Holding groups

Run the whole group's compliance from one platform

Give every subsidiary its own isolated portal, with its own views, progress, and data. A root administrator switches between the parent and child organizations from one authorized account.

Parent organization
Root admin · switches organizations
Subsidiary A
isolated portal
own data
Subsidiary B
isolated portal
own data
Subsidiary C
isolated portal
own data
Each portal walled to itself · one authorized crossing point
The problem

Every subsidiary is an island
 The accountability sits with the group

The parent is accountable for GRC across its subsidiaries, while each subsidiary works in its own tools, files, and regulatory scope. So the group-level program runs on correspondence, meetings, and manually assembled spreadsheets.

Scopes differ

One subsidiary is SAMA-supervised, another is in NCA scope. Each has its own frameworks, depending on its sector and activities.

SAMA · NCA · ISO
a different scope in every entity
Tools are scattered

A different tool or spreadsheet in every subsidiary means a different program in every subsidiary, with no consistent way of working.

group-rollup-v12.xlsx
assembled by hand, out of date on arrival
No clean separation

When subsidiaries are managed out of shared files, what belongs to one entity mixes with what belongs to another.

shared-drive/all-entities/
whose evidence is this?
The model

Isolated for every entity Accessible through one authorized root account

A holding company and its subsidiaries run in HAKTIV as linked organizations. Each subsidiary gets its own isolated portal, with its own views, progress, and data, walled to itself. A root administrator has permission to switch between the parent and child organizations from one authorized account, running the program in each entity from one place, without one entity's data mixing with another's.

HAKTIVRoot admin
Switch organization
Holding · parent
group program
Current
Subsidiary A · finance
isolated · own views, progress, data
Switch →
Subsidiary B · technology
isolated · own views, progress, data
Switch →
Subsidiary C · services
isolated · own views, progress, data
Switch →
One authorized crossing point · no entity's data mixes with another's
Frameworks per entity

Every subsidiary has its own scope and its own frameworks

Each subsidiary activates the frameworks in its own scope: NCA frameworks, SAMA frameworks, PDPL, ISO/IEC 27001, or PCI DSS v4.0.1, depending on its sector and activities. And inside each entity, the Unified Control Library maps overlapping requirements to shared controls, so work is reused wherever the mapping applies.

Subsidiary A · finance
SAMA-supervised
SAMA CSFSAMA BCPCI DSS v4.0.1
UCL reuse across this entity's frameworks
Subsidiary B · technology
in NCA scope
NCA ECCNCA CCCPDPL
UCL reuse across this entity's frameworks
Subsidiary C · services
pursuing certification
ISO/IEC 27001PDPL
UCL reuse across this entity's frameworks
Participation in every entity

One way of working, with every subsidiary's people taking part

Inside each entity, the GRC team runs its program in Org View, and employees take part through Employee View: acknowledging policy versions, answering questionnaires, and submitting evidence, in one auditable workflow per subsidiary. The group gets one consistent way of working, while each entity keeps its own data and its own record.

Subsidiary A · financeisolated environment
Org View
SAMA CSF · status per control
Evidence review queue · 4
Employee View
Policy v3.2 · acknowledge
Access review · upload
Subsidiary B · technologyisolated environment
Org View
NCA ECC · status per control
Remediation tasks · 7
Employee View
Risk questionnaire · 6 of 9
Evidence · submit
The same working model in every entity · each with its own data and its own record
Security and data

Isolation at the entity level, and data in the Kingdom

Each entity is isolated with its own data, with role-based access, segregation of duties, and full audit logging. For cloud deployments, customer and compliance data is hosted, stored, and processed in the Google Cloud Dammam region, with no processing or transfer outside the Kingdom of Saudi Arabia. A dedicated tenant or on-premises deployment is available depending on the group's requirements.

Entity isolation
Role-based access
Audit logging
See security and data details
Saudi data residency
Google Cloud · Dammam region
Hosted, stored, processed in-Kingdom
Each entity walled to itself
One authorized root account
Dammam, KSA

Book a demo for your group

A 30-minute walkthrough covering the parent and subsidiary model, isolation between entities, root-admin switching, and the frameworks in scope for each of your group's entities.

Book a demo
Isolated per subsidiary · one authorized root account · Arabic and English