Summary
- The strongest public link between Everest Data Centres and Saudi infrastructure is an alternate label attached to AS48204. RIPE assigns that network number to Etihad Salam Telecom CJSC, while the visible address and routing records point back to Salam's main network rather than proving a distinct Everest estate.
- Salam publishes a credible-looking service surface: six Saudi data centres, colocation, cloud, local monitoring and round-the-clock engineering. Those claims matter, but they belong to Salam unless a contract or corporate record explicitly establishes another role for Everest.
- A buyer should convert locality, automation and support promises into testable records: the legal counterparty, facility schedule, data-flow map, network paths, access log, incident clock, recovery result, staffing roster and exit procedure. Without those records, a reassuring name remains a weak control.
A name is not yet an operating boundary
The first fact about Everest Data Centres is how little the name settles. The BTW directory entry identifies it as a private company, but it does not present a Saudi commercial registration number, a parent, a website, a facility address, an executive team, a list of services or a certification. Its geography is not established on the page. That is enough to start an inquiry, not enough to conclude which company would sign a contract, admit an engineer through a security gate or answer when a rack loses power.
A second public clue is more technical. Cloudflare Radar's page for AS48204 calls the autonomous system ITC-INT-POPS, places it in Saudi Arabia and displays Everest Data Centres as an alternate name. It also lists AS35753, called ITC, as belonging to the same organisation. This is meaningful. It connects the directory name to an observable piece of Internet routing infrastructure and to the former Integrated Telecom identity. It is still not the same thing as establishing a separate company called Everest Data Centres.
The distinction matters because infrastructure identities are layered. A legal entity can own a brand; a brand can sell a service delivered by an affiliate; a network number can be registered to a telecom company and used for a particular access product; a building can be owned by one party, operated by another and staffed partly by contractors. Monitoring software may attach a convenient label gathered from any of those layers. Search results then repeat the label until it looks like an organisation in its own right. None of that is necessarily deceptive. It is simply limited public evidence for assigning responsibility.
The name itself carries collision risk. A British Companies House record shows that a company now called Amito Ltd used the name Everest Data Centres Ltd between 2016 and 2018. A separate industry listing describes an Indian Everest Data Centers backed by Everstone and focused on Mumbai and Chennai. Neither establishes the identity of the Saudi label. Their existence demonstrates why matching words is a poor substitute for matching registration numbers, domains, officers, addresses and network-resource holders.
For a customer, the practical question is not whether the words "Everest Data Centres" can be found near Saudi Arabia. It is which attributable organisation controls each part of the proposed service. That means asking five separate questions. Who is the legal counterparty? Who operates the named facility? Who controls the network and address resources? Who administers the customer portal and support queue? Who carries the obligation to restore service and return data? A provider may answer all five with the same name. If it does not, the contract should show the chain plainly.
This is why the thin public identity should not be inflated into a negative verdict either. Absence of a polished public footprint does not prove absence of operations. Private wholesale arrangements, legacy labels and network engineering names often leave uneven traces. The correct response is calibrated: do not assume a facility or service outcome from the label, and do not assume wrongdoing from the gap. Treat identity resolution as the first control in procurement. Until the parties and assets are mapped, every later claim about uptime, locality, security or support floats without an accountable owner.
The Saudi route leads to Salam
The registry trail is clearer than the brand trail. The RIPE Database entity for AS48204 names the resource ITC-INT-POPS, gives it assigned status, associates it with organisation ORG-ITCL1-RIPE and shows it maintained by ITC account holders. The entity was created in April 2018. It does not mention Everest Data Centres. RIPE's current organisation entity names the holder as Etihad Salam Telecom CJSC, gives Saudi Arabia as its country, includes registration number 1010206051 and a Riyadh address, and identifies it as a local Internet registry.
Those two records provide a strong attribution for administration of the number resource: AS48204 belongs within Salam's registry perimeter. They do not explain where Cloudflare obtained its alternate label, whether Everest was an old engineering label, a site label, a customer-facing name, a data contribution from another registry, or simply a classification that persisted after the underlying context changed. That unresolved provenance is the central limit. Cloudflare's label and RIPE's holder can both be accurately reported without pretending they say the same thing.
