How to approach a cross-border SaaS or data agreement touching the BVI
A cross-border SaaS or data agreement touching the BVI. A practical guide for in-house counsel. The Hong Kong angle in focus. Write to info@lockhartyip.com.
A SaaS contract or data-processing agreement that crosses the boundary between an operating entity and a BVI holding company looks routine until a dispute arises, a regulator asks questions, or a counterparty's counsel raises a choice-of-law objection. At that point, the document that was signed without much thought becomes the centre of a jurisdictional argument that can stall a platform, freeze a data flow, or invalidate an enforcement step.
A cross-border SaaS or data agreement touching the BVI requires the contracting parties to address, in sequence, the governing law of the contract, the AML and data-handling obligations that attach to each entity's jurisdiction, the enforcement route if the agreement breaks down, and the licensing posture of any technology or data service that reaches a regulated perimeter. The primary governing instruments are the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (where Hong Kong entities are involved), the BVI Business Companies Act (for the corporate vehicle), and – where virtual assets or data from a licensed platform are in scope – the Securities and Futures Ordinance and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance as applied by the Securities and Futures Commission.
This guide walks through the decision in order: the threshold question, the documentation sequence, the governing-law and enforcement gate, the AML and licensing check, the common structural mistake, and a short readiness checklist. The guide is written for in-house counsel and founders advising on the cross-border interface between Hong Kong and the BVI.
What is the commercial decision and why does the BVI create a specific exposure?
The BVI sits in most holding structures as the layer above a Hong Kong operating company or a Cayman fund. It rarely conducts the regulated activity directly. That separation is the point of the structure – but it is also its vulnerability in a SaaS or data context.
When a SaaS vendor contracts with a BVI entity, or when a BVI entity is named as the data controller or processor in a data-sharing arrangement, two questions arise immediately. First, does the BVI entity have any real legal presence or regulatory standing to be a party to that agreement? Second, which jurisdiction's law governs a dispute, and where can the other party go to enforce it?
In our cross-border practice, we regularly see agreements where the BVI entity is named as the contracting party purely because it holds the group's IP or is the shareholder of the operating company. The technology or data service is delivered to, or by, the Hong Kong or Mainland operating entity. The mismatch between the contracting party and the entity that actually performs or receives the service is the first structural mistake – and it creates the first gate.
Why does this matter for regulatory exposure? Because the Anti-Money Laundering and Counter-Terrorist Financing Ordinance applies to Hong Kong entities and to persons conducting regulated activities in Hong Kong, regardless of the corporate layer above them. If a SaaS platform processes payments, handles customer data from a licensed entity, or interfaces with a virtual-asset service, the Hong Kong operating entity is within scope. The BVI holding layer is not a regulatory shield for activity conducted in Hong Kong.
How should you structure the contracting party decision?
The first step is to map which entity in the group actually performs or receives the service, and make that entity the contracting party. This sounds obvious. In practice, it is regularly skipped – either because the BVI company is the only entity with a bank account at the time of signing, or because in-house counsel has not been asked to review the commercial term sheet before execution.
For a SaaS agreement where the service is delivered to an operating entity in Hong Kong, the Hong Kong entity should be the subscriber. The BVI parent may be named as a guarantor, or a permitted affiliate provision may extend the licence to the BVI entity for legitimate purposes such as IP licensing or holding-company reporting. These are distinct legal relationships that require distinct provisions.
Where the BVI entity is the licensor of IP that the SaaS platform uses, the position reverses. The BVI entity grants rights; the Hong Kong entity exploits them. In that configuration, the data-processing obligations – and the AML exposure for any data that relates to customers of the Hong Kong entity – sit at the Hong Kong level. The BVI licensor is not absolved of all obligations: under the BVI Business Companies Act, the entity must maintain proper books and records, and any agreement that forms part of its commercial activity is within the scope of that obligation.
The practical sequence at this step is: identify the performing/receiving entity, confirm the corporate capacity of each proposed party (registered and in good standing), and draft the signature block to reflect the actual commercial relationship.
