Sovereign cloud for KSA government & government‑adjacent

Cloud, HCI, and AI for the workloads NCA is auditing now.

Saudi government and government‑adjacent enterprises operate under NCA CCC‑2 and CST cloud guidance. MomentumX is architected for those controls — KSA‑hosted, MENA‑registered, with the audit trails and exit clauses your inspector expects. Etimad‑ready commercial structure for tender participation.

Why government workloads are different

NCA CCC‑2 is now enforced for cloud service providers serving KSA government and regulated sectors. Five domains, 23 mandatory controls, and a clear residency requirement: data classified at sensitive levels does not leave national jurisdiction. Add CST cloud classification rules, Etimad procurement gates, and the practical reality that government inspectors require direct audit access — and “regional cloud zone” answers stop working.

The compounding problem: AI is now mandatory for every digital ministry initiative under Vision 2030 — fraud, citizen analytics, document AI, language models for public services. All of those workloads run on the same data the NCA is restricting. Sending it to OpenAI or Azure OpenAI through a regional zone is not a sufficient compliance posture.

NCA CCC‑2, mapped to MomentumX

All 23 controls. Reviewable by your inspector under NDA.

NCA CCC-2 Control Domains Mapped to MomentumX DeliveryFive National Cybersecurity Authority cloud control domains shown on the left, with MomentumX’s corresponding architectural and operational delivery on the right.NCA CCC-2 — Control Domains Mapped to MomentumXAll 23 mandatory controls reviewable by your inspector under NDANCA CONTROL DOMAINHOW MOMENTUMX DELIVERS1Cloud governanceDocumented governance, RACI,change management, board oversightDefined RACI · service-level governanceContracted change management with audit trail.Quarterly governance review with customer.2Cybersecurity defenceHardened control plane, encryption,network segmentation, key managementHardened OpenStack · customer-managed KMSNetwork microsegmentation. Encryption at rest +in transit. BYOK + Vault. TPM-backed attestation.3Cybersecurity resilienceIncident response, DR, BCM,recovery time objectives, runbooks24/7 IR · MENA-based ops · multi-region DRDocumented RPO/RTO. Failover runbooks acrossCairo · Riyadh · Frankfurt regions.4Third-party cybersecurity riskVendor inventory, supply-chain audits,contractual security obligationsVendor inventory · hardware supply-chain auditContractual security obligations on every vendor.Annual third-party penetration testing.5Cloud cybersecurity complianceMapped 23 controls, gap remediation,certification roadmap, audit reporting23 controls mapped · certification on roadmapActive gap remediation. Certification targetQ3–Q4 2026. Inspector-ready documentation.
NCA control domainHow MomentumX delivers
1. Cloud governanceDefined RACI, documented service-level governance, contracted change-management with audit trail.
2. Cybersecurity defenceHardened OpenStack control plane. Network segmentation. Encryption at rest + in transit. Customer‑managed KMS.
3. Cybersecurity resilience24/7 incident response, MENA‑based ops team, documented DR runbooks across Cairo/Riyadh/Frankfurt.
4. Third‑party cybersecurity riskVendor inventory, contractual security obligations, supply‑chain audit on hardware suppliers.
5. Cloud cybersecurity complianceDocumented control mapping for all 23 controls, gap remediation in active execution, certification roadmap targeting Q3–Q4 2026.
Liability: NCA CCC‑2 certification is on our roadmap (Q3–Q4 2026); we are not currently NCA‑certified. The control mapping above is reviewable by your inspector under NDA.

Reference architecture for a KSA ministry

Three layers, integrated through OpenStack APIs. Configurable for sensitive / restricted / top secret data classifications.

1

Production workloads on Hyper Private Cloud

Citizen‑facing portals, case management, financial systems, regulatory reporting. KSA‑resident VDC, OpenStack‑native, customer‑managed KMS.

2

On‑prem extension on HyperEdge 500

For workloads requiring physical air‑gap — classified archives, cryptographic operations, audit servers, defence‑adjacent. HyperEdge 500 deployed at the ministry’s primary or DR facility.

3

AI workloads on HyperAI

Sovereign LLM deployment — Arabic language models, document understanding, fraud and benefit verification, citizen analytics. 24‑GPU cluster with H100/H200, deployed in KSA. Data never leaves national jurisdiction.

Use cases, named

Four real government AI workloads.

Sovereign Arabic LLM deployment

Run open‑source Arabic models (Jais, Falcon, AceGPT, Llama variants) on the ministry’s own GPU cluster. Pretrain or fine‑tune on national corpora. The model never sees data outside KSA.

Document understanding for citizen services

OCR + LLM pipelines for ID verification, civil records, benefit applications, and licensing. Inputs and outputs stay inside the ministry’s jurisdiction.

Fraud and benefit verification

GPU‑accelerated anomaly detection on benefit claim streams, customs declarations, tax filings. Real‑time scoring with full audit trail.

Public‑sector analytics + planning

Population analytics, infrastructure planning, public‑health predictive modelling. Sensitive demographic data stays in‑country.

Etimad procurement, ready

MomentumX is structured for KSA government tender participation.

MISA‑registered entity status (foreign investment in service)
CST cloud classification on the certification roadmap
Etimad bid template in‑house, includes compliance matrix, sizing tables, SLAs, references
Saudization plan documented for sustained delivery
SI partner channel available — established KSA system integrators for joint Etimad bids

Bring your NCA matrix. We'll go control by control.

A 30‑minute call with a MomentumX architect, focused on your specific NCA control set, your data classification levels, and your tender timeline. We'll map your obligations to our architecture and tell you — honestly — where we're a fit and where we're not yet there.

Book an NCA architecture walkthrough
Apply for a 14‑day HyperAI POC