Cloud Services Agreement (Malaysia)
CLOUD SERVICES AGREEMENT
Contracts Act 1950 (Malaysia) | Personal Data Protection Act 2010 | Communications and Multimedia Act 1998 | Service Tax Act 2018
THIS CLOUD SERVICES AGREEMENT is made on [Agreement Date]
BETWEEN:
(1) [Provider Name] (SSM No. [Provider SSM]) of [Provider Address] (hereinafter referred to as the "Provider"); AND
(2) [Customer Name] (SSM No. [Customer SSM]) of [Customer Address] (hereinafter referred to as the "Customer").
1. CLOUD SERVICES
1.1 Service Type: [Service Type]
1.2 Service Description: [Service Description]
1.3 Data Hosting Region: [Data Hosting Region]
1.4 The Provider shall make the Services available with a monthly uptime of at least [Uptime Guarantee], calculated excluding scheduled maintenance windows notified to the Customer at least 48 hours in advance.
2. SERVICE LEVEL AGREEMENT (SLA)
2.1 If the Provider fails to meet the uptime guarantee of [Uptime Guarantee] in any calendar month, the Customer shall be entitled to a service credit of [Service Credit], applied against the following month's invoice.
2.2 Service credits are the Customer's minimum remedy for SLA breaches and do not limit the Customer's right to claim actual damages under Section 74 of the Contracts Act 1950 for losses arising from downtime.
3. FEES AND PAYMENT
3.1 The Customer shall pay the Provider a subscription fee of [Subscription Fee] on a [Billing Cycle] basis.
3.2 Service tax at 8% under the Service Tax Act 2018 shall be added to all invoices where applicable.
3.3 The minimum subscription term is [Minimum Term] from the effective date of this Agreement.
4. DATA PROTECTION
4.1 The Provider acts as a data processor on behalf of the Customer in relation to personal data processed through the Services. The Provider shall process personal data only on the documented instructions of the Customer and in compliance with the Personal Data Protection Act 2010 (PDPA 2010).
4.2 The Provider shall implement appropriate technical and organisational security measures, including those required by the PDPA 2010 Security Principle. Security certifications maintained by the Provider: [Security Certification]
4.3 Cross-border data transfers shall comply with Section 129 of the PDPA 2010.
4.4 The Provider shall notify the Customer of any personal data breach within 72 hours of becoming aware, in accordance with the Personal Data Protection (Amendment) Act 2023 breach notification requirements.
5. TERMINATION AND DATA RETURN
5.1 Upon termination of this Agreement, the Provider shall maintain the Customer's access to export all data for [Data Export Period] following the effective date of termination.
5.2 After the data export period, the Provider shall securely delete all Customer data and provide written certification of deletion.
5.3 The Provider shall transfer all access credentials and configuration data to the Customer within 5 business days of termination.
6. GOVERNING LAW AND DISPUTE RESOLUTION
6.1 This Agreement is governed by the laws of Malaysia.
6.2 Disputes shall be resolved by: [Dispute Resolution]
Provider Representative
________________
Signature
Customer Representative
________________
Signature
What Is a Cloud Services Agreement (Malaysia)?
A Cloud Services Agreement in Malaysia sets out the rights and obligations the parties agree to be bound by.
The Personal Data Protection Act 2010 (PDPA 2010) is the primary statute governing the processing of personal data in Malaysia. Cloud service providers that process personal data on behalf of Malaysian clients act as data processors under the PDPA 2010, and the agreement must specify the nature of the data processed, the processing purposes, security measures, and obligations regarding data breach notification. The Department of Personal Data Protection (JPDP) under the Ministry of Communications enforces the PDPA 2010, and non-compliance may result in fines of up to RM500,000 and imprisonment for up to 3 years under Section 130 of the PDPA 2010.
The Communications and Multimedia Act 1998 (CMA 1998) governs the provision of network and application services in Malaysia, administered by the Malaysian Communications and Multimedia Commission (MCMC). Cloud providers offering network services or hosting facilities in Malaysia may require a licence or registration under the CMA 1998 depending on the nature of their services.
Bank Negara Malaysia (BNM) has issued guidelines on cloud services for financial institutions under the Risk Management in Technology (RMiT) Policy Document 2019, which impose specific requirements on financial institutions that use cloud services, including data localisation considerations and cloud provider due diligence. A Cloud Services Agreement for a financial institution customer must address RMiT compliance.
A Malaysia Cloud Services Agreement differs from a general IT services agreement in its specific treatment of uptime guarantees (expressed as a percentage such as 99.9% monthly), service credits for downtime, disaster recovery and business continuity provisions, data portability upon termination, and the cross-border data transfer restrictions under the PDPA 2010 when data is stored in servers outside Malaysia.
The legal framework governing a Cloud Services Agreement in Malaysia draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing a Cloud Services Agreement in Malaysia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2016 (Act 777) sets the foundational requirements.