The sequence above describes the standard position. Your matter turns on the documents, the jurisdictions actually engaged, and the order of steps – which is where the route is won or lost. For a structured read on how this applies to your group's structure across Hong Kong and the BVI, write to us at info@lockhartyip.com.
Which law governs the agreement, and why does that choice have consequences?
Governing law in a cross-border SaaS or data agreement is not merely a commercial preference. It determines the enforceability of limitation clauses, the treatment of data-breach liability, the recognition of intellectual-property assignments, and the forum in which a dispute is resolved.
The BVI has a common-law legal system. So does Hong Kong. That shared foundation creates a degree of mutual recognisability between the two systems, but it does not make the choice of law inconsequential. Hong Kong law, administered by the courts of Hong Kong, offers a well-tested enforcement infrastructure, access to interim measures, and a clear pathway to arbitral enforcement through the New York Convention for counterparties outside Greater China. BVI law, administered by the Eastern Caribbean Supreme Court, is well suited to corporate and shareholder disputes but is a less natural home for a technology or data-services agreement that will be performed in Asia.
In our cross-border practice, we generally advise that Hong Kong law and Hong Kong-seated arbitration serve the technology agreement better than BVI law and BVI courts, where the operative activity is in Hong Kong or Greater China. The reasoning is practical: the evidence, the witnesses, and the data all sit in Hong Kong or on the Mainland. An HKIAC-administered arbitration produces an award that is enforceable in Hong Kong and – through the mutual-enforcement arrangements between Hong Kong and the Mainland – capable of registration in the Mainland courts. A BVI court judgment does not carry the same direct route.
Where the BVI entity holds IP and the SaaS agreement is structured as a cross-licence, the governing law may legitimately be split: BVI law for the IP ownership and assignment provisions, Hong Kong law for the data-processing and service-level obligations. This split requires careful drafting to avoid two governing-law clauses that conflict in a dispute. The gate at this step is a written, unambiguous choice-of-law and dispute-resolution clause that accounts for both parties' corporate seats.
What AML and licensing obligations attach to the data or SaaS context?
This is the step most commonly skipped in a technology transaction, and the one that creates the greatest regulatory exposure. The Anti-Money Laundering and Counter-Terrorist Financing Ordinance applies to a broad category of financial institutions and – since the virtual-asset licensing regime commenced on 1 June 2023 – to virtual-asset trading platforms licensed by the Securities and Futures Commission.
A SaaS agreement that provides data-processing, customer-onboarding technology, or analytics to a licensed virtual-asset trading platform is within the AML compliance perimeter of the platform. The platform's AML obligations do not disappear at the boundary of its technology vendor. Under the AML guidelines issued by the Securities and Futures Commission, a licensed platform is expected to conduct due diligence on its technology and data vendors where those vendors have access to customer data or perform functions within the platform's AML programme.
What does this mean for the agreement? It means that the SaaS agreement should contain, at minimum: a representation and warranty from the vendor as to its own compliance posture; a data-handling annex that limits the vendor's use of customer data to the agreed service purpose; audit and inspection rights for the licensed platform; and a notification obligation if the vendor becomes aware of a breach or regulatory inquiry touching the data in scope.
Where the SaaS platform itself is a virtual-asset service – providing trading, custody, or exchange functionality – the question of whether it requires its own licence under the Securities and Futures Commission regime is a threshold issue. A BVI entity providing virtual-asset services to Hong Kong users is not automatically outside the licensing perimeter. The Securities and Futures Commission has taken the position that the relevant test is whether the service is actively marketed to Hong Kong investors, and whether a Hong Kong nexus is present. Parties should verify the current position before acting, as the perimeter continues to be tested in practice.
For fiat-referenced stablecoins, the Hong Kong Monetary Authority commenced a licensing regime for issuers in 2025. Where a SaaS agreement involves the issuance, distribution, or processing of fiat-referenced stablecoins, the HKMA regime applies as an additional layer. Parties should verify the current commencement date and perimeter of that regime before citing it in a transaction document.
If an earlier filing, structure or enforcement attempt produced an adverse or stalled result – or if your team is uncertain whether your technology or data service falls within a licensed perimeter – a second read of the position can identify the compliance gap and the routes still open. Write to us at info@lockhartyip.com.
