Data Centre Agreement (Malaysia)
DATA CENTRE AGREEMENT
Contracts Act 1950 (Malaysia) | Communications and Multimedia Act 1998 | Personal Data Protection Act 2010
THIS DATA CENTRE AGREEMENT is entered into on [Agreement Date]
BETWEEN:
(1) [Operator Name], of [Operator Address] (hereinafter referred to as the "Operator"); AND
(2) [Customer Name], of [Customer Address] (hereinafter referred to as the "Customer").
The Operator and the Customer are hereinafter collectively referred to as "the Parties".
1. SERVICES
1.1 The Operator shall provide the following data centre services to the Customer (the "Services"): [Service Type]
1.2 Space Specification: [Space Specification]
1.3 Power Allocation: [Power Allocation]
1.4 Network Connectivity: [Network Connectivity]
1.5 The Customer's equipment and data shall be located at the following data centre facility in Malaysia: [Data Centre Location]
2. SERVICE LEVEL AGREEMENT
2.1 The Operator commits to a facility availability of [Uptime SLA] per calendar month, measured on a 24-hour, 7-day basis ("Availability SLA").
2.2 "Downtime" means the total accumulated time in a calendar month during which the Services are unavailable to the Customer, excluding: (a) scheduled maintenance windows notified to the Customer at least 72 hours in advance; (b) events caused by the Customer or the Customer's equipment; and (c) force majeure events.
2.3 If Downtime in any calendar month exceeds the threshold permitted under the Availability SLA, the Customer shall be entitled to a service credit equal to [5]% of the monthly fee per hour of excess Downtime, up to a maximum of [30]% of the monthly fee for that month. Service credits are the Customer's sole and exclusive remedy for Availability SLA failures.
2.4 The Operator shall notify the Customer of any security incident affecting the Customer's equipment or data within 24 hours of becoming aware of such incident.
3. FEES AND PAYMENT
3.1 The Customer shall pay the Operator a monthly service fee of [Monthly Fee], invoiced monthly in advance.
3.2 Before the commencement of Services, the Customer shall pay a security deposit of [Security Deposit], refundable within thirty (30) days after the termination of this Agreement, subject to deduction of any outstanding amounts owed by the Customer.
3.3 All invoices are due within thirty (30) days of the invoice date. Overdue amounts shall attract interest at 1.5% per month. The Operator may suspend the Services if any invoice remains unpaid for more than fourteen (14) days after the due date.
3.4 All fees are exclusive of Service Tax (SST) under the Service Tax Act 2018 where applicable. SST shall be charged in addition at the prevailing rate.
4. DATA SOVEREIGNTY AND SECURITY
4.1 The Operator confirms that the Customer's equipment and data shall remain physically located at [Data Centre Location] and shall not be transferred to any other location without the Customer's prior written consent.
4.2 The Operator shall implement physical security measures at the facility including: access control (biometric or card reader), CCTV surveillance, on-site security personnel, and visitor management procedures.
4.3 Both Parties shall comply with the Personal Data Protection Act 2010 (PDPA 2010) in respect of any personal data processed in connection with this Agreement. The Customer (as data user under PDPA 2010) remains responsible for compliance with PDPA 2010 in respect of data stored in the facility.
4.4 The Customer grants the Operator permission to access the Customer's equipment only to the extent necessary to provide the Services or to comply with applicable law. The Operator shall not access the contents of the Customer's systems without prior written authorisation.
4.5 For Customers subject to Bank Negara Malaysia's Risk Management in Technology (RMiT) Policy Document, the Operator agrees to permit BNM or its designated representatives to inspect the relevant facility upon reasonable notice.
5. TERM AND TERMINATION
5.1 This Agreement shall commence on [Agreement Date] and shall continue for an initial term of [Contract Term], unless earlier terminated.
5.2 Either Party may terminate this Agreement at the end of the initial term or any renewal term by giving [Notice Period] written notice.
5.3 Either Party may terminate immediately for cause if the other Party commits a material breach and fails to remedy it within fourteen (14) days of written notice, or becomes insolvent.
5.4 Upon termination, the Customer shall remove all equipment from the facility within thirty (30) days. If the Customer fails to do so, the Operator may charge storage fees at a daily rate equal to 1/30th of the monthly fee. After a further thirty (30) days' written notice, the Operator may treat uncollected equipment as abandoned.
