Summary
- PT. Arupa Cloud Nusantara is not a simple web hosting brand. Its own pages describe a technology aggregator founded in 2017, with over 350 clients, more than 50 distribution partners, more than 20 solutions as a service, and a current public contact address at South Quarter Tower A in South Jakarta.
- The company sells hosted capacity across several layers: Arupa Compute, Virtual Data Center, Virtual Server, Private Cloud, Backup, Arupa Backup, Zerto disaster recovery, object storage, managed cloud, cloud migration, and, via a 2026 Civo announcement, a sovereign Kubernetes cloud intended for Indonesian workloads.
- Network evidence is visible but narrow. APNIC identifies AS136102 and AS137286 as resources of PT. Arupa Cloud Nusantara; RIPEstat saw both ASNs globally visible in IPv4 on 11 July 2026; PeeringDB shows a 1 Gbps OpenIXP / NiCE port for AS136102 and a 1 Gbps DCI-IX port for AS137286. No public source found IPv6 announcements for either ASN.
- The unresolved operational test is physical rather than linguistic. Public pages describe flexible capacity, fast recovery, local compliance, and managed support, but they do not publish rack counts, data centre lease limits, power and cooling topology, hardware spare parts policy, backup restoration tests, multi-site failover drills, or exit procedures for customers who need to move their workloads.
The cloud promise is real, but the hard questions sit beneath the brand
Arupa is a good example of why small and medium-sized cloud providers must be analysed from two angles simultaneously. The first angle is commercial: what does the provider offer and who is it for? From this perspective, the company has a much stronger public footprint than a simple hosting reseller. Itshomepagestates that it helps enterprises, SMEs, and technology partners with cloud, data, and cybersecurity solutions. Itsabout pagesays that Arupa Cloud Nusantara has operated as a trusted technology aggregator since 2017 and lists over 350 trusted clients, more than 50 distribution partners, over 20 solutions as a service, and 100% local expertise. Itspartner programme pageinvites MSPs, system integrators, resellers, and ISV partners to join a growing ecosystem around cloud and data security services.
The second angle is physical: what equipment, buildings, routes, people, and contracts make the commercial promise true on a bad day? This evidence is thinner. The same public pages describe flexible cloud infrastructure, local engineers, fast recovery, and data stored in Indonesia, but they rarely name the data centre hall, the rack footprint, the electrical design, the upstream hand-off point, the hardware spare stock, or the support escalation path. A buyer can see the service categories.
They cannot fully trace the dependency chain from an Arupa invoice to a power supply, a switch, a disk shelf, a hypervisor cluster, a backup repository, and a human incident manager.
That does not mean the capacity is fictitious. The company has network resources registered with APNIC, two visible autonomous systems, and public interconnection records. It also has a current formal office address and several recent product announcements. The correct conclusion is more precise: Arupa has enough public evidence to be considered an operational Indonesian cloud and services company, but not enough to assign a resilience level to the hosted capacity it sells.
The risk is therefore not “is this company real?” but “which parts of the cloud are under Arupa’s direct operational control, and which depend on a data centre owner, an operator, a hardware vendor, a software licensor, or a migration partner?”
Identity, addresses, and the Zettagrid boundary
Arupa’s public identity carries several overlapping labels. APNIC records forAS136102andAS137286name PT. Arupa Cloud Nusantara, describe it as a corporate/direct member of IDNIC, and place the former registry address at Eightyeight@Kasablanka Office Tower, 18th floor, Menteng Dalam, Tebet, South Jakarta. PeeringDB’sorganisation profilealso names PT. Arupa Cloud Nusantara and uses the alias Zettagrid Indonesia at the Eighty Eight Kasablanka address. Arupa’s currentcontact pageinstead points to South Quarter, Jalan R.A. Kartini Kav. 8, Tower A, 9th floor, Cilandak Barat, South Jakarta, with marketing and support email addresses.
The address difference is a signal, not a contradiction. Company, registry, interconnection, and marketing records are often out of step. But for a cloud provider, address rigour matters because customers need to know which site is an office, which is a network registration address, and which holds production equipment. Arupa’s public office pages do not claim that the South Quarter office is the data centre. APNIC and PeeringDB identify the company and its numbering resources, not the physical rack footprint.
The company should therefore be understood as an operator and technology partner with office and registry addresses, while the hosting substrate lies elsewhere.
