Case Study: European SaaS Company CAC Security Assessment

The Challenge

Our client, a German enterprise software company, had built a significant presence in China over 10 years. Their project management and collaboration tools were used by over 2.3 million users across 500+ Chinese enterprises.

Like most global SaaS companies, their architecture was centralized—all data processed in EU data centers. This worked fine until China's Personal Information Protection Law (PIPL) took effect in November 2021.

            The Problem: Under PIPL Article 40, data processors handling personal information of more than 1 million individuals must pass a CAC security assessment before transferring data abroad. Our client was well over this threshold.
        

The stakes were high:

¥15M+ annual revenue from Chinese customers at risk
Potential fines up to ¥50M for non-compliance
Reputational damage affecting global enterprise sales
Key customer contracts coming up for renewal

Our Approach

Phase 1: Data Mapping & Classification (6 weeks)

Before any filing, we needed to understand exactly what data was being transferred and why. We worked with the client's engineering and legal teams to:

Map data flows across 15 internal systems
Classify data by sensitivity (personal, sensitive personal, important)
Identify legal bases for each data transfer
Document data retention and deletion practices

Phase 2: Risk Assessment Documentation (4 weeks)

CAC requires a detailed self-assessment covering:

Legality, legitimacy, and necessity of data export
Data recipient's security capabilities
Risks of data leakage, damage, or misuse
Data subjects' ability to exercise rights
Security measures and contractual obligations

Phase 3: Submission & Review (6 months)

We submitted the application to the Shanghai Cyberspace Administration (the local CAC office). The review process involved:

Initial document review and supplementary requests
On-site inspection of local operations
Technical questions about security architecture
Three rounds of clarification and revision

Timeline

Month 1-2

Data Mapping — Catalogued all data flows, identified 47 distinct data categories transferred cross-border

Month 2-3

Risk Assessment — Prepared comprehensive documentation per CAC requirements

Month 3

Submission — Filed application with Shanghai CAC

Month 4

First Review — Received 23 supplementary questions

Month 5

On-site Inspection — CAC team visited Shanghai office

Month 6-7

Clarification Rounds — Addressed technical questions, revised documentation

Month 8

Approval — Received official approval letter

Key Success Factors

1. Thorough Preparation

We spent more time upfront on data mapping than most companies expect. This investment paid off—our initial submission was more complete than average, reducing back-and-forth with regulators.

2. Technical Accuracy

CAC reviewers are technically sophisticated. Vague or inaccurate descriptions of data flows and security measures will be caught. We ensured engineering teams were involved in drafting technical sections.

3. Proactive Communication

We maintained regular contact with the CAC office, responding to queries within 48 hours. This built goodwill and kept the process moving.

            The Result: Full approval granted. The client can continue transferring Chinese user data to EU servers legally. No data localization required. Business continuity maintained.
        

Lessons for Other Companies

Start early. The 8-month timeline was on the faster end. Some cases take 12-18 months.
Don't assume you're exempt. The 1M user threshold applies to cumulative data, not active users.
Data localization isn't always required. CAC assessment is one path; full localization is another. Assessment may be more cost-effective.
Get help from people who've done it. The regulations are new; practical experience matters more than theoretical knowledge.

European SaaS Company: Cross-Border Data Transfer Approval

The Challenge

Our Approach

Timeline

Key Success Factors

Lessons for Other Companies

Facing Similar Challenges?