The legal framework: two instruments, one obligation

Vietnam's data localization requirements derive primarily from two pieces of legislation:

The Cybersecurity Law (Law No. 24/2018/QH14), which entered force on January 1, 2019, is the foundational instrument. Article 26 requires that domestic and foreign companies providing services in cyberspace to Vietnamese users store data relating to Vietnamese users on servers located in Vietnam. The covered data categories include: personal data, data about service relationships, and data generated by users. The Ministry of Public Security (MPS) and the Ministry of Information and Communications (MIC) are the supervising authorities.

Decree No. 13/2023/NĐ-CP, the Personal Data Protection Decree (PDPD), which entered force on July 1, 2023, extended and clarified obligations for controllers and processors of personal data. The PDPD introduces the concept of "sensitive personal data" — including health records, biometric data, financial information, and political views — and imposes heightened obligations for its processing, including explicit consent requirements and stricter cross-border transfer conditions.

"The question is not whether your vendor has a Singapore region. The question is whether your data stays in Vietnam when their system processes it."

What data localisation means in practice for AI deployment

For AI systems processing Vietnamese personal or business data, the localization requirement means that the data used for inference — the input sent to the model — must not be transmitted to servers outside Vietnam if it falls within the covered categories. This has direct implications for several common AI deployment patterns:

High-risk deployment patterns under Vietnam data rules
  • SaaS AI with US or EU data centres: If customer data, employee records, or financial data is sent to a vendor's API hosted in the United States or Europe for processing, this constitutes a cross-border transfer that requires either a data residency exemption or a supplemental cross-border data transfer agreement under the PDPD.
  • Cloud LLM APIs: Using OpenAI, Google Cloud AI, or Azure AI services to process Vietnamese personal data — even for internal business applications — sends that data outside Vietnam. This requires documented legal basis and, for sensitive data, explicit consent from the data subjects.
  • Backup and training data: AI vendors that use customer data to improve or retrain their models must obtain specific consent under the PDPD if any personal data is involved. Check vendor DPA (Data Processing Agreement) terms carefully.

The SEA data sovereignty landscape

Vietnam is not unique in this direction — data sovereignty requirements are tightening across Southeast Asia, creating a regional compliance map that matters for any enterprise operating in multiple countries:

Country Key Instrument Data Localisation Requirement
Vietnam Cybersecurity Law 2018 + Decree 13/2023 Domestic storage for specified user data; cross-border transfer restrictions on personal data
Indonesia GR 71/2019 + MoComm Regulation 5/2020 Electronic system operators processing Indonesian personal data must use local data centres or domestic cloud
Thailand Personal Data Protection Act 2022 (PDPA) Cross-border transfer restrictions; requires adequate protection standard in receiving country
Singapore Personal Data Protection Act 2012 (PDPA) Cross-border transfers permitted where receiving country provides comparable protection; more liberal than Vietnam/Indonesia
Malaysia Personal Data Protection Act 2010 Cross-border transfers to countries on approved white list or with adequate protection measures

IDC's "Data Sovereignty in APAC" research (2023) found that 78% of APAC CIOs identified data sovereignty as a top cloud strategy concern, up from 54% in 2021. The trend is toward stricter enforcement, not liberalisation. AI vendors who have built their infrastructure on a "global cloud" model with no in-country option are increasingly uncompetitive in regulated enterprise procurement in SEA.

What to look for in an AI vendor contract

Procurement teams evaluating AI vendors for Vietnamese enterprise deployment should verify these specific contractual provisions before signing:

On-premise and private cloud as compliance strategy

For enterprises in sectors with strict data sensitivity requirements — banking, healthcare, government — on-premise or private cloud deployment of AI systems is increasingly the only approach that satisfies both legal counsel and regulators without complex contractual engineering.

The objection to on-premise AI has historically been cost and capability: on-premise infrastructure was expensive, and the best AI models were only available as cloud APIs. Both constraints are weakening. Edge-deployable LLMs have reached production-grade capability at hardware costs accessible to mid-enterprise budgets. Private cloud deployments in Vietnamese data centres (Viettel IDC, VNPT, CMC) can now host competitive AI infrastructure at costs comparable to international cloud for equivalently-sized workloads, without the regulatory complexity of cross-border data flows.

The practical guidance for 2026: if your AI use case processes employee data, customer identity data, financial transaction data, or health information — build your vendor shortlist starting from providers that can demonstrate Vietnamese-territory data processing. Then evaluate features. The compliance risk of the reverse approach — evaluate features first, negotiate data residency as an afterthought — has become too large to accept.

Sources

Law No. 24/2018/QH14 — Cybersecurity Law of Vietnam, National Assembly, June 12, 2018.

Decree No. 13/2023/NĐ-CP — Personal Data Protection Decree, Government of Vietnam, April 17, 2023.

Indonesia Government Regulation No. 71/2019 — Electronic System and Transaction Operations, Government of Indonesia, 2019.

Thailand Personal Data Protection Act B.E. 2562 (2019), effective 2022, Royal Thai Government.

Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Government of Singapore.

IDC — "Data Sovereignty and the Future of Cloud in Asia Pacific 2023," International Data Corporation, 2023.

ASEAN Digital Masterplan 2025, Association of Southeast Asian Nations, 2021.