Moving workloads to AWS, Azure, or Google Cloud is no longer a purely technical decision — it's a legal one. Decree 13/2023 on Personal Data Protection (PDPD), alongside the 2018 Cybersecurity Law and its implementing circulars, has reset many old assumptions about cloud for Vietnamese organizations.
Ten-point pre-migration checklist
1. Classify data under PDPD: personal (PII), sensitive (health, financial), routine internal
2. Identify which data must remain inside Vietnam — primarily banking, telecom, public health data
3. Pick the nearest cloud region when not domestically required — Singapore (ap-southeast-1) for AWS/Azure/GCP
4. Sign a Data Processing Agreement (DPA) with the cloud vendor — include PDPD compliance clauses
5. Stand up a consent flow if you process PII — log consent and timestamp
6. Register with the Authority of Information Security if processing sensitive data on cross-border infrastructure
7. Establish a breach notification process — 72-hour reporting under PDPD
8. Retain data audit logs for at least 24 months
9. Run periodic DPIAs (Data Protection Impact Assessments) for workloads handling >10,000 PII subjects
10. Support data deletion on user request (right to erasure)
The most common misunderstanding
Many Vietnamese enterprises read Decree 13/2023 as requiring all data to remain inside Vietnam — that's not accurate. Only specific sectors carry that requirement. The vast majority of B2B SaaS operations run normally on Singapore hosting with a proper DPA and consent flow.
Digi43 works with legal advisors to support Vietnamese organizations on pre-migration compliance reviews, DPA template drafting with cloud vendors, and breach notification SOP setup. Get in touch for a one-to-two-week assessment package.