The route itself is narrow in the selected observation. A RIPE Stat query for prefixes announced by AS48204 showed 46.143.172.0/24 during the fortnight ending July 14, 2026. The response explicitly says it omits routes with very low visibility, so the result is not a complete inventory. Even with that caution, one visible /24 is a modest routing signal. It cannot support claims about the number of buildings, customers, racks, servers or cloud regions behind the name.
The address context makes over-interpretation still less appropriate. RIPE Stat's registry view of that /24 places it inside 46.143.160.0/19, whose network name and description identify ITC fibre-to-the-home customers. The maintained route objects for the covering and more-specific ranges name AS35753, Salam's principal autonomous system, as origin. A live collector can observe a more-specific route from AS48204 while registry entities retain AS35753 for the aggregate. That is ordinary evidence of routing configuration and change, not proof that the /24 serves a data centre.
There are several plausible technical explanations. AS48204 may have been used to segment traffic at international points of presence. It may originate a more-specific route for traffic engineering, migration, mitigation or operational separation. The address block may carry access subscribers even if some infrastructure supporting it sits in a data centre. Public BGP data cannot choose among those explanations. It shows reachability policy at the network edge; it does not show which applications run on the addresses or which building contains the routers.
The parent network has a much broader public profile. PeeringDB's entry for AS35753 identifies Integrated Telecom, also known as Salam Telecom, links to Salam's website and reports exchange and facility presence in Saudi Arabia and abroad. PeeringDB is entity-maintained, so it should be checked against contracts and measurements, but it is consistent with the RIPE organisation chain. It supports the conclusion that the observable operating surface belongs to a substantial Saudi telecom network. It does not turn the Everest alternate label into a separate operator.
This distinction changes how network evidence should be used in procurement. An autonomous-system number can anchor questions about route origin, upstream dependence, RPKI, exchange presence and incident visibility. It should not be treated as a certificate of ownership, resilience or locality. A buyer that needs diverse paths should ask for actual circuit suppliers, entry points, route advertisements, failure domains and test results. A buyer that needs in-country processing should ask where compute, backups, logs and administrators are located. The number on a route is one coordinate in that map, never the whole map.
Public routing is evidence, but not service proof
The attraction of routing data is that it is observable. Marketing language can stay unchanged for years, while a route appears, disappears or changes origin in minutes. That makes BGP useful for checking whether a provider's network story has a visible technical counterpart. It also makes it easy to ask the data to answer questions it was not designed to answer.
For Everest Data Centres, the route answers three limited questions. A Saudi-associated autonomous system with the number AS48204 exists. It has the registry name ITC-INT-POPS and is administered within Salam's organisation. At the time examined, RIPE collectors saw one qualifying IPv4 announcement from it. The route does not answer whether a customer can buy colocation under the Everest name, whether that service is delivered in Riyadh or Jeddah, whether the path is physically diverse, or whether an engineer will meet a replacement drive inside a promised interval.
Country-level interconnection data supplies context but not attribution. The Internet Society Pulse tracker reported five active Saudi Internet exchanges and 52 members in April 2026. It estimated that 82 per cent of active Saudi networks could exchange traffic through an IXP member or its customers, and that 73 per cent of a sample of popular content was available from an in-country server or cache. The figures suggest a materially developed local interconnection environment. They say nothing about the private links, exchange ports or traffic engineering attached to an Everest-labelled service.
A serious network review therefore works from customer traffic backwards. Which prefixes will carry the service? Which ASN will originate them in normal operation and during mitigation? Where are the hand-offs? Which paths share ducts, landing stations, providers or power? Does the provider announce customer space directly, or does a customer bring its own number resources? How quickly are route objects and RPKI authorisations changed during migration? What evidence is available after a leak or hijack? These questions translate a visible route into an operating model.
