EOR contract Vietnam: Key clauses and red flags to check

In this post

An EOR contract is the agreement that decides who carries the legal, payroll, and data obligations when you hire in Vietnam without your own entity. This guide walks through the clauses to check before you sign in 2026, and the red flags that should pause the deal. It is an operational and commercial review, not legal advice, so treat the final document as something for qualified counsel to confirm.

TL;DR

A strong EOR contract names the Vietnam legal employer, allocates payroll, PIT, and SHUI tasks task by task, and attaches evidence requirements, so “full compliance” wording alone is not enough to sign on.
The 15 to 20 clauses that matter most cover scope, the local labor contract, payroll cadence, GDPR Article 28 data processing, IP assignment, liability, fees, service levels, and exit terms, each paired with a question to ask the provider.
For Dutch and EU buyers, the highest-risk gaps are a missing GDPR Article 28 DPA, no Vietnam personal data process under the new PDPL effective January 1, 2026, no SHUI or PIT proof, and restrictive exit clauses that block a later transfer to your own entity.

What to check in an EOR contract in Vietnam

A good EOR contract in Vietnam should state clearly who handles employment compliance, payroll, tax, employee data, intellectual property, liability, service levels, and exit support. The same logic applies whether the document is labelled an employer of record agreement or an EOR service agreement. If any of these sits in vague wording, the risk has quietly shifted back to you.

Before you sign, confirm the agreement covers this short checklist:

Scope: a task-level responsibility split, not “full HR support”.
Legal employer: the named Vietnam entity that signs the local labor contract.
Payroll and SHUI: a payroll calendar, correction window, and remittance proof.
Data protection: a GDPR Article 28 DPA plus a Vietnam PDPL process.
IP, liability, fees, and exit: ownership, indemnity, itemized cost, and transfer terms.

If you are still choosing between vendors rather than reviewing one agreement, it helps to compare EOR providers first before you get into clause-level detail.

short-checklist-of-EOR-contract-items-to-review-before-signing-in-Vietnam

How an EOR contract works in Vietnam

An EOR arrangement is a three-party reality, and the contract you sign is only one of the documents involved. Understanding the structure tells you where each obligation should land.

There are three relationships. You sign a service agreement with the provider. The Employer of Record (EOR) becomes the local legal employer and signs a Vietnamese labor contract with the worker under the Vietnam Labor Code 2019 (Law No. 45/2019/QH14), Article 21. You direct the day-to-day work, but you are not the legal employer.

This split is the whole point of the model. It also means a single clause that mixes service-agreement terms with local employment terms is a warning sign, because the two documents serve different legal functions. The EOR service agreement governs your relationship with the provider; the labor contract governs the worker’s employment.

We keep the basics short here. For the full background on the model, the pillar guide on EOR in Vietnam explains entity setup, eligibility, and timelines in more depth.

The 15+ clauses to check before you sign

This is the core of any pre-signing EOR contract review. The EOR contract clauses Vietnam buyers most often need to scrutinise are listed below, each row pairing the clause with why it matters and the exact question to put to the provider in writing.

Read the table as a working document. Ask for written answers, not verbal assurance, against every High-priority row before you commit.