The Zettagrid label also requires careful handling. Several pages and third-party profiles use Arupa, Zettagrid Indonesia, or both. TheBroadcom partner award postrefers to PT Arupa Cloud Nusantara as Zettagrid Indonesia and states that it won a Broadcom partner award from Crayon Indonesia for 2025 after similar recognition in 2024. That supports the notion that Arupa is part of a VMware/Broadcom-oriented cloud services ecosystem. It does not by itself say whether every Arupa service is delivered on Arupa-owned hardware, Zettagrid-operated infrastructure, colocation, partner clouds, or a mix of those layers.
What Arupa sells: compute first, but not only
TheArupa Computepage presents the product family as flexible and scalable infrastructure for business growth. Within that family,Virtual Data Centeris positioned as a VMware cloud in Indonesia, giving customers control over server, storage, and network capacity without owning physical servers.Virtual Serveris the simpler VPS-type promise: fast, reliable, and flexible servers with capacity available in minutes.Private Cloudis presented as dedicated cloud infrastructure for an organisation, with stronger isolation and full control.
These are materially different operational commitments. A virtual server customer mainly needs a running VM, network reachability, snapshots or backups, and an upgrade path. A virtual data centre customer needs resource pools, tenant isolation, network segmentation, storage performance, and management plane availability. A private cloud customer may need reserved hardware, predictable maintenance windows, explicit hardware replacement timelines, and a clear ownership model for licences and appliances. If all three are sold under a single cloud story, the provider must make the capacity boundary for each product visible.
Backup and disaster recovery make this boundary even sharper. TheBackuppage says the service automatically protects and restores company data.Arupa Backupis described as an all-in-one service combining local and cloud backup, disaster recovery, and managed operation. A separate launch article states thatArupa Backupincludes data backup, data recovery, disaster recovery, security, monitoring, and even on-premises customer hardware, managed by Arupa’s expert team.Zerto SecondSitepromises real-time replication, an RPO measured in seconds, and an RTO measured in minutes.Active-Active DRpresents the goal as permanent business continuity.
Each of these claims can only be true if the slowest layer is sufficiently fast. A second-scale RPO is a replication statement; it depends on application write throughput, link quality, replication lag, storage latency, and failure detection. A minute-scale RTO is a recovery statement; it depends on procedures, DNS, firewall changes, application dependencies, identity systems, database consistency, and support approval. The public product pages say what the customer should get, but not the test evidence showing that a specific customer can get it.
Object storage and Kubernetes widen the dependency map
Arupa’s storage story extends beyond VM backup. ItsArupa Object Storagepage describes storage for archives, backups, multimedia content, and logs, and states that data is secured in an Indonesian Tier III data centre with encryption and regulatory compliance language. A later article states that Arupa has been anapproved MinIO reseller in Indonesiafor three years, promoting MinIO AIStor for S3-compatible storage, AI/ML, generative AI, data lakehouse, and cloud-native workloads.
That helps explain Arupa’s market position. It does not just sell generic compute slots. It assembles cloud, backup, storage software, licences, and local implementation. That can be valuable for an Indonesian enterprise that wants a local partner rather than a distant self-service cloud. But object storage also raises different operational tests. The important questions are durability, erasure coding or replication policy, failure domains, deletion protection, immutability, restore bandwidth, S3 compatibility limits, the export path, and who pays for data egress during a migration or incident.
A data sheet that says “object storage” does not answer those questions.
The Kubernetes layer adds another dependency. Arupa’s 22 May 2026 article states that it formed astrategic partnership with Civoto bring a sovereign Kubernetes-based cloud platform to Indonesia, with local support, implementation services, and assistance with regulatory needs. Civo’sIndonesia pagedescribes an Indonesian region hosted in Jakarta, designed for public cloud freedom and private cloud control, with managed Kubernetes, compute, managed databases, load balancers, local hosting, and alignment with the Indonesian personal data protection law.
The evidence about Civo is strong for service intent: Kubernetes capacity, local jurisdiction, and a product partnership. It is weaker on the physical questions this article tests. They do not publish the rack count behind the Jakarta region, the facility identity on the public page, the site failover design, the operator mix, the hardware spare parts pool, or whether Arupa’s role is reseller, operator, first-line support, implementation partner, or a combination that varies by customer.
The prudent reading is that the partnership widens Arupa’s cloud-native offering, while leaving the underlying site and recovery design to be verified in the customer’s contractual documents.
