If you're running an enterprise SaaS company and you have customers in China -- or customers with factories in China -- you've probably had the conversation. Someone on the team opens your app from Shanghai, and it's slow. Or blocked. Or both. And then the question comes: what do we need to do to serve China?

The answer is more tractable than most people think, but it involves navigating a regulatory and infrastructure environment that is genuinely different from anywhere else. At LightSource, we serve enterprise procurement teams at manufacturers with operations across the US, Europe, and Asia -- including mainland China. Getting this right took work, and the architecture we landed on is one that other B2B SaaS companies can learn from.

Here's what we did, what we learned, and what you need to know if you're considering it.

The Problem: Why China Is Different

China operates the Great Firewall (officially the Golden Shield Project), which filters and throttles internet traffic crossing the border. If your application is hosted on AWS us-east-1 or any standard global cloud region, users in mainland China will experience latency of 300-800ms on every request, with frequent packet loss, connection resets, and degraded performance on anything that loads third-party scripts, fonts, or assets from global CDNs.

This isn't a theoretical problem. For a procurement platform where buyers and suppliers need to collaborate in real time -- uploading RFQs, comparing quotes, negotiating pricing -- a slow or unreliable connection means the tool doesn't get used. And a tool that doesn't get used doesn't generate value.

The regulatory layer adds complexity. China's Cybersecurity Law (2017), Data Security Law (2021), and Personal Information Protection Law (PIPL, 2021) collectively establish a framework that requires certain data collected in China to be stored domestically, restricts cross-border data transfer, and mandates ICP licensing for any website or application serving Chinese users.

Step 1: Get an ICP License

An ICP (Internet Content Provider) license is the legal prerequisite for operating any website or web application accessible from mainland China. Without it, Chinese ISPs can block your domain, and CDN providers operating inside China will not serve your content.

There are two types:

ICP Filing (ICP备案): Required for any website hosted in China. This is the basic registration, typically processed in 20 business days. It ties your domain to a Chinese cloud hosting account and a Chinese business entity.

ICP Commercial License (ICP经营许可证, category B25): Required if you charge for services online -- which includes SaaS subscriptions, marketplace transactions, or any paid digital service. This takes 60-90 business days and has stricter documentation requirements.

For most B2B SaaS companies serving enterprise customers, you need the commercial license. LightSource obtained our ICP license through Beijing (京ICP备2021009027号-17), registered on our Chinese domain lightsource.cn.

The catch: ICP licenses can only be obtained by Chinese legal entities. If you're a US or European company, you need either a Wholly Foreign-Owned Enterprise (WFOE) in China, a joint venture where foreign investment doesn't exceed 50%, or a partnership with a licensed Chinese entity. This is a real barrier to entry, and it's one of the reasons many SaaS companies delay their China strategy until they have paying customers there who are asking for it.

Step 2: Choose Your Architecture

There are three common patterns for serving a SaaS application to Chinese users. Each makes different tradeoffs on performance, compliance, and data residency.

Pattern A: Full China Deployment

Host everything -- application servers, databases, user data -- inside mainland China on AWS China (Beijing or Ningxia), Alibaba Cloud, or Tencent Cloud. AWS China operates independently from AWS Global, run by local partners (Sinnet in Beijing, NWCD in Ningxia). As of 2025, AWS China offers roughly 122 services compared to 395 globally.

Pros: Best performance for Chinese users. Full compliance with data residency requirements. CDN acceleration via CloudFront China's edge locations in Beijing, Shanghai, Zhongwei, and Shenzhen.

Cons: You're maintaining two separate infrastructure stacks. Data is in China, subject to Chinese jurisdiction. Separate AWS accounts, separate billing, separate operations. For most B2B SaaS companies, this is overkill unless China is a primary market.

Pattern B: Edge Acceleration from Hong Kong (LightSource's Approach)

Serve the frontend -- static assets, CDN, initial page load -- from a nearby region (Hong Kong or Singapore), while keeping application servers and data in the US or Europe. The ICP license establishes legal presence, and the edge acceleration reduces latency for the initial experience.

Pros: Data stays in US jurisdiction. Single application stack to maintain. Reasonable performance for Chinese users (Hong Kong is ~30ms from Shenzhen, compared to 300ms+ from US). Legal presence established via ICP license and .cn domain.

Cons: Performance is good but not as fast as full mainland deployment. Cross-firewall traffic still experiences some throttling. API calls from the browser still route to US servers, so interactive operations carry latency.

