What “edge” and “cloud” actually mean here
Three layers matter:
- Camera-edge inference — model runs on a Hailo-8 or Jetson Orin at or beside the camera.
- Site-server inference — model runs on a DGX Spark or A30 partition in a cabinet on the site.
- Cloud inference — model runs in a CST-licensed KSA-resident region or, in the worst-case, in a non-resident region.
A defensible architecture combines layers, with the boundary anchored by where raw video is allowed to flow. See the edge inference glossary for the underlying term.
Why this is a compliance question now
Three regulatory pressures push KSA designs to edge or KSA-resident:
- PDPL Article 29 — cross-border transfer of personal data (which includes faces and identifiable bodies) is bound by adequacy, consent or specific safeguards.
- NCA Essential Cybersecurity Controls — for sites that overlap with critical infrastructure, ECC requirements add hardening and residency expectations.
- Operating organisation rules — Aramco contractor sites, MoI-adjacent sites and several MoMRAH programmes have explicit residency clauses in their tenders.
The combination means that “raw video to a non-resident cloud” is not a defensible 2026 design.
The four architectural patterns
Four patterns dominate KSA deployments:
| Pattern | Where raw video sits | Where inference runs | Compliance posture |
|---|---|---|---|
| All-edge | Camera-edge only | Camera-edge | Strongest |
| Edge + KSA cloud | Camera-edge + KSA region | Both | Strong |
| Site-server + KSA cloud | Site server + KSA region | Both | Strong |
| Cloud-first | Non-resident cloud | Cloud | Fails 2026 KSA |
The first three are all defensible; the fourth fails by default unless an explicit Article 29 mechanism is in place.
Pattern 1 — All-edge
Best for sites where bandwidth is poor and security is paramount. Detection runs at the camera; only metadata leaves the device. No central dashboard.
Trade-offs:
- Strongest compliance posture.
- Limited cross-camera intelligence — re-identification across cameras is harder.
- Operations complexity — model updates pushed to dozens of devices.
Common in: Aramco contractor gates, NORM-adjacent areas, military-adjacent sites.
Pattern 2 — Edge + KSA-resident cloud
Detection at the camera; aggregated metadata and signed clip pointers in a CST-licensed KSA cloud region. The default 2026 design for most KSA industrial sites.
Trade-offs:
- Strong compliance posture.
- Good cross-camera intelligence via the KSA region.
- Bandwidth-friendly — only events flow up.
Common in: NEOM construction packages, Diriyah, large MoMRAH programmes.
Pattern 3 — Site-server + KSA-resident cloud
Detection at a site server with raw video stored locally. Aggregated metadata flows to KSA cloud.
Trade-offs:
- Strong compliance posture.
- Better cross-camera intelligence than all-edge — Re-ID, multi-camera tracking, BoT-SORT work natively.
- Higher CapEx for the on-site server cluster.
Common in: large industrial yards, brownfield CCTV retrofit sites.
Pattern 4 — Cloud-first
Raw video to a non-resident cloud. Fails PDPL by default unless an explicit Article 29 mechanism is in place. Avoid in 2026 unless legal counsel has signed off explicitly.
Latency comparison
For real-time use cases (vehicle-pedestrian safety, fall detection, hot-work zone), latency matters as much as compliance:
| Path | End-to-end latency |
|---|---|
| Camera-edge inference + on-device alert | 100–400 ms |
| Camera-edge + site-server alert | 200–600 ms |
| Camera-edge + KSA cloud dashboard | 500 ms – 2 s |
| Cloud-first inference | 1–5 s |
For vehicle-pedestrian safety and fall detection, pattern 1 or 2 is required. For PPE detection and progress tracking, pattern 2 or 3 is sufficient.
Bandwidth and TCO comparison
A 200-camera site at 5 fps and 720p produces roughly 30–50 Mbps of raw video. Sending all of it to cloud means:
- 400 GB per day per site uplink.
- SAR 80,000–180,000 per year in connectivity for a single site [VERIFY-SME].
- Additional cloud storage and compute cost.
Edge-first patterns push only metadata (a few KB per event), reducing connectivity cost by 90%+ while strengthening the compliance posture.
NCA-ECC alignment
For sites under NCA-ECC jurisdiction, additional architectural requirements:
- Network segmentation — analytics traffic on a separate VLAN.
- Identity and access management with MFA on all admin paths.
- Logging and monitoring with retention aligned to NCA expectations.
- Vulnerability management with documented patch cycle.
- Incident response plan including breach notification timelines.
Edge-first patterns make all five easier because the attack surface for raw video is smaller. See the trust / security overview and trust / data residency.
How to score a vendor on this
Five questions every 2026 vendor proposal must answer:
- Where is raw video stored — explicitly, with the CST licence number?
- Where is inference run — camera-edge, site-server, cloud?
- What metadata leaves the Kingdom, if any?
- What is the Article 29 mechanism, if cross-border transfer is required?
- What is the model-update path, and where is the training data hosted?
If any answer is vague, the proposal is not 2026-ready. Cross-reference the top 10 platforms shortlist and the comparisons hub.
Decision tree
| If your site is… | Pattern |
|---|---|
| Aramco contractor or MoI-adjacent | 1 (all-edge) |
| NEOM construction, Diriyah, RSG | 2 (edge + KSA cloud) |
| Large industrial yard, brownfield | 3 (site-server + KSA cloud) |
| Anything in 2026 KSA | not 4 |
Common architectural mistakes
- Treating cloud as the default. The default in 2026 KSA is edge.
- Skipping the PDPL DPO sign-off on the architecture.
- No NCA-ECC alignment for sites overlapping critical infrastructure.
- Vendor-locked update paths that ship raw video out of the Kingdom for retraining.
- Single layer — most sites benefit from a hybrid pattern.
Field deployment checklist
- Architecture pattern picked and signed off.
- PDPL DPO sign-off on the architecture.
- NCA-ECC controls mapped to the architecture, where applicable.
- Article 29 mechanism documented if any cross-border transfer is required.
- Vendor has confirmed CST licence number for the KSA region in writing.
- Model-update path documented, with training-data residency confirmed.
Next steps
If you are scoping vision inference architecture for a Saudi site, start with the edge inference glossary, the CCTV vs edge AI piece, and the edge AI vs server-side processing answer. Cross-reference the PDPL compliance checklist, the data residency posture and the NCA-ECC glossary entry.
Book an architecture scoping session and we will produce a defensible edge-vs-cloud design with documented compliance posture within 10 working days.
