Cloud Services Agreement (Hong Kong)

CLOUD SERVICES AGREEMENT

Personal Data (Privacy) Ordinance (Cap. 486), Hong Kong SAR

This Cloud Services Agreement is entered into on [Agreement Date] between:

(1) [Provider Name] (CRN: [Provider CRN]) of [Provider Address] (“the Provider”); and

(2) [Customer Name] (CRN: [Customer CRN]) of [Customer Address] (“the Customer”).

1. CLOUD SERVICES

1.1 The Provider agrees to provide [Service Type] services to the Customer as described in this Agreement.

1.2 Service description: [Service Description].

1.3 Data centre location(s): [Data Centre Location]. The Provider shall not move Customer data outside the specified location(s) without the Customer’s prior written consent.

1.4 The initial contract term is [Contract Term] from the date of this Agreement, automatically renewing for successive 12-month periods unless either Party gives at least 90 days’ written notice before the end of the then-current term.

1.5 The Provider shall perform all services with reasonable care and skill in accordance with the Supply of Services (Implied Terms) Ordinance (Cap. 457).

2. SERVICE LEVELS

2.1 The Provider guarantees [Uptime Commitment] availability of the services, measured monthly, excluding scheduled maintenance windows notified at least 48 hours in advance.

2.2 Support is available during [Support Hours]. Severity 1 incidents (service unavailable) shall receive initial response within 30 minutes.

2.3 If the Provider fails to meet the uptime commitment in any calendar month, the Customer is entitled to a service credit of [Service Credit Rate] of the monthly fee for each full 0.1% below the committed level, capped at 100% of the monthly fee.

3. FEES AND PAYMENT

3.1 The Customer shall pay [Monthly Fee] per month. No GST or VAT applies in Hong Kong.

3.2 Payment terms: [Payment Terms]. Invoices are due within 30 days of issue.

3.3 Late payments attract interest at [Late Penalty Rate]% per month on overdue amounts.

3.4 The Provider may suspend services if any invoice remains unpaid for more than 30 days after the due date, upon 14 days’ written notice.

4. DATA PROTECTION

4.1 Personal data processing: [Personal Data Processed]. Categories of personal data: [Data Categories].

4.2 The Provider shall comply with the Personal Data (Privacy) Ordinance (Cap. 486) and its Data Protection Principles. The Provider shall process personal data only on the Customer’s documented instructions (DPP 3) and implement appropriate security measures (DPP 4).

4.3 The Provider shall notify the Customer without undue delay upon becoming aware of any actual or suspected data breach and provide reasonable assistance in investigating and remediating the breach.

4.4 The Provider shall assist the Customer in responding to data access and correction requests under DPP 6 of the PDPO.

5. INTELLECTUAL PROPERTY AND DATA OWNERSHIP

5.1 The Customer retains all intellectual property rights in its data, content, and configurations stored on the Provider’s platform.

5.2 The Provider retains all intellectual property rights in its platform, software, infrastructure, and documentation.

5.3 Nothing in this Agreement transfers ownership of either Party’s intellectual property to the other Party.

6. TERMINATION AND DATA EXIT

6.1 Either Party may terminate this Agreement for material breach not remedied within 30 days of written notice, or upon insolvency of the other Party.

6.2 Upon termination, the Provider shall make all Customer data available for export in a standard machine-readable format for a transition period of 60 days.

6.3 After the transition period, the Provider shall permanently delete all Customer data from its systems within 30 days and provide written certification of deletion, consistent with DPP 2 of the PDPO.

7. GOVERNING LAW AND DISPUTES

7.1 This Agreement is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China.

7.2 Disputes: [Dispute Resolution]. If HKIAC arbitration is selected, disputes shall be finally resolved by arbitration under the HKIAC Administered Arbitration Rules, with the seat of arbitration in Hong Kong.

EXECUTION

IN WITNESS WHEREOF, the Parties have executed this Cloud Services Agreement as of the date first written above.

Provider (Authorised Signatory)

________________

Signature

Customer (Authorised Signatory)

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Cloud Services Agreement (Hong Kong)?

A Cloud Services Agreement in Hong Kong sets out the rights and obligations the parties agree to be bound by.

The Personal Data (Privacy) Ordinance (Cap. 486) — administered by the Office of the Privacy Commissioner for Personal Data (PCPD) — is the primary data protection statute in Hong Kong. Schedule 1 of Cap. 486 contains six Data Protection Principles (DPPs) that govern all personal data processing. DPP 4 imposes an obligation on data users (including customers of cloud services) to take all practicable steps to confirm that personal data held by the data user (or on its behalf by a data processor such as a cloud provider) is protected against unauthorised or accidental access, processing, erasure, loss, or use. This obligation requires customers to conduct due diligence on cloud providers' security measures and to include appropriate contractual protections in the cloud services agreement. The PCPD has published specific guidance on cloud computing recommending written contracts specifying data handling obligations, data centre locations, sub-processing arrangements, and incident response procedures.