Measurements must also be tied to a service interval. A route table taken today cannot prove last year's availability or next year's capacity. A traceroute cannot prove physical separation, because logical paths can converge in the same duct or building. A looking glass can reveal reachability from selected vantage points, but not the quality of the customer's private cross-connect. Even RPKI validity, valuable as it is, says that an origin is authorised for a prefix; it does not say that the origin is secure or the service resilient.
The useful conclusion is neither "the network proves Everest" nor "the network proves nothing." It proves an attributable relationship among AS48204, ITC nomenclature and Salam's registry organisation. It also exposes a question: why does a major aggregation service carry Everest Data Centres as the alternate name? A supplier that wants the label to carry commercial weight should be able to answer with dated corporate or service documentation. Until then, the route should be cited as a clue and monitored as a network resource, not promoted into a facility certificate.
Salam supplies the clearest service surface
Once the legal and network chain reaches Salam, the public service description becomes much richer. Salam's colocation page says it has six carrier-grade data centres in Riyadh, Jeddah and Al Khobar. It advertises caged and uncaged space, managed and unmanaged options, redundant power and cooling, biometric access, a redundant 10 Gbps backbone and continuous supervision by data-centre engineers and a network operations centre. It also publishes business and wholesale contact points.
That is the first source in the chain that describes facilities, places, people and an operating offer together. It is therefore the relevant comparison surface for any proposition associated with AS48204. But the grammar of attribution must remain exact: Salam says Salam has those facilities. Neither the RIPE records nor the Cloudflare alternate label shows that a separate Everest company owns them, operates them or resells them. A buyer should ask whether Everest is a former label, an internal designation, a product, an affiliate, a tenant or an erroneous alias.
Salam's web-hosting page expands the advertised support model. It describes monitoring and management through a Saudi security operations facility, Arabic and English support, backups, domain and DNS administration, database support and Azure Stack connectivity within Salam data centres. Its infrastructure and storage catalogue lists virtual private servers, backup as a service, Microsoft Azure, Azure Stack, Huawei Cloud and managed cloud services. Together, these pages show that Salam markets more than powered space. It presents an integrated stack spanning connectivity, hosting, platform operations and cloud products.
Integration can be valuable. A single operator may be able to coordinate carrier access, a cage, virtual infrastructure, monitoring and local hands faster than a customer assembling five vendors. It can also concentrate failure and bargaining power. If the same organisation supplies the primary circuit, backup circuit, facility, managed platform and support desk, apparent simplification may conceal common dependencies. The buyer needs a component map showing which elements are genuinely independent and which ultimately rely on the same power room, backbone, identity system or escalation team.
Public product pages cannot settle that map. "Redundant" should be decomposed into the equipment or paths duplicated, their physical separation, their shared control systems and the last date a failover was demonstrated. "Round-the-clock" should become a roster, response clock, severity model and evidence of decision authority at night. "Local" should identify the city and facility for primary data, replicas, backups, logs, keys and support access. "Managed" should specify the tasks performed, approval boundaries, retained logs and customer rights to export state.
This is where the identity gap becomes commercially important. If a proposal uses the Everest name while delivery depends on Salam, the contract should not leave the relationship implicit. The facility schedule should name Salam's site. The network schedule should name the originating ASN and circuit providers. The support schedule should identify the desk and escalation owner. The data-processing terms should list each operator with access. The exit terms should bind the party that actually controls the data and equipment. A familiar-sounding data-centre label cannot substitute for that allocation of responsibility.
Data locality is a chain of decisions
In Saudi technology procurement, "local data centre" can sound like a complete answer. It is not. A server may sit in Riyadh while its management console is operated from another country. A production database may remain in the Kingdom while backups, telemetry or support attachments cross a border. Encryption keys may be local while an overseas administrator can still decrypt through a privileged service. Conversely, a cross-border component may be lawful and appropriately controlled for a particular data class. Locality is therefore a property of each data flow and control point, not a badge attached to a building.
Saudi guidance makes that decomposition explicit. The Digital Government Authority's cloud-adoption guidance tells government buyers to select providers according to data classification, workload characteristics and applicable regulation. It treats migration support, continuity and measurement as part of adoption. That is a useful discipline beyond government: classify the workload before selecting the location, then test whether the proposed service can meet the resulting constraints.
