
FAQ

Do we need MLPS readiness if our SaaS has no Chinese users?


Short answer

Generally no, but the assumption "we serve no Chinese users" is more fragile than it looks. The MLPS framework triggers based on where systems are operated and what data they process — not on customer geography alone. If your SaaS is hosted in mainland China (Aliyun, Tencent Cloud, etc.), it is subject to MLPS regardless of customer location. If your SaaS is hosted overseas but stores or processes data from Chinese users, you may still trigger PIPL Cross-Border requirements, which functionally require a China-side compliance posture.

Why the question matters

The MLPS classification framework defines five protection levels (L1 through L5) for information systems operating in mainland China. L2 and above require formal evaluation by a licensed assessment organization, which is the main cost driver behind compliance work. Buyers often ask this question when what they really mean is: "Can we skip MLPS entirely?"

The answer depends on three factors:

1. **Hosting location.** A SaaS hosted in mainland China (or with its primary operations team in mainland China) is operating an information system in mainland China and falls under MLPS regardless of customer base. A SaaS hosted entirely overseas with no Chinese-resident operations does not fall under MLPS directly.

2. **Data flow.** If an overseas-hosted SaaS receives personal information from Chinese users — even if those users are a minority — the system is subject to PIPL Cross-Border data requirements. PIPL Article 38 requires one of: a CAC security assessment, standard contract clauses (similar to GDPR SCCs), or PIPL-equivalent third-party certification. Effectively, you have a China-flavored compliance burden whether you wanted one or not.

3. **Critical Information Infrastructure status.** If your system handles data classified as Important Data (重要数据) or operates in a sector designated as CII, the assessment burden rises substantially regardless of customer geography.

A useful framing: if you want to actively avoid MLPS, do not host operations in mainland China, do not actively market to Chinese users, and do not collect Chinese-user personal information. If you do any of those three, the question becomes "what level applies," not "does MLPS apply."

What we typically recommend

For SaaS in this position, we usually scope a Discovery Call to walk through:

- The system's actual data flow with respect to Chinese users
- The hosting and operations footprint
- The realistic likelihood of triggering MLPS / PIPL Cross-Border in the next 12 months as the business grows

The output is a yes/no/maybe answer that's defensible to your legal team and a recommended path: target L2 readiness now, target L3 readiness now, defer until growth triggers it, or actively design to stay below the threshold.

Related FAQs

- How to scope an IoT security engagement (P1.5)
- PIPL individual consent vs separate consent (P1.5)

Related services and pillars

- MLPS Readiness solution
- Governance, Risk & Compliance service
- MLPS Readiness pillar
- Cross-Border Data pillar

Authoritative disclaimer

This page provides general technical orientation, not legal advice. For binding legal interpretation, consult counsel licensed in the relevant jurisdiction.

---