5.5 The Operator shall provide the Customer with all data in the Customer's account in a standard exportable format within fourteen (14) days of termination and shall securely delete or destroy all Customer data from Operator infrastructure within thirty (30) days of termination.
6. GENERAL PROVISIONS
6.1 The Operator's total liability to the Customer under this Agreement shall not exceed three (3) months' service fees, except in cases of fraud or wilful misconduct. Neither Party shall be liable for indirect or consequential losses.
6.2 This Agreement is governed by the laws of Malaysia and the Parties submit to the jurisdiction of the courts of [Governing Jurisdiction].
6.3 Both Parties shall treat the terms of this Agreement and all information regarding the other Party's business and operations as confidential and shall not disclose such information to any third party without prior written consent.
6.4 This Agreement constitutes the entire agreement between the Parties in relation to the data centre services and supersedes all prior agreements and representations.
Operator
________________
Signature
Customer
________________
Signature
What Is a Data Centre Agreement (Malaysia)?
A Data Centre Agreement in Malaysia fixes the respective duties and entitlements of the parties to the arrangement.
The Personal Data Protection Act 2010 (PDPA 2010) is central to data centre agreements in Malaysia. Where the client stores or processes personal data of individuals in the data centre, the client (as data user under PDPA 2010) must comply with the seven data protection principles, including the Security Principle, which requires appropriate security measures to protect personal data from loss, misuse, modification, unauthorised access, and disclosure. The data centre operator, as a data processor acting on the client's instructions, must implement physical security measures consistent with the client's PDPA 2010 obligations.
Malaysia's communications and digital infrastructure sector is regulated by the Malaysian Communications and Multimedia Commission (MCMC) under the Communications and Multimedia Act 1998. Data centre operators providing network facilities and network services are subject to licensing requirements under the Communications and Multimedia Act 1998. The Malaysian Digital Economy Corporation (MDEC) plays a role in promoting Malaysia's position as a data centre hub in Southeast Asia, and many large data centre operators in Malaysia benefit from the Multimedia Super Corridor (MSC Malaysia) status, which confers specific regulatory and tax incentives under the Multimedia Development Corporation Act 1997.
For Malaysian companies listed on Bursa Malaysia or subject to regulatory oversight by Bank Negara Malaysia (BNM) or the Securities Commission Malaysia (SC), data centre agreements must address data residency and sovereignty requirements. Bank Negara Malaysia's Risk Management in Technology (RMiT) Policy Document (effective 2020) requires financial institutions to assess and manage risks associated with outsourcing to data centres, including those outside Malaysia. The National Cyber Security Agency (NACSA) under the Prime Minister's Department oversees cybersecurity standards applicable to critical national information infrastructure.
A Data Centre Agreement differs from a Cloud Services Agreement in that a data centre agreement typically involves the physical co-location of the client's hardware in the operator's facility, while a cloud services agreement involves the provision of virtualised computing resources over a network, usually without the client owning or controlling any specific physical hardware.
The legal framework governing the Data Centre Agreement (Malaysia) in Malaysia draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing a Data Centre Agreement (Malaysia) in Malaysia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2016 (Act 777) sets the foundational requirements.
When Do You Need a Data Centre Agreement (Malaysia)?
A Data Centre Agreement in Malaysia is required whenever a business, government agency, or institution engages a data centre operator to house its IT infrastructure or provide managed hosting services.
A Data Centre Agreement is required when a bank or financial institution regulated by Bank Negara Malaysia engages a data centre operator to house its core banking system or disaster recovery infrastructure. The BNM Risk Management in Technology (RMiT) Policy Document requires financial institutions to conduct thorough due diligence on data centre providers, and the agreement must address business continuity, incident response, and the right of BNM to inspect the facility.
A Data Centre Agreement is needed when a technology company requires colocation space in a Malaysian data centre to host its servers serving Southeast Asian customers. Malaysia's data centres — concentrated in Cyberjaya, Kuala Lumpur, and Johor — benefit from low latency connections to Singapore and the broader ASEAN network, and the agreement must address the specific power, cooling, and connectivity specifications required.
A Data Centre Agreement is required when a government ministry or statutory body outsources its data infrastructure to a private data centre operator. Such arrangements are subject to the Government Contracts Act 1949, the Public Sector ICT Security Policy (ISMS) issued by NACSA, and the requirement that government data remain within Malaysian borders, making data sovereignty clauses critical.