For regulated entities in Hong Kong, additional sector-specific requirements apply. The Hong Kong Monetary Authority (HKMA) — the central bank and banking regulator — has issued the Supervisory Policy Manual module on technology risk management (TM-G-1) and the cloud computing guidance requiring authorised institutions (banks) to conduct risk assessments, perform due diligence on cloud providers, maintain an exit strategy, and notify the HKMA before outsourcing critical or important operations to cloud providers. The Securities and Futures Commission (SFC) has issued circular guidance on cloud computing for licensed corporations. The Insurance Authority (IA) similarly requires oversight of cloud arrangements by regulated insurers.

Hong Kong imposes no goods and services tax (GST) or value-added tax (VAT), meaning the agreed service fees are the total amounts payable without any consumption tax. All fees should be expressed in Hong Kong Dollars (HKD), though USD pricing is also common for international cloud providers. Payment is typically made by credit card, bank transfer, or direct debit under a subscription arrangement.

The Electronic Transactions Ordinance (Cap. 553) provides the legal framework for electronic contracts and electronic signatures in Hong Kong — cloud services agreements executed electronically are legally binding provided they comply with the requirements of Cap. 553. The Copyright Ordinance (Cap. 528) is relevant where the cloud service involves software licensing — customers should confirm they hold appropriate licences for any software deployed on cloud infrastructure. The Telecommunications Ordinance (Cap. 106) governs telecommunications services in Hong Kong and may be relevant to cloud connectivity and network services.

When Do You Need a Cloud Services Agreement (Hong Kong)?

A Cloud Services Agreement in Hong Kong is needed whenever an organisation engages a cloud provider to host, store, process, or manage data or applications on its behalf. The following specific circumstances each require a properly drafted agreement.

Cloud infrastructure migration: When a Hong Kong business migrates its IT operations to public cloud infrastructure (AWS Asia Pacific Hong Kong, Microsoft Azure Hong Kong, Google Cloud Hong Kong) or to a private or hybrid cloud deployment, the Cloud Services Agreement governs data residency, security standards, service levels, and compliance requirements under the Personal Data (Privacy) Ordinance (Cap. 486) and the Electronic Transactions Ordinance (Cap. 553).

Regulated financial institutions: When a bank, securities broker, or insurer regulated by the Hong Kong Monetary Authority (HKMA), the Securities and Futures Commission (SFC), or the Insurance Authority (IA) engages cloud services, the agreement must comply with the HKMA's Supervisory Policy Manual TM-G-1, the SFC's circular on cloud computing, or the IA's guidance — including requirements for risk assessment, due diligence, contractual protections, notification obligations, and exit strategy documentation.

SaaS business applications: When a Hong Kong organisation subscribes to a Software as a Service (SaaS) application — such as Salesforce CRM, SAP ERP, Workday HR, or Xero accounting — that processes personal data of Hong Kong employees, customers, or counterparties, the SaaS agreement must include PDPO-compliant data processing terms under Cap. 486.

Healthcare cloud services: When a Hong Kong private hospital, medical clinic, or health data platform engages cloud services to store patient medical records or health data, the agreement must address the heightened sensitivity of health data under DPP 3 of Cap. 486 and the requirements of the Private Healthcare Facilities Ordinance (Cap. 633). The PCPD has flagged health data as requiring special care.

Cross-border data processing: When a Hong Kong organisation's cloud services involve data being processed in data centres outside Hong Kong — for example, in Singapore, Japan, or the United States — the agreement must address cross-border data transfer considerations under the PDPO guidance issued by the PCPD, even though Section 33 of Cap. 486 restricting cross-border transfers has not yet been brought into force.

What to Include in Your Cloud Services Agreement (Hong Kong)

A Cloud Services Agreement in Hong Kong should contain the following key elements to be legally effective under the Personal Data (Privacy) Ordinance (Cap. 486), compliant with regulatory guidance from the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC), and sufficient to manage data protection obligations and service quality.

Service Description: A precise definition of the cloud services provided — specifying the service model (IaaS, PaaS, or SaaS), the specific compute, storage, or software functionality, service tiers, and any exclusions or limitations. For regulated institutions, the service description must be sufficiently detailed to satisfy the HKMA’s Supervisory Policy Manual TM-G-1 due diligence requirements.

Service Level Agreement: Uptime commitments (typically 99.9% per calendar month), performance metrics, scheduled maintenance windows (excluded from uptime calculations), support response times tiered by severity (Severity 1 through Severity 4), service credit percentages for SLA breaches, and a cap on total credits. The Supply of Services (Implied Terms) Ordinance (Cap. 457) implies a baseline of reasonable care and skill even where the SLA is silent on a particular obligation.