The two ASNs show an operational network, not a complete cloud map
The routing registry gives Arupa one of its strongest public anchors. APNIC identifiesAS136102as IDNIC-ARUPA-AS-ID and records import policies from AS24538 and AS7717, exports to AS23949 and AS7717, and a default route to AS24538. It identifiesAS137286under the same AS name, with imports from AS7717, AS17451, and AS56258, exports to the same three ASNs, and a default route to AS17451. Contact and abuse records point to Arupa.
RIPEstat’srouting status data for AS136102showed, at the 11 July 2026 check, all 327 available IPv4 RIS peers seeing the ASN, seven visible IPv4 prefixes, 2,560 IPv4 addresses, and no visible IPv6 space. Itsannounced prefixes datashowed prefixes including 103.10.148.0/22, 103.90.250.0/23, 103.90.250.0/24, 103.90.251.0/24, 103.145.194.0/23, 103.145.194.0/24, and 103.145.198.0/23 within the two-week window ending 11 July 2026. The correspondingrouting status data for AS137286showed 327 of 327 IPv4 peers seeing the ASN, three visible IPv4 prefixes, 2,048 IPv4 addresses, and no visible IPv6 space, while itsannounced prefixes datashowed 49.128.188.0/22, 103.90.248.0/23, and 103.145.196.0/23.
BGP.tools independently presentsAS136102as peered with four other networks and having two upstream providers, listing PT iForte Global Internet and Biznet Networks as upstreams. It presentsAS137286as peered with three other networks and having two upstream providers, listing Biznet Networks and PT PGAS Telekomunikasi Nusantara as upstreams. The same pages show no originating IPv6 space. That does not make the network weak; many Indonesian enterprise/cloud networks remain IPv4-dominated. It does mean that customer claims about IPv6 must be tested separately rather than inferred from the existence of a cloud product.
The ASNs must not be confused with the complete cloud map. A cloud provider may host customer workloads behind partner ASNs, private interconnections, tunnel services, public cloud regions, content networks, or customer-owned prefixes. Conversely, an ASN may originate downstream or customer address space that is not the provider’s own pool. The AS evidence shows that Arupa has active Internet routing. It does not reveal every tenant, storage cluster, hypervisor structure, or support path.
The prefixes show both Arupa space and customer-like contours
Prefix evidence adds an important nuance. APNIC assigns103.90.248.0/22to PT. Arupa Cloud Nusantara as allocated portable space, and the APNIC records for103.10.148.0/22and49.128.188.0/22are portable resources allocated to Arupa. These three blocks constitute strong evidence of enterprise resources.
Other visible originating space requires more caution. The APNIC registration for103.145.194.0/23shows the parent assignment to CV Qorner Organizer, while a more specific IDNIC entry for 103.145.194.0/24 names Arupa. APNIC’s parent assignment for103.145.196.0/23names CV Gweinity Elkalindo, while a more specific IDNIC /24 names Arupa. APNIC’s parent assignment for103.145.198.0/23names CV Geowhan Multi Teknologi, while a more specific IDNIC /24 names Arupa.
RADB route object lookups reinforce the layered nature of the routing. TheAS136102 origin setincludes entities described as Arupa by Biznet, proxy-registered entities, iForte transit customer routes, and several RPKI-derived route objects. TheAS137286 origin setincludes Arupa by Biznet, PGAS route objects, Level 3/Biznet route objects, and RPKI-derived entries. This is not unusual for a provider that uses transit operators and may carry downstream resources. But it tells customers not to assume that every route is the same type of asset.
The customer question is practical. If a workload uses Arupa-assigned address space, who maintains the route objects, RPKI, reverse DNS, and prefix portability? If a workload uses customer-owned or third-party resources originated by Arupa, how quickly can those routes be moved to another provider after a contractual dispute or outage? If Arupa changes upstreams, which prefixes are covered by valid ROAs and which depend on proxy route objects maintained by someone else? Addressing and routing are part of hosting portability, not an accounting triviality.