Clause to check	Why it matters	What to ask the provider	Red flag
1. Legal employer and Vietnam entity	The contract must name who legally employs the worker.	Which Vietnam entity signs the local labor contract, and can you share registration details?	The provider will not name the entity or relies on undisclosed partners.
2. Scope and responsibility matrix	Arrangements fail when payroll, HR, and compliance tasks are not allocated.	What do you handle versus what stays with us, task by task?	Vague “full compliance” wording with no task-level split.
3. Local employment contract	Vietnam labor contracts have mandatory contents.	Will the worker get a Vietnamese or bilingual labor contract with all required terms?	No commitment to a compliant local contract or no employee copy.
4. Role, workplace, working time, leave	These core terms affect payroll, overtime, and disputes.	How are job titles, hours, rest periods, and leave documented?	Details handled “as applicable” with no clear process.
5. Payroll cycle and salary payment	You need predictable timing and error correction.	What payroll calendar, cut-off, payslip format, and correction SLA apply?	Payroll timing is not defined in the contract.
6. PIT withholding and filings	Income tax filings should not be left ambiguous.	Who calculates, withholds, files, and reconciles PIT, and what evidence do we get?	Tax responsibility pushed back to you with no process.
7. SHUI registration and proof	Social, health, and unemployment insurance is core compliance.	Can you provide SHUI registration and remittance proof with a contribution breakdown?	No proof, or statutory contributions treated as optional.
8. Benefits, leave, holidays	The fee should separate statutory from optional benefits.	Which statutory and optional benefits sit inside the monthly fee?	Benefits bundled vaguely with no employee-facing record.
9. Onboarding timeline and documents	Start dates need an operational workflow.	What documents are required and what onboarding SLA applies?	“Instant hiring” promise with no document flow.
10. Work permit and visa scope	For foreign nationals, scope must be explicit.	Can you support work permits, and what is included or excluded?	Support implied but excluded in the contract or charged separately.
11. GDPR Article 28 DPA	EU buyers act as controllers and need processor terms.	Will you sign an Article 28 DPA covering data types, sub-processors, security, and deletion?	No DPA, only a generic privacy clause, no sub-processor list.
12. Vietnam PDPL and transfers	Employee data moves between the EU, Vietnam, and cloud tools.	How do you handle Vietnam PDPL duties and cross-border transfer records?	No process for Vietnam personal data or transfer documentation.
13. Information security controls	Payroll and HR data are sensitive.	What access controls, audit logs, and breach notice timelines apply?	Only high-level “secure platform” wording.
14. IP ownership and confidentiality	Work products must be protected through the EOR chain.	How is employee-created IP assigned to us, and is confidentiality mirrored in the labor contract?	IP sits only in the service agreement, not employee documents.
15. Performance management boundaries	The client directs work but the EOR is legal employer.	Who handles warnings, disciplinary steps, and documentation?	Contract lets you discipline or terminate directly with no EOR process.
16. Liability cap and indemnity	Risk allocation should not undermine the EOR value.	What liabilities are covered for payroll, tax, labor claims, and data breaches?	Provider disclaims local compliance liability or caps it too low.
17. Fees, deposits, FX, pass-through	Hidden cost terms change the ROI versus entity setup.	What is in the monthly fee, and are onboarding, FX, or deposits extra?	Unexplained pass-through costs or unilateral fee changes.
18. SLA and service response	A provider should commit to written service levels.	What SLA covers payroll accuracy, response time, and offboarding?	No written SLA for payroll errors or urgent offboarding.
19. Termination, offboarding, transfer	Exit terms are where lock-in surprises appear.	What notice, final pay, data handover, and own-entity transition support apply?	Restrictive exit, high transfer fees, unclear final payroll.
20. Audit rights and evidence	You should be able to prove compliance if questioned.	What documents can we request, how often, and in what format?	Provider refuses routine evidence or relies on verbal confirmation.

EOR contract clauses to check before signing in Vietnam, with the question to ask and the red flag to watch.

Two clauses carry most of the financial weight: payroll and fees. A defined payroll calendar with a correction window is what keeps payroll on time every month, and itemized fees are what stop the EOR cost from drifting above an entity setup. Keep buyer costs in EUR rather than USD when you model them.

Not sure which clauses matter most? Sunbytes can help you review the operational side of your EOR setup before you sign. We check payroll, SHUI evidence, DPA readiness, onboarding, offboarding, and provider responsibilities so your Vietnam hire does not start with unclear obligations.

Review your EOR contract →

Vietnam-specific clauses foreign companies often miss

Several clauses look minor on a European reading but carry real weight under Vietnam employment practice. These are the ones EU buyers most often overlook.

Check these country-specific items explicitly in the EOR contract:

Local or bilingual labor contract: the worker should receive a Vietnamese or bilingual contract with all mandatory terms under the Vietnam Labor Code 2019, Article 21.
SHUI and PIT proof: recurring remittance evidence and payroll summaries, not just a statement that contributions are handled.
Payroll calendar and public holidays: a fixed cut-off and pay date, with Vietnam public holidays reflected in leave handling.
Work permit scope: for foreign nationals, who sponsors and what is excluded.
Final pay and offboarding: how the last salary, settlement, and SHUI deregistration are handled on exit.

For the contribution side specifically, the broader detail belongs in a dedicated guide on EOR compliance requirements in Vietnam. Where buyer cost appears, keep figures in EUR for a Dutch or EU finance reader.

