Governance · Risk · Compliance

Thubut

ثبوت
Compliance, Proven.
Scroll
The platform

One platform for Governance, Risk & Compliance.

Thubut turns the overlapping demands of many regulations — NCA ECC, SAMA CSF, ISO 27001, PDPL and more — into one continuous, audit-ready operating rhythm. In Arabic and English. On your network.

1
Unified control layer
72h
PDPL breach clock, governed
100%
Tamper-evident audit trail
2
Languages, RTL-native
Assessmentapplies one framework Assessment Controlone per control in the framework Control ImplementationONE persistent · status · maturity · evidence
Work flows down three layers · one implementation holds the truth
Thubut
The problemFour frameworks.
Endless duplication.
ConvergeEvery requirement,
mapped to one.
Test onceOne unified control.
Tested once.
Comply manyProof flows to
every framework.
Cross-framework coverage matrix
NCA ECC SAMA CSF ISO 27001 PDPL UNIFIEDCONTROL EVIDENCE ×1
Map many · test one · satisfy all
01 — The core idea

Test once,
comply many.

Behind every framework sits one persistent unified control. Map each regulation's requirement to it, test that control a single time, and the proof satisfies them all — at once.

  • One ControlImplementation holds the status, maturity and evidence.
  • Cross-framework mapping shows live coverage & gaps.
  • A scan result becomes audit evidence — automatically.
Workflow decision cockpit
Document Risk Incident Vendor …any record ONE POLYMORPHICENGINE Draft Review Approve
Every entity type · one engine · per-step owners
02 — Workflow engine

The decision
cockpit.

One polymorphic engine governs every record — documents, risks, incidents, findings, vendors. The approver sees the record being decided, right where they act. No approving blind.

  • A live progress stepper with each step's SLA.
  • A Decision Context that adapts to every entity type.
  • Approve · Reject · Return — with a full audit trail.
Obligation golden thread
Obligation Control Policy Risk
The golden thread — end to end
54321 12345 LIKELIHOOD → IMPACT → LowMediumHigh● a residualrisk, plotted
Inherent & residual — scored on a 5×5 matrix
03 — Traceability

The golden
thread.

Every regulatory obligation links to the control, policy and risk that prove you meet it — one unbroken chain an auditor can follow from clause to evidence.

  • Numeric risk: inherent & residual, L×I scored.
  • KRIs with red/amber/green early warning.
  • Risk appetite that gates over-appetite sign-off.
Tamper-evident audit trail
EACH BLOCK CARRIES THE PREVIOUS HASH Action N−1hash · prev↩ Action Nhash · prev↩ Action N+1hash · prev↩
Tamper anywhere · the whole chain breaks
04 — Integrity

Proof that
holds.

Every critical action is appended to a cryptographic hash-chain, so any tampering is detectable. A defensible record of who did what, when — with integrity verification and PDF export.

  • Nothing to switch on — it records itself.
  • Internal audit reuses the same evidence store.
  • Findings flow straight into tracked CAPA.
Risk-based audit plan
RISK POSTURE Critical unit Elevated vendor Stable domain AUDIT PLAN · REORDERED BY RISK 1 · Audit the critical unit first 2 · Then the elevated vendor 3 · Stable domain — later
Plan audits where the risk actually is
05 — Internal audit

Audit,
risk-first.

A risk-based plan that reorders itself as risk moves — real progress off assessed controls, PBC evidence requested once, workpapers, and findings that flow into the same CAPA engine.

  • Live risk posture from the same portfolio roll-up.
  • "Request evidence once" — covered controls never chased.
  • A failed control auto-raises a finding (AI-drafted).
On-prem connectors
LDAP / AD SIEM Scanner CSV import EVIDENCESTORE Control · auto-evidenced air-gapped · inside your network
Connectors → evidence → control, automatically
06 — Automation

Evidence,
on autopilot.

On-prem connectors — Active Directory, SIEM, vulnerability scanners, CSV — pull evidence and drop it straight onto the relevant control. A scan result becomes audit evidence, with nothing sent to the cloud.

  • Built for regulated, air-gapped environments.
  • A connector sync turns a scan into control evidence.
  • Automation without your data ever leaving.
Third-party vendor register
Vendor DD campaign Evidence Assessed
Due diligence via campaigns · off the one evidence store
07 — Third-party

Vendors,
governed.

Third-party risk without the fork — send due-diligence as a campaign off the single evidence store, so you never re-collect what a vendor already gave. And a weak vendor raises a tracked finding like everything else.

  • Due diligence runs as a campaign, not a spreadsheet.
  • SAMA-aligned third-party posture, scored.
  • Findings feed the same CAPA engine.
Security operations, in control
Always-on

Audit-ready.
Always.

Connectors pull evidence, deadlines schedule themselves, and the chain records every move — so you are ready the day the auditor arrives, not scrambling for it.

On-premise, air-gapped data center
Inside your walls

Your data
never leaves.

Deployed entirely on your own network — air-gapped, no cloud, no external calls. Built for regulated environments where data simply cannot cross the perimeter.

Built for the Kingdom

Made for Saudi regulation — and your network.

Purpose-built for the frameworks you actually answer to, fully bilingual, and deployable entirely inside your own environment — no cloud, no data leaving your walls.

PDPL · 72-hour breach NCA ECC / CSCC SAMA CSF ISO 27001 Arabic · English · RTL On-prem · air-gapped
Breach detected0h Assess · Art. 24reminder Filing checklistreminder Notify SDAIA72h deadline
The 72-hour clock — reminders scheduled automatically
Getting started

From day one to audit-ready.

01

Map

Bring your frameworks in and map each control to one shared unified control.

02

Test once

Assess each unified control a single time; evidence attaches where it lives.

03

Prove

Coverage lights up across every framework — and the chain records it all.

Thubut · ثبوت

Compliance,
Proven.

Turn scattered frameworks into one continuous, audit-ready rhythm. See Thubut on your own controls.

05 — One platform, six disciplines

Everything, connected.

Compliance

Frameworks, unified controls, assessments and cross-framework coverage — test once, comply many.

Risk

Numeric inherent & residual scoring, KRIs, risk appetite and a live portfolio roll-up.

Internal Audit

Risk-based plans, PBC evidence requests, workpapers and findings — no parallel silo.

Privacy · PDPL

Article 24 breach notifications with a governed 72-hour clock and automatic reminders.

Third-Party

Vendor due diligence via campaigns off the single evidence store — never chase what exists.

Governance

Policies, documents, roadmap initiatives and a polymorphic workflow engine behind it all.