compliance7

Getting an enterprise SaaS deal unstuck from legal review

Our enterprise SaaS deal went quiet in legal review with budget already approved. Here's the exact DPA package that got procurement moving again in 48 hours instead of weeks.

An enterprise SaaS deal stuck in legal review almost never dies from a "no." It dies from silence. The champion goes quiet, the calendar invite you sent gets no response, and you're left guessing whether the deal is moving through internal approval or just gone. Here's what actually happened the week our biggest deal of the quarter went quiet in legal, and the exact sequence that got it moving again in two days.

The deal was verbally done, then it stalled in legal review

The champion had said yes. Budget was approved, the VP had nodded along in the final demo, and the mutual action plan had a signature date circled three weeks out. Then nothing. No reply to two follow-up emails. No movement in the shared deal room.

This is the moment most founders panic and either go silent themselves (waiting politely) or start pinging the champion daily (which reads as desperate). Neither works. What we didn't know yet was that the deal hadn't cooled. It had hit procurement, and procurement had a question nobody on our side had prepared an answer for: where does the data processing agreement stand, and who at legal has reviewed our subprocessor list.

This is not a rare failure mode. Enterprise SaaS deals in the $100K-$500K ACV range typically run 90-180 days, and negotiation and legal review is consistently the stage most likely to blow past its target window, with procurement, security review, and contract redlines named as the top bottleneck at that stage. Custom DPA negotiations alone extend sales cycles by 4 to 12 weeks on average when they're handled reactively instead of prepared for in advance.

The mistake: treating legal review as the champion's job

We had assumed our champion would flag the DPA requirement to us before it became a blocker. That assumption was the actual mistake, not the DPA itself.

Champions are not lawyers, and they are usually not even in the room when procurement and legal compare notes internally. By the time a DPA gap surfaces on the buyer's side, it has already been sitting in someone's inbox for days, quietly aging the deal without anyone on the vendor side knowing. The champion isn't hiding it from you. They genuinely don't know it's urgent, because to them it looks like routine paperwork, not a deal-blocking dependency.

The fix isn't to trust the champion to escalate. It's to hand them something they can forward with zero effort on their part.

What we sent, and why it worked

We didn't call. We didn't ask "just checking in, any update?" We sent a single email to the champion with three attachments already prepared: a signed, standard-form DPA covering GDPR Article 28 requirements (built from the same checklist of clauses we now keep ready before any enterprise conversation starts), a public subprocessor list with the last-updated date visible, and a one-page security summary answering the five questions every procurement team asks first.

The subject line named the blocker directly: "DPA and subprocessor docs for [buyer's legal team], ready to forward." That specificity mattered. A vague check-in gives the champion nothing to act on. A ready-to-forward package gives them a five-second task instead of a research project.

Within four hours, the champion forwarded it to their legal contact directly. Within 48 hours, legal came back with two minor redline requests on liability language, which we resolved same-day using pre-approved fallback positions we'd already worked out for exactly this scenario. The deal closed the following week.

The real fix happens before the deal, not during it

The 48-hour recovery worked because the materials already existed. If we'd had to draft a DPA from scratch after the silence started, the same fix would have taken two to three weeks instead of two days, which is roughly the gap procurement teams report between vendors who show up prepared and vendors who scramble after the fact.

Security and compliance teams that give buyers self-serve access to this material see security review complete meaningfully faster, with one independent analysis putting the gap at 81% faster completion when documentation is proactively available versus requested and produced on demand. The lesson isn't "build a fancy trust portal." At an early stage, it's simpler: have your DPA, subprocessor list, and a response ready for the security questionnaire sitting in a folder, signed and current, before your first enterprise conversation starts. When procurement asks, you forward, you don't draft.

The other half of the fix is upstream of the DPA entirely: know before you need to know. Deals with three or more stakeholders engaged directly close at roughly triple the rate of single-threaded deals. If we'd had a direct line to someone on the buyer's legal or security team from week one instead of routing everything through the champion, we'd have heard about the DPA requirement before it ever became a silence.

What to do this week

Pull up your last three deals that went quiet during legal or procurement. Check whether the delay was actually a "no," or whether it was a document nobody had ready. If it's the latter pattern more than once, stop treating your DPA and security docs as something you produce on request. Draft them now, get them signed once, and keep them in a folder you can attach to an email in under a minute. The next time a deal goes quiet, that's the difference between a two-day recovery and a lost quarter.

Frequently asked questions

How long does a stalled enterprise SaaS deal usually take to recover?

It depends entirely on whether the blocking document already exists. If your DPA and security materials are pre-built, expect 48-72 hours once you identify the actual blocker. If you're drafting from scratch, expect 2-4 weeks, consistent with average custom DPA negotiation timelines.

How do I find out why a deal actually went quiet?

Don't ask the champion "any update?" Ask a specific, closed-ended question instead: "Has this moved to legal or security review on your end?" That question is easy to answer yes or no to, and it surfaces the real blocker instead of a vague "still reviewing internally."

Should I have a DPA ready before I even have enterprise prospects?

Yes, once you're closing deals above roughly $50K ACV or targeting companies with a dedicated legal or procurement function. Waiting until the first request means drafting under deal pressure, which is when mistakes and unnecessary delay both happen.

What's the single highest-leverage document to have ready in advance?

A signed, standard-form DPA with your subprocessor list attached. It's the document procurement asks for earliest and most consistently, ahead of even a full security questionnaire response.

Is this only a GDPR issue, or does it apply to US-only deals too?

It applies broadly. CCPA-covered buyers ask for equivalent service-provider terms, and even buyers with no specific regulatory trigger increasingly expect a DPA as a baseline maturity signal during procurement.

What if legal comes back with redlines I haven't seen before?

Keep a running list of every redline request you've resolved before, with the language that worked. Most procurement teams ask for the same handful of changes: audit rights, breach notification windows, and liability caps. Having pre-approved fallback positions for those three turns a multi-day negotiation into a same-day reply.

If your deal has gone quiet in legal review right now, the fastest path back is rarely a follow-up email. It's removing the reason for the silence entirely.

Read enough.
Ready to grow?

19 spots in the cohort. Applications open now.