Interconnection is visible at OpenIXP and DCI-IX
PeeringDB shows two distinct Arupa network profiles.Arupa-JKT / AS136102carries the Zettagrid Indonesia alias, states the profile has six IPv4 prefixes, no IPv6 prefixes, 1–5 Gbps bandwidth, a mostly inbound ratio, and an open policy. Its PeeringDB exchange attachment isOpenIXP / NiCE, with IPv4 address 218.100.27.158 and a 1 Gbps port.PT. Arupa Cloud Nusantara / AS137286lists three IPv4 prefixes, no IPv6 prefixes, and an open policy. Its exchange attachment isDCI Indonesia DCI-IX, with IPv4 address 103.142.207.31 and a 1 Gbps port.
These records are useful because they place Arupa in two different Indonesian interconnection contexts. OpenIXP / NiCE is an Indonesian exchange profile with a PeeringDB history going back to 2010. DCI-IX is listed in Bekasi, and PeeringDB’sDCI-IX facility attachment dataplaces it in DCI Indonesia facilities, including JK1, JK2, JK3, JK5, H2-01, H2-02, E1, and E2. DCI’s own site describesDCI Indonesiaas operating an Indonesian data centre platform, with five locations, nine data centres, 132 MW of raw capacity, and a connectivity ecosystem including cloud providers, financial institutions, enterprises, and ISPs.
Interconnection records are not the same as data centre records. A 1 Gbps exchange port can support useful local peering, route reachability, and operational diversity. It does not prove that Arupa’s compute clusters are in the same facility, that the DCI-IX port is the sole path to those clusters, that Arupa has rack space in every DCI facility attached to the exchange, or that OpenIXP and DCI-IX serve distinct production failure domains. The records prove that Arupa is visible on specific exchange fabrics; they do not publish the topology between those fabrics and customer workloads.
Hosted capacity is not the same as installed hardware
Arupa’s commercial pages repeatedly emphasise flexibility. Virtual servers can be provisioned quickly; virtual data centre capacity can scale without investment in physical servers; private cloud offers dedicated infrastructure; managed cloud reduces operational complexity. Those claims are normal for cloud services. The missing public information is the physical pool that underpins the promise.
For compute, the important distinction is between installed capacity and usable capacity. Installed capacity is the sum of servers, storage shelves, switch ports, hypervisor licences, and power available at a site. Usable capacity is what remains after reserving headroom for failures, maintenance, noisy neighbour control, backup windows, snapshots, replication, management systems, and already-sold growth commitments. A provider can have CPU available under normal conditions and still lack sufficient resilient capacity after losing a host, a storage node, a rack PDU, or an upstream path.
Public pages do not show Arupa’s rack count, server generation, storage architecture, oversubscription policy, spare host ratio, maintenance isolation, management plane redundancy, or hardware replacement targets. That does not mean the company lacks them. It means buyers cannot verify the capacity model from public evidence. The same holds for GPU-AI and Kubernetes claims. A GPU service is constrained by card inventory, power density, cooling, the driver stack, the cluster scheduler, the image registry, storage throughput, and spare parts provisioning.
A Kubernetes service is constrained by control plane redundancy, node pool design, load balancer capacity, etcd backup, image pulls, CNI behaviour, and upgrade procedures.
The economics of hosting create tension here. The customer wants cloud elasticity. The provider earns its margin by sharing infrastructure efficiently. Resilience consumes margin because it leaves capacity unused until something fails. That is why the evidence cannot just be “scalable.” The evidence is a capacity report showing normal utilisation, degraded-mode headroom, and the largest component whose loss has been tested. Arupa’s public pages give the offer. The evidence needed for a serious buyer is the engineering schedule.
Locality is a sales argument, not a complete compliance answer
Data sovereignty is central to Arupa’s current narrative. The object storage page states that data resides in an Indonesian Tier III data centre. The Civo partnership says the sovereign cloud gives Indonesian organisations local infrastructure aligned with regulatory needs. Civo’s Indonesia page says the region is hosted in Jakarta, keeps data under Indonesian jurisdiction, and aligns with theIndonesian personal data protection law. The Indonesian electronic systems framework is also anchored byPP 71 Tahun 2019, which is the regulation cited in the Indonesian electronic systems provider rule set.
Locality is valuable, especially for regulated customers. It can reduce jurisdictional uncertainty, improve latency, simplify data access governance, and give customers a local support path. But locality is not a complete control. Customers still need to know which data is stored locally, which telemetry or support metadata leaves Indonesia, which vendor support teams can access systems, how encryption keys are managed, where backups are replicated, and what happens during a cross-border incident response.
