opt-In vs Opt-Out: Why the Default Setting Is Everything

The critical question when any SaaS platform rolls out an AI feature is: what is the default?

Many vendors choose opt-out defaults because it maximises adoption. According to behavioural economics research published by the National Bureau of Economic Research (NBER), default settings influence uptake rates by 20–50 percentage points — which is precisely why they matter so much in data privacy contexts (Madrian & Shea, NBER, 2001; widely replicated in technology contexts). Privacy regulators, including the UK’s Information Commissioner’s Office (ICO), have issued guidance emphasising that where organisations use personal data for AI training, the burden should be on businesses to ensure appropriate consent mechanisms are in place — not assumed by default.

For your business, this means the responsibility to protect your data rights shifts entirely to you. If you have not checked the AI settings inside your SaaS tools recently, now is a good time to start.


The ‘Free AI’ Trade-Off: When SaaS Platforms Turn Your Data Into Their Asset

When a SaaS platform offers you AI features at no additional cost, it is reasonable to ask: what is the actual price?

Building and fine-tuning AI models is extraordinarily expensive. OpenAI’s GPT-4 was estimated to cost over USD $100 million to train (Wired, 2023). It requires vast quantities of labelled, high-quality, domain-specific data. General internet data produces a general model. But to build an AI that gives useful sales forecasting, customer behaviour predictions, or marketing copy suggestions for a specific industry, vendors need real business data — yours.

When your company’s data is pooled with thousands of others in the same sector, it becomes something the vendor did not have before: a proprietary training corpus that makes their AI substantially more effective than a competitor’s. That improved AI is then sold — sometimes back to you at a premium tier, sometimes to businesses in your own industry. You contributed the raw material; they own the finished product.

Research consistently shows that customers expect companies to understand their unique needs and provide personalised experiences — yet many report feeling treated as a number rather than a person. The irony is sharp: businesses share data with AI tools to deliver more personalised experiences to their own customers, but in doing so, they may be funding a competitor’s ability to do the same thing more effectively.

This does not mean AI features are not worth using. It means you should go in with clear eyes about what you are exchanging. Understanding how AI tools can work in your favour — rather than against you — is exactly where a clear digital strategy makes the difference.

Key Takeaway: When a SaaS platform offers AI features for free, the business data you generate inside that platform is frequently part of the exchange — used to train or improve models that the vendor then monetises independently.


Data Portability and Vendor Lock-In: What Happens When You Leave

Most businesses discover their data portability problem at the worst possible moment — when they are trying to switch platforms under time pressure, or when a vendor announces a price increase that forces a decision. Vendor lock-in — where switching costs are high enough to keep you with a provider even when you would prefer to leave — is a widely documented risk, with migration expenses frequently exceeding initial estimates by a significant margin.

Data portability is the ability to extract your data from a platform in a usable, machine-readable format and transfer it to another system without significant loss of fidelity or functionality. It is a foundational data right — and one that is inconsistently honoured across the SaaS industry.

The practical questions you should be able to answer right now for each of your critical SaaS tools:

Internationally, GDPR Article 20 — part of Europe’s General Data Protection Regulation — establishes a legal right to data portability for individuals in the EU. Australia’s Consumer Data Right (CDR) is the local equivalent, currently extending across banking, energy, and telecommunications. Neither regulation gives businesses the same sweeping rights that individuals have — an important limitation to understand. As the Australian Competition and Consumer Commission (ACCC) has noted, extending the CDR to additional sectors — including digital platforms — remains an active policy priority for 2024–2025 (ACCC, CDR Strategic Assessment, 2023).

The practical safeguard? Regularly export your own data on a scheduled basis, regardless of any contractual rights you believe you hold.


Privacy Act Compliance When SaaS Vendors Handle Your Business Data

If you are an Australian business with an annual turnover above AUD $3 million, the Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to how you handle personal information — including how it is handled by third-party SaaS vendors acting on your behalf (OAIC).

The Australian Privacy Principles (APPs) are 13 legally binding principles under the Privacy Act 1988 that govern how Australian businesses collect, store, use, and disclose personal information — including information held or processed by third-party service providers on a business’s behalf.

This is the shared responsibility model, and it catches many businesses off guard. You cannot outsource your privacy obligations by signing a SaaS contract. If your CRM provider mishandles your customers’ personal information, your business can face regulatory action, not just the vendor. The OAIC has made this position explicit: “An APP entity remains accountable for the personal information it discloses to a third party service provider, including a cloud service provider, even if the entity no longer has direct control over that information” (OAIC, Cloud Computing and the Australian Privacy Principles, updated 2023).

