48% of SaaS applications sit outside IT's management (Productiv, 2024)

305 SaaS applications in the average organization (Zylo, 2026)

83% of employees still have access to a previous employer's account (Beyond Identity, 2022)

Every rejected trial can leave behind an active account, real company data, and a grant that never expires.

what it is

An abandoned SaaS trial is a free trial or evaluation account for a SaaS application that was created for assessment purposes, never formally adopted, and never formally closed.

Trial accounts are typically created by one person, usually a team lead or an individual contributor who wanted to evaluate a tool. They register with a work email address. They load data to test the application's features. After the evaluation, if the tool is not selected, they simply stop using it.

Most vendors do not automatically delete trial accounts after a set period. The trial plan may expire or fall back to a free tier, but the account stays open, the credentials remain valid, and any data loaded during the evaluation stays in the vendor's system. From a security perspective, the account is indistinguishable from an active account.

why it accumulates

Every organization evaluates tools that do not make the final cut. In growing organizations with distributed buying, the number of these evaluations can be significant.

The person who ran the trial views the account as closed because they stopped using it. From the vendor's perspective and from an access perspective, it is still open. No explicit closing action was taken.

There is typically no process for tracking evaluations and ensuring that accounts are formally closed if the tool is not adopted. Tool procurement processes, where they exist, focus on what gets approved and purchased. What gets tested and rejected is not tracked.

The trial account may also have been created by someone who later left the company. Offboarding removes that person from the identity provider, but a trial registered with a work email address and its own password is a standalone vendor account that the identity provider knows nothing about: the password is still valid, the former employee still knows it, and it may be saved in a browser or password manager on a device that left with them. Reset flows that do not depend on the now-deleted mailbox, such as SMS or security questions, keep the account reachable as well.

what it costs you

Data exposure in vendor systems. Data loaded for evaluation purposes, which may include customer records, employee data, internal documents, or financial figures, sits in the vendor's system under no active management. If the vendor experiences a breach, that data is in scope. If the vendor's data practices have changed since the trial, you have no visibility into it and no active agreement governing the data.

Active access with no owner. The credentials for the trial account are known to whoever created it. If that person has left the company, the credentials may have been written down, saved in a browser, or reused elsewhere. An account with no current owner and no monitoring is an access path with no oversight.

GDPR processor exposure. Data loaded into a trial account is data you sent to a processor. GDPR (Article 28) requires a written contract, in practice a Data Processing Agreement, with any processor handling personal data on your behalf. A trial vendor where you loaded customer or employee data for evaluation is a processor. A DPA almost never exists for an informal trial account.

Audit completeness. An inventory of data processors that excludes trial accounts with real data loaded is incomplete. This becomes visible in audits that ask about data flows to third parties.

what works

Most active trial accounts surface through a direct, non-judgmental question to department heads and team leads about what has been evaluated in the past 12 to 18 months. People answer freely when the question carries no blame, and recent memory covers most of the evaluations that left data behind.

The system-side evidence fills in what memory misses. The identity provider's connected-app view shows OAuth grants from applications that appear nowhere on the official tool list, and a grant created months ago with little activity since carries the signature of an evaluation that ended without a closing step. A grant created by an account belonging to a former employee is orphaned whether or not the tool was ever adopted; it needs a new owner or a closure either way. This view only covers trials that were started by signing in through the corporate identity provider. A trial registered with a work email address and its own password leaves no trace there at all, which is why the conversation and the expense records matter.

Expense records add a third angle: a single vendor charge never followed by recurring payments usually marks a paid trial that nobody converted and nobody cancelled.
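The two system-side angles above, as an added example that is not part of the original page: a short Python triage over a connected-app export and an expense ledger. All records, app names, email addresses, field names and thresholds are constructed assumptions; real identity providers expose connected-app data under their own field names and through their own admin consoles, so the first step in practice is mapping an export onto these fields.

```python
"""Triage of identity-provider OAuth grants and expense lines for abandoned trials.

Added example, not code from the page or any vendor. The data below is
constructed; the field names are an assumed export format, not any real IdP's.
"""
from collections import defaultdict
from datetime import date

# Constructed reference data: the official tool list and the leavers list.
SANCTIONED_APPS = {"Slack", "Jira"}
FORMER_EMPLOYEES = {"m.kowalski@example.com"}
TODAY = date(2025, 6, 1)

# Constructed connected-app export: one row per OAuth grant.
OAUTH_GRANTS = [
    {"app": "Slack", "user": "a.nowak@example.com",
     "granted": date(2023, 2, 10), "last_used": date(2025, 5, 30)},
    {"app": "Jira", "user": "m.kowalski@example.com",
     "granted": date(2022, 9, 1), "last_used": date(2025, 5, 28)},
    {"app": "BoardSyncEval", "user": "a.nowak@example.com",
     "granted": date(2024, 11, 3), "last_used": date(2024, 11, 20)},
    {"app": "DataVizTrial", "user": "m.kowalski@example.com",
     "granted": date(2024, 3, 15), "last_used": None},
    {"app": "NewCRMPilot", "user": "j.lis@example.com",
     "granted": date(2025, 5, 20), "last_used": date(2025, 5, 31)},
]

# Constructed expense ledger: vendor charges over the last months.
EXPENSES = [
    {"vendor": "Slack", "date": date(2025, 3, 1), "amount": 420.0},
    {"vendor": "Slack", "date": date(2025, 4, 1), "amount": 420.0},
    {"vendor": "Slack", "date": date(2025, 5, 1), "amount": 420.0},
    {"vendor": "BoardSyncEval", "date": date(2024, 12, 3), "amount": 49.0},
    {"vendor": "NewCRMPilot", "date": date(2025, 5, 20), "amount": 99.0},
]


def flag_grants(grants, sanctioned, former_employees, today,
                min_age_days=60, stale_days=90):
    """Return {app: [reasons]} for grants carrying an abandoned-trial signature.

    Three independent signals, each a reason on its own:
    - the app is not on the official tool list;
    - the grant is old enough to be past an evaluation and has been idle since;
    - the granting account belongs to someone who has left (orphaned regardless
      of whether the tool was adopted, so sanctioned apps are reported too).
    """
    findings = defaultdict(list)
    for g in grants:
        reasons = []
        if g["app"] not in sanctioned:
            reasons.append("not on the official tool list")
        age = (today - g["granted"]).days
        # A grant that was never used is idle for its whole lifetime.
        idle = (today - g["last_used"]).days if g["last_used"] else age
        if age >= min_age_days and idle >= stale_days:
            reasons.append(f"granted {age} days ago, idle {idle} days")
        if g["user"] in former_employees:
            reasons.append(f"owner {g['user']} has left; orphaned regardless of adoption")
        if reasons:
            findings[g["app"]].extend(reasons)
    return dict(findings)


def flag_one_off_charges(expenses, today, min_age_days=60):
    """Return {vendor: charge_date} for vendors charged exactly once, long enough
    ago that a recurring payment would have followed by now."""
    by_vendor = defaultdict(list)
    for e in expenses:
        by_vendor[e["vendor"]].append(e["date"])
    return {vendor: dates[0] for vendor, dates in by_vendor.items()
            if len(dates) == 1 and (today - dates[0]).days >= min_age_days}


def triage(grants, expenses, sanctioned, former_employees, today):
    """Merge both angles into one worklist of apps that need a closure decision."""
    findings = flag_grants(grants, sanctioned, former_employees, today)
    for vendor, charged in flag_one_off_charges(expenses, today).items():
        findings.setdefault(vendor, []).append(
            f"single charge on {charged.isoformat()}, never recurred")
    return findings


if __name__ == "__main__":
    for app, reasons in sorted(triage(OAUTH_GRANTS, EXPENSES, SANCTIONED_APPS,
                                      FORMER_EMPLOYEES, TODAY).items()):
        print(app)
        for r in reasons:
            print("  -", r)
```

The former employee's Jira grant is reported alongside the trials on purpose: it is not an abandoned evaluation, but it is an access path with no current owner, and the worklist is for closure decisions, not only for deletions. NewCRMPilot is flagged only as "not on the list" because twelve days is too early to call it stale; the thresholds are the knobs to tune against your own evaluation habits.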

Explicit closure is what separates a finished trial from an abandoned one. Each account found gets closed through the vendor's official process rather than simply left unused, because unused and closed are different states with different obligations attached. Where customer or employee data was loaded during the evaluation, written confirmation of deletion from the vendor, covering backups as well as live data, closes the GDPR question as well: the trial vendor was a processor handling personal data, almost certainly without a DPA, and a documented deletion is the cleanest available end to that exposure.

The organizations that stop accumulating new abandoned trials build closure into the evaluation itself. Any trial that involves loading company data ends with a documented account deletion, whether the tool is adopted or rejected. Procurement processes naturally track what gets approved and purchased; extending them to track what was tested and rejected costs little and removes the category at its source.


let's start with a conversation

Most first conversations start with not quite knowing what you have or where to begin. That's normal, and it's exactly where we're useful.

Tell us what prompted this. An upcoming audit, an incident, a client's security questionnaire, or just a sense that things have gotten messy.

We'll take it from there

Julian Machowski
Head of Technical Sales
+48 783 762 997
julian@unshadowit.com