Compliance
Frameworks, unified controls, assessments and cross-framework coverage — test once, comply many.
Thubut turns the overlapping demands of many regulations — NCA ECC, SAMA CSF, ISO 27001, PDPL and more — into one continuous, audit-ready operating rhythm. In Arabic and English. On your network.

Behind every framework sits one persistent unified control. Map each regulation's requirement to it, test that control a single time, and the proof satisfies them all — at once.

One polymorphic engine governs every record — documents, risks, incidents, findings, vendors. The approver sees the record being decided, right where they act. No approving blind.

Every regulatory obligation links to the control, policy and risk that prove you meet it — one unbroken chain an auditor can follow from clause to evidence.

Every critical action is appended to a cryptographic hash-chain, so any tampering is detectable. A defensible record of who did what, when — with integrity verification and PDF export.

A risk-based plan that reorders itself as risk moves — real progress off assessed controls, PBC evidence requested once, workpapers, and findings that flow into the same CAPA engine.

On-prem connectors — Active Directory, SIEM, vulnerability scanners, CSV — pull evidence and drop it straight onto the relevant control. A scan result becomes audit evidence, with nothing sent to the cloud.

Third-party risk without the fork — send due-diligence as a campaign off the single evidence store, so you never re-collect what a vendor already gave. And a weak vendor raises a tracked finding like everything else.
Connectors pull evidence, deadlines schedule themselves, and the chain records every move — so you are ready the day the auditor arrives, not scrambling for it.
Deployed entirely on your own network — air-gapped, no cloud, no external calls. Built for regulated environments where data simply cannot cross the perimeter.
Purpose-built for the frameworks you actually answer to, fully bilingual, and deployable entirely inside your own environment — no cloud, no data leaving your walls.
Bring your frameworks in and map each control to one shared unified control.
Assess each unified control a single time; evidence attaches where it lives.
Coverage lights up across every framework — and the chain records it all.
Turn scattered frameworks into one continuous, audit-ready rhythm. See Thubut on your own controls.
Frameworks, unified controls, assessments and cross-framework coverage — test once, comply many.
Numeric inherent & residual scoring, KRIs, risk appetite and a live portfolio roll-up.
Risk-based plans, PBC evidence requests, workpapers and findings — no parallel silo.
Article 24 breach notifications with a governed 72-hour clock and automatic reminders.
Vendor due diligence via campaigns off the single evidence store — never chase what exists.
Policies, documents, roadmap initiatives and a polymorphic workflow engine behind it all.