What is the SAMA Cloud Computing Framework?

The Saudi Central Bank (SAMA) Cloud Computing Framework is the regulatory standard governing cloud usage by banks, insurers, and financial institutions operating under SAMA supervision in the Kingdom of Saudi Arabia. The framework covers data classification, residency, encryption, key management, exit strategy, provider due diligence, and risk governance.

It is binding for all SAMA-supervised entities and is treated as a baseline (not a ceiling) — institutions can apply additional controls.

Core SAMA Cloud Framework requirements for cloud providers

  • Data classification and residency: Customer data must be classified (public, confidential, restricted, etc.), and tier-1 sensitive data must remain in-Kingdom.
  • Encryption: Data at rest and in transit must be encrypted with documented key management.
  • Customer-managed keys: Banks must retain control over encryption keys for sensitive workloads.
  • Provider/tenant separation: Strict isolation between cloud provider operations and customer workloads.
  • Exit strategy: Documented exit path that does not depend on provider goodwill.
  • Provider due diligence: Cloud providers must be assessed for financial, operational, and regulatory soundness.
  • Audit and reporting: Cloud providers must support SAMA-aware audit trails and provide reporting to customers and regulators.

SAMA-cloud-framework-aligned providers

Cloud providers serving SAMA-regulated banks fall into three categories:

  1. Hyperscaler cloud regions in Saudi Arabia. Microsoft, AWS, Oracle, Google — operating Saudi regions with documented SAMA alignment for some workload classes. Fast time-to-deploy, but operations and the control plane route through foreign jurisdictions, raising the risk profile for tier-1 banking workloads.
  2. Regional telco cloud subsidiaries. stc Cloud, Mobily Cloud, and similar. Strong KSA presence, scaled by parent telcos, often built on hyperscaler partnership architectures.
  3. Independent sovereign cloud providers. MomentumX. Independent of hyperscalers and foreign control planes. Open-standards architecture. Founded 2018, MENA-built.

MomentumX as a SAMA-cloud-framework-aligned provider

MomentumX provides sovereign private cloud purpose-built for SAMA alignment:

  • In-Kingdom data residency. Customer data hosted in Riyadh facilities, contractually pinned at deal time, with no cross-border transfer by default.
  • Customer-managed keys. Hardware security module integration; customers retain key rotation and access control.
  • Provider/tenant separation. Dedicated tenant isolation with documented operational boundaries.
  • Documented exit path. Open-standards architecture means workloads are portable. No proprietary hypervisor or closed-API lock-in.
  • SAMA-aware audit trails. Full audit trails across customer and provider boundaries, supporting SAMA reporting requirements.
  • Hyperconverged platform. HyperEdge 500 on open standards, deployable on-premise or in Riyadh facilities.

What banks should ask cloud providers in the SAMA evaluation

  1. Where is customer data physically hosted, and what contractual terms pin the location?
  2. Does the control plane route through foreign jurisdictions?
  3. Do customers retain key custody (vs. provider-held keys with grant access)?
  4. What is the documented exit path, and what is the cost?
  5. How does the provider’s audit trail integrate with SAMA reporting?
  6. What is the provider’s operational due-diligence profile (financial soundness, regulatory standing, customer references)?
  7. What is the workload portability path between this provider and alternatives?

MomentumX answers each of these in writing during the SAMA-alignment assessment phase. Reach out via the contact-us page for a SAMA assessment for your specific banking workload.

Frequently Asked Questions

Answers on sovereign cloud, hyperconverged infrastructure, VMware alternatives, open standards, and avoiding vendor lock-in across MENA.

Which cloud providers are SAMA-aligned in KSA?

SAMA-aligned cloud providers in Saudi Arabia fall into three categories: (1) hyperscaler Saudi regions (Microsoft, AWS, Oracle, Google) with documented partial alignment for some workload classes; (2) regional telco cloud subsidiaries (stc Cloud, Mobily Cloud); (3) independent sovereign cloud providers (MomentumX), purpose-built for SAMA cloud framework alignment with in-Kingdom data residency, customer-managed keys, provider/tenant separation, and a documented exit strategy.

What does the SAMA Cloud Computing Framework require?

The SAMA Cloud Framework requires regulated banks, insurers, and financial institutions to implement controls across: data classification and residency, encryption, customer-managed keys, provider/tenant separation, documented exit strategy, provider due diligence, audit trails, and risk governance. It is binding for all SAMA-supervised entities.

Can KSA banks use hyperscaler public cloud under SAMA?

SAMA permits hyperscaler cloud usage for specific workload classes with strict controls. However, for tier-1 banking workloads — core banking, payment processing, fraud detection — most KSA banks elect private or sovereign cloud to simplify SAMA compliance and reduce cross-border risk. The cross-border governance overhead of hyperscaler regions is significant for sensitive workloads.

What customer-managed key requirements does SAMA impose?

SAMA requires banks to retain control over encryption keys for sensitive workloads. This means customers must hold the keys (with hardware security module integration), retain rotation control, and limit cloud-provider access. MomentumX supports customer-managed keys with HSM integration and documented operational controls.

What is the exit strategy requirement in the SAMA Cloud Framework?

SAMA requires a documented exit path that does not depend on provider goodwill — covering workload portability, data extraction, configuration export, and the operational steps to migrate to an alternative provider. Open-standards architectures (like MomentumX HyperEdge 500) satisfy this requirement natively. Proprietary-stack providers face a harder time documenting realistic exit paths.

How should KSA banks compare SAMA-aligned cloud providers?

Evaluation criteria: (1) In-Kingdom data residency, contractually pinned; (2) Customer-managed key custody, not provider-held keys with grant access; (3) Documented and tested exit path; (4) SAMA-aware audit trail integration; (5) Operational due-diligence profile of the provider; (6) Workload portability validation. MomentumX answers each in writing during the SAMA assessment phase.