Cloud vs On-Premise Video Conferencing for Regulated Saudi Industries
Saudi banks, government agencies, healthcare networks, and other regulated organisations face a specific question: can we use cloud video conferencing platforms (Microsoft Teams, Zoom, Webex) given our regulatory obligations? The answer depends on data classification, recording requirements, and specific industry context.
The regulatory landscape
Three Saudi regulatory frameworks shape VC platform decisions: NCA Cloud Cybersecurity Controls (CCC) cover cloud service provider assurance, data residency, encryption, identity management, monitoring, and exit/portability. SAMA Cyber Security Framework includes specific call-recording obligations for trader communications, customer service, and certain transaction flows. Healthcare data sovereignty effectively requires Saudi-region or on-premise hosting.
Cloud VC — the mainstream path
The major cloud VC platforms all offer Saudi-region data residency:
Microsoft Teams. Microsoft Saudi region (Azure Saudi) supports data-residency for Teams data including chats, meeting recordings, and shared files. Configurable per-tenant.
Cisco Webex. Cisco’s data centre footprint includes Middle East coverage with Saudi-region data residency improving over time.
Zoom. Zoom’s data residency is configurable but Saudi-region capability is less mature. For regulated organisations, this often pushes toward Teams or Webex over Zoom.
For most regulated organisations not at the most-restrictive end, cloud VC with Saudi-region configuration is acceptable.
On-premise VC — the high-restriction path
For organisations with the most-restrictive requirements (sovereign-aligned, certain SAMA-tier-1 banks, specific government workloads), on-premise VC remains the answer:
Cisco Meeting Server — Cisco’s on-premise VC infrastructure with full feature set, deployed in your data centres.
Pexip Infinity — self-hosted VC with strong interoperability across Teams/Zoom/Webex external participants.
Avaya Spaces self-hosted — available for on-premise deployment in regulated environments.
Microsoft Teams via Azure Stack — newer hybrid options blend cloud features with private infrastructure.
On-premise VC is more complex, more expensive to operate, but removes external-platform dependencies entirely.
Hybrid models
The pattern that’s increasingly common: cloud VC for general-purpose meetings; on-premise VC for specific regulated workflows. Example: a SAMA-regulated bank uses Microsoft Teams for internal collaboration. For trader desk calls and customer-service interactions requiring SAMA recording, calls flow through on-premise infrastructure that records to compliant storage. This delivers cloud convenience for the 90% while maintaining on-premise control for the 10% that requires it.
Recording compliance
SAMA recording obligations apply regardless of platform. Recording must capture every relevant call, retain for required period (5-7 years), make recordings searchable and producible to regulators, maintain audit trail, encrypt at rest and in transit. Cloud VC platforms integrate with recording solutions (Verint, NICE, RedBox) that handle these requirements. The recording infrastructure itself is often deployed on-premise even when the VC platform is cloud, providing necessary control.
Data classification driving decisions
Public/general data: cloud VC, default configuration.
Internal/operational data: cloud VC, Saudi-region residency configured.
Restricted/regulated data: cloud VC with enhanced controls (compliance recording, DLP, encryption, audit logging) OR on-premise VC for specific workflows.
Top-secret/national-security: on-premise VC, often air-gapped.
Most regulated organisations have a mix of classifications across their meeting workflows.
Get help with regulated VC decisions
For a written assessment of cloud vs on-premise VC for your specific regulatory profile, contact our team. Pair with unified communications, cyber security, and cloud computing.