When Do You Need a Cloud Services Agreement (Malaysia)?
A Malaysia Cloud Services Agreement is required whenever a business engages a cloud service provider to host applications, store data, or provide software over the internet on a commercial basis.
A Cloud Services Agreement is needed when a Malaysian company registered under the Companies Act 2016 subscribes to a SaaS platform — such as an enterprise resource planning (ERP) system, customer relationship management (CRM) tool, or payroll software — that stores Malaysian employee personal data. The PDPA 2010 requires the data controller (the company) to enter into a data processing agreement with the data processor (the SaaS provider).
A Cloud Services Agreement is required when a financial institution regulated by Bank Negara Malaysia (BNM) under the Financial Services Act 2013 or Islamic Financial Services Act 2013 engages a cloud provider under the Risk Management in Technology (RMiT) Policy Document 2019. The RMiT requires financial institutions to conduct due diligence on cloud providers, maintain exit strategies, and negotiate specific contractual provisions addressing data security and regulatory access.
A Cloud Services Agreement is necessary when a healthcare provider regulated under the Private Healthcare Facilities and Services Act 1998 engages a cloud provider to store patient records and medical data. Healthcare data is sensitive personal data under the PDPA 2010, and the agreement must address encryption, access controls, and breach notification obligations.
A Cloud Services Agreement is needed when a Malaysian startup raises venture capital and is required by investors to formalise its cloud infrastructure arrangements, specify uptime SLAs that the business relies upon for revenue generation, and address data portability and exit provisions to protect the company's data assets.
A written Cloud Services Agreement is required when the cloud provider is a foreign entity (such as Amazon Web Services, Microsoft Azure, or Google Cloud) offering services to Malaysian businesses, to specify the applicable law, jurisdiction for disputes, and the provider's obligations under Malaysian data protection law notwithstanding the provider's primary incorporation in another jurisdiction.
What to Include in Your Cloud Services Agreement (Malaysia)
A valid Malaysia Cloud Services Agreement must contain the following essential elements to protect the customer's data, operations, and legal interests.
Parties: Full legal names and Companies Commission of Malaysia (SSM) registration numbers for Malaysian entities under the Companies Act 2016. For foreign providers, the jurisdiction of incorporation and local representative details should be stated.
Service Description: A precise technical description of the cloud services to be provided, including the service tier (SaaS/IaaS/PaaS), geographic region of data hosting, permitted use cases, and any usage limits (storage, compute, API calls, bandwidth).
Service Level Agreement (SLA): The uptime guarantee expressed as a monthly percentage (e.g., 99.9% monthly uptime, equivalent to approximately 43.8 minutes of permitted downtime per month), the definition of downtime, the calculation methodology, and the service credits available to the customer for SLA breaches — typically expressed as a percentage of monthly fees.
Data Protection: Obligations consistent with the Personal Data Protection Act 2010 (PDPA 2010), including the provider's role as data processor, the nature and purpose of data processing, security measures (encryption at rest and in transit, access controls), data breach notification timelines, cross-border data transfer restrictions, and the provider's obligation to process data only on the customer's documented instructions.
Security Standards: Reference to internationally recognised security certifications held by the provider, such as ISO/IEC 27001, SOC 2 Type II, or CSA STAR, confirming that the provider maintains adequate technical and organisational security measures.
Fees and Payment: Monthly or annual subscription fees in Malaysian Ringgit (MYR/RM) or the agreed currency, the billing cycle, invoice payment terms (typically 30 days), applicable Sales and Service Tax (SST) under the Service Tax Act 2018, and provisions for fee adjustments upon renewal.
Data Portability and Termination: The provider's obligation to return or delete all customer data within a specified period (typically 30 days) following termination, in a standard portable format. The customer's right to extract data before termination is critical to avoid vendor lock-in.
Business Continuity and Disaster Recovery: The provider's recovery time objective (RTO) and recovery point objective (RPO) commitments, backup frequency, and the geographic distribution of backup data.
Governing Law: Malaysian law, with disputes referred to the courts of Malaysia or the Asian International Arbitration Centre (AIAC) under the Arbitration Act 2005 (Malaysia).
Additional compliance elements for a Cloud Services Agreement used in Malaysia include the following. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cloud Services Agreement (Malaysia) (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/services/cloud-services-agreement-malaysia
"Cloud Services Agreement (Malaysia) (Malaysia)." Forms Legal, 2026, https://forms-legal.com/malaysia/business/services/cloud-services-agreement-malaysia.
