Most facility owners pick an access control platform the same way they pick a copier: a demo, three quotes, and a decision. The vendors all show the same dashboard with the same green-bordered “granted” events scrolling past, and the price differences are small enough that the comparison comes down to which sales engineer was more responsive.
Ten years later, when the platform decision needs to change, the real cost shows up. The badges don't read on the new system. The controllers are proprietary. The historical events live in a database the new vendor can't import. The cost to leave is higher than the cost to stay, which is exactly what the original platform's pricing model assumed.
This article is the comparison most sales engineers won't walk you through — the lock-in mechanics, the actual TCO over a 10-year window, and the questions that separate a platform you can leave from one you can't.
What “cloud access control” actually means
The term has been stretched to cover three different architectures, and the differences matter:
- Pure cloud (SaaS) — Brivo, Openpath, Kisi. The control plane lives in the vendor's cloud. Door controllers at the building are thin and largely just relay events upstream. If your internet is down, basic credentials still work via cached authorization, but everything else stops.
- Hybrid cloud — Verkada Access, Avigilon Alta, Genetec Synergis Cloud Edition. The control plane is in the cloud, but local controllers retain enough state and decision logic to operate independently for hours or days. Configuration and events sync up when connectivity returns.
- Cloud-managed on-prem — Genetec Security Center, Lenel S2 NetBox, AMAG Symmetry Connect. The application server runs at the customer site. The cloud is a remote management portal, not the system of record. Useful for facilities that need to keep all data on-prem for regulatory or contractual reasons.
When a vendor says “we're cloud,” ask which of the three. The supportability story, the offline behavior, and the data-residency answer are all different.
TCO over 10 years
Cloud platforms charge per door per month. On-prem platforms charge a one-time license plus annual maintenance. The headline numbers favor cloud at the start and on-prem in the long run, but the more interesting question is what's not in the comparison.
Below is a rough 10-year TCO for a 50-door facility, assuming hardware refresh at year 7 and one full software major-version upgrade. Numbers are illustrative; actual quotes vary by region and vendor:
| Cost line | Cloud (50 doors) | On-prem (50 doors) |
|---|---|---|
| Hardware (controllers, readers) | $45,000 | $55,000 |
| Software licensing (yr 1) | included | $22,000 |
| Installation labor | $28,000 | $35,000 |
| SaaS / SMA over 10 years | $120,000 | $44,000 |
| On-prem server / VM hosting | — | $24,000 |
| IT admin time (yr 1–10) | low | moderate–high |
| Hardware refresh (yr 7) | $15,000 | $20,000 |
| 10-year approximate total | $208,000 | $200,000 |
The headline answer: at the 10-year mark, the totals converge. Cloud is cheaper to start and more expensive to keep. On-prem is the inverse. The real differences are not in the totals; they are in the lock-in.
Lock-in — the badge format question
Almost every access control platform supports multiple credential formats: 26-bit Wiegand, 35-bit HID Corporate 1000, MIFARE DESFire EV2 / EV3, HID Seos, iCLASS SE, Apple Wallet keys, mobile NFC, BLE. The platform you pick decides which formats you can issue and which your readers can read, and the cards in your employees' wallets are the most expensive thing to change.
If you issue 1,200 DESFire EV2 badges through Brivo and decide three years later to move to Genetec, you have to either: (a) buy 1,200 new credentials in a format the new platform supports, or (b) re-encode the existing credentials, which works only if you own the cryptographic keys (you usually don't — the original vendor does). Option (a) is real money. Option (b) is often a phone call to the original vendor's support team that begins with you asking nicely for keys they have no contractual obligation to release.
Lock-in — the controller question
Door controllers come in two flavors: open (Mercury Security boards: MR50, MR52, EP4502, MP4502 — the same boards multiple vendors OEM) and proprietary (Verkada AC41, Brivo ACS-300 series, Avigilon HID-OEMed boards). Mercury controllers can be repurposed across most major head-end systems with a board-level firmware change. Proprietary controllers are landfill the day you change platforms.
For a 50-door facility, that is a $25,000–$45,000 difference at the next platform decision. For a 500-door enterprise facility, it's an order of magnitude bigger. If you're picking a cloud platform that runs on Mercury (Genetec, Lenel S2, AMAG, Honeywell Pro-Watch, Software House, RS2, Open Options, Galaxy), you're keeping the door-by-door switching cost low. If you're picking a platform that requires its own boards, you're committing to that vendor for the life of the boards.
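The TCO table and the controller figures above, carried through year by year. This is an added example, not part of the original article or any vendor's tooling. It assumes recurring fees are spread evenly across the ten years (the table gives only 10-year totals) and treats the $25,000–$45,000 controller figure as the cost of boards you cannot reuse; `Platform`, `crossover_year` and `exit_cost_range` are illustrative names.

```python
"""Cumulative cost model using the article's illustrative 50-door figures."""
from dataclasses import dataclass

HORIZON = 10  # years, as in the table


@dataclass(frozen=True)
class Platform:
    name: str
    upfront: int         # hardware + year-1 licence + installation labour
    recurring: int       # SaaS/SMA plus hosting over the whole horizon
    refresh: int         # hardware refresh cost
    refresh_year: int = 7

    def cumulative(self, year: int) -> int:
        """Spend through the end of `year`; recurring fees spread evenly (assumption)."""
        total = self.upfront + self.recurring * year // HORIZON
        return total + (self.refresh if year >= self.refresh_year else 0)


CLOUD = Platform("cloud", 45_000 + 28_000, 120_000, 15_000)
ON_PREM = Platform("on-prem", 55_000 + 22_000 + 35_000, 44_000 + 24_000, 20_000)

# The article's range for replacing proprietary controllers at 50 doors.
STRANDED_CONTROLLERS = (25_000, 45_000)


def crossover_year(a: Platform, b: Platform):
    """First year in which b's cumulative spend falls below a's, else None."""
    for year in range(1, HORIZON + 1):
        if b.cumulative(year) < a.cumulative(year):
            return year
    return None


def exit_cost_range(p: Platform, year: int, proprietary: bool):
    """(low, high) spend if you leave at `year`, counting boards you cannot reuse."""
    low, high = STRANDED_CONTROLLERS if proprietary else (0, 0)
    base = p.cumulative(year)
    return base + low, base + high


if __name__ == "__main__":
    for y in range(1, HORIZON + 1):
        print(y, CLOUD.cumulative(y), ON_PREM.cumulative(y))
    print("on-prem becomes cheaper in year", crossover_year(CLOUD, ON_PREM))
    print("cloud, proprietary boards, exit yr 10:", exit_cost_range(CLOUD, 10, True))
    print("cloud, Mercury boards, exit yr 10:   ", exit_cost_range(CLOUD, 10, False))
```

Under these assumptions the two deployment models sit $8,000 apart at year 10, while the controller choice alone moves the exit figure by $25,000 to $45,000.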
When cloud makes sense
- Multi-site portfolios where centralized management saves real admin time across many small facilities.
- Tenants in leased buildings where the property manager shouldn't be running infrastructure.
- IT-light organizations where keeping a Windows Server, SQL database, and the access control software patched is not a fit.
- Facilities where the average administrative event is “add a new hire to a group” and the management can be delegated to HR or office managers without giving them server access.
When on-prem still wins
- Facilities with strict data-residency requirements (government, defense contractors, certain healthcare contracts) where event data physically cannot leave the building.
- Single large campuses (corporate HQ, hospitals, universities) where the per-door SaaS math gets expensive at scale and an on-site IT team is already running adjacent systems.
- Highly customized integrations — HR systems, visitor management, intrusion detection, video, building automation — where deep API access and on-prem data are easier to wire together than the SaaS equivalent.
- Long-lived facilities (40+ year buildings) where SaaS-vendor failure or acquisition risk is a real concern.
The questions that decide
Before signing any access-control contract, get written answers to these:
- Are the door controllers Mercury-based or proprietary? (If proprietary, what's the credential-portability story?)
- Who owns the cryptographic keys for the credentials you'll issue? Will you release them to us if we leave?
- Can we export historical events in a usable format (CSV, SQL dump) at any time, including after contract termination?
- What is the offline behavior of the system if internet is lost for 24 hours? 7 days?
- What integrations are supported with our HR system / SSO provider / video platform — and are they native or via Zapier-style middleware?
- What does an early-termination clause look like? Are there per-door fees if we leave before the term?
Bottom line
The platform you can leave is worth more than the platform that's slightly cheaper to enter. Most access-control buyers compare features in the demo and price in the quote, then discover the real cost — switching cost — only when it's time to switch. The buyers who treat lock-in as a first-class evaluation criterion end up with smaller decisions to make in year 10, even when the year-1 price is a few percent higher.