IT Services Agreement (Malaysia)

IT SERVICES AGREEMENT

Contracts Act 1950 (Act 136) | Communications and Multimedia Act 1998 | Personal Data Protection Act 2010

THIS IT SERVICES AGREEMENT is made on [Effective Date]

BETWEEN:

(1) [Provider Name] (SSM No.: [Provider Number]) of [Provider Address] ("Service Provider"); AND

(2) [Client Name] (SSM No.: [Client Number]) of [Client Address] ("Client").

1. SERVICES

1.1 The Service Provider shall provide the following IT services to the Client ("Services"): [Services Description]

1.2 Services shall commence on [Start Date] and continue for an initial term of [Contract Term], and thereafter shall continue on a month-to-month basis until terminated.

2. SERVICE LEVEL AGREEMENT

2.1 The Service Provider guarantees a system uptime of [Uptime Guarantee] measured on a monthly basis, excluding scheduled maintenance windows notified at least 48 hours in advance.

2.2 Critical incidents (system down or severe performance degradation) shall receive a response within [Critical Response Time] of notification.

2.3 Where the Service Provider fails to meet the agreed service levels, the Client shall be entitled to service credits of [Service Credit Rate]. Service credits are the Client's sole remedy for SLA breaches, subject to the limitation of liability provisions.

3. FEES AND PAYMENT

3.1 The Client shall pay the Service Provider a monthly retainer of [Monthly Fee], exclusive of Service Tax at 8% under the Service Tax Act 2018 (where applicable).

3.2 Payment shall be due on the [Payment Day] of each calendar month upon receipt of the Service Provider's invoice.

4. DATA PROTECTION

4.1 Both Parties shall comply with the Personal Data Protection Act 2010 (PDPA 2010, Act 709) in relation to any personal data processed in connection with the Services.

4.2 The Service Provider shall process the Client's data only on the Client's written instructions, implement the Security Principle under Section 9 of the PDPA 2010, and notify the Client promptly of any actual or suspected data breach.

5. TERMINATION

5.1 Either Party may terminate this Agreement for convenience by giving [Notice Period] written notice to the other Party.

5.2 Either Party may terminate this Agreement immediately upon written notice for material breach that remains uncured for 14 days after written notice of such breach.

5.3 Upon termination, the Service Provider shall cooperate in the transition of Services to the Client or a replacement provider and return all Client data within 30 days.

6. GOVERNING LAW

6.1 This Agreement is governed by the laws of Malaysia. Disputes shall be referred to the courts of Malaysia or, if mutually agreed, to arbitration at the Asian International Arbitration Centre (AIAC).

Authorised Signatory (Service Provider)

________________

Signature

Authorised Signatory (Client)

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is an IT Services Agreement (Malaysia)?

An IT Services Agreement in Malaysia records the terms the parties accept and the commitments each makes to the other.

The regulatory framework applicable to IT services in Malaysia includes the Communications and Multimedia Act 1998 (Act 588), administered by the Malaysian Communications and Multimedia Commission (MCMC), which governs network facilities and services. IT service providers delivering network services or application services may require licences under the Communications and Multimedia Act 1998. The Computer Crimes Act 1997 (Act 563) is also relevant, establishing criminal liability for unauthorised access to computer systems, which has implications for IT service providers who access client systems remotely.

Where an IT Services Agreement involves the processing of personal data — including employee records, customer data, or transaction data — both parties must comply with the Personal Data Protection Act 2010 (PDPA 2010, Act 709). The client, as the data user, is primarily responsible for PDPA compliance, but the IT service provider, as a data processor with access to personal data, must implement adequate technical and organisational security measures as required by the Security Principle under Section 9 of the PDPA 2010.

Bank Negara Malaysia's (BNM) Risk Management in Technology (RMiT) Policy Document, issued in January 2020, applies to financial institutions and requires licensed banks, insurers, and payment service providers to impose technology risk management obligations on their third-party IT service providers through contractual controls. IT service providers engaged by BNM-regulated entities must comply with the outsourcing requirements under the RMiT, including provisions on data residency (requiring critical data to remain in Malaysia), audit rights, and business continuity planning.