Data Protection Compliance: The provider’s obligations as a data processor under the Personal Data (Privacy) Ordinance (Cap. 486), including compliance with Data Protection Principles 1 through 6 in Schedule 1 of Cap. 486. DPP 4 security obligations — requiring all practicable steps to protect personal data against unauthorised access, processing, erasure, loss, or use — must be specified in contractual terms. Incident notification requirements (breach notification timelines) and restrictions on onward transfer or secondary use of personal data under DPP 3 should be included.

Data Sovereignty and Residency: Identification of data centre locations where customer data will be stored and processed; whether the provider may transfer data between jurisdictions; the customer’s right to restrict data to specific geographic regions (e.g. Hong Kong, Asia-Pacific); and notification obligations if data centre locations change. For regulated financial institutions, additional data residency requirements from the HKMA apply.

Security Standards: The provider’s obligation to maintain and regularly audit technical and organisational security measures — including encryption at rest and in transit, identity and access management, network security, vulnerability management, penetration testing schedules, and audit log retention. Security incident response procedures and the timeline for notifying the customer following a security event must be specified.

Intellectual Property: Confirmation that the customer retains full ownership of all customer data uploaded to, created within, or processed by the cloud platform. The provider retains ownership of the platform, software, and underlying technology. No licence to the customer’s data beyond what is necessary to provide the services should be granted. Under the Copyright Ordinance (Cap. 528), software licensing terms should be addressed where applicable.

Regulatory Audit Rights: The customer’s right to conduct audits or commission third-party assessments of the provider’s data protection and security practices — a requirement under HKMA guidance for authorised institutions. The provider’s obligation to produce audit reports, certifications (ISO 27001, SOC 2), and regulatory examination assistance.

Termination and Data Exit: The transition period (30-90 days post-termination) during which customer data remains accessible for export; data export format (CSV, JSON, XML, or standard API); permanent deletion obligations and written certification of deletion within a specified period (typically 30 days after the transition period); deletion of backup and archival copies within 90 days; and transition assistance rates if migration support is required. These provisions align with DPP 2 of Cap. 486 (data retention) and the HKMA’s exit strategy requirements for authorised institutions.

Governing Law and Dispute Resolution: Hong Kong law as the governing law; dispute resolution by arbitration under the Hong Kong International Arbitration Centre (HKIAC) pursuant to the Arbitration Ordinance (Cap. 609), or by litigation in the Courts of First Instance; and jurisdiction clauses for interim relief. Forms-legal.com provides a free Cloud Services Agreement template for Hong Kong organisations alongside the related hk-data-processing-agreement and hk-saas-agreement.

Sources & Citations

Statutory citations link to official government sources.

  1. Personal Data (Privacy) Ordinance (Cap. 486)
  2. Electronic Transactions Ordinance (Cap. 553)
  3. Copyright Ordinance (Cap. 528)
  4. Telecommunications Ordinance (Cap. 106)
  5. Private Healthcare Facilities Ordinance (Cap. 633)
  6. Supply of Services (Implied Terms) Ordinance (Cap. 457)
  7. Arbitration Ordinance (Cap. 609)

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Cloud Services Agreement (Hong Kong) (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/intellectual-property/cloud-services-agreement-hong-kong


Based on Personal Data (Privacy) Ordinance (Cap. 486) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.

Related Documents

You may also find these documents useful:

SaaS Agreement (Hong Kong)

A Software as a Service (SaaS) Agreement for Hong Kong governing subscription-based access to cloud-hosted software. Addresses the Supply of Services (Implied Terms) Ordinance (Cap. 457), PDPO (Cap. 486) data protection, service levels, data ownership, and subscription terms. Suitable for B2B SaaS providers and enterprise customers.

IT Services Agreement (Hong Kong)

An IT Services Agreement for Hong Kong covering managed IT services, technical support, system maintenance, and IT consulting. Addresses the Supply of Services (Implied Terms) Ordinance (Cap. 457), PDPO (Cap. 486) data protection obligations, service levels, and IP ownership. Suitable for outsourced IT support, managed services providers, and IT consulting engagements.

Data Processing Agreement (Hong Kong)

A Data Processing Agreement (DPA) governing the processing of personal data by a third-party processor on behalf of an organisation, compliant with the Personal Data (Privacy) Ordinance (Cap. 486) and its six Data Protection Principles. Establishes processor obligations, data handling standards, and security requirements under Hong Kong's PDPO framework.

Service Agreement (Hong Kong)

A general service agreement governing the provision of services between a service provider and client under Hong Kong law, including the Supply of Services (Implied Terms) Ordinance (Cap. 457) and the Personal Data (Privacy) Ordinance (Cap. 486). Suitable for professional, technology, creative, and commercial service engagements. No GST or VAT applies in Hong Kong. HKIAC arbitration clause included.

Non-Disclosure Agreement (Hong Kong)

A confidentiality agreement binding parties to protect proprietary information under Hong Kong common law of confidence and the Personal Data (Privacy) Ordinance (Cap. 486). Suitable for employment, business partnerships, technology licensing, and M&A due diligence contexts in Hong Kong.