A Data Centre Agreement is needed when a Malaysian company is required to demonstrate data residency compliance to customers or regulators — for example, companies processing health data subject to the Private Healthcare Facilities and Services Act 1998 or companies serving the financial sector that must comply with BNM's outsourcing requirements. The agreement must specify the physical location of the data centre and prohibit cross-border transfer of client data without consent.
A Data Centre Agreement is required when a disaster recovery or business continuity plan requires a secondary site in a geographically separate location. The agreement must address failover time objectives (RTO and RPO), testing rights, and the priority of services during a declared disaster or emergency.
What to Include in Your Data Centre Agreement (Malaysia)
A complete Data Centre Agreement in Malaysia must include the following essential elements.
Identification of Parties: The agreement must state the full legal names, SSM registration numbers (under the Companies Act 2016), and registered addresses of both the data centre operator and the client. Where the operator holds licences under the Communications and Multimedia Act 1998, these should be referenced.
Service Description: The agreement must precisely describe the services provided — colocation cabinet/cage/suite specifications (U space, power in kW, cooling capacity), managed server specifications, network connectivity (bandwidth, IP addresses, transit arrangements), and any value-added services such as remote hands, smart hands, or physical security escorts.
Service Level Agreement (SLA): The agreement must specify measurable uptime commitments — typically 99.9% or 99.999% facility availability — and define the consequences of service level failures, including service credits. The SLA must define how downtime is calculated (excluding scheduled maintenance), the credit claim process, and whether credits are the client's sole remedy for service failures.
Physical Security: The agreement must describe the data centre's physical security measures — access control (biometric, card reader), CCTV coverage, on-site security guards, and visitor management procedures. For clients subject to BNM RMiT requirements or PDPA 2010 Security Principle obligations, the agreement should specify audit rights and the right to conduct security assessments.
Data Sovereignty and Residency: The agreement must specify that the client's data and equipment remain physically within Malaysia (or within a specified data centre location) and may not be transferred to facilities outside Malaysia without the client's prior written consent. This is critical for compliance with PDPA 2010 and BNM RMiT requirements.
Power and Cooling: The agreement must specify the allocated power capacity in kilowatts, the guaranteed power availability (including UPS and generator backup), the cooling infrastructure, and the agreed power usage effectiveness (PUE) target. Charges for power consumption should be clearly stated in MYR per kWh or as a fixed monthly allocation.
Fees and Payment: The agreement must state the monthly or annual service fee in Malaysian Ringgit (MYR), the payment terms, the invoicing cycle, and the fees for additional services (remote hands, cross-connect charges, additional power). Early termination fees and the deposit amount should be specified.
Confidentiality and Data Protection: The agreement must include confidentiality obligations on the operator regarding the client's equipment, data, and technical information. PDPA 2010 data processing obligations should be addressed, including the operator's obligation to implement security measures and notify the client of security breaches.
Termination: The agreement must specify the minimum contract term (typically 12 to 36 months for colocation), the notice period for termination at the end of the initial term (typically 90 days), and the early termination fee. The agreement should address the decommissioning and removal of the client's equipment upon termination. The forms-legal.com Data Centre Agreement (Malaysia) template covers the mandatory elements under Companies Act 2016 (Act 777).
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Centre Agreement (Malaysia) (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/services/data-centre-agreement-malaysia
"Data Centre Agreement (Malaysia) (Malaysia)." Forms Legal, 2026, https://forms-legal.com/malaysia/business/services/data-centre-agreement-malaysia.
@misc{formslegal-data-centre-agreement-malaysia,
author = {{Forms Legal}},
title = {Data Centre Agreement (Malaysia) (Malaysia)},
year = {2026},
howpublished = {\url{https://forms-legal.com/malaysia/business/services/data-centre-agreement-malaysia}},
note = {Free legal document template. Based on Companies Act 2016 (Act 777)}
}Frequently Asked Questions
Colocation and managed hosting represent different models of data centre services in Malaysia. In a colocation arrangement, the client owns and maintains its own physical servers, networking equipment, and storage hardware, which are housed in the data centre operator's facility — the operator provides the physical space (cabinet or cage), power, cooling, and network connectivity. The client retains full control over its hardware and software. In a managed hosting arrangement, the data centre operator owns and manages the physical servers and infrastructure on the client's behalf, and the client accesses the computing resources as a service. Managed hosting involves the operator taking responsibility for hardware maintenance, firmware updates, and basic monitoring. The distinction matters for PDPA 2010 purposes — in both cases, the client (as data user) remains responsible for data protection, but the contractual allocation of security responsibilities differs significantly between colocation (client-managed hardware) and managed hosting (operator-managed hardware).
