Location where data is stored is a paramount criteria for controllers. If servers hosting data are located in the European Union or in an adequate country, data transfers can be operated without additional safeguards as these countries’ legislations are protective enough of personal data and individuals’ rights.
If servers hosting data are not located in the European Union, nor in an adequate country, appropriate legal safeguards compliant with Article 46 of the GDPR must be put in place.
Most used legal safeguards regarding SaaS tools are Standard Contractual Clauses for data transfers. SCCs are templates considered adequate by the European Commission which can be incorporated into any transfer contract.
However, following the decision of the EU Court of Justice known as "Schrems II", data transfers towards certain countries like the US now require complementary measures. For instance: