Cloud Services Agreement (Singapore)
CLOUD SERVICES AGREEMENT
Ref: [Agreement Ref]
This Cloud Services Agreement ('Agreement') is entered into on [Agreement Date] between:
SERVICE PROVIDER: [Provider Name] (UEN: [Provider UEN]), of [Provider Address] ('Provider'); and
CUSTOMER: [Customer Name] (UEN: [Customer UEN]), of [Customer Address] ('Customer').
1. CLOUD SERVICES
1.1 The Provider shall provide the following [Service Type] services ('the Services'):
[Service Description]
1.2 Data Residency: [Data Residency].
1.3 The Services shall be made available from the commencement date set out in the Order Form.
2. SERVICE LEVELS
2.1 Availability: The Provider guarantees [Uptime Guarantee].
2.2 Service Credits: [SLA Remedies]
2.3 Support: [Support Level].
2.4 Scheduled Maintenance: The Provider shall give the Customer at least 72 hours' notice of planned maintenance that may affect availability.
3. DATA PROTECTION AND SECURITY
3.1 Each party shall comply with the Personal Data Protection Act 2012 (PDPA) in respect of personal data processed under this Agreement. The Provider acts as a data intermediary on behalf of the Customer.
3.2 Security: The Provider shall maintain security controls certified to [Security Standard] standard and shall implement appropriate technical and organisational measures to protect Customer data against unauthorised access, disclosure, or loss.
3.3 Data Breach Notification: The Provider shall notify the Customer within [Breach Notification Period] of becoming aware of a personal data breach affecting Customer data, to enable the Customer to comply with its PDPC notification obligations under the PDPA.
3.4 Sub-processors: The Provider shall not engage sub-processors to process Customer data without the Customer's prior written consent. A list of approved sub-processors is set out in the Schedule.
4. FEES AND PAYMENT
4.1 The Customer shall pay the Provider [Fees].
4.2 Invoices are payable within 30 days of issue. Late payment accrues interest at 5.33% per annum.
5. LIABILITY
5.1 The Provider's total aggregate liability under this Agreement in any 12-month period shall not exceed 12 months' fees paid by the Customer.
5.2 Neither party shall be liable for indirect, consequential, special, or punitive losses, including loss of profits or loss of data.
5.3 The above limitations do not apply to: (a) death or personal injury caused by negligence; (b) fraud; or (c) breaches of data protection obligations under the PDPA.
6. TERM AND TERMINATION
6.1 This Agreement commences on the date signed and continues for an initial term of [Contract Term], thereafter renewing automatically for successive 12-month periods unless terminated.
6.2 Either party may terminate this Agreement by giving [Notice Period] written notice before the end of any term.
6.3 On termination, the Provider shall provide the Customer with a full export of Customer data in a portable format within 30 days, after which the Provider shall securely delete all Customer data.
7. GOVERNING LAW
This Agreement shall be governed by the laws of the Republic of Singapore. Disputes shall be resolved by arbitration at the Singapore International Arbitration Centre (SIAC) under the SIAC Rules.
Signed for and on behalf of [Provider Name]:
Name: ____________________ Title: ____________________
Signature: ____________________ Date: [Agreement Date]
Signed for and on behalf of [Customer Name]:
Name: ____________________ Title: ____________________
Signature: ____________________ Date: [Agreement Date]
Cloud Service Provider
________________
Signature
Customer
________________
Signature
What Is a Cloud Services Agreement (Singapore)?
A Cloud Services Agreement in Singapore fixes the respective duties and entitlements of the parties to the arrangement.
The Monetary Authority of Singapore (MAS) imposes additional regulatory requirements on cloud services used by financial institutions. MAS Technology Risk Management Guidelines (TRM Guidelines), last revised in January 2021, require financial institutions to conduct due diligence on CSPs, maintain oversight of outsourced cloud arrangements, and report material technology incidents. MAS Notice 655 on Cyber Hygiene further mandates that financial institutions using cloud services implement multi-factor authentication, network perimeter defence, and patch management protocols. A Cloud Services Agreement for a financial sector customer must therefore include MAS-specific compliance clauses that a general-purpose cloud contract would omit.
The Personal Data Protection Act 2012 (PDPA) governs the collection, use, disclosure, and cross-border transfer of personal data stored in or processed through cloud services. Under Section 24 of the PDPA, the customer organisation — as the data controller — remains responsible for protecting personal data even when that data is processed by a third-party CSP. The Personal Data Protection Commission (PDPC) has issued Advisory Guidelines on the use of cloud computing services, emphasising that the customer must implement contractual safeguards including data processing restrictions, security audit rights, and breach notification obligations. Cross-border data transfer provisions under Part 6A of the PDPA (effective 1 February 2021) require the customer to confirm that the CSP provides a comparable standard of data protection in any jurisdiction where data is stored or processed.
A Cloud Services Agreement differs from a standard IT Services Agreement or a Software Licence Agreement in several material respects. Cloud agreements address multi-tenancy risks, data sovereignty requirements, and service elasticity — concepts absent from traditional on-premises software licensing. The Singapore International Arbitration Centre (SIAC) and the Singapore International Commercial Court (SICC) have handled disputes arising from cloud service outages and data breaches, establishing precedent for the interpretation of service level agreement (SLA) credits, force majeure in cloud contexts, and the allocation of liability for third-party infrastructure failures.
The Accounting and Corporate Regulatory Authority (ACRA) requires companies using cloud-based accounting systems to maintain records accessible within Singapore for audit and regulatory inspection under the Companies Act 1967 (Cap. 50), Section 199. The Inland Revenue Authority of Singapore (IRAS) similarly requires that tax-relevant records maintained in cloud environments be retrievable within a reasonable timeframe. A Cloud Services Agreement should therefore include data residency, portability, and retrieval obligations to satisfy these statutory requirements. On forms-legal.com, the Cloud Services Agreement template includes dedicated sections for MAS compliance, PDPA data protection, SLA metrics, and data sovereignty provisions.
When Do You Need a Cloud Services Agreement (Singapore)?
A Cloud Services Agreement in Singapore becomes necessary whenever an organisation procures cloud computing resources from an external provider. Below are the principal scenarios where a written agreement protects both the customer and the CSP.
Startups and SMEs migrating from on-premises servers to cloud infrastructure need a Cloud Services Agreement to define uptime guarantees, data backup frequency, disaster recovery procedures, and the CSP's liability for data loss. Under Singapore common law of contract, verbal or click-wrap arrangements may create binding obligations, but disputes over service levels and data recovery are far more difficult to resolve without a negotiated written agreement.
Financial institutions regulated by the Monetary Authority of Singapore (MAS) must execute a Cloud Services Agreement that satisfies the MAS Technology Risk Management Guidelines before outsourcing any technology function to a CSP. MAS Outsourcing Guidelines require the agreement to include audit and inspection rights, exit management provisions, and business continuity arrangements specific to the outsourced cloud service. Failure to maintain compliant cloud contracts may trigger MAS supervisory action.
Healthcare organisations subject to the Ministry of Health (MOH) and the Health Sciences Authority (HSA) must address patient data protection when storing electronic medical records (EMRs) in cloud environments. The Healthcare Services Act 2020 and MOH's National Electronic Health Record (NEHR) framework impose data security standards that a Cloud Services Agreement must incorporate, including encryption-at-rest requirements and access control specifications.
Government agencies and statutory boards procuring cloud services must comply with the Government Instruction Manual on IT Management (IM8) and the Smart Nation and Digital Government Office (SNDGO) cloud-first policy. Cloud Services Agreements for government use must address data classification (Official, Restricted, Confidential, Secret), security certification requirements under the MTCS standard, and sovereignty clauses restricting data processing to Singapore-based data centres.
E-commerce businesses processing customer payment data through cloud platforms must address Payment Card Industry Data Security Standard (PCI DSS) compliance in the Cloud Services Agreement. The agreement should specify which PCI DSS controls are the responsibility of the CSP and which remain with the customer — a demarcation known as the shared responsibility model.
Law firms, accounting practices, and other professional services firms storing client confidential information in cloud environments need agreements that address legal professional privilege, client data segregation, and compliance with the Law Society of Singapore or Institute of Singapore Chartered Accountants practice directions regarding cloud storage of client records.
What to Include in Your Cloud Services Agreement (Singapore)
A properly drafted Cloud Services Agreement for Singapore should contain the following essential elements to address commercial, regulatory, and data protection requirements.
Service description and scope must define the specific cloud services to be provided — whether IaaS, PaaS, SaaS, or a combination — the geographic location of data centres, the service features included in the base subscription, and any optional add-on services. The agreement should reference the CSP's service catalogue and specify the version or edition of each cloud product. The Infocomm Media Development Authority (IMDA) Multi-Tier Cloud Security (MTCS) certification tier held by the CSP should be recorded in the agreement.
Service Level Agreement (SLA) provisions must define measurable performance targets including monthly uptime percentage (e.g., 99.95%), maximum scheduled maintenance windows, incident response times by severity level, and mean time to recovery (MTTR). The agreement should specify the methodology for measuring uptime — whether based on the CSP's monitoring tools, third-party monitoring, or customer-reported availability. SLA credits for missed targets should be expressed as a percentage of the monthly service fee, with a cap on total credits and a clearly defined claims procedure.
Data protection and PDPA compliance clauses must address the processing of personal data in accordance with the Personal Data Protection Act 2012 (PDPA). The agreement should define each party's role — the customer as data controller and the CSP as data intermediary under Section 4(2) of the PDPA — and impose obligations on the CSP regarding data use restrictions, sub-processor engagement, security measures, and breach notification. Under the mandatory breach notification regime (effective 1 February 2021), the CSP must notify the customer within a contractually agreed timeframe — typically 24 to 72 hours — of any data breach affecting the customer's data. Cross-border data transfer clauses must comply with Part 6A of the PDPA.
MAS regulatory compliance provisions are required where the customer is a financial institution regulated by the Monetary Authority of Singapore (MAS). The agreement must incorporate the requirements of the MAS Technology Risk Management Guidelines, MAS Outsourcing Guidelines, and MAS Notice 655 on Cyber Hygiene. Key clauses include: the CSP's obligation to submit to MAS inspection, the customer's right to audit the CSP's controls, data residency restrictions for specified data categories, and exit management procedures allowing the customer to migrate data upon termination without service disruption.
Intellectual property and data ownership clauses must confirm that all customer data — including data generated through the use of the cloud service — remains the property of the customer. The agreement should grant the CSP only the limited rights necessary to provide the contracted services and should prohibit the CSP from using customer data for analytics, machine learning training, or marketing without express written consent. Pre-existing intellectual property rights of each party should be identified and preserved.
Commercial terms must specify the subscription fee structure (monthly, annual, usage-based), payment terms, currency (typically SGD or USD), and the applicability of Goods and Services Tax (GST) at the prevailing rate of 9% (effective 1 January 2024) as administered by the Inland Revenue Authority of Singapore (IRAS). The agreement should address fee escalation mechanisms, volume discount thresholds, and the treatment of overage charges for resource consumption exceeding contracted limits.
Termination and exit management provisions should define the notice period for termination, the CSP's obligation to provide data export in a standard format (CSV, JSON, or database dump), the data retention period following termination, and the timeline for certifiable data deletion. The Companies Act 1967 (Cap. 50), Section 199, requires that business records be maintained for at least five years, and the agreement should confirm that the CSP will cooperate with the customer's record retention obligations during the exit transition. On forms-legal.com, the Cloud Services Agreement template addresses each of these elements with structured fields for SLA metrics, PDPA compliance declarations, and MAS-specific clauses.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cloud Services Agreement (Singapore) (Singapore) [Legal document template]. Forms Legal. https://forms-legal.com/singapore/business/intellectual-property/cloud-services-agreement-singapore
"Cloud Services Agreement (Singapore) (Singapore)." Forms Legal, 2026, https://forms-legal.com/singapore/business/intellectual-property/cloud-services-agreement-singapore.
@misc{formslegal-cloud-services-agreement-singapore,
author = {{Forms Legal}},
title = {Cloud Services Agreement (Singapore) (Singapore)},
year = {2026},
howpublished = {\url{https://forms-legal.com/singapore/business/intellectual-property/cloud-services-agreement-singapore}},
note = {Free legal document template. Based on Companies Act 1967 (Cap. 50)}
}
Frequently Asked Questions
The Multi-Tier Cloud Security (MTCS) standard (SS 584) is a cloud security certification framework developed by the Infocomm Media Development Authority (IMDA) in collaboration with the Information Technology Standards Committee (ITSC). MTCS classifies cloud services into three security tiers: Tier 1 covers baseline security for non-sensitive data, Tier 2 addresses cloud services handling sensitive business data, and Tier 3 applies to cloud services processing regulated data subject to statutory requirements — such as financial data governed by the Monetary Authority of Singapore (MAS) or personal data under the Personal Data Protection Act 2012 (PDPA). A Cloud Services Agreement should specify the MTCS tier that the CSP has achieved for the relevant cloud service, as this certification provides independent verification of the CSP's security controls. Government agencies procuring cloud services under the Smart Nation and Digital Government Office (SNDGO) guidelines are required to select CSPs with MTCS certification appropriate to the data classification level. MTCS certification is valid for two years and requires periodic surveillance audits, so the agreement should also require the CSP to maintain current certification throughout the contract term.
The Personal Data Protection Act 2012 (PDPA) regulates cross-border data transfers through Part 6A, which became effective on 1 February 2021. Under Section 26 of the PDPA, an organisation in Singapore may transfer personal data to a jurisdiction outside Singapore only if the receiving jurisdiction provides a comparable standard of data protection, or if the organisation implements contractual safeguards binding the overseas recipient to PDPA-equivalent obligations. For cloud computing arrangements, where customer data may be replicated across data centres in multiple countries, the Cloud Services Agreement must identify every jurisdiction where data may be stored or processed and confirm the legal basis for the transfer. The Personal Data Protection Commission (PDPC) has published a list of recognised jurisdictions and approved contractual clauses that organisations may adopt. Where the CSP uses sub-processors in third countries, the agreement should require the CSP to flow down equivalent data protection obligations and to obtain the customer's prior written consent before engaging new sub-processors. Failure to comply with cross-border transfer requirements may result in PDPC enforcement action, including financial penalties of up to SGD 1 million or 10% of annual turnover under the amended PDPA provisions.
A Singapore Cloud Services Agreement should define SLA metrics across four performance dimensions. Availability measures the percentage of time the cloud service is operational and accessible during each calendar month — a target of 99.95% equates to approximately 21.9 minutes of permissible downtime per month, excluding scheduled maintenance windows. Response time metrics define the maximum acceptable latency for user requests, typically measured at the 95th percentile. Incident response time metrics specify the CSP's obligation to acknowledge and begin resolving reported incidents within defined timeframes — commonly 15 minutes for critical (Severity 1) incidents affecting all users, one hour for high-impact (Severity 2) incidents, and four hours for medium-impact (Severity 3) incidents. Data durability metrics, particularly relevant for storage services, express the probability that stored data will not be lost — leading CSPs offer 99.999999999% (eleven nines) durability. The agreement should define the measurement methodology, the reporting frequency, and the SLA credit mechanism for missed targets — typically expressed as a percentage of the monthly fee, capped at 30% to 100% depending on the severity and duration of the breach. Under Singapore common law of contract, SLA credits are treated as a form of liquidated damages, which must represent a genuine pre-estimate of loss (and not a penalty) to be enforceable by the Singapore courts.
Financial institutions regulated by the Monetary Authority of Singapore (MAS) must satisfy several regulatory requirements before and during the use of cloud services. The MAS Technology Risk Management Guidelines (TRM Guidelines), last revised in January 2021, require financial institutions to conduct risk assessments and due diligence on CSPs covering security controls, resilience capabilities, and regulatory compliance posture. MAS Notice 655 on Cyber Hygiene mandates that financial institutions implement multi-factor authentication for administrative access to cloud environments, network security monitoring, and timely patching of cloud-hosted systems. The MAS Outsourcing Guidelines require the Cloud Services Agreement to include provisions for MAS inspection and audit of the CSP, notification to MAS before outsourcing material technology functions to the cloud, and exit management procedures allowing the financial institution to transition services to an alternative provider without disruption. Data residency requirements under the Banking Act (Cap. 19) and the Securities and Futures Act 2001 may restrict the storage of certain customer data to Singapore-based data centres. The agreement must also address concentration risk — the risk that multiple financial institutions rely on the same CSP — and include business continuity and disaster recovery provisions aligned with MAS Business Continuity Management Guidelines.