The Saudi Data and AI Authority's transfer-risk guidance asks organisations to identify the exact country and place of storage, the retention period, remote access, processing, disclosures, downstream parties and destruction. The important word is exact. "Saudi hosted" cannot answer which site holds the primary copy, which site holds backups or where support personnel connect from.
A usable locality schedule should follow a piece of information through its life. At collection, it identifies the application, user and endpoint. At processing, it names the compute region, database and temporary storage. At protection, it locates keys, snapshots and replicas. At operation, it records who can access logs, consoles and support bundles. At disposal, it gives deletion methods and verification periods. Each step has an owner and a country. Each cross-border step has a stated basis and control.
The schedule should include metadata because logs, IP addresses, account names and incident attachments can be sensitive even when primary content stays local.
Facility geography is still important. Salam's claim of sites in Riyadh, Jeddah and Al Khobar could support in-country placement and geographic separation. Yet three city names do not prove that a chosen service has replicas in two cities, that the sites avoid shared utilities, or that failover preserves the same security and access policy. A proposal must identify the actual facility codes and service zones. Recovery exercises should show that applications, identity, DNS, network policy and keys can all move or be restored, not merely that a second room exists.
The legal counterparty and the technical operator must align with this map. If the Everest name appears in a proposal but Salam operates the facilities and network, the data-processing terms should use the names and registration numbers of the parties with actual access. Subcontractors, cloud partners and overseas support centres should be listed by function. A controller cannot assess transfer risk from an alias whose corporate scope is unclear. Identity resolution is therefore part of data governance, not administrative tidying.
The right buyer question is not "Is the service sovereign?" It is "Which data and control actions remain in which jurisdiction, under whose authority, during normal operation, support, recovery and exit?" A supplier able to answer at that resolution has turned locality into an operating control. A supplier that responds only with a Saudi flag, a city name or the word sovereign has left the material decisions unstated.
Automation is valuable only when state is attributable
Modern hosting depends on automation. Customers expect to create accounts, assign access, provision capacity, change DNS, open a support case, schedule a visit, restore a backup and view consumption without waiting for a chain of emails. Salam's hosting page advertises control over DNS, domains, databases, backups and common server functions, while its colocation offer says capacity can scale and daily management can be handled by a qualified team. Those capabilities can reduce delay and error. They also create a new requirement: every automated change must produce trustworthy state and an attributable decision.
Consider physical access. A self-service portal may let a customer book a visit, nominate an engineer and request entry to a cage. The convenient action hides several controls. The account must be bound to an authorised person. Approval must reflect the customer's current access list. The facility must receive the same state. A denied or expired request must not remain valid in a cached system. Entry and exit events must be retained, reconciled and available after an incident. Emergency access must be possible without turning the exception into a permanent bypass.
The same logic applies to virtual infrastructure. A request for more capacity can trigger compute, storage, network and billing changes. If one step fails, the system needs a defined rollback or a visible partial state. An operator must know whether a resource exists, whether it is protected, whether it is billable and whether it is reachable. The customer needs an immutable event history showing who requested the change, which policy approved it, what was created and how exceptions were handled. An attractive portal without that history transfers reconciliation work to finance, security and support teams.
Saudi cloud-security controls provide a concrete baseline. The National Cybersecurity Authority's current controls page says the cloud controls set minimum requirements for providers and tenants and reflect localisation requirements. The detailed Cloud Cybersecurity Controls require, among other things, protected audit trails, login histories, tenant-level activity records, continuous security-event monitoring and automated logging of remote-access sessions. They also address secure tenant data export, protected backups, vulnerability remediation and network isolation.
These controls reveal the difference between automation and assurance. Automation performs a change; assurance preserves enough evidence to reconstruct the change and test whether policy was followed. A provider claiming automated operations should be able to demonstrate retention periods, clock synchronisation, privileged-session recording, separation of duties and export access for relevant customer events. It should explain how event records are protected from the administrators whose actions they document.