How does data governance work when the BVI entity is in the chain?
Data governance in a multi-entity structure raises a question that SaaS agreements rarely address directly: who is the data controller, and who is the processor? In a group where the BVI entity holds customer data as part of its function as the IP owner or the group treasury, but the data was collected by the Hong Kong operating entity from its customers, the answer is not obvious.
Hong Kong does not yet have a mandatory cross-border data transfer regime with the same prescriptive structure as, for example, the European General Data Protection Regulation. The Personal Data (Privacy) Ordinance governs the collection and use of personal data in Hong Kong. Its transfer restriction provision – which limits the transfer of personal data to jurisdictions that do not provide comparable protection – applies to the Hong Kong entity that collected the data. The BVI entity receiving that data is not, of itself, subject to the Ordinance, but the Hong Kong entity that transfers the data remains liable for ensuring the transfer is lawful.
The practical consequence is that a SaaS or data agreement where the BVI entity is a data recipient needs a data-transfer mechanism between the Hong Kong collecting entity and the BVI receiving entity. In our cross-border practice, this is most commonly achieved through a group data-sharing agreement, a data-transfer addendum to the SaaS agreement, or a controller-to-controller standard clause set adopted by both entities. The mechanism must be documented before the data transfer occurs, not after a regulator raises the question.
Where the data includes customer data from a Mainland Chinese entity – a common configuration when the group operates across the Greater Bay Area – the cross-border data-transfer rules under the PRC Personal Information Protection Law add a further layer. Those rules require, in most cases, a security assessment or a standard contract filing before personal information is transferred abroad. The PRC rules do not cease to apply because the receiving entity is a BVI company rather than a foreign operating company.
What is the enforcement route if the agreement breaks down?
Enforcement is the gate that most commercial lawyers treat as a boilerplate concern. In a cross-border SaaS or data agreement touching the BVI, it is a substantive one. The assets that matter – the IP, the platform code, the customer data – are often in Hong Kong or on the Mainland. A judgment from the Eastern Caribbean Supreme Court against a Hong Kong entity does not have an automatic enforcement route in Hong Kong. A BVI court order freezing assets held by a Hong Kong entity requires separate application to the Hong Kong courts.
Hong Kong-seated arbitration, administered under the HKIAC Administered Arbitration Rules, provides the most direct enforcement path for a technology or data dispute with a Greater China dimension. An award issued in a Hong Kong-seated arbitration is enforceable in Hong Kong as a domestic award. It is also enforceable in the Mainland through the reciprocal arrangements between Hong Kong and the Mainland that govern arbitral-award enforcement. The 2020 Supplemental Arrangement allows simultaneous enforcement applications in Hong Kong and the Mainland, which is material where assets are split across the boundary.
Where the dispute involves a BVI party that holds assets only in the BVI, the enforcement position requires a separate application in the BVI courts. This is not unusual, but it means that the dispute-resolution clause should anticipate the need to enforce against a BVI entity and should not assume that a single forum can reach all assets. A well-drafted clause for this structure might provide for HKIAC arbitration, with an express carve-out for interim measures before any court of competent jurisdiction – which preserves the ability to seek asset-freezing relief in Hong Kong, the Mainland, or the BVI concurrently.
The common mistake at this step is to select arbitration without specifying the seat, or to select the BVI as the seat on the assumption that it benefits the BVI party. An unspecified seat defaults, under the HKIAC Administered Arbitration Rules, to Hong Kong. That default is generally favourable for a dispute with a Greater China enforcement dimension – but only if the parties have not already contracted around it in a way that creates ambiguity.
What is the most common structural mistake, and how is it avoided?
The most common structural mistake in a cross-border SaaS or data agreement touching the BVI is the misidentification of the licensed or regulated entity. A group's legal team – often working under time pressure from a commercial deadline – names the BVI holding company as the contracting party because it is the entity with which the vendor's counterpart is most familiar. The BVI entity signs the SaaS agreement. The service is delivered to the Hong Kong operating company. The data flows to the Hong Kong company's customers. The AML obligations sit with the Hong Kong company.
