- The average SMB uses 40–80 SaaS tools. Under GDPR, each one that processes personal data is a data processor requiring a signed DPA.
- Most firms have signed DPAs for fewer than 20% of their active SaaS tools — and actively monitor access for even fewer.
- A four-step afternoon audit (inventory → classify → risk-score → consolidate) closes the most critical gaps without requiring a full security team.
- Platform consolidation reduces your attack surface, simplifies your DPA obligations, and cuts the ongoing access review burden significantly.
Technology adoption in professional services firms has a predictable pattern. An individual discovers a useful tool — a project management app, a document sharing service, a scheduling tool — and starts using it. It spreads to the team. Within six months it is embedded in workflows, processing client data, and generating costs that appear on a dozen different credit card statements from a dozen different employees. Nobody in IT or compliance approved it. Nobody knows it exists. And nobody has a DPA with the vendor.
Repeat this pattern forty or fifty times and you have the typical SMB SaaS stack in 2026: a sprawling collection of tools that individually seem harmless, collectively represent a significant data exposure, and nobody has a complete picture of. The 2025 Zylo SaaS Management Index found the average 500-person company manages 269 SaaS applications — but employees self-report using significantly more tools than IT knows about, because a substantial portion of SaaS adoption happens outside any procurement or approval process.
For law firms, accounting practices, financial advisers, and consultancies — firms that handle client confidential data, personal financial data, or regulated information — this is not an operational inconvenience. It is a compliance and security liability that is growing every month that the inventory is left unmade.
This article gives you a practical, one-afternoon process for auditing your SaaS stack, scoring the risk of each tool, and making rational decisions about consolidation and remediation. You don’t need a security team. You need a spreadsheet, a few hours, and the willingness to ask uncomfortable questions.
Step 1: Build the inventory (60 minutes)
The first step is the most important and the most frequently skipped: getting a complete list of every SaaS tool your firm actually uses, not just the ones IT knows about. These are different lists. Getting to the real list requires checking in more places than most people expect.
Finance and credit card statements
Pull the last 90 days of transactions from every business credit card and bank account used for software purchases. Search for recurring charges. SaaS subscriptions are typically monthly or annual — the recurring nature makes them identifiable. This catches a large fraction of shadow IT purchases.
Browser extension and OAuth grants
Check the OAuth applications authorised against your Google Workspace or Microsoft 365 tenant (admin console → Security → API permissions / Connected apps). Every tool your staff has signed into with “Sign in with Google” or “Sign in with Microsoft” appears here, and many will have been granted access to email, calendar, or documents. This list is often longer and more surprising than the finance list.
Ask your staff directly
Send a short survey: “What tools do you use to do your work that aren’t listed on this [known-tools list]?” Offer a no-blame framing — you are conducting an audit, not looking for violations. You will discover tools that appear nowhere in financial records because staff are using free tiers or personal accounts to do work-related tasks.
IT ticket history and helpdesk records
Search your helpdesk history for setup and access requests — “I need access to X”, “how do I connect X to Y”, “X won’t let me log in”. Tool names appear naturally in support requests and give you a record of what has been actively used in the past 12 months.
Compile everything into a spreadsheet. For each tool, record: tool name, vendor, primary user or owner, estimated number of users at your firm, monthly cost (if known), and a brief description of what it’s used for. Don’t worry about risk scoring yet — just get everything into one place first.
Step 2: Classify by data type (30 minutes)
Not all SaaS tools are equally risky. A subscription to a read-only market data feed is materially different from a CRM containing client contact details, matter notes, and financial positions. The risk of a given tool is driven primarily by what data it processes. Your job in this step is to classify each tool on your inventory by the most sensitive data type it touches.
| Tier | Data type | Examples | DPA required |
|---|---|---|---|
| Tier 1 — Regulated | Personal financial data, health, legal matter data, AML records | Client CRM, AML platform, matter management | Mandatory |
| Tier 2 — Personal | Employee PII, client contact details, email addresses | HR system, email marketing, scheduling tools | Required |
| Tier 3 — Confidential | Internal documents, commercial proposals, pricing | Document storage, proposals, project management | Recommended |
| Tier 4 — Internal | Non-personal operational data, aggregated metrics | Analytics, read-only market data, monitoring | Optional |
| Tier 5 — Public | Public information only, no personal or confidential data | Status pages, public calendars, reference tools | Not needed |
Add the tier classification to each row in your inventory. This step takes 30 minutes for most firms. The output tells you which tools carry meaningful compliance obligations and which can be deprioritised. Focus your remaining effort on Tier 1 and Tier 2 tools.
