How to vet an Indonesian BPO partner (12-point buyer checklist, 2026)

Most buyer checklists for Indonesian BPO stop at three or four questions, entity, price, references, KPI. That is too coarse to catch the operational gaps that surface in month 3 of a contract. The 12-point list below was assembled from operational issues that Zipang has seen across its own programs and from diligence calls with buyers who selected a cheaper vendor and had to re-bid.

The list is intentionally ordered from legal-entity up to pricing. Items 1–3 are the foundation; if a vendor fails any of those, the conversation should stop. Items 4–7 are the operational core; failure here means the program will not produce at the rate the contract promised. Items 8–12 are the resilience and transparency items; failure here means a contract that survives steady state but breaks on a regulatory change, a security incident, or a price escalation.

A real Indonesian BPO operates through a Perseroan Terbatas (PT), either a local PT (domestic ownership) or a PT PMA (foreign-owned, with foreign investment approval from BKPM / OSS). The vendor should provide a copy of the NIB (Business Identity Number, issued via the OSS system), the NPWP (tax identification number), and the company's deed of establishment (akta pendirian). For a PT PMA, the BKPM / OSS approval letter should be available too.

What good answers look like: a PT that has been registered for 5+ years, with an NIB that matches the entity name, an NPWP that matches the deed, and a clear shareholder structure. KITAS (limited stay permit) for any foreign staff is a positive signal that the vendor has handled the immigration paperwork for international hires, which is the same paperwork you would need to bring your own staff to Indonesia.

What red flags look like: the vendor operates through a perorangan (individual freelancer pool) rather than a PT; the entity is younger than 12 months; the NIB does not match the trading name; the deed lists different directors from the website. Each of these is grounds to walk away before discussing the program.

A real Indonesian BPO handles BPJS Kesehatan (health insurance), BPJS Ketenagakerjaan (employment social security, including JHT, JP, and JKK), and PPh 21 (income tax withholding) on behalf of every operator on the program. The vendor should be able to produce evidence of BPJS enrollment for sample operators, monthly PPh 21 deposit slips, and year-end SPT 1721 filings (annual income tax recapitulation).

What good answers look like: vendor can show three months of BPJS Kesehatan payment records, three months of BPJS Ketenagakerjaan payment records, and the most recent SPT 1721 filing under the entity's NPWP. THR (holiday allowance) handling is in the contract; pesangon (severance) math is in the SOP. For PKWT (fixed-term) vs PKWTT (permanent) classification, the vendor can explain the 5-factor test and where each operator falls.

What red flags look like: vendor says 'we pay all taxes and insurance' but cannot produce a single document; vendor offers to handle statutory compliance 'at additional cost' without naming what the cost covers; vendor uses 1099-equivalent or pure contractor status for operators who, on the 5-factor test, would be classified as PKWTT employees. Each of these is a misclassification risk that, in a Kemnaker audit, lands on the buyer.

A real Indonesian BPO will disclose the structure of their screening funnel, gate by gate, and the pass-rate at each gate. Zipang's 5-gate funnel: CV relevance scan, async English and SOP-comprehension screening, role-specific quiz, structured video interview, paid trial task, is the reference benchmark; the gate 3 quiz is program-specific but the rest of the funnel is reusable. End-to-end pass-rates typically land at 6–12%.

What good answers look like: a vendor who can name all 5 gates, describe the rubric at each, and provide aggregate pass-rates per gate for a comparable program. Bonus points if they can describe a candidate's journey through the funnel and what disqualifies a candidate at each stage.

What red flags look like: vendor says 'we screen carefully' without naming the gates; vendor runs only CV review and one interview before production; vendor's pass-rate is implausibly high (above 30% end-to-end), that means the funnel is not filtering, and the program will produce operators who have not cleared a real rubric.

A real Indonesian BPO will run a paid trial task, scored against the client's actual production KPI, before the operator is committed to a long-term contract. The trial should be paid (a typical Indonesia BPO trial is paid at the same hourly rate as production), time-bounded (usually 1–2 weeks), and KPI-scored (the trial output is graded against a rubric that mirrors the live production rubric).

What good answers look like: vendor provides a sample trial task, the rubric, the time budget, and the pass threshold. The trial is paid; the pass threshold is published; the conversion from trial to production is published. For a 50-operator program, expect 80–120 trialists to yield the 50 production operators.