@misc{formslegal-cloud-services-agreement-malaysia,
author = {{Forms Legal}},
title = {Cloud Services Agreement (Malaysia) (Malaysia)},
year = {2026},
howpublished = {\url{https://forms-legal.com/malaysia/business/services/cloud-services-agreement-malaysia}},
note = {Free legal document template. Based on Companies Act 2016 (Act 777)}
}
Frequently Asked Questions
The Personal Data Protection Act 2010 (PDPA 2010) applies to any person who processes personal data in connection with a commercial transaction in Malaysia. Cloud service providers that process personal data of Malaysian data subjects on behalf of their clients act as data processors under the PDPA 2010. The data controller (the client company) is primarily responsible for PDPA 2010 compliance and must enter into a contractual arrangement with the cloud provider requiring the provider to implement appropriate security measures, process data only as instructed, and notify the controller of data breaches. The PDPA 2010 was amended by the Personal Data Protection (Amendment) Act 2023, which introduced mandatory data breach notification requirements. The Department of Personal Data Protection (JPDP) enforces the PDPA 2010, with penalties of up to RM500,000 and/or imprisonment for breaches of the security, retention, and data integrity principles.
A typical Malaysia Cloud Services Agreement includes an uptime guarantee expressed as a monthly percentage — commonly 99.9% (approximately 43.8 minutes of permitted downtime per month), 99.95% (approximately 21.9 minutes), or 99.99% (approximately 4.4 minutes). The SLA should define what constitutes scheduled maintenance (typically excluded from downtime calculations), the monitoring methodology, and the reporting mechanism for customers to raise downtime incidents. Service credits for SLA breaches are typically graduated — for example, 10% of monthly fees for uptime between 99.0% and 99.9%, and 25% of monthly fees for uptime below 99.0%. Customers should ensure that service credits are the minimum remedy, not the exclusive remedy, so that they can also claim actual damages for SLA breaches that cause significant business loss under the Contracts Act 1950.
Malaysian companies can store data outside Malaysia, but must comply with the cross-border data transfer restrictions under the Personal Data Protection Act 2010 (PDPA 2010). Section 129 of the PDPA 2010 prohibits the transfer of personal data outside Malaysia unless the destination country provides a level of protection substantially similar to Malaysian standards, or the data subject consents to the transfer, or specific exemptions apply. The Minister of Communications has gazetted a list of approved countries; transfers to non-approved countries require prior ministerial approval or reliance on adequacy assessments. Financial institutions regulated by Bank Negara Malaysia are subject to additional restrictions under the Risk Management in Technology (RMiT) Policy Document 2019, which requires that critical systems and data be hosted domestically or in jurisdictions approved by BNM. A Cloud Services Agreement should specify the data hosting location and address compliance obligations for cross-border transfers.
When a Malaysia Cloud Services Agreement terminates, the provider's obligation to return, port, or delete the customer's data is governed by the termination provisions of the agreement and the Personal Data Protection Act 2010 (PDPA 2010). A well-drafted Cloud Services Agreement requires the provider to: (1) provide the customer access to export all data in a portable, machine-readable format for a minimum of 30 days following the effective date of termination; (2) delete all copies of the customer's data from the provider's systems within a specified period after the export window closes; and (3) certify the deletion in writing. The PDPA 2010 data retention principle requires that personal data not be kept longer than necessary for the purpose for which it was collected, meaning the provider must delete personal data after termination. Customers should negotiate data portability provisions carefully to avoid vendor lock-in.
Service Tax under the Service Tax Act 2018 applies to taxable digital services provided in Malaysia, including cloud computing services such as SaaS, IaaS, and PaaS. The standard service tax rate increased to 8% effective 1 March 2024 for most services (up from 6%). Malaysian cloud service providers with taxable annual revenue exceeding RM500,000 must register with the Royal Malaysian Customs Department (RMCD) and charge service tax on taxable services. Foreign cloud service providers — including global providers such as Amazon Web Services, Microsoft Azure, and Google Cloud — that provide digital services to Malaysian consumers or businesses are required to register for the Service Tax on Digital Services (STDS) regime under the Service Tax (Amendment) Act 2019 if their annual revenue from Malaysian recipients exceeds RM500,000. Cloud Services Agreements should clearly state whether quoted fees include or exclude SST and specify the party responsible for remitting applicable taxes.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
SEO Services Agreement (Malaysia)
A professionally drafted SEO Services Agreement for Malaysia governing search engine optimisation retainers, project-based SEO campaigns, deliverables, performance metrics, reporting obligations, and payment terms under the Contracts Act 1950 and the Communications and Multimedia Act 1998.
Cybersecurity Policy (Malaysia)
A professionally drafted Cybersecurity Policy for Malaysian organisations covering information security governance, access controls, incident response, PDPA 2010 compliance, ISMS requirements under ISO/IEC 27001, and obligations under the Computer Crimes Act 1997 and Communications and Multimedia Act 1998.
Terms and Conditions (Malaysia)
A professionally drafted Terms and Conditions document for Malaysian businesses, covering e-commerce, SaaS platforms, and service providers. Addresses consumer rights under the Consumer Protection Act 1999, electronic contracts under the Electronic Commerce Act 2006, and data protection obligations under the Personal Data Protection Act 2010.