Skip to main content
Sovereign Deployment

Your data, your infrastructure, your jurisdiction.

CISGuard is the only continuous CIS benchmark compliance platform built for environments where data sovereignty is non-negotiable. Deploy on-premises or fully air-gapped, with no SaaS dependency, no data egress, and no cross-border transfer.

Request Sovereign Briefing →See deployment options
Quick Facts
Deployment models
On-premises, air-gapped, private cloud, hybrid
Internet connectivity
None required for air-gapped mode
Data egress
Zero. All scan data stays within the customer perimeter
SaaS dependency
None
Telemetry / phone-home
None. No analytics, no usage data, no vendor backchannel
Per-jurisdiction isolation
Supported. UAE data stays in UAE, Saudi in Saudi, per-country residency enforced
Sovereign clouds supported
Azure UAE North, Azure Saudi Arabia Central, AWS GovCloud, AWS Middle East, Oracle Sovereign Cloud
Regulatory coverage
UAE PDPL · IAS · ADHICS · NCA ECC · SAMA · FedRAMP High · IL4/IL5 · CMMC L2 · CJIS · NIS2 · DORA · GDPR Article 32
Standard deployment time
One business day for environments under 200 endpoints
Four Operating Principles

No data egress

No scan results, configuration data, or asset metadata ever leaves your infrastructure. Period.

No SaaS dependency

CISGuard runs on your hardware or your cloud tenant. We have no operational visibility into your environment.

No telemetry

No analytics phone-home, no anonymized usage data collection, no vendor backchannel.

Per-jurisdiction isolation

Multi-site deployments support per-country data residency. Saudi data stays in Saudi infrastructure. UAE data stays in UAE infrastructure.

Deployment Options

Four ways to deploy. All sovereign.

Choose the deployment topology that matches your regulatory boundaries and operational reality.

On-Premises

Single-file installer on your server. Agents deployed to Windows, Linux, and container hosts. All scan data is processed and stored within your data center.

Components
  • CISGuard Server
  • Windows Agents
  • Linux Agents
  • Cloud API Scanner
  • Your Database

Air-Gapped

Fully offline operation for classified networks. Zero internet connectivity required at any stage of install, scan, or report generation. Agent updates via secure media.

Components
  • Isolated Server
  • Classified Endpoints
  • Offline Agent Updates
  • Local Reports
  • No External Egress

Private Cloud

Run inside your own Azure, AWS, or GCP tenant. Scan results stay in your cloud account. Compatible with sovereign cloud regions (Azure UAE, AWS GovCloud).

Components
  • Tenant-Hosted Server
  • Cloud-Native Agents
  • VPC-Isolated Storage
  • Sovereign Region
  • No Cross-Tenant Egress

Hybrid

Central server on-premises with agents scanning across multiple sites, cloud accounts, and Kubernetes clusters. Unified dashboard, jurisdictional data isolation.

Components
  • Central HQ Server
  • Site Relay Agents
  • Cross-Cloud API Scanners
  • Per-Site Data Isolation
  • Unified Dashboard
Regulatory Coverage

Where sovereign deployment isn't optional.

The regulations that demand data residency, operational isolation, or air-gapped environments, and how CISGuard satisfies each.

UAE

  • UAE PDPL (Federal Decree-Law 45/2021)
    Personal data must stay within UAE territorial jurisdiction. On-premises deployment satisfies storage requirement.
  • UAE IAS (Information Assurance Standards)
    SIA-mandated controls for classified federal networks. Air-gapped deployment with NIST 800-53 mapping.
  • ADHICS (Abu Dhabi Healthcare)
    Sector-specific data handling for Abu Dhabi healthcare. Per-facility isolation supported.

Saudi Arabia

  • NCA ECC (Essential Cybersecurity Controls)
    Saudi National Cybersecurity Authority. CISGuard maps controls to ECC-1 through ECC-5 domains.
  • SAMA Cybersecurity Framework
    Saudi Arabian Monetary Authority requirements for financial entities. On-prem deployment required for tier-1 data.

United States

  • FedRAMP High / IL4 / IL5
    Air-gapped deployment satisfies network isolation for federal high-impact systems.
  • CMMC Level 2 / Level 3
    Defense contractor handling of CUI. NIST 800-171 mapping with on-prem CUI boundary.
  • CJIS (Criminal Justice)
    Law enforcement data handling. Full on-prem deployment with role-based audit trail.

European Union

  • GDPR Article 32
    Technical and organizational measures. EU-region deployment with no cross-border transfer.
  • NIS2 Directive
    Essential and important entities. Continuous monitoring satisfies Article 21.
  • DORA (Financial Sector)
    EU financial entity ICT risk management. Sovereign deployment for tier-1 financial infrastructure.

Sovereign by design. Briefing on request.

Walk through the deployment architecture for your specific jurisdictional and regulatory boundaries with our compliance engineering team.

Request Sovereign Briefingsales@cisguard.ae →