This is the pattern LightSource uses. Our frontend is accelerated through AWS from Hong Kong, our data lives in the United States, and our Chinese enterprise customers access the platform through lightsource.cn with their ICP-filed domain. For a B2B procurement platform where the primary users are professional buyers running sourcing events, this architecture provides a usable experience without the operational complexity of a full China deployment.

Pattern C: No China Infrastructure (Rely on VPNs)

Don't deploy anything specific to China. Assume enterprise users have VPN access and can reach your global application.

Pros: No additional infrastructure or compliance work.

Cons: Unreliable. China has been tightening VPN enforcement since 2017. Enterprise VPNs are technically permitted but consumer VPNs are routinely blocked. Performance is inconsistent. You're asking your customer to solve an infrastructure problem that should be yours to solve. This is not a real strategy -- it's a placeholder.

Step 3: Handle Data Residency

China's PIPL (Personal Information Protection Law) requires that personal information collected in China be stored domestically unless one of three cross-border transfer mechanisms is satisfied:

1. Security Assessment by the Cyberspace Administration of China (CAC) -- required for large-scale data handlers

2. Personal Information Protection Certification from an accredited institution (new certification measures took effect January 2026)

3. Standard Contractual Clauses (SCCs) signed with the overseas data recipient

For B2B SaaS companies handling enterprise procurement data -- supplier quotes, BOM structures, pricing negotiations -- the data is typically commercial/business data, not personal information of Chinese citizens at scale. This distinction matters. If your application primarily handles business-to-business transaction data rather than consumer personal information, the cross-border transfer requirements are less restrictive, though you should still have legal counsel confirm your specific situation.

In May 2025, Shanghai authorities issued the first publicly disclosed enforcement action specifically targeting cross-border data transfer violations -- a European luxury brand's subsidiary that transferred personal information to France without using any required transfer mechanism. The signal is clear: enforcement is real and increasing.

Watch for accidental data replication. Teams say "our data lives in the US" because the database is in the US. But data architecture is not just databases. CDN logs may include query strings with customer identifiers. Error logs may include request payloads. AI traces may include RFQ text. Support tooling may copy attachments into a US ticketing system. Screenshots in bug reports may contain supplier names. If you're claiming data residency in one jurisdiction, audit every system that touches user-generated content -- not just the primary data store.

Step 4: Localization Beyond Infrastructure

Infrastructure gets your application through the firewall. It doesn't make it usable for Chinese users. Consider:

Language: If your buyers and suppliers in China are communicating through the platform, the UI needs to support Simplified Chinese. LightSource handles this through localization of the core procurement workflows.

Payment and invoicing: Chinese business practices around fapiao (official tax invoices) and payment terms differ from Western norms. If your platform handles commercial transactions, this matters.

Third-party dependencies -- the real killer: This is where most apps actually break in China. Search your built application (not just your source code) for calls to any of these blocked domains:

• googleapis.com, gstatic.com, google-analytics.com, googletagmanager.com

• recaptcha.net, maps.googleapis.com

• stripe.com, intercom.io, intercomcdn.com

• segment.com, sentry.io, hotjar.com

Some of these work intermittently, which is worse than being fully blocked. A blocked dependency fails quickly. An intermittent dependency makes your app feel haunted. Google Fonts is the classic small failure -- a designer adds a font import, the browser waits, text rendering stalls, and a user in Hangzhou thinks the product is broken. Nobody notices from San Francisco.

Self-host fonts. Self-host critical JavaScript. Make third-party scripts non-critical by default.

Authentication: Google SSO is not a China login strategy. For enterprise SaaS, the answer is usually SAML or OIDC with the customer's identity provider, plus a fallback method that doesn't depend on blocked services. If you use CAPTCHA, test the exact challenge in China -- some WAF-managed challenges quietly depend on unreachable scripts. A login page that loads but can't authenticate creates a support ticket that looks like user error.

WebSockets and real-time features: Cross-border WebSockets can work but connection lifetime is unpredictable. If a workflow matters, it should survive a broken socket. Use durable job state. Let the user refresh without losing progress. Don't design the China path for ideal conditions.

Mobile: WeChat integration is effectively mandatory for business communication in China. If your platform has a notification or messaging component, WeChat compatibility is worth considering.

What We'd Recommend

If you're a B2B SaaS company and China represents 5-15% of your user base or your customers have significant China-based operations:

1. Start with the ICP license. This is the longest lead time item (60-90 days for commercial) and requires a Chinese legal entity. Start the process before you need it.

2. Deploy Pattern B (edge acceleration from Hong Kong). It gives you 80% of the performance benefit with 20% of the operational complexity.