It should show how customer identifiers survive hand-offs between the portal, network operations, facility access, billing and incident systems.
False confidence can grow when status pages simplify complex states. "Backup successful" may mean that a job wrote bytes, not that a clean restore completed within the required time. "Circuit up" may mean that an interface has carrier, not that the application is reachable through a diverse path. "Ticket resolved" may mean that an operator closed a case, not that the customer confirmed recovery.
Useful metrics should be anchored to outcomes: restore success, measured recovery time, repeat-incident rate, unauthorised-access attempts blocked, time to acknowledge, time to qualified diagnosis and customer-accepted closure.
This is particularly relevant to a label whose operating owner is unclear. If Everest is only an alternate network name, then it cannot itself be the accountable actor in access logs or incident reports. If it is a product or business unit, its records should still resolve to the Salam entity, facility and team that performed the action. Good automation narrows ambiguity. It should not produce a polished layer that obscures which organisation changed the underlying service.
Local support is an authority question, not a phone-number claim
Data-centre services become most visible when something physical happens: a failed drive, a damaged cable, an access denial, a power alarm or a device that no longer responds remotely. In those moments, local support is not a soft benefit. It is the mechanism that converts a remote diagnosis into action at a particular rack. Salam advertises continuous oversight by data-centre engineers and its network operations centre, a Saudi security operations facility for managed hosting, Arabic and English support, and round-the-clock technical assistance.
The claims are relevant, but buyers should test four dimensions separately: presence, competence, authority and evidence. Presence asks whether qualified staff are actually on site or on call at the contracted facility for every shift. Competence asks which tasks they can perform on the customer's equipment and under which certifications. Authority asks who may approve a risky action, declare an incident, engage a carrier or invoke disaster recovery. Evidence asks whether actions, parts, times and outcomes are recorded in a form the customer can audit.
A 24-hour desk can meet the presence test and still fail the authority test. An overnight analyst may acknowledge a case immediately but lack permission to dispatch local hands, move traffic or contact a third-party carrier. The clock then stops in a ticketing sense while the outage continues in a business sense. Service terms should distinguish acknowledgement from triage, qualified diagnosis, dispatch, arrival, workaround and restoration. Each interval needs a severity definition and an escalation owner.
Local labour also has policy significance. Saudi Arabia's Ministry of Human Resources and Social Development describes an effort to Saudiise 15,600 technical and technician positions in communications and information technology. That sector target does not prove the composition or skill of any provider's staff. It does show why local capability should be measured as an operating asset rather than represented by a support telephone number.
The strongest support model develops people who can close the loop between customer context and physical infrastructure. They understand the facility's power and cooling topology, the provider's network, the customer's access policy and the evidence needed for regulated incident handling. They can communicate in the customer's working language, but language alone is not enough. They need defined authority, supervised access, training records and regular exercises. Contractors can be part of this model if their responsibilities, vetting and escalation paths are explicit.
Buyers should ask for an anonymised shift model for each contracted site: roles on site, roles on call, dispatch assumptions, language coverage, subcontracted functions and the seniority available outside business hours. They should sample closed incidents and compare the recorded times with the promised intervals. A tabletop exercise can test whether the provider knows who may authorise emergency access when the named customer approver is unreachable. A physical drill can test whether a spare part reaches the right rack with chain-of-custody records intact.
Support data should reveal supervision cost, not hide it. If every routine change requires repeated clarification, if alarms generate low-value cases or if customer engineers must chase multiple desks, the managed service has shifted labour rather than removed it. Useful indicators include cases reopened, hand-offs per incident, engineer minutes per accepted action, dispatches avoided through remote resolution and changes rejected because authorisation was incomplete. These measures turn "local support" into a service that can improve over time.
For Everest Data Centres, support accountability is also the most direct identity test. Ask the sales contact to name the organisation on the engineer's employment or subcontract, the organisation controlling facility access and the organisation issuing the incident report. If those answers point to Salam, the service documents should say so. If they point elsewhere, that party's legal identity and obligations should be produced. The person at the rack is where brand ambiguity becomes operational fact.
