
Ah, OK. Makes more sense now. Still, requiring ISO compliance from a small business sounds like madness. An audit ought to be enough.


Again, makes total sense from the perspective of an American legal department. They're falling back on the tools they know to de-risk vendors, which is formal certifications and accreditations. ISO, SOC, etc. The lawyers are going to be extra twitchy because of how vague and hand-wave-y GDPR is.

An actual compliance audit from an accredited auditor, paid for by the SaaS offering of course, is not going to be cheap or easy.



