Sovereignty by design

Built for the regulations that matter in MENA.

SAMA. NCA CCC‑2. Egypt PDPL. ISO 27001. MomentumX private cloud and HCI are architected to keep your data inside your jurisdiction and inside your control — without trading away the performance you’d get from a hyperscaler.

Why sovereignty isn’t a marketing word

CIOs in MENA are being asked harder questions every quarter: where does our data live, who can access it, what happens if a cross‑border legal framework changes mid‑contract.

“We use a regional zone of a global cloud” is no longer a sufficient answer for regulated workloads. Sovereignty means the legal entity, the operations team, and the physical infrastructure all live under the jurisdiction your auditor recognizes.

MomentumX is structured for that answer.

The four frameworks we’re built for

Each framework with: what it requires, how MomentumX maps to it, and where to read more.

SAMA Cloud Framework

KSA — Financial services
What it requires

Data residency in KSA, controlled access, documented incident response, audit trail of every privileged action, demonstrable separation between cloud provider and tenant, and exit clauses that don’t leave the bank stranded.

How MomentumX maps

Hyper Private Cloud and HyperEdge 500 deployments in KSA‑hosted facilities. OpenStack‑based, no hyperscaler lock‑in. Full tenant isolation. SAMA‑aligned logging. Documented exit and data return procedures.

Read the SAMA framework explainer →

NCA CCC‑2

KSA — Cloud cybersecurity controls
What it requires

Five control domains across governance, defence, resilience, third‑party risk, and compliance — 23 mandatory controls for cloud service providers serving KSA government and regulated sectors.

How MomentumX maps

Documented control mapping for all 23 controls. Gap remediation in active execution. Certification roadmap targeting Q3–Q4 2026.

Download the NCA Compliance Checklist →

Egypt PDPL

Egypt — Personal data protection
What it requires

Lawful basis for processing, data subject rights, data residency for sensitive categories, breach notification, DPO appointment, and restrictions on cross‑border transfers without explicit safeguards.

How MomentumX maps

Egypt‑hosted deployments keep PDPL‑scope data inside Egypt. Infrastructure built for the five PDPL infrastructure requirements: residency, access control, retention, breach response, lawful transfer documentation.

Read the PDPL compliance guide →

ISO 27001

International — Information security
What it requires

Information Security Management System covering 93 Annex A controls — risk assessment, asset management, access control, cryptography, supplier relationships, incident management, business continuity, compliance.

How MomentumX maps

ISMS in place. Controls documented. Recertification on the operating roadmap.

The architecture decisions that make this possible

Three product‑level commitments behind the compliance posture.

No hyperscaler lock‑in

OpenStack‑based control plane. Workloads can leave the way they came in — through OpenStack APIs, not proprietary services. Exit risk is materially lower than international hyperscalers.

Regional infrastructure, regional team

Deployment, support, and incident response from teams based in Egypt and KSA. 24/7 multilingual support in Arabic, English, and French.

On‑prem option for the strictest workloads

HyperEdge 500 lets data never leave your physical premises — relevant for sovereign AI workloads where even a regional cloud zone is too much exposure.

What our compliance posture is not

We do not claim certifications we have not earned.

Our current posture: SAMA‑aligned architecture, NCA CCC‑2 documentation complete with certification roadmap Q3–Q4 2026, Egypt PDPL infrastructure requirements met, and ISO 27001 ISMS in operation.

If you’re an auditor or compliance lead and you’d like to see the full control mapping or our remediation timeline, ask — we’ll send the artifacts under NDA.

Frequently asked

Where does my data physically live?

Inside the country you select at provisioning — Egypt, KSA, UAE, or our European jurisdictions for non‑MENA‑scope workloads. We will tell you the exact data centre on request.

What happens if a cross‑border legal framework changes mid‑contract?

Your data is in MENA, on infrastructure operated by a MENA‑registered legal entity. Cross‑border requests have no operative reach. Our exit clause guarantees data return in OpenStack‑native format within 30 days.

Are you SAMA‑certified?

We are SAMA‑aligned, not SAMA‑certified — SAMA does not issue cloud provider certifications directly. What we offer is full architectural and operational alignment with the SAMA Cloud Computing Framework, documented and reviewable by your compliance team.

Do you have an NCA CCC‑2 certificate?

Not yet. We have completed control mapping for all 23 controls and have a documented certification roadmap targeting Q3–Q4 2026.

Can we audit you?

Yes. Our enterprise contracts include audit rights with reasonable notice.

Bring your auditor’s checklist. We’ll go control by control.

Schedule a 30‑minute compliance walkthrough with our team. We’ll map your specific regulatory obligations to our architecture and tell you — honestly — where we’re a fit and where we’re not yet there.

Book a compliance walkthrough
Download the NCA Compliance Checklist