Government and semi-government

NCA readiness on a platform your whole entity uses

Manage policies, risk, NCA controls, evidence, and remediation in one connected system. The GRC team runs the program; departments respond to their assigned actions. Built in Saudi Arabia, with data resident in the Kingdom and on-premises deployment available.

HAKTIVOrg View
NCA readinessAuthority · Riyadh
NCA ECC
64% implemented
1. Cybersecurity Governancedone
2. Cybersecurity Defencepartial
3. Cybersecurity Resiliencedone
4. Third-Party & Cloud Computing Cybersecuritypartial
Policy status
21
Acknowledged
4
In review
Risk posture
2 high5 medium11 treated
12 open actions across IT, HR, and OperationsEmployee View
The problem

The mandate is clear
The evidence is everywhere

The obligations are real and time-bound but the work still lives in shared drives, email, and spreadsheets, with much of the evidence held outside the GRC team.

Policies depend on many hands

Authors, reviewers, approvers, and the employees who must acknowledge them are rarely in one system.

Policy-v2-FINAL(3).docx
forwarded over email
Evidence lives with the departments

IT, HR, and Finance hold the proof, while the GRC team is accountable for collecting it.

\\shared\audit\2026\evidence\…
four drives, no owner
Assessments repeat the same work

Overlapping requirements lead teams to gather and review the same evidence more than once.

access-logs-Q4.pdf
requested ×3 this year
NCA readiness

Start with the NCA frameworks pre-mapped

 Activate what is in scope, assign ownership, and track implementation, evidence, and remediation in one place, reusing shared controls wherever mappings apply.

See the NCA frameworks we support
NCA — National Cybersecurity Authority
NCA framework family
activate the ones in scope for your entity
ECC
Essential Cybersecurity Controls
Active
DCC
Data Cybersecurity Controls
Activate
CSCC
Critical Systems Controls
Activate
TCC
Telework Cybersecurity Controls
Activate
Whole-entity participation

The GRC team owns the program The entity does the work with them

The GRC team runs the program in Org View. Departments acknowledge, answer, and submit evidence in Employee View,  and every response returns to one auditable workflow.

Org View— Cybersecurity & GRC team
NCA ECC · 2-2-3-4
Privileged Access Management
Awaiting evidenceOwner: IT · Due Dec 31
Data Classification Policy v2
approval routed to CISO
In review
Employee View— departments
Access Control Policy v3.1
read and confirm
I Acknowledge and Accept
Risk questionnaire · HR systems
5 of 8 answered
Continue
PAM evidence upload
access-logs-Q4.pdf
Upload ↑
Evidence and audit

An audit trail that is ready before the auditor is

Evidence is requested from the departments that hold it, versioned, and reviewed in one place. Every state change is logged with the actor, the timestamp, and what changed. The person who uploads evidence cannot approve it, and the control owner is not the reviewer, so separation of duties is enforced by the system, not by a spreadsheet. Downloaded documents are watermarked with the platform logo, the user, the date, and the timestamp.

No StatusUnder ReviewApprovedRequires Revision
Evidence review queue
access-logs-Q4.pdf · v2
IT · K. Alotaibi
Under Review
hr-awareness-records.xlsx
HR · N. Almutairi
Approved
Audit logactor · timestamp · change
S. Alqahtani approved access-logs-Q4.pdf v214:32:08
K. Alotaibi uploaded v2 · replaced v109:14:44
System watermark applied logo · user · date · timestamp09:15:02
Bilingual by design

Designed in Arabic and English

HAKTIV is designed in Arabic and English from the ground up, not translated after the fact, including full right-to-left support. Your team works in the language it operates in, and bilingual policies, controls, and evidence stay consistent across both.

ENعربي
ENGLISH · LTR
Access Control Policy
Acknowledge by Dec 31
Version 3.1 · approved
I Acknowledge and Accept
العربية · RTL
سياسة التحكم في الوصول
الإقرار قبل ٣١ ديسمبر
الإصدار ٣٫١ · معتمد
أقرّ بالاطلاع وأوافق
Deployment and residency

SaaS, dedicated tenant, or on-premises. Data stays in the Kingdom

Public-sector requirements differ by entity, so HAKTIV offers three deployment options: SaaS, a dedicated tenant, or on-premises. For cloud deployments, customer and compliance data is hosted, stored, and processed in the Google Cloud Dammam region, with no processing or transfer outside the Kingdom of Saudi Arabia. On-premises deployment is available today for entities that require it.

SaaS
Dedicated tenant
On-premises · available today
See security and data details
Saudi data residency
Google Cloud · Dammam region
Hosted, stored, processed in-Kingdom
Encrypted in transit and at rest
Tenant isolation enforced
Dammam, KSA
Built for procurement

The information your security and procurement teams will ask for

Built in Saudi Arabia
In-Kingdom data residency for cloud deployments
Tenant isolation
Across SaaS and dedicated-tenant deployments
Encryption
In transit and at rest
Audit logging
Infrastructure and application level
Backup & recovery
Daily automated backups with point-in-time recovery
24/7 monitoring
With incident response
No support access
Support personnel have no access to customer data
RBAC & SoD
Role-based access and segregation of duties, enforced platform-wide

Run a structured pilot with your own framework and data

Book a 30-minute walkthrough tailored to your entity. We will scope a pilot around the NCA frameworks in your scope, your deployment requirements, and the departments that need to participate.

Book a demo
Arabic and English · in-Kingdom data · on-premises available