Hiring Contractors in Indonesia as a Foreign Startup: Access, Compliance, and What Nobody Tells You
A practical guide for foreign startups hiring Indonesian contractors — covering PKWT contracts, tool access scoping, IP protection, and offboarding revocation.
Hiring Contractors in Indonesia as a Foreign Startup: Access, Compliance, and What Nobody Tells You
If you're a foreign startup hiring your first contractor in Indonesia, use a PKWT (fixed-term) agreement for project-based work — not a PKWTT (permanent) contract. That's the contract side. The part nobody writes about: what Slack channels, Figma files, Notion workspaces, and GitHub repos to give them on day one, and exactly how to pull all of that back when the project ends. This guide covers both layers.
Why This Matters for Foreign Startups
Indonesian contractors are attractive hires: strong engineering, design, and ops talent, costs roughly 30–50% below Singapore rates, and no requirement to establish a local entity for project-based work. But foreign founders routinely make two mistakes: misclassifying a long-term role as a PKWT (converting it to a permanent obligation automatically), and over-provisioning tool access at hire — then scrambling to reclaim it when the contract ends. The access layer compounds the contract risk: if a contractor departs with live Figma editor rights, GitHub contributor access, or admin-level Notion permissions, your IP exposure doesn't end when the invoice stops.
PKWT vs. PKWTT: Picking the Right Contract (and Why Misclassification Is Expensive)
Indonesian employment law recognizes two core contract types:
PKWT (Perjanjian Kerja Waktu Tertentu) — fixed-term. Use this for project-based, seasonal, or time-limited work. Maximum duration is five years including extensions. No probationary clause allowed — if you add one, the contract auto-converts to PKWTT and you inherit permanent employment obligations.
PKWTT (Perjanjian Kerja Waktu Tidak Tertentu) — permanent. Ongoing, indefinite employment with full severance entitlements. This is for core, recurring roles — not contract work.
The misclassification trap: if a contractor does ongoing work that looks like a permanent role (same hours, same reporting lines, no defined project end), Indonesian labor authorities can reclassify the PKWT as PKWTT. That triggers back-paid entitlements, severance obligations, and BPJS Ketenagakerjaan enrollment.
Practical rule: if the engagement is longer than 12 months or the deliverable isn't project-scoped, consult a local employment attorney or use an EOR to carry the risk.
What Access to Provision on Day One (And What to Lock)
Over-provisioning is the most common mistake foreign startups make with Indonesian contractors. A developer joining for a 3-month API integration project doesn't need admin access to your Slack workspace, edit rights on your company-wide Notion, or owner-level GitHub org permissions. Here's a practical four-tier access model:
Tier 1 — Project scope only. Access limited to the specific tools and repos needed for the engagement. A UI designer gets the client's Figma project; they don't get your internal brand guidelines or full Notion workspace.
Tier 2 — Guest or viewer roles first. Start with read-only or guest access. Upgrade to editor/contributor only when a specific task requires it, and document the reason.
Tier 3 — No admin access, ever. Contractors should not hold admin roles in Slack, GitHub, Notion, or your billing tools. If they need admin to do a one-off task, you execute it — they don't hold the keys.
Tier 4 — Separate contractor channels. In Slack, add contractors to project-specific channels only. Not your #general, not your internal announcements, not your strategy threads. External guest roles exist for this purpose.
IP Protection from Day One
Indonesian contract law does not automatically assign copyright to the commissioning party the way US work-for-hire doctrine does. Without an explicit IP assignment clause in the PKWT, your Indonesian contractor legally retains copyright over deliverables they created.
Three things your PKWT must include:
- IP assignment clause. All work product, code, designs, and documentation created during the engagement are assigned to [your company] upon full payment. The contractor retains no license.
- Confidentiality obligation. The contractor may not disclose, copy, or retain company data, client information, or unreleased product details beyond the engagement period.
- No-tools-retention clause. Upon contract end, the contractor must delete all downloaded files, credentials, and copies of proprietary materials within 48 hours.
These clauses need to be in the Indonesian-language version of the contract (PKWT must be written in Bahasa Indonesia). If you're signing an English agreement only, the IP assignment may be unenforceable in local courts.
The access layer reinforces the legal layer: an IP assignment clause means nothing if the contractor still has Figma edit access to your design system two months after the project ended.
Offboarding an Indonesian Contractor: The Access Revocation Protocol
The contract end date is the trigger — not the final invoice payment. When the PKWT ends (or when you terminate early), the access revocation happens the same day. This order matters:
Step 1 — Revoke active tool access. Go tool by tool: Slack (remove from workspace or downgrade to guest and then remove), Figma (remove from all projects and the team), GitHub (remove from org and any repos), Notion (remove from all pages and workspaces), plus any project management tools — Linear, Jira, Asana, ClickUp — they had access to.
Step 2 — Rotate shared credentials. If the contractor had access to any shared accounts (staging environment passwords, API keys, social media accounts), rotate those immediately. This is a harder problem if you've been sharing credentials via screenshot or Slack DM — another reason to use a credential management tool with per-contractor access grants.