*Vietnam-specific clauses: local contract, SHUI and PIT proof, payroll calendar, and offboarding.*

Data protection and GDPR clauses for EU companies

When your EOR processes employee data on your behalf, you are usually the controller and the provider is the processor. That relationship needs a contract, not a privacy notice.

Require a data processing agreement under GDPR Article 28, Regulation (EU) 2016/679. It should set the subject matter and duration, the data types and categories of data subjects, sub-processor disclosure and approval, security measures, breach notification timelines, assistance with data subject requests, and deletion or return of data at exit.

Vietnam adds a second layer. The Personal Data Protection Law took effect through Decree 356/2025, effective January 1, 2026, replacing Decree 13/2023. Ask how the provider documents Vietnam personal data obligations and any cross-border transfer of employee data, since payroll and HR data routinely move between the EU, Vietnam, and cloud systems.

If you want the data side in a single reference, a focused article on EOR data privacy and GDPR clauses collects the processor terms in one place. Where the law is involved, ask qualified counsel to confirm transfer mechanisms rather than relying on a checklist.

Red flags in an EOR agreement

Some contract patterns should stop the deal until they are fixed. Rather than walking away, ask for the safer alternative in writing and judge the response.

The most common red flags, and what to request instead:

Red flag	Why it matters	Safer alternative to ask for
Cannot name the Vietnam legal employer	You cannot verify who signs the contract or carries employer duties.	Ask for the entity name, role, registration details, and any subcontractor used.
Vague scope of services	Unclear scope creates disputes over payroll, tax, and termination.	Request a responsibility matrix for EOR, client, and employee.
No GDPR Article 28 DPA	EU buyers need processor terms when employee data is processed.	Require a DPA with security measures, breach notice, deletion, and assistance.
No Vietnam PDPL process	Vietnam data obligations may apply to employee data and transfers.	Ask how PDPL duties and cross-border transfer records are handled.
No SHUI or PIT evidence	You may not be able to prove statutory duties were met.	Ask for recurring remittance proof and payroll summaries.
Liability shifted back to client	The EOR value weakens if the provider excludes core compliance.	Review liability and indemnity with counsel; require accountability for provider tasks.
Hidden or unilateral fees	Vague pass-through costs create budget surprises.	Ask for itemized fees, FX treatment, deposits, and change rules.
Restrictive exit or transfer terms	You may later move employees to your own entity.	Ask for exit timeline, transfer process, data export, and final payroll support.
Missing IP assignment chain	You may not own a work product if IP is not assigned correctly.	Ask how IP and confidentiality are mirrored in the labor contract.
Provider promises “zero risk”	An EOR reduces burden but cannot remove every legal or tax risk.	Expect balanced language: reduced burden with responsibilities clearly allocated.

Red flags in an EOR agreement, paired with the safer requirement to ask for instead.

Questions to send your EOR provider before signing

Turn the red flags into a short procurement email. These are copy-ready questions you can send before any sales call, and they work best when you ask for written evidence rather than verbal assurance.

• Which Vietnam entity is the legal employer, and can you share registration details?

• Can you provide a task-level responsibility matrix for EOR, client, and employee?

• What payroll calendar, cut-off, and correction SLA apply, and what evidence do we receive?

• Can you provide SHUI and PIT remittance proof on a recurring basis?

• Will you sign a GDPR Article 28 DPA, and can you share your sub-processor list?

• How do you handle Vietnam PDPL obligations and cross-border data transfers?

• What liabilities are covered, and what are the exclusions and caps?

• What are the full itemized fees, including onboarding, offboarding, FX, and deposits?

• What are the exit terms if we transfer employees to our own Vietnam entity later?

• What documents can we request for audit, and how often?

If you want a structured way to score the answers, an EOR provider checklist turns these questions into a comparison sheet across vendors.

*A copy-ready provider question set, built directly from the red flags above.*

When to involve legal counsel

This article is an operational and commercial checklist, not legal advice. It helps you review a provider agreement and ask better questions, but it does not replace a qualified review.

Bring in counsel for the final contract terms, the governing law and jurisdiction, liability and indemnity wording, employment disputes, permanent establishment and tax exposure, and any cross-border data transfer mechanism under GDPR. A short legal review at the end is far cheaper than unwinding an obligation you did not realize you had accepted.