Step 3: Risk-score each Tier 1 and Tier 2 tool (45 minutes)
For each tool in Tier 1 or Tier 2, answer four questions. Each question is scored as a risk indicator: if the answer is “no” or “unknown”, the tool has an unresolved risk that requires action.
- Is there a signed Data Processing Agreement with this vendor on file, executed in the last 3 years, that covers the specific processing activities your firm uses it for?
- Have you reviewed and documented who at your firm has access to this tool in the last 12 months? Are former employees deprovisioned?
- Is the vendor’s security posture documented? Do they have SOC 2 Type II, ISO 27001, or equivalent? When did you last check?
- If the vendor suffered a data breach today, could you identify what client personal data was at risk, notify affected data subjects within 72 hours, and produce a report for your DPA?
Each “no” or “unknown” answer is a gap. A Tier 1 tool with three or four “no” answers is a high-priority remediation item. Record the score for each tool. You now have a risk-ranked list of your SaaS estate that prioritises action based on actual exposure rather than vendor size or monthly cost.
Common findings at this stage include: a widely used document sharing tool with no DPA, an AI writing assistant that has been granted access to staff email accounts and processes client correspondence, and a project management tool used to track client matters that has never had an access review. These are not unusual — they are the norm in most professional services firms that have not previously conducted this audit.
Step 4: Consolidate and remediate (ongoing)
The output of your afternoon audit is a prioritised action list. The actions fall into three categories: remediate (get the DPA signed, do the access review, document the transfer mechanism), replace (this tool processes sensitive data but can’t pass the four-question test — find an alternative), or remove (this tool is not essential and the risk outweighs the benefit).
The consolidation opportunity is significant. Most firms that complete this audit discover they have multiple tools performing overlapping functions — two document sharing platforms, three project management tools, four different ways of tracking client interactions. Each is a separate vendor relationship, a separate DPA to maintain, a separate access review to run, a separate breach notification chain to manage.
Consolidating from 40 tools to 20 does not just reduce cost — it halves your DPA maintenance burden, halves your access review scope, halves the number of breach notification chains you need to manage, and halves the number of integrations that can fail, leak data, or be exploited. The security benefit of consolidation is often larger than the cost saving.
The platform consolidation case is strongest for the cluster of tools that professional services firms use most intensively: client relationship management, internal messaging, document management, project and matter tracking, invoicing, and time recording. These are the tools most likely to contain Tier 1 data. They are also the tools where a consolidated, compliance-grade platform — with a single DPA, unified RBAC, shared audit trail, and one access review — delivers the most risk reduction per tool replaced.
The access review finding: The most common critical finding in a SaaS audit is former employees who still have active accounts. In a 2024 study by Productiv, 67% of deprovisioning reviews found at least one former employee with active SaaS access. At Tier 1 tools — those processing client personal data — this is a reportable GDPR incident if exploited. Adding a 30-day offboarding check to your HR process for every tool on your Tier 1 inventory costs almost nothing and closes one of the most common breach vectors.
Building the ongoing practice: from one-time audit to continuous posture
A one-afternoon audit is a starting point, not a destination. SaaS stacks grow continuously — new tools are adopted, integrations are added, staff change roles and accumulate access. The audit you conduct today will be materially incomplete within 12 months unless you build a lightweight ongoing practice around it.
The minimum viable ongoing practice has three components. First, a procurement gate: any new SaaS tool that processes personal data requires a DPA to be in place before it is adopted, not after. This gate does not need to be bureaucratic — most reputable vendors have a standard DPA available on request or on their website. The gate is simply the habit of asking the question before signing up, not after.
Second, a quarterly access review for all Tier 1 and Tier 2 tools. This is a 30-minute exercise per tool: pull the user list, cross-reference against current staff, deprovision anyone who has left or changed roles. Quarterly is the minimum cadence that most regulators consider adequate. Monthly is better for tools that process financial or health data.
Third, a vendor security notification subscription: sign up for breach and status notifications from every Tier 1 vendor. Most provide these via email or RSS. When a vendor notifies you of a security incident, you have at most 72 hours to assess whether client personal data was affected and notify your data protection authority. You cannot meet that timeline if you learn about an incident from a news article three days later.
These three practices — procurement gate, quarterly access review, breach notification subscription — are sufficient to maintain a defensible compliance posture for a small professional services firm operating a rationalised SaaS stack. They require no dedicated security staff and no specialist tooling. They require only the discipline to make them routine.
One platform instead of forty data processors
HubSecure consolidates the core tools regulated firms use most — client management, messaging, documents, billing, time tracking — under one DPA, one RBAC model, and one audit trail. Fewer vendors. Smaller attack surface. Simpler compliance.
Reserve your founding seat