The same point applies to “sovereign cloud.” Sovereignty is not just the country named on a region page. It is contractual language, operational control, support access, legal process, key custody, auditability, subcontractor disclosure, disaster recovery design, and exit rights. A local cloud can be a strong sovereign option if those controls are explicit. It can also be a local front end to a complex international stack if the controls are not defined.
Arupa’s advantage is that it can combine an Indonesian office presence, local engineers, Indonesian network resources, and local partner support. The open question is whether the service contracts turn that local presence into enforceable controls. A buyer should ask for data localisation schedules, processor/subcontractor lists, backup location maps, key management options, breach notification procedures, audit evidence, and a tested data export path.
First failure path: the rack or facility contract yields first
The risk for Arupa starts at the rack level. A customer buys a virtual data centre, a backup repository, or a Kubernetes node pool. Beneath that, a set of cabinets, power feeds, cooling units, switches, and storage arrays must keep working. If Arupa owns the hardware but leases data centre space, the service depends on the facility operator’s performance on power, cooling, access, and remote hands. If Arupa consumes a partner platform, the service depends on that provider’s capacity, maintenance, and escalation path.
If Arupa hosts across multiple sites, the customer needs to know which products are genuinely multi-site and which only have backup or disaster recovery options available at extra cost.
Public data does not identify the production facility for each service. DCI-IX visibility does not prove the production rack location. Civo’s page mentions hosting in Jakarta, but not the facility name or detailed topology. The object storage page mentions an Indonesian Tier III data centre, but not whether the storage platform is single-site, replicated across sites, or protected by erasure coding within a single site. Arupa’s contact page gives an office, not a data hall.
The rack failure test should be explicit. What happens if a hypervisor host fails? What happens if a storage shelf fails? What happens if a rack PDU fails? What happens if the facility needs an emergency maintenance window? How many customer workloads can be restarted elsewhere without over-subscribing the remaining cluster? How long can a data centre access restriction delay a disk replacement? What service credits apply, and which recovery steps fall under best-effort support?
Customers should ask for a service-by-service dependency schedule. It should show the number of production sites, the data centre operator, the facility tier or certification if claimed, rack and power responsibility split, remote hands SLA, the hardware inventory controlled by Arupa, vendor support coverage, and planned maintenance notice. Without that, the word “cloud” masks the first failure domain instead of removing it.
Second failure path: transit and IX diversity is useful but incomplete
Routing registration gives Arupa diversity at the logical level. AS136102 is visible with iForte and Biznet paths in BGP.tools, while AS137286 is visible with Biznet and PGAS paths. PeeringDB places the two ASNs at different exchanges: OpenIXP / NiCE for AS136102 and DCI-IX for AS137286. That is better than a single isolated transit flow.
The remaining question is physical diversity. Two ASNs can still share a building, an interconnection room, a metropolitan fibre duct, an optical provider, an upstream maintenance window, a route object maintainer, or a customer firewall. A customer examining Arupa’s route diversity needs three maps. The first is logical: the upstream ASNs, the IX peers, the BGP policies, the accepted prefixes, and the failover preferences. The second is optical: the carrier names, the hand-off types, the wavelength or Ethernet circuits, and the first repair provider.
The third is physical: the building entrances, the risers, the ducts, the first diverse meet-me point, and the shared utilities.
The separation between AS136102 and AS137286 could be operationally useful. It may give Arupa distinct routing planes for different services, regions, customer groups, or partner platforms. It may also reflect historical transitions and different upstream economics. Public data does not let us decide which interpretation is correct. The practical test is whether a customer workload can remain reachable if one ASN, one IX port, one upstream, or one facility path is taken out of service.
The lack of public IPv6 is also a customer concern. It may not matter for many Indonesian workloads today, but some regulated, enterprise, or cloud-native environments increasingly require dual stack. RIPEstat and BGP.tools did not show visible IPv6 origin for either ASN at the check. If Arupa sells IPv6 customer connectivity, buyers should ask whether it is delivered via other ASNs, tunnels, partner platforms, private addressing, or is not currently part of the service.
Third failure path: backup is only as good as restore bandwidth and authority
Backup products can fail silently. A backup can exist but restore too slowly. A replica can be current but inconsistent. A disaster recovery plan can depend on a firewall, a licence key, a DNS change, an identity provider, or a storage mount that is not included in the recovery test. Arupa’s backup and DR pages are commercially clear: they emphasise hybrid backup, cloud backup, managed service, ransomware protection, real-time replication, a second-scale RPO, and a minute-scale RTO. Public evidence does not show restoration tests.