The legal framework governing an IT Services Agreement in Malaysia draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing an IT Services Agreement in Malaysia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2016 (Act 777) sets the foundational requirements.

When Do You Need an IT Services Agreement (Malaysia)?

An IT Services Agreement in Malaysia is required whenever a company engages an external IT service provider to manage, support, or maintain its technology infrastructure or systems.

An IT Services Agreement is needed when a Malaysian company outsources its IT function to a managed service provider (MSP) — covering network management, server maintenance, endpoint security, and helpdesk services. The agreement establishes service levels, response time obligations, and escalation procedures.

An IT Services Agreement is required when a company migrates to a cloud platform through a Malaysian cloud service provider or a global provider such as Microsoft Azure, Amazon Web Services (AWS), or Google Cloud, with the Malaysian entity entering a local IT services agreement for implementation, migration, and ongoing management services.

An IT Services Agreement is needed when a financial institution regulated by Bank Negara Malaysia (BNM) engages a technology service provider, as BNM's Risk Management in Technology (RMiT) Policy Document requires formal contracts covering security standards, audit rights, data residency, and exit management.

An IT Services Agreement is required when a company engages an IT firm to provide cybersecurity services — including penetration testing, vulnerability assessment, security operations centre (SOC) monitoring, or incident response — particularly given the increasing frequency of cyber incidents reported to CyberSecurity Malaysia (a government agency under the Ministry of Digital Malaysia).

An IT Services Agreement is needed when a Multimedia Super Corridor (MSC Malaysia) status company engages technology service providers, as the MSC Bill of Guarantees requires protection of intellectual property and specific contractual standards for technology transactions within the MSC ecosystem.

Parties in Malaysia should prepare an IT Services Agreement proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

What to Include in Your IT Services Agreement (Malaysia)

A valid IT Services Agreement in Malaysia under the Contracts Act 1950 must contain the following essential elements.

Parties and Scope: Full legal names and SSM registration numbers of the IT service provider and client. A precise description of the IT services to be provided, including whether the engagement is for managed services (ongoing), project-based, or ad hoc support.

Service Level Agreement (SLA): Defined service levels including system uptime guarantees (e.g., 99.5% monthly availability), incident response times categorised by severity, resolution timeframes, and reporting obligations. Service credits or remedies for SLA breaches should be specified.

Fees and Payment: Total fees or monthly retainer in Malaysian Ringgit (RM), invoicing frequency, payment terms (typically net 30 days), and Service Tax obligations under the Service Tax Act 2018 at 8% for taxable IT services where the provider's turnover exceeds RM 500,000.

Confidentiality and Data Protection: Obligations to maintain confidentiality of client data and systems information. PDPA 2010 compliance obligations for the IT provider as a data processor, including the Security Principle under Section 9 of the PDPA 2010 and data breach notification obligations.

Security Requirements: Specific cybersecurity standards the IT provider must maintain, including compliance with any applicable BNM RMiT requirements, ISO 27001 certification obligations, and penetration testing schedules for clients in regulated industries.

IP Ownership: Ownership of any tools, scripts, or configurations developed specifically for the client during the engagement. Generally, pre-existing tools and methodologies remain the provider's property, while client-specific deliverables are assigned to the client.

Term, Termination, and Exit Management: Contract duration, renewal terms, grounds for termination (for cause and for convenience), notice periods, and an exit management plan specifying data return, system handover, and transition assistance obligations upon termination.

Limitation of Liability: Caps on the IT provider's aggregate liability (commonly limited to three to six months' fees) and exclusions for indirect or consequential losses, subject to exceptions for fraud, wilful default, and data protection breaches.

Additional compliance elements for an IT Services Agreement used in Malaysia include: Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.

Based on Companies Act 2016 (Act 777) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.