The evidence schedule a buyer should demand
The public record is strong enough to design due diligence, even though it is not strong enough to certify Everest as an operator. The goal is not to ask for every document a provider owns. It is to obtain a compact set of records that joins identity, facilities, network resources, data handling, support and recovery. Each item should have a date, an owner and a scope tied to the proposed service.
Start with identity. The supplier should provide the full legal name, Saudi registration number, registered address and authorised signatory of the counterparty. If Everest Data Centres is a trading name, product, facility or business unit, provide the document establishing that status and the legal entity behind it. List every affiliate or subcontractor that will operate a facility, network, cloud platform, service desk or security function. The registration number should match invoices, data terms, insurance and escalation notices.
Next, bind the service to physical assets. A facility schedule should identify the site or sites by an unambiguous code and street-level location under appropriate confidentiality. It should name the operator, owner if different, power and cooling design relevant to the purchased space, fire protection, access controls and the specific certification reports offered as assurance. Certification scope and expiry matter more than a logo. A report for one building or management system should not be allowed to imply coverage of every service.
The network schedule should list customer hand-offs, circuits, providers, autonomous systems, prefixes and normal and emergency origin policy. It should explain whether AS48204 has any role in the customer's traffic, why Cloudflare associates the Everest label with it, and how that role relates to AS35753. Physical-diversity claims should include routes or attestations sufficient to expose shared ducts, entrances and equipment. Recent failover results are more useful than design adjectives.
The regulatory schedule should show the exact cloud registration class and current status for any regulated cloud service. The Communications, Space and Technology Commission's registration page describes certification thresholds for different classes, including a Tier 2 facility certificate or ISO/IEC 27001 for Class A and higher facility and operational-sustainability thresholds for Classes B and C. Its provider guide explains that registration requirements apply to cloud providers operating in the Kingdom. A buyer should verify the named legal entity and service against the current register rather than infer status from a product page.
The data schedule should map primary data, replicas, backups, event records, keys, support attachments and administrator access. It should state countries, facilities, retention, deletion and transfer mechanisms. It should identify cloud partners and downstream processors by function. The map should cover normal service, incident response, recovery and exit because those are the moments when data often moves differently.
The operating schedule should capture the automated and human controls that keep state reliable. Ask for representative access records, privileged-session records, change approvals, backup and restore results, vulnerability handling, incident notices and root-cause reports, with customer data redacted. Verify clock sources and retention periods. Confirm that exports are usable without the provider's proprietary console. A sample should follow one change from request through approval, execution, billing and closure so mismatched identifiers become visible.
The support schedule should name severity levels, service hours, languages, locations, roles, dispatch terms and escalation authorities. It should identify which promises are measured and what stops each clock. It should state exclusions without making every likely incident an exclusion. For remote hands, include task boundaries, rates, minimum charges, parts handling, photographs where permitted and chain of custody. For managed hosting, separate platform administration from application responsibility.
Finally, require an exit schedule before entry. It should specify data and configuration export formats, address and domain transition, cross-connect removal, equipment collection, secure deletion, outstanding incident evidence and final access revocation. Test a small export during the contract. A service that is easy to enter but impossible to leave gives the provider leverage precisely when trust has weakened.
These records can be scored without creating false precision. Mark each claim as verified for the proposed scope, supported but incomplete, or unsupported. Record the next evidence needed and the person responsible. The key is consistency: the same legal name, facility code, customer identifier and service boundary should recur across contracts, portals, logs and incident reports. Where the names change, the relationship should be explained rather than guessed.
The commercial decision is about supervision as much as capacity
A buyer may be tempted to treat the identity ambiguity as a reason to walk away immediately. That can be rational for a highly regulated workload if the supplier cannot resolve it quickly. It can also discard a potentially useful service delivered by an established telecom operator under an old or poorly propagated label. The better decision compares the value of the service with the continuing cost of supervising its boundaries.