Key obligations that apply directly to SaaS relationships:

Australian Privacy Principle What It Requires
APP 8 — Cross-border disclosure You must take reasonable steps to ensure overseas recipients protect information to a standard comparable to the APPs
APP 11 — Security of personal information You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access — including by third-party processors
APP 5 — Notification Your privacy policy must reflect how data is shared with third-party processors, including overseas vendors

Australia’s Notifiable Data Breaches (NDB) scheme — which requires organisations covered by the Privacy Act to notify affected individuals and the OAIC when a data breach is likely to cause serious harm — recorded 483 breach notifications in the second half of 2023 alone (OAIC, Notifiable Data Breaches Report, H2 2023). IBM’s Cost of a Data Breach Report 2024 found the global average cost of a data breach reached USD $4.88 million — the highest on record — with breaches involving third-party vendors among the costliest categories.

The proposed Privacy Act reforms (progressing through 2024–2025) will raise the bar further, expanding the definition of personal information, introducing a direct right of action for individuals, and tightening requirements around automated decision-making — all of which directly affect businesses using AI-enabled SaaS tools. Australia’s Attorney-General’s Department Privacy Act Review Report (2023) flagged SaaS and cloud services explicitly as a priority area for updated regulatory guidance, noting that “current APP obligations do not always reflect the practical realities of how personal information flows through modern software supply chains.”

Staying across these changes is not optional. If you are using AI-powered marketing tools or AI-enabled SaaS platforms that touch customer data, now is the time to ensure your contracts and internal policies reflect your legal obligations.


How to Audit Your SaaS Stack for Data Ownership Risk: A Practical Checklist

The majority of businesses lack a formal data governance policy that extends to third-party SaaS vendors — meaning most organisations have no clear picture of who controls what. Here is a practical starting point to change that.

Step 1: Map Your SaaS Stack

List every SaaS tool your business uses that handles personal information. Include your CRM, email marketing platform, project management tools, analytics software, customer support systems, and accounting platforms. BetterCloud’s 2023 research found the average organisation used around 130 SaaS applications, yet IT and leadership teams were often unaware of a substantial proportion of them — so cast your net wide (BetterCloud SaaS Trends Report, 2023).

Step 2: Review Each Vendor’s Terms of Service for These Clauses

Step 3: Check AI Feature Settings

Log into each platform and locate the AI settings or data privacy settings. Specifically look for:

Step 4: Request or Review the Data Processing Addendum

A Data Processing Addendum (DPA) is a legally binding contract between a data controller (your business) and a data processor (the SaaS vendor) that specifies the conditions under which personal data is processed, including purpose limitations, security obligations, breach notification requirements, and deletion procedures.

Reputable enterprise-grade vendors (Salesforce, HubSpot, Google, Microsoft) have standard DPAs available. Smaller vendors may require you to request one. The International Association of Privacy Professionals (IAPP) recommends that businesses require DPAs from any vendor that processes personal data on their behalf, regardless of vendor size: “A DPA is not a bureaucratic formality — it is the primary mechanism by which a business retains enforceable rights over data held by a third party” (IAPP, Third-Party Risk Management Guidance, 2023).

Key provisions a DPA should include:

  1. Purpose limitation — data is only processed for the services you have contracted
  2. Sub-processor controls — notification when new sub-processors are added
  3. Data breach notification timelines — typically 72 hours under GDPR; best practice for Australian businesses
  4. Data deletion procedures — confirmed timelines upon termination
  5. Audit rights — your ability to verify compliance

Step 5: Export Your Data Regularly

Set a calendar reminder to export critical data sets from each platform on a quarterly basis. Store these exports in a secure location you control. This protects you against vendor failure, price coercion, and unannounced policy changes.


What Good Looks Like: SaaS Vendors That Handle Data Ownership Transparently

Not all SaaS vendors approach data ownership and data rights the same way. Leading cloud security frameworks and enterprise procurement guidance consistently identify data transparency — including clear sub-processor disclosure and explicit AI data use policies — as a key vendor trust indicator. As Cloud Security Alliance (CSA) CEO Jim Reavis has emphasised: “Transparency about how customer data is used in AI systems is rapidly becoming a baseline expectation, not a differentiator.”

Some markers of a vendor you can trust:

When evaluating new tools, asking vendors these questions before signing is entirely reasonable — and a vendor that cannot answer clearly is telling you something important.