How Sunbytes helps make EOR contracts operationally clear

A contract review tells you what should happen. Operations decide whether it actually does. The gap between the two is where most EOR problems live.

When the agreement names payroll cut-offs, SHUI proof, and offboarding steps, Sunbytes runs those commitments through our Employer of Record (EOR) service in Vietnam so payroll lands on time every month and offboarding actions start within 24 hours. Our Dutch-led accountability and 4 to 5 hour NL to VN overlap mean the operational side is answered before a problem becomes urgent.

This is part of the broader employment infrastructure we build for international companies entering or scaling in Vietnam. Through our EOR, staffing, and Contractor of Record (COR) services, we make compliant hiring consistent at every stage of growth.

Why Sunbytes?

Founded in the Netherlands in 2011, Sunbytes has delivered more than 300 client projects across 20+ countries. Our delivery hub in Ho Chi Minh City gives us direct knowledge of Vietnam’s labor market, payroll rules, and regulatory environment.

Our three service pillars support EOR contract clarity at every stage:

Payroll and employment operations you can verify: Through Accelerate Workforce Solutions, we deliver payroll on time, onboarding in 2 to 4 weeks, and offboarding within 24 hours, with the SHUI and PIT evidence your contract should require.
Payroll accuracy and statutory proof: Through Payroll Services, we run the Vietnam payroll calendar, withholding, and remittance so the documentation behind each pay run is available on request.

Data handling aligned to your DPA: Through CyberSecurity Solutions, we apply access controls and security practices that support the GDPR Article 28 terms in your agreement, with ISO 27001 certification.

FAQs

What is an EOR contract in Vietnam?

It is the service agreement between your company and the EOR provider, which sits alongside the local employment contract between the EOR and the worker. An employer of record agreement makes the provider the legal employer in Vietnam, while you direct the day-to-day work. The exact division of responsibility should be written into the agreement, not assumed.

Who is the legal employer in an EOR arrangement?

The EOR is typically the local legal employer and signs the Vietnamese labor contract, while the client company directs the work. This is the core of the model, but the precise allocation of payroll, tax, and compliance duties must be defined in the contract. Where the wording is ambiguous, ask the provider to name the responsible party for each task.

What clauses should I check before signing an EOR agreement?

Check scope and the responsibility matrix, the named local employer, payroll, PIT and SHUI handling, the local employment contract, a GDPR Article 28 DPA, IP assignment, fees, liability, service levels, termination, and audit rights. Each clause should pair an obligation with the evidence you can request. Treat any “full compliance” phrase with no task-level detail as incomplete.

Does using an EOR remove all Vietnam compliance risk?

No. An EOR reduces the operational burden of hiring in Vietnam, but it does not erase every legal, tax, permanent establishment, or data risk. Responsibilities, liability, and evidence must still be allocated clearly in the contract. The goal is a known and shared risk position, not a claim of zero risk.

Should EU companies require a GDPR Article 28 DPA?

Yes, if the EOR processes personal data on your behalf, which is almost always the case for payroll and HR. The DPA should cover processor obligations, security measures, sub-processors, assistance with data subject requests, and deletion or return of data at exit. For transfers from the EU to Vietnam, ask counsel to confirm the appropriate transfer mechanism.

What EOR contract red flags should I watch for?

Watch for a provider that will not name the Vietnam legal employer, vague scope, a missing DPA, no SHUI or PIT proof, weak liability terms, hidden fees, missing IP assignment, and restrictive exit clauses. Each of these shifts risk back to you in a way that is easy to miss on a first read. The safer move is to ask for the specific evidence or wording in writing.

Can I transfer employees from an EOR to my own Vietnam entity later?

Usually yes, but the contract terms decide how smooth it is. Check the exit timeline, employee transfer process, employee consent steps, final payroll responsibility, data handover, and any transfer fees before you sign. Building the exit into the agreement up front avoids lock-in surprises later.

Should I ask a lawyer to review an EOR contract?

Yes, for the final contract terms, governing law, liability, employment disputes, tax and permanent establishment questions, and data transfer clauses. This guide is an operational checklist that helps you prepare for that review, not a substitute for it. A focused legal check on the high-risk clauses is the most efficient way to close the deal with confidence.