Skip to content
Nusantech
← Back to insights

Data residency in Southeast Asia: what enterprise buyers should architect for before signing

Insights · Procurement · 8 min read ·

A regional bank we worked with discovered, six months into a customer-360 rollout, that their Indonesian customer events were being processed by an analytics service in the United States. The vendor had not lied. The architecture diagram in the proposal showed "regional cloud" and the contract said "we comply with applicable data protection law." Neither claim was wrong. Both were useless.

The fix took eleven months and three architectural redesigns. It would have taken three weeks if the procurement team had asked five specific questions during vendor selection.

Southeast Asia does not have a single data protection regime. It has five overlapping ones, each with its own definition of "personal data", its own consent rules, and its own thresholds for what triggers a residency or notification obligation. A vendor that says "we comply with APAC data privacy laws" is not telling you anything useful. You have to ask which laws, which clauses, and what happens when they conflict.

This is the architecture checklist we run with clients before signing.

The five regimes that actually bind regional deployments

Each of these has been updated within the last three years. If a vendor's proposal is quoting older versions, that's the first red flag.

  • Singapore - PDPA. Personal Data Protection Act, last substantially amended 2020 (mandatory breach notification, new data portability provisions). Singapore is generally the most permissive jurisdiction for outbound transfers in the region. Many regional architectures use SG as the contracting and data-controller seat for exactly this reason.
  • Indonesia - UU PDP (2022) + PP 71/2019. Personal Data Protection Law (operational from October 2024) overlays a layer of consent and notification rules on top of the existing electronic systems regulation. PP 71/2019 still governs which "public scope" electronic systems must be hosted on Indonesian territory. Public-sector systems and certain regulated sectors (banking, payments, healthcare) face stricter localisation.
  • Vietnam - PDPD (Decree 13/2023). Personal Data Protection Decree, effective July 2023. Introduces a "data impact assessment" filing obligation for cross-border transfers and very broad consent requirements. Foreign vendors regularly underestimate how aggressively the Ministry of Public Security enforces this.
  • Thailand - PDPA (2019, fully enforced 2022). Modelled closely on GDPR. Cross-border transfer rules tied to "adequate protection" determinations. Most regional vendors map Thailand to their EU controls and largely get it right - but the consent UX requirements differ in non-obvious ways.
  • Malaysia - PDPA (2010, amended 2024). The 2024 amendments added mandatory breach notification, data protection officer requirements for certain organisations, and a new cross-border transfer regime that materially changes how regional architectures should be designed for Malaysian data.

Each of these regimes treats five inputs differently: what counts as personal data, when consent is needed, where data can sit, who has to be notified on breach, and what cross-border transfers are allowed. A regional system that ignores any of these will work fine until the first audit, regulatory request, or breach - then it will not.

The architecture decisions that fall out of this

Once you know which regimes you're under, four architectural decisions follow. These have to be made before you choose a vendor, not after.

1. Where does the controller seat sit?

In a multi-country deployment, one entity is usually the data controller and others are processors or joint controllers. The controller seat determines which regulator is your primary authority, which jurisdiction's law governs contractual disputes, and where regulatory filings go. For most regional commercial deployments the controller seat is Singapore. For public-sector workloads or domestically-licensed financial services, the controller seat has to be the operating country.

2. What's the data classification scheme?

You cannot apply different residency rules to different data if you cannot tell the data apart. A classification scheme - typically four tiers like Public, Internal, Confidential, Restricted - has to be embedded in the schema, the API contracts, and the access logs. Adding this after the fact is one of the most expensive remediation programmes we have done.

3. Where do the data stores physically sit, by classification?

The decision is not "where is our cloud region" - it's "for each classification tier, which jurisdictions are acceptable hosts, and which are explicitly excluded." Indonesian public-scope systems must host on Indonesian territory. Singapore PDPA permits transfer to jurisdictions with "comparable protection" - but you have to document the comparability. The vendor's standard architecture diagram is not enough.

4. What flows are allowed, and how are they logged?

Cross-border transfers are not binary. Vietnamese PDPD requires an impact assessment for transfers; Indonesian UU PDP requires consent for most transfers and explicit regulator approval for others; Thai PDPA accepts a smaller set of legal bases. A transfer log that can answer "on date X, which categories of personal data left jurisdiction Y, under what legal basis" is a baseline regulator request - if your system can't produce it in 30 minutes, you have a problem.

Five questions to ask a vendor before signing

If a vendor cannot answer these in writing, with specific references, the architecture is not ready for a regional deployment.

  • For each operating country, which regulator do you treat as primary, and what is your filing history with them? Generic "we comply" answers fail this. You want named regulators (PDPC for SG, KDPR/Kominfo for ID, Ministry of Public Security for VN, PDPC for TH, JPDP for MY) and evidence of actual interaction.
  • What is your data classification scheme, and how is it enforced at the database and API layers? The scheme should be documentable in one page. Enforcement should show up in schema (typed columns), API contracts (explicit attribute lists), and access logs (per-classification queries).
  • For each classification tier, which jurisdictions host the data at rest, and which jurisdictions can process it in flight? This should be a table, not a paragraph. "Restricted - hosted ID, processed ID only. Confidential - hosted SG, processed SG/ID/MY. Internal - hosted SG, processed any APAC."
  • Show me a sample cross-border transfer log. A vendor that has built for this can hand you a redacted sample in a day. A vendor that has not will tell you "we can build that" - which means a 3-6 month delay after contract signing.
  • Who at your firm is the named DPO, and what is their direct contact? UU PDP, PDPD, and amended Malaysian PDPA all require this. A vendor without a named DPO is non-compliant for several of the regimes they will be operating under.

Where build vs buy comes back in

For multinationals with operations across three or more SEA markets, productised SaaS platforms hit a wall on data residency before they hit a wall on functionality. The wall is structural: SaaS pricing models depend on shared infrastructure, and shared infrastructure makes per-jurisdiction residency expensive to enforce. Some vendors absorb this and charge a premium; others promise residency but deliver it via region selection that doesn't survive regulatory scrutiny.

This is where custom-engineered systems contracted from a Singapore entity have a structural advantage. The architecture can be built from the start with the classification scheme, jurisdictional routing, and transfer logging baked in. The procurement contract can name Singapore law as the governing jurisdiction and Singapore courts as the dispute forum - giving the buyer a single, well-understood legal framework regardless of how many operating countries the system runs in.

That's not a sales pitch. It's the actual reason a Fortune Global 100 energy major running operations across six SEA markets contracted a regional platform from Singapore rather than buying off-the-shelf. The residency arithmetic only worked one way.

How to use this on Monday

Pull the architecture diagram from your last regional vendor proposal. Ask yourself:

  1. Can I name which entity in the vendor's group is the controller for each country?
  2. Can I list the data classification tiers and the hosts each tier is permitted on?
  3. Can I produce a sample cross-border transfer log for the last 30 days?
  4. Do I have the named DPO contact for each operating jurisdiction?

If any answer is "no" or "I'd need to ask the vendor," you are not yet at signing readiness. That conversation is faster to have now than after the contract is in force.

If you want help mapping this for a specific deployment, book a 30-minute call.

Get in touch

Tell us about
your project.

We reply within one business day. For procurement and RFP enquiries, we can provide a formal capability statement.

Send project brief →Book a 30-min call

Singapore · Jakarta · Asia-Pacific delivery