Choosing a Malaysian cloud: 5 questions to ask any provider — Bijak Cloud
A procurement-focused checklist for Malaysian enterprises evaluating sovereign-AI cloud providers — data residency, SLAs, sub-processors, audit logs, and exit strategy.
Procurement teams evaluating cloud providers often start with a feature matrix. That’s the wrong place to start. The features look similar across vendors; what separates a good sovereign-AI provider from a risky one is the answers to five questions about control, accountability, and reversibility.
1. Where does my data physically reside?
If the provider cannot name the data centre, the city, and the legal jurisdiction for every byte you store, you do not have data residency — you have a marketing claim. Ask for:
- A list of every region you can deploy into.
- The legal entity operating each region.
- A written attestation that no data, metadata, or telemetry leaves the chosen region.
- The default region for inference, training, and logs.
2. What’s in your SLA and who backs it?
A 99.9% uptime SLA sounds reasonable until you read the small print. Ask for:
- Service credits tied to uptime, not just a “best effort” clause.
- Penalties that compound across tiers (e.g. regional and global).
- A clear definition of “uptime” — does planned maintenance count?
- Whether the SLA is backed by a parent company guarantee, a sovereign guarantee, or just the operating entity.
3. Can I see your full sub-processor list?
Every third-party service that touches your data is a sub-processor. A transparent provider publishes a full list and notifies you of changes. Ask for:
- A current sub-processor list, including observability, billing, and AI tooling vendors.
- A change-notification SLA (typically 30 days).
- The right to object to a new sub-processor.
- A list of regions each sub-processor operates in.
4. Are your audit logs immutable and exportable?
When regulators ask questions, your audit logs are the answer. Ask for:
- Whether audit logs are append-only and tamper-evident.
- Whether you can export logs in a portable format (JSON, CSV, OpenTelemetry).
- The retention window for audit logs.
- Whether logs themselves count as customer data or vendor data (this matters under PDPA).
5. What’s your exit strategy and data portability story?
Vendor lock-in is the silent tax on cloud spend. Before you sign, ask for:
- Whether your data can be exported in standard formats (Parquet, JSON, S3-compatible).
- Whether models and embeddings are portable, or tied to proprietary formats.
- The cost and timeline for full data export at contract end.
- A reference customer who has completed an exit and can speak to the experience.
Why these questions matter for AI workloads
AI workloads amplify every risk above. A 200ms inference latency becomes 2,000ms once it crosses a border. A sub-processor list that misses one observability tool becomes an undisclosed disclosure under PDPA. Audit logs that you cannot export become a regulator problem in year two.
What good answers look like
A sovereign-AI cloud provider should answer all five questions with specifics, not generalities. Region names. SLAs with named penalties. A sub-processor list you can download. Append-only logs you can export to your SIEM. An exit playbook with documented timelines. If the answers are vague, the answers are not answers.