What red flags look like: vendor treats the trial as a free 'evaluation period' rather than a paid task; vendor runs the trial without a published rubric; vendor's trial-to-production conversion is above 70% (the trial is not filtering); vendor refuses to share the trial task until after the contract is signed.

A real Indonesian BPO will write a 30-day replacement window and a 90-day non-performance window into the contract. The 30-day window covers any operator who falls below the gold-set threshold, who triggers an escalation event, or who fails a policy update retraining. The 90-day window covers non-performance issues that surface later, consistently slow throughput, repeated QA flags, or failure to maintain shift coverage. Replacement is the operator's responsibility, not the client's.

What good answers look like: a contract clause that names the 30-day and 90-day windows, lists the trigger conditions, and commits to a 5-business-day replacement timeline. Vendor can describe how the replacement operator is onboarded (same 5-gate funnel, paid trial before production).

What red flags look like: vendor offers a 'best effort' replacement without a contractual window; vendor's replacement timeline is 'we'll try' rather than 5 business days; vendor asks the client to re-run hiring for the replacement. The replacement guarantee is the operational backstop; without it, a single underperforming operator can derail a 50-person pod.

A real Indonesian BPO will provide a real-time KPI dashboard, accessible to the buyer's program manager, showing per-operator and aggregate metrics on the same rubric used for production. Weekly email summaries are not enough; the buyer needs to be able to query the dashboard mid-week, slice by operator, slice by queue, and slice by severity.

What good answers look like: a dashboard URL with role-based access for the buyer's team, real-time or near-real-time updates (sub-hour latency on operator metrics, end-of-day on queue metrics), and a published metric catalog. The dashboard should show: accuracy (precision, recall), throughput (tasks per operator per shift), time-to-decision, escalation rate, and replacement / churn rate.

What red flags look like: vendor sends a weekly PDF summary and calls that the 'dashboard'; vendor's dashboard is a screen share of an internal tool the buyer cannot access directly; vendor's KPIs are defined in marketing language ('high quality', 'fast turnaround') rather than in operational numbers. If the buyer cannot see the data, the buyer cannot manage the program.

A real Indonesian BPO will document data residency per client: where the data is stored, how it is encrypted in transit and at rest, and which country's regulations apply. Indonesia's UU PDP 2022 (personal data protection law) is the home-jurisdiction requirement; GDPR Article 28 is the requirement for any EU client; CCPA / CPRA for California clients; UK GDPR for UK clients. The contract should reference the specific articles that apply and the technical controls that satisfy them.

What good answers look like: a data processing addendum that names the legal basis for processing, the data categories, the retention period, the sub-processor list, and the cross-border transfer mechanism. Vendor uses region-pinned cloud storage (e.g., Singapore for APAC clients, EU-region for European clients) and encryption keys are not co-located with the data.

What red flags look like: vendor cannot name where the data is stored; vendor says 'we comply with all data laws' without naming the specific articles; vendor's sub-processor list is not disclosed; vendor does not have a breach notification process or commits to a notification window above 72 hours. Data residency is the issue that becomes existential if a regulator asks.

A real Indonesian BPO will have a standard NDA and IP-assignment template, ready to be signed before any client data or client SOPs enter the production environment. The NDA should cover: confidentiality of client data and SOPs, prohibition on screenshots or external discussion, mandatory reporting paths for any personal data encountered, and post-employment restrictions for a defined cooling-off period. The IP-assignment should cover work product produced under the contract and any derivative works.

What good answers look like: a template the vendor has signed before (not a custom draft for each new client), with the key clauses in plain language and a 1–3 day review turnaround. The NDA is mutual, the vendor's confidential information is also protected, and the IP-assignment is limited to work produced under this specific contract.

What red flags look like: vendor says 'we'll just use your standard NDA' without offering one of their own; vendor's NDA is one-sided and does not protect the buyer's confidential information going the other way; vendor refuses to sign an IP-assignment until the contract is signed. NDA and IP-assignment are preconditions for any data sharing; if the vendor drags, the program will not start cleanly.

A real Indonesian BPO will provide three or more customer references with email contact, including the program manager or operations lead at the client, not just marketing logos. The references should be for programs of comparable size and scope: a 50-operator customer-support pod is the right reference for a 50-operator customer-support RFP, not a 5-operator virtual-assistant client.

