The legal framework: two instruments, one obligation
Vietnam's data localization requirements derive primarily from two pieces of legislation:
The Cybersecurity Law (Law No. 24/2018/QH14), which entered force on January 1, 2019, is the foundational instrument. Article 26 requires that domestic and foreign companies providing services in cyberspace to Vietnamese users store data relating to Vietnamese users on servers located in Vietnam. The covered data categories include: personal data, data about service relationships, and data generated by users. The Ministry of Public Security (MPS) and the Ministry of Information and Communications (MIC) are the supervising authorities.
Decree No. 13/2023/NĐ-CP, the Personal Data Protection Decree (PDPD), which entered force on July 1, 2023, extended and clarified obligations for controllers and processors of personal data. The PDPD introduces the concept of "sensitive personal data" — including health records, biometric data, financial information, and political views — and imposes heightened obligations for its processing, including explicit consent requirements and stricter cross-border transfer conditions.
"The question is not whether your vendor has a Singapore region. The question is whether your data stays in Vietnam when their system processes it."
What data localisation means in practice for AI deployment
For AI systems processing Vietnamese personal or business data, the localization requirement means that the data used for inference — the input sent to the model — must not be transmitted to servers outside Vietnam if it falls within the covered categories. This has direct implications for several common AI deployment patterns:
- SaaS AI with US or EU data centres: If customer data, employee records, or financial data is sent to a vendor's API hosted in the United States or Europe for processing, this constitutes a cross-border transfer that requires either a data residency exemption or a supplemental cross-border data transfer agreement under the PDPD.
- Cloud LLM APIs: Using OpenAI, Google Cloud AI, or Azure AI services to process Vietnamese personal data — even for internal business applications — sends that data outside Vietnam. This requires documented legal basis and, for sensitive data, explicit consent from the data subjects.
- Backup and training data: AI vendors that use customer data to improve or retrain their models must obtain specific consent under the PDPD if any personal data is involved. Check vendor DPA (Data Processing Agreement) terms carefully.
The SEA data sovereignty landscape
Vietnam is not unique in this direction — data sovereignty requirements are tightening across Southeast Asia, creating a regional compliance map that matters for any enterprise operating in multiple countries:
| Country | Key Instrument | Data Localisation Requirement |
|---|---|---|
| Vietnam | Cybersecurity Law 2018 + Decree 13/2023 | Domestic storage for specified user data; cross-border transfer restrictions on personal data |
| Indonesia | GR 71/2019 + MoComm Regulation 5/2020 | Electronic system operators processing Indonesian personal data must use local data centres or domestic cloud |
| Thailand | Personal Data Protection Act 2022 (PDPA) | Cross-border transfer restrictions; requires adequate protection standard in receiving country |
| Singapore | Personal Data Protection Act 2012 (PDPA) | Cross-border transfers permitted where receiving country provides comparable protection; more liberal than Vietnam/Indonesia |
| Malaysia | Personal Data Protection Act 2010 | Cross-border transfers to countries on approved white list or with adequate protection measures |
IDC's "Data Sovereignty in APAC" research (2023) found that 78% of APAC CIOs identified data sovereignty as a top cloud strategy concern, up from 54% in 2021. The trend is toward stricter enforcement, not liberalisation. AI vendors who have built their infrastructure on a "global cloud" model with no in-country option are increasingly uncompetitive in regulated enterprise procurement in SEA.
What to look for in an AI vendor contract
Procurement teams evaluating AI vendors for Vietnamese enterprise deployment should verify these specific contractual provisions before signing:
- Data Processing Agreement (DPA): Does the vendor provide a Vietnam-specific DPA that explicitly designates Vietnamese data centres as the processing location for your data? Generic global DPAs from US or European vendors typically do not satisfy Vietnamese requirements.
- Sub-processor disclosure: AI systems frequently use sub-processors — cloud infrastructure, model providers, monitoring services. The DPA should disclose all sub-processors and confirm their processing locations.
- Training data use: Does the vendor use customer data to retrain models? If yes, what consent mechanism is in place? This is material for PDPD compliance.
- Incident notification: Decree 13/2023 requires data breach notification to affected individuals within 72 hours of discovery. Does the vendor's contract include a breach notification obligation that enables you to meet this timeline?
- Audit rights: Vietnamese regulators can request evidence of compliance. Does your contract give you the right to audit the vendor's data handling practices?
On-premise and private cloud as compliance strategy
For enterprises in sectors with strict data sensitivity requirements — banking, healthcare, government — on-premise or private cloud deployment of AI systems is increasingly the only approach that satisfies both legal counsel and regulators without complex contractual engineering.
The objection to on-premise AI has historically been cost and capability: on-premise infrastructure was expensive, and the best AI models were only available as cloud APIs. Both constraints are weakening. Edge-deployable LLMs have reached production-grade capability at hardware costs accessible to mid-enterprise budgets. Private cloud deployments in Vietnamese data centres (Viettel IDC, VNPT, CMC) can now host competitive AI infrastructure at costs comparable to international cloud for equivalently-sized workloads, without the regulatory complexity of cross-border data flows.
The practical guidance for 2026: if your AI use case processes employee data, customer identity data, financial transaction data, or health information — build your vendor shortlist starting from providers that can demonstrate Vietnamese-territory data processing. Then evaluate features. The compliance risk of the reverse approach — evaluate features first, negotiate data residency as an afterthought — has become too large to accept.
Sources
Law No. 24/2018/QH14 — Cybersecurity Law of Vietnam, National Assembly, June 12, 2018.
Decree No. 13/2023/NĐ-CP — Personal Data Protection Decree, Government of Vietnam, April 17, 2023.
Indonesia Government Regulation No. 71/2019 — Electronic System and Transaction Operations, Government of Indonesia, 2019.
Thailand Personal Data Protection Act B.E. 2562 (2019), effective 2022, Royal Thai Government.
Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Government of Singapore.
IDC — "Data Sovereignty and the Future of Cloud in Asia Pacific 2023," International Data Corporation, 2023.
ASEAN Digital Masterplan 2025, Association of Southeast Asian Nations, 2021.