The platform

One connected GRC system 
Depth for the team, Simplicity for everyone

Govern strategy and policies, manage the full risk lifecycle, and demonstrate compliance in one system. The GRC team works in Org View. Everyone else completes their assigned actions in Employee View.

AI drafts and recommends. Your team reviews and decides.

HAKTIV
Org ViewEmployee View
Profile
Executive overviewACME Holding · Riyadh, KSA
Strategy & initiatives
NCA ECC program72%
Policy refresh 202645%
BC exercise18%
Policy status
38policies
AcknowledgedApprovedUnder reviewDraft
Risk posture
15
Treated
6
In progress
2
Overdue
Next review: Third-party access
Controls & frameworks
NCA ECC
64%
SAMA CSF
51%
ISO 27001
78%
14 open actions · 3 due this week
The architecture

Two experiences, One connected GRC system

Specialist depth for the GRC team. Simple participation for everyone else.

Each audience gets a purpose-built experience in the same system, and every request, response, review, and decision returns to one auditable workflow.

Org View— for the GRC team
Plan strategy and roadmap
Author and publish policies
Run the full risk lifecycle
Map controls and evidence
Monitor ownership, status, and audit history
Employee View— for everyone else
See assigned actions and deadlines
Acknowledge policy versions
Answer risk questionnaires
Submit control evidence
Approve where required
Participate without navigating a specialist GRC interface.
Governance

Governance, from strategy to policy acknowledgment

Plan the roadmap, author and co-edit policies, publish approved versions, and prove acknowledgment without leaving HAKTIV.

A live operating workspace, not a folder of uploaded documents, author, co-edit, version, publish, and tie every acknowledgment to the exact version received.

GRC roadmap · 20264 initiatives
NCA ECC readiness72%
SAOwner: S. Alqahtani · Milestone: Q3 assessment
💬 “ECC 2-2 controls need owners before July.”
Policy refresh 202645%
Access Control Policy — approved
Data Classification — in review
BC & DR Policy — draft
Actions this month
Assign ECC 2-2 ownersReview Data Classification v2Plan BC tabletop
Risk

Your methodology, One risk lifecycle

Define the scoring model, collect input across the organization, assess and approve risks, and track treatment and evidence in one system.

Build the methodology, fields, values, formulas, ranges. Collect input through Employee View, assess with reviewer-controlled AI recommendations, route for approval, and track treatment and evidence in one register.

AI recommends. You decide.

Risk methodology · configurable
Factors
Likelihood1–5 · predefined
Impact1–5 · predefined
Control effectiveness0.2–1.0
Asset value1–4 · your scale
Your formulas
Inherent = L × I × AVI
Residual = Inherent × CER
Heat mapLikelihood × Impact
I
R
Inherent 20 · HighResidual 4 · Low
Fields, predefined values, formulas, and ranges are yours to define — not a preset matrix.
Compliance

One control Multiple frameworks

Map overlapping requirements to shared controls and reuse controls and evidence wherever they apply.

The Unified Control Library keeps a shared control's evidence, tasks, and status connected across the frameworks it is mapped to update once, reflected wherever it applies.

Worked example

One access-control evidence package can support NCA ECC, SAMA CSF, ISO/IEC 27001, and PCI DSS  where the mappings apply.

Unified Control Library · AC-01 Access ControlImplemented
access-logs-Q4.pdf · shared evidence
AC-01 · Access Control
NCA ECC
2-2-3 · mapped
SAMA CSF
3.3.5 · mapped
ISO/IEC 27001
A.9 · mapped
PCI DSS v4.0.1
Req 7 · mapped
Evidence, tasks, and status stay connected  where the mappings apply.
Evidence

Evidence collected from its owners
 reviewed in one place

Evidence requests go to the control owners who hold the proof. Owners upload and submit through Employee View, and the GRC team reviews it in Org View. Every file is versioned and moves through a clear lifecycle, with the same audit trail as the rest of the platform.

Employee View · submit
PAM evidence · NCA ECC 2-2-3-4
Requested from Khalid Alotaibi · control owner
↑ Upload privilege-access-logs-Q4.pdf
versioned on submit
Submit for review
LifecycleNo StatusUnder Review
ApprovedRequires Revision
Org View · review queue
privilege-access-logs-Q4.pdf · v2
K. Alotaibi · today 11:34
Under Review
backup-restore-test.pdf
F. Alharbi · yesterday
Approved
mfa-rollout-report.docx
S. Alqahtani · Jun 30
Requires Revision
Reporting and audit

Leadership sees the posture
The GRC team keeps the detail

An executive overview shows strategy and initiative progress, risk posture, compliance progress, and policy status. Beneath it, every state change is logged with the actor, the timestamp, and what changed, so the GRC team retains the full history behind any number, and an assessment or audit has a trail to follow.

Initiatives
72%
on track
Risk posture
8
open risks
Compliance
64%
controls done
Policies
38
142 acknowledged
Audit trailactor · timestamp · change
SAS. Alqahtani approved evidence access-logs-Q4.pdf v214:32:08
AZA. Alzahrani approved risk assessment PAM review gap13:07:51
NKN. Almutairi changed policy status Draft → Under Review11:48:19
KAK. Alotaibi uploaded evidence v2 · replaced v109:14:44
Holding Co · parent organization
Root admin · authorized switch
Digital Co
isolated portal
• Own views• Own progress• Own data
Capital Co
isolated portal
• Own views• Own progress• Own data
Real Estate Co
isolated portal
• Own views• Own progress• Own data
Each subsidiary walled to its own data — no cross-subsidiary visibility.
Multi-entity

Isolated for every entity, Accessible through one authorized root account

A holding company and its subsidiaries run as linked organizations. Each subsidiary gets its own isolated portal, with its own views, progress, and data, walled to itself. A root administrator has permission to switch between child and parent organizations from one authorized account.

Who it is for: holding groups and authorities with subsidiaries that need each entity separated, with one administrator scoped across the group.

AI assistance

AI drafts and recommends
Your team reviews and decides

AI assists across the platform: drafting risk questionnaires, recommending assessments and surfacing potential risks and gaps, generating tasks and subtasks, and summarizing policies. A framework-scoped assistant answers questions within the framework you are working in.
Responsible owners review, edit, approve, or reject each output, so accountability stays with your team.

Every output:AcceptEditReject
Where AI helps today
Questionnaire drafts
Assessment recommendations
Evidence accuracy checking
Task and subtask generation
Policy summarization
A framework-scoped assistant
Deployment and security

Deploy your way
Data stays in the Kingdom

Run HAKTIV as SaaS, a dedicated tenant, or on-premises. For cloud deployments, customer and compliance data is hosted, stored, and processed in the Google Cloud Dammam region, with no processing or transfer outside the Kingdom of Saudi Arabia.

SaaS
Dedicated tenant
On-premises
See security and data details
Saudi data residency
Google Cloud · Dammam region
Hosted, stored, processed in-Kingdom
Encrypted in transit and at rest
Tenant isolation enforced
Dammam, KSA

See the whole GRC program working in one demo

Book a 30-minute walkthrough across Org View and Employee View. We will show governance, risk, compliance, evidence, and the frameworks relevant to your organization.

Two experiences
Governance
Risk
Compliance
Your frameworks
Book a demo