Under Singapore law, the customer retains ownership of all data uploaded to or generated through a cloud service, subject to the terms of the Cloud Services Agreement. Singapore common law of contract recognises that data ownership is determined by the contractual relationship between the parties, not by physical possession or storage location. A well-drafted Cloud Services Agreement should include an explicit clause stating that all customer data — including metadata, logs, and derived data — remains the exclusive property of the customer throughout the contract term and after termination. The CSP should be granted only a limited, revocable licence to process customer data for the sole purpose of delivering the contracted services. Intellectual property created by the customer using the cloud platform (such as software code, databases, or analytical models) should also be designated as customer property in the agreement. Upon termination, the CSP must provide the customer with a data export in a standard, machine-readable format within a contractually specified timeframe and must certifiably delete all copies of customer data from its systems, including backup copies, within a defined period — typically 30 to 90 days. The Companies Act 1967 (Cap. 50), Section 199, requires business records to be retained for five years, and the exit provisions should accommodate this statutory obligation.
When a cloud service provider (CSP) experiences a data breach affecting a Singapore customer's personal data, multiple notification and response obligations arise. Under the mandatory data breach notification regime of the Personal Data Protection Act 2012 (PDPA), effective 1 February 2021, the data controller (the customer organisation) must notify the Personal Data Protection Commission (PDPC) within three calendar days of determining that the breach is notifiable — defined as a breach affecting 500 or more individuals or a breach that is likely to result in significant harm. The Cloud Services Agreement should require the CSP to notify the customer of any security incident within a contractually defined timeframe — typically 24 to 72 hours — and to provide sufficient detail for the customer to assess whether PDPC notification is required. For financial institutions, MAS Notice on Cyber Hygiene and the MAS Technology Risk Management Guidelines impose additional reporting obligations to MAS. The CSP must cooperate with the customer's incident investigation, preserve forensic evidence, and implement remediation measures. Liability for breach-related costs — including PDPC penalties of up to SGD 1 million or 10% of annual turnover, legal fees, customer notification costs, and credit monitoring services — should be allocated in the agreement's indemnity provisions. Singapore courts apply the contributory negligence framework when both parties bear some responsibility for the breach.
A Singapore company may contractually require its cloud service provider to store and process data exclusively within Singapore-based data centres, and several regulatory frameworks make such a requirement advisable or mandatory for certain data categories. The Monetary Authority of Singapore (MAS) Banking Act (Cap. 19) restricts the offshoring of customer banking data without MAS approval. Government agencies subject to the Government Instruction Manual on IT Management (IM8) must store data classified as Restricted, Confidential, or Secret in Singapore-located infrastructure. The Personal Data Protection Act 2012 (PDPA), Part 6A, permits cross-border transfers only where adequate safeguards are in place, making Singapore-only storage the simplest compliance path. A Cloud Services Agreement should include a data residency clause specifying the permitted storage jurisdictions, requiring the CSP to identify the physical data centre locations, and prohibiting the CSP from relocating data without the customer's prior written consent. Major CSPs operating in Singapore — including AWS (Asia Pacific Singapore Region), Microsoft Azure (Southeast Asia), and Google Cloud (Singapore) — offer data residency commitments through their enterprise agreements. The agreement should also address backup and disaster recovery data, which may be replicated to secondary locations, and confirm that such locations also fall within the permitted jurisdictions.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
SaaS Agreement (Singapore)
A SaaS Agreement governs the provision of cloud-hosted software-as-a-service to customers in Singapore. It covers subscription terms, service levels, data protection under the PDPA 2012, uptime commitments, acceptable use, and liability limitations under Singapore law.
IT Services Agreement (Singapore)
An IT Services Agreement governs the provision of information technology services — including software development, system integration, managed services, and IT support — in Singapore. It covers deliverables, service levels, IP ownership, PDPA obligations, and liability under Singapore law.
Software Licence Agreement (Singapore)
A Software Licence Agreement grants a licensee the right to use software owned by the licensor in Singapore. It governs the permitted scope of use, restrictions, support obligations, intellectual property ownership, and liability limitations under Singapore contract and IP law.
Non-Disclosure Agreement (Singapore)
A confidentiality agreement binding parties to protect proprietary information under Singapore contract law and the Personal Data Protection Act 2012 (No. 26 of 2012). Suitable for employment, business partnerships, and M&A due diligence contexts.
Service Agreement (Singapore)
A general service contract governing the provision of services between a service provider and client under Singapore common law and the Consumer Protection (Fair Trading) Act (Cap. 52A). Suitable for professional, trade, and commercial service engagements.