When a regulatory inquiry arrives – or when the vendor's insolvency administrator asks who the agreement counterparty actually is – the group discovers that the agreement as signed does not reflect the commercial and regulatory reality. The BVI entity cannot perform the obligations; the Hong Kong entity is not the contracting party; and the indemnity and liability provisions in the agreement are addressed to the wrong legal person.
The correction is structural, not cosmetic. It requires either a novation of the agreement to the correct entity, a proper affiliate-coverage clause that extends the agreement's coverage to the Hong Kong operating company, or – if the BVI entity is genuinely the appropriate contracting party – a service agreement between the BVI and Hong Kong entities that allocates the operational obligations correctly within the group.
A second common mistake is the absence of a data-handling annex in a SaaS agreement where the vendor will process personal data. Vendors routinely propose their standard data-processing addendum, which is written for a European or US regulatory context. That addendum rarely addresses the Personal Data (Privacy) Ordinance, the FATF travel rule for virtual-asset transfers, or the AML obligations of a licensed Hong Kong entity. The in-house team that accepts the vendor's standard addendum without review is accepting a compliance gap.
The route around both mistakes is the same: legal review before execution, not after the regulator or the counterparty raises the issue. That review should address the contracting party, the data-handling obligations, the governing law, and the enforcement route as a package, not as four separate and sequential tasks.
Decision checklist: is the agreement ready to execute?
Before executing a cross-border SaaS or data agreement that touches the BVI, in-house counsel should be able to confirm the following points without hesitation.
- The contracting party on each side is the entity that will actually perform or receive the service – not a holding company above it.
- Each contracting party is in good standing under its home corporate statute: the BVI Business Companies Act for the BVI entity, the Companies Ordinance (Cap. 622) for the Hong Kong entity.
- The governing law clause names a single law for each substantive part of the agreement, or the split is documented and deliberate.
- The dispute-resolution clause specifies the seat of arbitration and the administering body (for a Greater China enforcement dimension, HKIAC and Hong Kong seat is the standard starting point).
- The AML and licensing posture of the platform or data service has been assessed against the Securities and Futures Commission's regime for virtual-asset trading platforms and, where applicable, the HKMA's stablecoin regime.
- The data-handling annex addresses the Personal Data (Privacy) Ordinance as applied by the Hong Kong collecting entity, and – where Mainland data is in scope – the PRC Personal Information Protection Law requirements.
- A data-transfer mechanism between the Hong Kong collecting entity and the BVI receiving entity is documented and in place before the first transfer.
- The agreement contains audit rights, notification obligations, and a restriction on secondary use of customer data, where the vendor has access to customer data of a licensed entity.
- The enforcement route has been mapped: which courts can reach which assets, and whether simultaneous enforcement in Hong Kong and the Mainland (or Hong Kong and the BVI) is required for the group's asset profile.
- The agreement has been reviewed for compliance with the relevant AML guidelines issued by the Securities and Futures Commission, and any gap has been addressed in the data-handling annex or a side letter.
This checklist is a starting point, not a substitute for advice on a specific transaction. The documents, the counterparties, and the regulatory status of the platform determine the analysis in each case.
Related practices
- Tech & Web3 – licensing, AML compliance and structuring for technology and virtual-asset businesses with a Hong Kong or cross-border dimension
- Sanctions & AML – counterparty due diligence, source-of-funds analysis and compliance-file preparation for cross-border transactions
Frequently asked questions
What documents are needed for a cross-border SaaS or data agreement touching the BVI?
Which jurisdiction's law applies to a cross-border SaaS or data agreement touching the BVI?
What does the route look like for a cross-border SaaS or data agreement touching the BVI?
Speak with Lockhart & Yip
For a scoped view of your matter, contact info@lockhartyip.com. Discuss your matter →
Related
- Tech Web3
- Digital Asset Fund Structured Through Hong Kong United 4
- Cross Border Saas Or Data Agreement Touching Singapore 5
This publication is general information and does not constitute legal advice. For advice on your situation, contact info@lockhartyip.com.