Salam's published offer suggests possible economies from combining Saudi facilities, backbone connectivity, managed hosting, security monitoring and local engineering. Consolidation could shorten incident coordination and reduce the number of commercial relationships a customer manages. Its value depends on whether the provider can expose enough state for the customer to govern the combined service. Integration that removes duplicate effort is valuable; integration that makes failures harder to attribute is expensive.
Price comparisons should therefore include more than rack rent, compute or bandwidth. Add migration engineering, cross-connects, security review, compliance evidence, support retainers, remote-hands charges, backup capacity, recovery tests, exit work and the internal staff needed to reconcile incidents and bills. If identity or scope remains unclear, add the recurring time spent verifying who owns each action. That supervision burden is a real operating cost even when it does not appear on the supplier invoice.
Concentration risk also deserves a price. A single provider may control the facility, primary network, cloud layer and support desk. The customer should identify which failure modes remain independent and price mitigations such as a second carrier, customer-controlled encryption keys, off-provider backups or a tested alternate site. Conversely, splitting every component among vendors creates hand-off risk. The optimum is not maximum fragmentation; it is an architecture in which dependencies are deliberate, visible and recoverable.
The commercial test can be framed in three stages. First, can the supplier resolve identity and service ownership without ambiguity? Second, can it provide current evidence for locality, security, network diversity, staffing and recovery at the purchased scope? Third, does measured performance justify the full cost, including customer supervision and switching? Failure at the first stage makes later comparisons unreliable. Passing the first stage does not guarantee the second or third.
Contract design should reward evidence quality. Service credits alone rarely compensate for business loss and can turn availability into a narrow billing argument. Include obligations to deliver timely incident data, retain relevant events, support forensics, report material changes in subcontractors or locations and participate in exercises. Link renewal and expansion to recovery results, unresolved repeat incidents and the completeness of service records. A provider that performs well should find these terms easier to meet over time.
The smallest sensible engagement may be a controlled proof period using non-critical data and a representative network path. Test provisioning, access, support, backup restoration, event export, billing reconciliation and exit. Do not test only speed. The aim is to discover how the organisation behaves when state disagrees across systems and when a request needs human judgement. That is where the advertised combination of automation and local expertise either becomes credible or begins to consume the customer's own staff.
What would change the assessment
Everest Data Centres should currently be treated as an unresolved label attached to a traceable Saudi network context, not as a publicly verified standalone operator. That assessment would change with ordinary, concrete evidence: a Saudi corporate record, a Salam document defining Everest as a brand or unit, a facility or service page using the name, a contract showing its role, or an explanation from the registered network holder for Cloudflare's alternate label. The evidence need not be dramatic. It needs to join the name to an accountable organisation and service boundary.
Network developments would also matter. A sustained expansion in AS48204's announced resources, route objects specifically naming a data-centre function, customer-visible peering, or facility-linked network documentation could strengthen the case that the autonomous system has a distinct infrastructure role. It still would not prove power resilience or support quality, but it would narrow the gap between label and technical function. Conversely, disappearance of the route or removal of the alternate name would suggest that the current association was transitional or stale.
Service assurance should be watched through slower signals: changes in Salam's legal registry entity, cloud registration, named facility estate, certification scope, support contacts and data-location terms. Buyers already under contract should watch their own evidence first. Repeat incidents, restore performance, privileged access, unresolved billing state and changes in traffic origin are more relevant than a search-result count.
The broader lesson is that infrastructure confidence should accumulate from joined records. A name identifies what to investigate. A corporate number identifies the party. A facility schedule identifies the place. Routing data identifies an Internet control surface. Access and change records identify actions. Recovery results identify whether the service survives failure. Incident evidence identifies whether the operator learns. No single layer can carry the weight of all the others.
On the present public record, Salam is the attributable Saudi operator with facilities, cloud products, network resources and local support claims. Everest Data Centres is a name that appears in the BTW directory and as Cloudflare's alternate label for AS48204. The responsible conclusion is to preserve both facts and refuse to bridge them with assumption. For a buyer, that restraint is not academic. It is the first step toward knowing who has the keys, where the data goes, which path carries it, who answers at night and who is obliged to put the service back together.