For Arupa Backup, the hard questions are restoration scope and authority. If customer data is on-premises and in Arupa’s cloud, who decides when to fail over? If ransomware is suspected, who validates the recovery point? If local hardware is part of the offer, who owns the replacement stock and support? If the customer wants to leave Arupa after an incident, can they export full backups in a standard format without waiting for a managed service ticket? If a backup repository is hosted in a single Indonesian data centre, what protects it from a facility-wide outage?
For Zerto-type replication, the key variables are journal history, bandwidth, write-order fidelity, test network isolation, failback, and application dependency mapping. A single VM can recover quickly. A business service made up of database, application server, file storage, identity, VPN, and third-party API dependencies may not recover. The public page does not distinguish product capability from customer-specific recovery validation.
The best evidence would be anonymised test evidence. Arupa could publish restore benchmarks for common data sizes, measured failover exercises, the maximum supported replication lag under congestion, backup immutability options, customer-run recovery test procedures, and a schedule showing who can approve a production failover. These disclosures would not reveal customer secrets. They would show that the recovery promise is more than a brochure.
Fourth failure path: support labour and migration are also capacities
Arupa sells local expertise as part of the product. The about page emphasises local engineers. TheManaged Cloud Servicesays Arupa handles implementation, maintenance, and security so partners can focus on their business. TheCloud Migrationservice says it moves workloads from public cloud, private cloud, or hybrid environments with a structured, low-risk approach, local compliance, and transparent costs. TheImplementation Supportemphasises professional execution, risk reduction, and local technical support.
This is a genuine service advantage in a market where many customers do not want to operate cloud infrastructure themselves. But support labour is also a finite resource. During a normal migration, the same expert team can guide discovery, cutover, optimisation, and documentation. During a regional incident, that same team may be stretched by many customers at once. If the product depends on high-touch support, customers should ask how Arupa prioritises incidents, how many engineers cover out-of-hours escalation, which tasks are automated, and what happens if a key vendor also needs to join the conference bridge.
Migration creates another form of lock-in. Arupa can help customers migrate into its environment; that does not automatically prove that customers can leave quickly. Exit depends on data formats, VM export, network re-addressing, DNS, object storage compatibility, backup retrieval, licence portability, dependency documentation, and egress bandwidth. If a customer’s only current backup sits in Arupa’s managed service, leaving the provider during a dispute or outage may be harder than entering.
Public pages should therefore be read as service invitations, not as exit guarantees. A serious customer should ask for migration and reverse-migration runbooks before signing. The request is not adversarial. It is how a cloud provider proves confidence in its own operations: it can help a customer get in because it also knows how the customer could recover or get out.
The affected customer is often a partner’s customer
Arupa’s positioning as a partner changes the impact radius. A direct enterprise customer may know it is buying Arupa compute, backup, or managed service. A downstream customer of an MSP, system integrator, or reseller may only experience Arupa indirectly, through a managed application, a backup portal, a disaster recovery clause, or a private cloud bundle sold under another company’s relationship. Thepartner programme pageis explicit that Arupa wants MSPs, system integrators, resellers, and ISV partners in the ecosystem. That model makes commercial sense. It also means incident communication must travel through more than one organisation.
In a simple hosting outage, the service owner and the infrastructure provider are the same company. In a partner-driven cloud stack, the affected end customer may call the reseller, the reseller may call Arupa, Arupa may need a data centre operator, a telecom operator, Civo, MinIO, VMware/Broadcom, Veeam, Zerto, or another vendor to act, and the customer may not know which dependency is binding. That is not a criticism of channel sales. It is a reminder that support sequencing is a capacity constraint.
When many partners call during the same incident, Arupa’s engineering bench, ticket triage, vendor escalation rights, and customer communication templates become part of the infrastructure.
Billing can also be part of the failure path. Cloud providers often treat compute, storage, backup retention, IP addresses, managed support, and data egress as separate chargeable items. Civo’s Indonesia page emphasises predictable pricing for managed Kubernetes and compares monthly resource costs with global hyperscalers. Arupa’s migration page says customers enjoy cost transparency. Those are positive signals. But customers still need to know how charges behave during disaster recovery tests, prolonged recovery, emergency restoration, data export, migration failure, billing suspension, licence rights expiration, or contract termination.