3. Audit your third-party dependencies. This is the single highest-impact, lowest-cost step. If your app loads Google Fonts or Analytics, it's broken in China regardless of your server architecture.

4. Get legal counsel on PIPL. Don't guess about data residency. The regulatory environment is evolving and enforcement is increasing.

5. Talk to your customers. Ask your China-based users what their experience is like today. The answer will tell you how urgently you need to move.

Sources

• The Complete Guide to China's ICP License (B25) -- AppInChina on ICP filing types, requirements, and timelines

• A 2025 Guide to ICP Licences in China -- Chinafy on when an ICP license is required

• Content Delivery in China -- AWS documentation on China CDN architecture and requirements

• Getting Started with AWS Services in China Regions -- AWS on Beijing and Ningxia region setup

• China PIPL Compliance 2026: Essential Guide -- Overview of PIPL requirements and cross-border data transfer mechanisms

• Navigating China's Cross-Border Data Transfer in 2026 -- IT Consultis on the three legal pathways for cross-border data transfer

• China Data Protection: Annual Review of 2025 and Outlook for 2026 -- Bird & Bird on enforcement trends and regulatory outlook

Frequently Asked Questions

Do I need an ICP license to serve Chinese users?

If your website or application is hosted on servers inside mainland China, yes -- an ICP filing is legally required. If you serve content from outside China (e.g., Hong Kong or Singapore), you don't technically need an ICP license, but your site will likely be slow or intermittently blocked behind the Great Firewall. For enterprise SaaS companies with Chinese customers, obtaining an ICP license and establishing a China-optimized delivery path is the practical approach.

Can a foreign company get an ICP license directly?

Not directly. ICP licenses must be issued to Chinese legal entities. Foreign companies typically establish a Wholly Foreign-Owned Enterprise (WFOE) in China, form a joint venture with a Chinese partner, or work with a licensed Chinese entity to obtain the license on their behalf. The process requires a Chinese business license and takes 20 business days for a basic filing or 60-90 days for a commercial license.

Does my data need to be stored in China?

It depends on the type of data. China's PIPL requires that personal information of Chinese citizens be stored domestically or transferred abroad through one of three approved mechanisms (security assessment, certification, or standard contractual clauses). For B2B SaaS platforms handling primarily commercial/business data -- supplier quotes, BOMs, procurement transactions -- the requirements are less restrictive, but legal counsel should confirm your specific situation.

What is the Great Firewall and how does it affect SaaS performance?

The Great Firewall (Golden Shield Project) is China's internet filtering and throttling system. It affects SaaS applications by adding 300-800ms of latency to requests crossing the border, causing packet loss and connection resets, and blocking many common third-party services (Google, Facebook, many analytics and tracking tools). Enterprise SaaS companies address this by deploying frontend acceleration from nearby regions like Hong Kong or by hosting inside mainland China.

What third-party services are blocked in China?

Google services (Fonts, Analytics, Maps, Recaptcha), Facebook, Twitter/X, most Meta properties, many Western analytics tools (Mixpanel, Amplitude), Stripe.js, Intercom, and HubSpot tracking scripts are all blocked or severely throttled. Any third-party dependency your application loads should be audited for China compatibility. Self-hosting fonts and using China-compatible analytics alternatives are common fixes.

How does LightSource serve Chinese users?

LightSource holds an ICP license from Beijing (京ICP备2021009027号-17) and operates lightsource.cn for Chinese customers. The frontend is accelerated through AWS from Hong Kong, while application data remains in the United States. This architecture provides usable performance for enterprise procurement teams in China without requiring a full mainland China deployment or duplicating the infrastructure stack.

How long does the ICP licensing process take in practice, and what tends to delay it?

A basic ICP filing for non-commercial sites takes around 20 business days; a commercial ICP license takes 60 to 90 days. The most common delays are incomplete documentation from the Chinese legal entity, mismatches between the registered business scope and the website's stated purpose, and provincial-level review backlogs. Most foreign companies underestimate the time to set up the underlying Chinese legal entity (WFOE or partnership), which is the prerequisite step.

Should I use Hong Kong as a beachhead instead of hosting inside mainland China?

For early-stage enterprise SaaS with a small Chinese user base, Hong Kong hosting often makes sense -- no ICP filing required, faster to deploy, and the latency to mainland China is manageable for most B2B applications. The tradeoff is performance: Hong Kong-hosted sites still cross the Great Firewall, so latency can spike under congestion and certain government inspections can throttle traffic. The right point to migrate inside the wall is when consistent sub-500ms response times become a customer requirement.