Indonesia Data Privacy

Protect your data

Earning customer trust is the foundation of our business at AWS and we know you trust us to protect your most critical and sensitive assets: your data. We earn this trust by working closely with you to understand your data protection needs, and by offering the most comprehensive set of services, tooling, and expertise to help you protect your data. To do this, we provide technical, operational, and contractual measures needed to protect your data. With AWS, you manage the privacy controls of your data, control how your data is used, who has access to it, and how it is encrypted. We underpin these capabilities with the most flexible and secure cloud computing environment available today.

Our commitments to you

Data control

With AWS, you control your data by using powerful AWS services and tools to determine where your data is stored, how it is secured, and who has access to it. Services such as AWS Identity and Access Management (IAM) allow you to securely manage access to AWS services and resources. AWS CloudTrail and Amazon Macie enable governance, compliance, detection, and auditing, while AWS CloudHSM and AWS Key Management Service (KMS) allow you to securely generate and manage encryption keys.

Data privacy

We continuously raise the bar on privacy safeguards with services and features that let you to implement your own privacy controls, including advanced access, encryption, and logging features. We make it easy to encrypt data in transit and at rest using keys either managed by AWS or fully managed by you. You can bring your own keys that were generated and managed outside of AWS. We implement consistent and scalable processes to manage privacy, including how data is collected, used, accessed, stored, and deleted. We provide a wide variety of best practice documents, training, and guidance that you can leverage to protect your data, such as the Security Pillar of the AWS Well-Architected Framework. We only process customer data - that is any personal data you upload to your AWS account - under your documented instructions and do not access, use, or share your data without your agreement, except as required to prevent fraud and abuse, or to comply with law, as described in our AWS Customer Agreement and AWS GDPR Data Processing Addendum. Thousands of customers who are subject to GDPR, PCI, and HIPAA use AWS services for these types of workloads. AWS has achieved numerous internationally-recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security and ISO 27018 for cloud privacy. We do not use customer data or derive information from it for marketing or advertising purposes.
Learn more at our Data Privacy Center.

Data sovereignty

You can choose to store your customer data in any one or more of our AWS Regions around the world. You can also use AWS services with the confidence that customer data stays in the AWS Region you select. A small number of AWS services involve the transfer of data, for example, to develop and improve those services, where you can opt-out of the transfer, or because transfer is an essential part of the service (such as a content delivery service). We prohibit -- and our systems are designed to prevent -- remote access by AWS personnel to customer data for any purpose, including service maintenance, unless that access is requested by you or unless access is required to prevent fraud and abuse, or to comply with law. If we receive a law enforcement request, we will challenge law enforcement requests for customer data from governmental bodies where the requests conflict with law, are overbroad, or where we otherwise have appropriate grounds to do so. We also provide a bi-annual Information Request Report describing the types and number of information requests AWS receives from law enforcement.


At AWS, security is our top priority and security in the cloud is a shared responsibility between AWS and our customer. Financial services providers, healthcare providers, and governmental agencies are among the customers, who trust us with some of their most sensitive information. You can improve your ability to meet core security, confidentiality, and compliance requirements with our comprehensive services, whether that's through Amazon GuardDuty, or our AWS Nitro System, the underlying platform for our EC2 instances. In addition, services such as AWS CloudHSM and AWS Key Management Service allow you to securely generate and manage encryption keys, and AWS Config and AWS CloudTrail deliver monitoring and logging capabilities for compliance and audits.


Indonesia does not currently have a general law on personal data protection. However, some requirements to protect data are contained in the Law No. 11 of 2008 regarding Electronic Information and Transactions, Government Regulation No. 71 of 2019 regarding Operation of Electronic System and Transactions (GR 71) (which amended Government Regulation No. 82 of 2012 Concerning Electronic System and Transaction Operation), and Minister of Communications & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System (Ministerial Regulation 20). These regulations set out obligations for Electronic System Operators when they handle personal data, including security and confidentiality obligations. Importantly, GR 71 clarifies that Electronic System Operators in Indonesia can transfer data offshore, as long as they comply with their obligations in GR 71 and Ministerial Regulation 20. “Private scope” Electronic System Operators can store or process all types of data outside Indonesia, including by using an AWS Region outside Indonesia. “Private scope” is defined generally and covers all businesses in Indonesia other than those that are a “State Administrative Agency” (i.e. legislative, executive or judicial institution or institution formed by legislation in Indonesia). “Public Scope” Electronic System Operators (i.e. State Administrative Agencies) can store or process their data offshore, including by using an AWS Region outside Indonesia, during the two-year transition period starting from 10 October 2019. AWS launched the AWS Asia Pacific (Jakarta) Region in Indonesia, based in Greater Jakarta and comprised of three Availability Zones, which will gives AWS customers and partners the ability to run their workloads and store their data in Indonesia.

AWS is vigilant about your privacy and data security. Security at AWS starts with our core infrastructure. Custom-built for the cloud and designed to meet the most stringent security requirements in the world, our infrastructure is monitored 24x7 to ensure the confidentiality, integrity, and availability of our customer's data. The same world-class security experts who monitor this infrastructure also build and maintain our broad selection of innovative security services, which can help you simplify meeting your own security and regulatory requirements. As an AWS customer, regardless of your size or location, you inherit all the benefits of our experience, tested against the strictest of third-party assurance frameworks.

AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2 and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.

For example, ISO 27018 is the first International code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content.

These comprehensive AWS technical and organizational measures are consistent with typical regulatory goals to protect personal data. Customers using AWS services maintain control over their content and are responsible for implementing additional security measures based on their specific needs, including content classification, encryption, access management and security credentials.

As AWS does not have visibility into or knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to the Privacy Act, customers are ultimately responsible for their own compliance with the Privacy Act and related regulations. The content on this page supplements the existing Data Privacy resources to help you align your requirements with the AWS Shared Responsibility Model when you store and process personal data using AWS services.

Have Questions? Connect with an AWS Business Representative
Exploring compliance roles?
Apply today »
Want AWS Compliance updates?
Follow us on Twitter »