SaaS Vendor Data Transparency: What to Expect vs What to Watch For

Transparency Indicator Green Flag Red Flag
AI training data use Explicitly opt-in; customer data excluded by default Opt-out or silent (assumed consent)
Sub-processor disclosure Public list, change notifications No list available or requires NDA to access
Data Processing Addendum Standard DPA offered proactively No DPA available or refused on request
Post-termination data handling Defined deletion timeline in contract Vague or unspecified retention
Data export capability Machine-readable formats (CSV, JSON) Proprietary formats or export on request only
Data hosting location Disclosed country and data centre “Globally distributed” with no specifics

FAQs About Data Ownership in SaaS Platforms

Do I actually own the data I put into a SaaS platform, or does the vendor have rights over it?

You almost always retain legal ownership of your data — most SaaS contracts explicitly state this. However, ownership and control are different things. The vendor typically holds a broad licence to use, aggregate, and analyse your data to operate and improve their services. That licence can persist even after you leave the platform. Always read the licence grant clauses, not just the ownership statement.

It depends entirely on the vendor’s terms of service and your settings. Some vendors exclude customer data from AI training by default; others include it unless you opt out. Several major vendors (including Salesforce and Google) clarified their AI data policies in 2023–2024 following customer and regulatory pressure (TechCrunch, 2024; Google Workspace Admin Blog, 2023). You should check the AI data settings inside any platform you use and review the current terms — they can change.

What happens to my data if I cancel my SaaS subscription or the vendor shuts down?

Each vendor handles this differently. Some delete your data within 30 days of termination; others retain it for significantly longer. The safest approach is to export your data before cancelling, confirm the vendor’s deletion policy in writing (ideally in a DPA), and keep your own backups regardless. If a vendor cannot tell you clearly what happens to your data post-termination, treat that as a significant red flag.

Under the Privacy Act 1988 and APP 8, you must take reasonable steps to ensure that any overseas recipient of personal information protects it to a standard comparable to the Australian Privacy Principles. The OAIC has confirmed this obligation applies to SaaS and cloud arrangements: “Entering into a contract with an overseas cloud provider does not remove an Australian organisation’s obligations under the Privacy Act” (OAIC, Privacy and Cloud Computing, 2023). A DPA and due diligence review before signing are your primary protections.

How do I find out if a SaaS vendor’s AI features are using my data — and how do I opt out?

Start by checking the platform’s privacy settings and AI-related toggles within your account dashboard. Then review the vendor’s current terms of service and privacy policy, specifically looking for clauses related to “model training,” “improving services,” or “machine learning.” For business-critical tools, request a copy of their DPA before using AI features.

What is a Data Processing Addendum (DPA) and does my business need one with every SaaS vendor?

A DPA is a legally binding contract governing how a vendor processes personal data on your behalf. It specifies the purpose of processing, data security obligations, sub-processor controls, breach notification requirements, and deletion procedures. The IAPP recommends requiring a DPA from any vendor that processes personal data, regardless of the vendor’s size or the volume of data involved (IAPP, 2023). If your SaaS vendor processes any personal information about your customers, staff, or prospects — which most do — you should have a DPA in place. Ask for one before you sign up, not after.


Take Control of Your Business Data Before Someone Else Does

The core message is straightforward: data ownership in SaaS platforms means very little if you are not in control of how that data is actually used. The tools you rely on every day — your CRM, your marketing automation platform, your project management software — all operate under terms that grant vendors significant latitude over how your data is processed, especially now that AI features are embedded throughout.

The good news is that you do not need a legal team to protect your rights. You need a systematic approach: map your SaaS stack, review the key clauses, check AI feature defaults, request DPAs, and export your data regularly. None of those steps require legal expertise — they require attention and follow-through.

The businesses that get this right are the ones that will maintain real, competitive control over their own data assets as AI becomes increasingly central to how every SaaS platform operates.


Are you confident you know what your SaaS vendors are doing with your business data — or are you relying on terms you have never fully read? Book a free strategy call with our team and we will help you identify where the risks sit and what steps to take next.

Already thinking about how AI-powered marketing tools can work for your business without creating unnecessary exposure? We can help you find an approach that delivers real results without putting your data at risk.

See the maths for your practice

A free 30-minute assessment. You leave with an Automation Map: the three highest-value automations for your firm, what they’d save, and what they’d cost.

Book your free assessment

30 minutes · no obligation · yours to keep

Quantum Digital+

We’re an AI operations partner for professional services firms — and we’ve run practices ourselves. Melbourne-based, working with firms worldwide. More about us ›