What good answers look like: three references with name, role, email, and a 30-minute call scheduled within a week. The reference can speak to the operational shape of the program: accuracy, throughput, replacement in action, KPI dashboard usage, not just to whether the contract ended well.

What red flags look like: vendor offers only logo references and no named contacts; vendor offers references for unrelated program types; vendor's references are all junior (analyst-level) rather than program-manager-level. The reference call is the buyer's single best diligence input; if the vendor cannot provide it, the vendor's claim is unsubstantiated.

A real Indonesian BPO carries Errors & Omissions (E&O) insurance and cyber-liability insurance at limits appropriate to the program size. E&O covers mistakes in the production output that cause client loss; cyber covers data breach, ransomware, and notification costs. For a USD 1M+ annual contract, expect E&O and cyber limits of at least USD 1M each, with the buyer named as an additional insured where possible.

What good answers look like: a certificate of insurance (COI) showing the carrier, the limits, the policy period, and the named insureds. Vendor can name the broker and the renewal date. Coverage applies to the Indonesia operation specifically, not just to a global parent policy that excludes Southeast Asia.

What red flags look like: vendor says 'we are insured' without producing a COI; vendor's coverage excludes the Indonesia operation; vendor's cyber coverage is below USD 500k for a USD 1M+ program. Insurance is the backstop when the operational controls fail; without it, the buyer absorbs the loss.

A real Indonesian BPO operates a 3-region disaster recovery plan: production in one region, hot-standby in a second region, cold-archive in a third. The DR plan covers: production outage (data center failure, network outage), security incident (ransomware, breach), and natural disaster (earthquake, flood, civil unrest). The RTO (recovery time objective) and RPO (recovery point objective) should be in the contract.

What good answers look like: a published DR plan with named regions, RTO/RPO numbers, and a documented tabletop exercise in the last 12 months. The plan is specific to the buyer's program, not a generic parent-company policy.

What red flags look like: vendor says 'we have backups' without naming the regions; vendor's RTO is above 24 hours for a 24/7 program; vendor has not run a DR test in the last 12 months. A program that runs 24/7 cannot tolerate a 48-hour outage; the DR plan is the test of whether the vendor takes that seriously.

A real Indonesian BPO will line-item the pricing: per-operator monthly cost, what's included (payroll, PPh 21, BPJS Kesehatan, BPJS Ketenagakerjaan, THR, supervisor time, hardware, software licenses, training, replacement), and what's a pass-through (one-time setup, change requests, scope expansion). Hidden payroll fees, 'administrative fees' that are 5–10% of base salary and not disclosed up front: are the single most common buyer complaint about cheap BPO vendors.

What good answers look like: a line-item pricing schedule that the buyer can audit against the contract; a published 'what's included' list; a clear change-order process for any scope addition; and a year-2 / year-3 price-escalation clause tied to a published index (BI rate, BPS wage index, or similar).

What red flags look like: vendor quotes a single all-in number without breaking out the components; vendor adds 'setup fees', 'training fees', or 'administrative fees' after the contract is signed; vendor's pricing is below the published Indonesia BPO pricing benchmark (USD 500–1,500 / month depending on role) and the vendor cannot explain how. A price that looks too good is hiding somewhere.

Use these 12 questions as the spine of an RFP or a vendor diligence call. A vendor that answers each in under 100 words with specific evidence (document names, metric values, contact information) is a vendor that has run the program before.

1. Provide your NIB, NPWP, deed of establishment, and (if applicable) BKPM / OSS approval letter. 2. Provide three months of BPJS Kesehatan and BPJS Ketenagakerjaan payment records and your most recent SPT 1721. 3. Describe your 5-gate screening funnel, gate by gate, with aggregate pass-rates per gate. 4. Provide a sample paid trial task, the rubric, the time budget, and the pass threshold. 5. What does your replacement guarantee cover, what is the timeline, and is replacement a contractual right? 6. Provide access to your KPI dashboard with role-based access for our team. 7. Where is our data stored, what is the encryption posture, and which regulations apply? 8. Provide your standard NDA and IP-assignment templates. 9. Provide three customer references with name, role, and email, for programs of comparable size. 10. Provide a certificate of insurance for E&O and cyber. 11. Provide your 3-region DR plan with RTO and RPO. 12. Provide a line-item pricing schedule with what's included and what is a pass-through.