A backup service that is technically available but financially expensive to recover can still be a poor recovery tool.
Hardware sparing is the third silent constraint. Arupa’s pages describe local expertise and managed implementation, but do not disclose spare servers, disks, controllers, optics, firewalls, backup appliances, or GPU cards. A provider can have excellent engineers and still wait for a vendor RMA, a customs process, a partner authorisation, or a facility access slot. Customers buying private cloud or on-premises backup hardware should ask whether spare parts are held in Indonesia, whether Arupa owns them, whether the customer owns them, and whether the SLA changes when the failure is a vendor supply problem rather than a support ticket issue.
The practical due diligence question is therefore not just “does Arupa answer tickets?” It is “who else must act before my service is restored, and what happens if the business relationship is strained while the technical incident is still open?” A channel-friendly provider earns trust by making these hand-offs visible. It should define severity levels, customer versus partner notification obligations, vendor escalation authority, out-of-hours contacts, restore cost rules, data export charges, spare stock assumptions, and exit assistance before the incident.
For Arupa, whose public thesis leans heavily on local support and partner success, these operational details are not secondary. They are the part of the cloud that customers will feel first when capacity fails.
What evidence would improve the assessment
Arupa could significantly strengthen the public operational picture without revealing sensitive customer data. First, it could publish a high-level service location matrix: which products run in which Indonesian region or facility class, which are single-site, which are replicated, which have optional disaster recovery, and which use partner platforms. The matrix does not need to show rack counts. It should separate office, registry, exchange, production compute, and backup locations.
Second, it could publish a capacity and resilience summary for each product family. For compute, that means hypervisor cluster redundancy, storage protection method, normal headroom, degraded-mode headroom, and maintenance policy. For backup, that means repository location, retention options, immutability, restore bandwidth, and tested restore times. For object storage, that means data placement policy, durability model, S3 compatibility limits, key management, and export procedure. For Kubernetes, that means control plane design, node pool failure domain, load balancer model, upgrade window, and cluster backup.
Third, it could reconcile the network narrative in customer-friendly terms. Why are AS136102 and AS137286 separate? Which services use which ASN? Does either provide customer IPv6? Are OpenIXP and DCI-IX used for production traffic, management traffic, peering optimisation, or backup paths? Which prefixes belong to Arupa, which are customer or downstream prefixes, and how does RPKI/route object maintenance work?
Fourth, it could publish sample incident and migration procedures. This should include support escalation, customer notification, maintenance notice, data export options, billing continuity during an outage, and the conditions under which Arupa or the customer can initiate a failover. The most credible cloud providers make the boring procedures visible, because that is where trust lives.
The current evidence score is therefore mixed rather than negative. Arupa’s public product breadth, network visibility, and local positioning are stronger than those of many small hosting providers. The disclosure of physical capacity is weaker than the service breadth. That gap is precisely where customer diligence should focus.
A useful local cloud depends on visible constraints
Indonesia needs more credible local infrastructure options. Not every workload should be forced into a global hyperscale model, and not every enterprise wants to assemble backup, Kubernetes, storage, migration, and compliance support on its own. Arupa’s public profile addresses that demand. It combines local sales and support, cloud compute, backup, object storage, disaster recovery, MinIO distribution, Broadcom/VMware ecosystem signals, and Civo sovereign cloud positioning. It also has active Indonesian routing resources that show the company is not a shell with only a product brochure.
The next threshold is not more product names. It is visibility of constraints. Customers buying hosted capacity need to know where the capacity sits, which rack it occupies, which upstreams carry it, what headroom survives a failure, who holds spare parts, who can enter the facility, what recovery tests have been passed, and how data can be moved if the relationship or platform fails. Those questions do not weaken Arupa’s business case. They make it investable for customers whose workloads matter.
Arupa’s best public thesis is that Indonesian enterprises can buy local cloud capacity with local support. Its public evidence supports that thesis at the company, product, and routing levels. It does not yet fully support an independently verifiable claim of multi-site resilience. Until more facility and recovery evidence is published, PT. Arupa Cloud Nusantara should be treated as an operational Indonesian cloud and technology services provider whose customer value depends on the private schedules behind its public cloud promises: racks, transit, hardware spare stock, support labour, backup testing, and migration rights.