Bank Negara Malaysia's Risk Management in Technology (RMiT) Policy Document, effective 1 January 2020, requires all financial institutions regulated by BNM — including licensed banks, insurance companies, takaful operators, and payment system operators — to manage technology risks associated with their use of data centres and outsourced IT services. Under RMiT, financial institutions must conduct due diligence on data centre providers before engagement, including assessing physical security, business continuity capability, and access controls. The RMiT policy requires that critical systems and data of financial institutions be hosted in data centres located within Malaysia, and that any outsourcing of critical systems receive BNM approval. Data Centre Agreements for BNM-regulated institutions must include the right of BNM to inspect the facility and access records, audit rights, incident notification obligations (within 24 hours of a security incident), and defined exit management procedures to ensure data recovery upon contract termination.
A Data Centre Agreement in Malaysia should include an uptime guarantee aligned with the Tier classification of the facility under the Uptime Institute's Tier Standard or the TIA-942 standard. Tier I facilities (basic) offer approximately 99.671% availability (28.8 hours downtime per year); Tier III facilities (concurrently maintainable) offer 99.982% availability (1.6 hours downtime per year); Tier IV facilities (fault tolerant) offer 99.995% availability (26 minutes downtime per year). Most commercial data centres in Malaysia at Cyberjaya and Kuala Lumpur operate at Tier III or equivalent standards. The Data Centre Agreement should specify: the contracted availability percentage; the definition of 'downtime' (excluding scheduled maintenance windows); the credit mechanism for downtime exceeding the SLA threshold (typically a specified percentage of the monthly fee per hour of excess downtime); whether the total credits are capped; and whether credits constitute the client's sole and exclusive remedy for availability failures.
Data stored in a Malaysian data centre that constitutes personal data of individuals must comply with the Personal Data Protection Act 2010 (PDPA 2010). The PDPA 2010 applies to any person who processes personal data in connection with a commercial transaction in Malaysia. The company that owns or controls the personal data (the 'data user' under PDPA 2010) bears the primary compliance obligation, including ensuring the data centre operator implements appropriate security measures under the Security Principle of PDPA 2010. The data centre operator acts as a data processor and must comply with the data user's security requirements. The PDPA 2010's Transfer Restriction Principle (Section 129) prohibits transferring personal data outside Malaysia to countries not appearing on the Minister's approved list, unless the data subject consents or specified conditions are met — making Malaysian data residency a practical compliance requirement. Non-compliance with PDPA 2010 may result in a fine of up to RM 300,000 or imprisonment of up to two years under Section 130.
When a Data Centre Agreement in Malaysia is terminated — whether at the end of the term, by notice, or for breach — the client typically has a specified period (often 30 to 60 days) to decommission and remove its equipment from the data centre facility. The Data Centre Agreement should specify the decommissioning process, access arrangements for removal, and the final invoice date. If the client fails to remove its equipment within the specified period, the operator may charge storage fees at a daily rate, and after a further notice period, the operator may be entitled to treat the equipment as abandoned and dispose of it, subject to giving reasonable notice. The client's right to access its data must be preserved throughout the decommissioning process. For managed hosting, the operator must provide all client data in a specified format within the agreed timeframe. The agreement should also address the secure deletion or destruction of any data remaining on the operator's infrastructure after the client's departure to comply with PDPA 2010 retention and security obligations.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Cloud Services Agreement (Malaysia)
A professionally drafted Cloud Services Agreement for Malaysia governing SaaS, IaaS, and PaaS arrangements, service level agreements (SLAs), data protection obligations under the Personal Data Protection Act 2010, uptime guarantees, and termination rights under the Contracts Act 1950 and Communications and Multimedia Act 1998.
IT Services Agreement (Malaysia)
An IT Services Agreement for Malaysia that governs the ongoing provision of information technology services — including managed IT, helpdesk, infrastructure management, and support — between an IT service provider and a client. Compliant with the Contracts Act 1950, Computer Crimes Act 1997, and PDPA 2010.
SaaS Agreement (Malaysia)
A Software as a Service (SaaS) Agreement for Malaysia governing subscription access to cloud-hosted software. Covers subscription fees, uptime SLA, data ownership, PDPA 2010 compliance, acceptable use, and termination under the Contracts Act 1950 and Electronic Commerce Act 2006.