Step 3 — Archive their contributions. Before removing access, make sure all their work is committed, merged, exported, or otherwise captured in your systems. A repo commit, a Figma file handoff, a final invoice + deliverable confirmation.
Step 4 — Confirm deletion. Send a brief written confirmation (email is sufficient) that the contractor has deleted any downloaded company materials per their contract. Keep the record for 12 months in case of a future IP dispute.
For a practical guide on managing this revocation across 12+ tools simultaneously, see How to Offboard an Employee Across 12 SaaS Tools When You Have No IT Team.
EOR vs. Direct PKWT: What Changes for Access Management
| Direct PKWT (you manage) | EOR / PEO (e.g., Deel, Remote) | |
|---|---|---|
| Contract risk | You own misclassification risk | EOR absorbs it |
| BPJS enrollment | Not required for contractors | Depends on EOR structure |
| IP assignment | Must be in your PKWT | Separate IP agreement still needed |
| Access provisioning | You control fully | Still your responsibility |
| Offboarding access revocation | You execute | Still your responsibility |
| Cost | Lower | Higher (EOR fee typically 15–20% of salary) |
The critical insight here: an EOR handles payroll and compliance, but never handles access. Regardless of whether you hire directly or through Deel or Remote, you are the one granting and revoking Slack, Figma, GitHub, and Notion access. The tool lifecycle is always the employer's job.
This is where foreign startups get caught — they assume that because an EOR is managing compliance, access management is also handled. It isn't. See The Offboarding Gap: Why HR Software Won't Revoke Access for a breakdown of why this disconnect exists across every hiring structure.
If you're managing Indonesian and Taiwanese teams simultaneously, Best HR Tools for Cross-Border Startups Managing Teams in Both Indonesia and Taiwan covers the combined compliance + access picture.
FAQ
Q: Can I hire an Indonesian contractor without setting up a local entity? Yes. Foreign companies can engage Indonesian contractors directly under a PKWT without establishing a PT PMA (foreign-owned company) or local subsidiary. The contractor is not your employee — they're an independent service provider. You do not handle BPJS Kesehatan or BPJS Ketenagakerjaan for them. However, misclassifying a long-term role as a PKWT still carries legal risk — the classification must match the work's nature.
Q: Does a PKWT need to be in Bahasa Indonesia? Yes. Indonesian labor law requires fixed-term employment contracts to be written in Bahasa Indonesia. Bilingual versions are common and acceptable, but if there's a conflict between the Indonesian and English text, the Indonesian version governs in local courts. Have an Indonesian-speaking attorney or trusted translation service review IP and confidentiality clauses specifically.
Q: What happens to access if a contractor goes dark mid-project? Revoke immediately. Don't wait for a project handoff or a final invoice. A contractor who stops responding is a contractor who may retain access indefinitely if you don't act. The ghosted contractor access protocol covers the fastest sequence: Slack, GitHub, Figma, Notion, then shared credentials — in that order.
Q: Should I give an Indonesian contractor a company email address? It depends on the tool setup. A company email address gives access to Google Workspace, which potentially means Drive, Calendar, Gmail, and any OAuth-connected tools. If you issue a company email, treat it like full employee access and revoke it explicitly on day one of offboarding — deactivating the Google account cascades to everything connected. Many startups find it simpler to use guest access via the contractor's personal email for a cleaner revocation surface.
Q: Is there a minimum contract value or payment threshold for Indonesian contractors? No statutory minimum for independent contractor agreements. However, contractors earning above IDR 54,000,000/year may have PPh 21 income tax obligations — this is the contractor's individual responsibility, not yours, unless you've agreed to gross up their payments. Clarify this in writing in the PKWT to avoid disputes at contract end.
Get the Access Layer Right from Day One
Optserv tracks every tool grant you make to a contractor — Slack, Figma, GitHub, Notion, Linear — and fires a complete revocation workflow the moment a PKWT ends. When your Indonesian contractor's contract closes, access closes with it. Try Optserv free or explore how the lifecycle module handles contractor onboarding and offboarding end to end.
Sources
- ASEAN Briefing — Employment Contracts in Indonesia: Complete Legal Guide for 2026: https://www.aseanbriefing.com/doing-business-guide/indonesia/human-resources-and-payroll/employment-contracts-type-indonesia
- Emerhub — PKWT vs PKWTT: Understanding Employment Contracts in Indonesia: https://emerhub.com/indonesia/guide-to-employment-contracts-in-indonesia/
- Deel — 10 Steps to Manage Contractor Offboarding and Ensure IP Protection: https://www.deel.com/blog/steps-to-manage-contractor-offboarding-and-ensure-ip-protection/
- ILA Global Consulting — Employment Contracts in Indonesia 2026: https://ilaglobalconsulting.com/employment-contracts-indonesia/
Run your entire team from one place.
Optserv handles hiring, onboarding, access management, and offboarding — built for startups that want to operate like grown-ups without the enterprise overhead.
Try Optserv free