If your business runs Cloud PBX, SIP trunking or outbound campaigns, a clear VoIP SLA prevents downtime, surprise bills and regulatory headaches.
Imagine a Monday sales standup interrupted by dropped calls, or a finance team that can’t reach suppliers because SIP trunks aren’t routing — that real pain is exactly what a tightly written VoIP SLA avoids. This VoIP SLA checklist 2026 gives Malaysian SMEs seven contract clauses you should require before signing for Cloud PBX, SIP trunking, omnichannel voice services or bulk voice blasts. The list explains what each clause actually means, the numeric thresholds to ask for, and a short negotiation line you can send to vendors. Use these clauses to turn vague vendor promises into measurable obligations, service credits and clear exit rights.
Ask for a stated uptime (availability) target — 99.95% is a common business baseline; 99.99% is premium. Specify the measurement timeframe (monthly rolling or calendar month), what components are covered (SIP signaling, media path, portal/API), and carve out reasonable exclusions (scheduled maintenance with advance notice, force majeure).
Negotiation line: “We require 99.95% monthly availability for SIP signaling and RTP media with monthly reporting; scheduled maintenance must be notified ≥72 hours in advance and limited to X hours/month.”
Convert “good call quality” into numbers. Require one‑way latency ≤150 ms, jitter ≤30 ms, packet loss ≤1% (ideally <0.1% for premium voice), and a Mean Opinion Score (MOS) ≥4.0 for hosted voice paths. State the measurement method (RTP probes, active synthetic calls or call samples) and which party’s tools will be the source of truth if disputes arise.
Why these numbers: ITU‑T guidance recommends ≤150 ms one‑way delay for acceptable voice quality; industry monitoring guides use MOS ≥4.0 as a business standard. (ITU G.114; industry guides)
Define a clear credit formula (for example: credit = % of monthly fee × outage minutes / total monthly minutes) and a time window and process to claim credits. Insist on cumulative breach language: after N monthly breaches (e.g., three separate months of <99.95%) allow pro rata refunds and the right to terminate without penalty.
Example clause: “If monthly availability < 99.95%, customer receives X% credit; after three months in any 12‑month period where availability < 99.95%, Customer may terminate without penalty.”
Ask for network and service redundancy specifics: dual data‑centres in different regions, multihomed voice transit, and documented failover time (for example, automatic RTP failover < 60 seconds). Require annual DR tests with a post‑test report you receive and a remediation plan for any gaps found.
Red flag: a provider that promises “geo‑redundancy” but won’t share data‑centre locations, test plans or past test results.
Make data protection a contractual requirement. Require TLS for signaling and SRTP for media by default, logging and access controls that meet SOC2‑like practices, and explicit cooperation with your Data Protection Officer (DPO) for PDPA requests. For call recording, require the provider to support lawful consent flows, retention controls, and secure export so you can meet Malaysia’s PDPA and your internal policies.
Recent JPDP guidance (PDPA) includes mandatory DPO guidance and breach notification rules — include breach notification SLAs that match legal windows (e.g., notify within 72 hours of detection). (JPDP)
Require 24/7 NOC monitoring, a published escalation ladder with named response SLAs (e.g., response within 15 minutes for critical incidents; target Mean Time To Repair (MTTR) for major outages ≤4 hours), and monthly performance reports that include uptime, call quality metrics and incident summaries.
Ask for sample reports during procurement — if the provider can’t show historic reports, treat that as a procurement risk.
Include clauses about number portability timelines, handling of emergency calls (how 999/112 is routed and what disclaimers exist for VoIP), and a commitment that the provider will comply with lawful directives from MCMC. Specify responsibilities and timelines for number porting, and service behavior on loss of local Internet (e.g., automatic call diversion).
If a provider cannot explain how they route emergency calls or respond to regulatory directives, pause procurement until clarified — MCMC enforcement is active and non‑compliance has led to directives and fines. (Bernama)
Two practical steps make an SLA enforceable: (1) agree an independent or mutually accessible measurement method (synthetic call probes, RTP active monitoring or third‑party measurement); (2) require monthly machine‑readable reports and a change log for upgrades/maintenance. Add a short dispute‑resolution timeline (e.g., 14 days to raise a dispute after a report) and require the provider to deliver root‑cause analysis (RCA) within a fixed window after major incidents.
“An SLA is only as good as your ability to measure it.” — make monitoring & reporting the contractual source of truth, not only vendor dashboards.
Use this compact paragraph as an RFP insert: “Provider shall maintain monthly availability ≥99.95% for SIP signalling and RTP media, measure performance using mutually agreed active probes, and provide monthly machine‑readable QoS reports. Provider shall meet latency ≤150 ms one‑way, jitter ≤30 ms, packet loss ≤1% and MOS ≥4.0. Service credits apply per the attached schedule; Customer may terminate without penalty after three SLA failures in any rolling 12‑month period.”
For most SMEs, 99.95% monthly availability is a reasonable baseline (≈4.4 hours annual downtime). If voice is mission‑critical (contact centres, emergency services), negotiate 99.99% or require multi‑provider redundancy. Always pair uptime with clear remedies and measurement methods.
Not if you want a robust SLA. Scheduled maintenance can be allowed but should be limited (e.g., < 8 hours/month), with advance notice (≥72 hours) and preferably done during pre‑agreed low‑impact windows. Unlimited or unannounced maintenance is a red flag.
Include a Data Processing Addendum obliging the provider to support consent capture, configurable retention, secure storage, and export of recordings. Require cooperation for breach notifications and logs for audits so you can meet JPDP/PDPA requirements.
Contractualize monthly machine‑readable QoS reports and allow a third‑party probe or shared telemetry. Require RCAs and remediation plans for incidents where targets are missed.
Further reading: BERNAMA — MCMC issues 279 directives for MSQoS non‑compliance (July 29, 2025)
Further reading: SoyaCincau — MSQoS and the 7.7 Mbps baseline (March 29, 2024)
Further reading: Personal Data Protection Department (JPDP) — PDPA guidance and circulars (JPDP official)
Further reading: ITU‑T Rec. G.114 — guidance on one‑way delay for voice (industry reference)
Further reading: Telxi — VoIP QoS thresholds and MOS guidance
Further reading: ITGTEL — Contact Us
