NCA ECC · SAMA CSF · SDAIA/PDPL · CBAHI

From audit panic to audit readiness.

ArabAudit replaces the spreadsheet-and-email loop with an AI-native workspace built for every major KSA framework — with every finding grounded, every evidence hash anchored, and every report regulator-grade in English and Arabic.

8: KSA frameworks · native
1,847: Controls mapped
Instant: to regulator-ready report
me-central-2: Data residency · KSA
AI · grounded
"IC.2 hand-hygiene audit meets CBAHI — missing the Q1 compliance trend log."
Session · King Fahad Medical City · Q1 2026
CBAHI · Hospital Edition

Accreditation readiness

SURVEY #02 · 2026
74% (+11 vs Q4)
Leadership: 94
Patient Care: 86
Medication: 68
Infection Ctrl: 52
Emergency: 28
1,093 standards · ledger anchored · a3c2·f81d·5b90·22ee
Regulator export
Signed PDF + JSON manifest — one click, 87s to generate.

What we unlock

Designed to transform how KSA enterprises run compliance.

Every number below reflects a measurable outcome our AI capabilities are engineered to produce — across preparation, execution, and reporting.

70%: Audit prep time reduction
Instant: Regulator export — NCA · SAMA · SDAIA · CBAHI
100%: Framework overlap eliminated
Instant: Evidence retrieval (was 2+ hrs)
Zero: Expired doc incidents (30-day AI alerts)
83%: Faster audit cycles
~2,000: Controls mapped across frameworks
8+: Saudi frameworks supported

Capabilities · cycle

AI that works across the entire audit lifecycle

Every capability is orchestrated around a single AI Core — shared memory, shared framework context, shared ledger. Evidence enters the cycle once and emerges as a regulator-ready report.

AI Core
One ledger
Signed · me-central-2
01 · Preparation · AI Auto-Link: Evidence → criterion. Confidence-scored, bulk-approvable.
02 · Prep · Readiness Check: Coverage score · bilingual narrative · expiring doc flags.
03 · Exec · Evidence Validation: Per-criterion compliance signal · rating suggestion.
04 · Exec · Audit Copilot: Grounded chat · EN/AR · framework-only scope.
05 · Find · Finding Draft: Root-cause · impact · severity · provenance.
06 · Reporting · AI Summary Report: SSE stream · framework-specific · signed PDF.

Frameworks

Built for Saudi regulatory & sector frameworks

NCA · SAMA · PDPL · CBAHI · CCHI · NPHIES · SFDA · plus your operational checks. One platform.

SAMA-CSF

SAMA CSF (Financial)

SAMA Cybersecurity Framework


NCA-ECC

NCA ECC (Cybersecurity)

NCA Essential Cybersecurity Controls


SDAIA-PDPL

SDAIA Personal Data Protection Law

SDAIA PDPL (Personal Data Protection Law)

SAMA-IT-GOVERNANCE

SAMA IT Governance Framework

SAMA IT Governance Framework (Regulatory Guide for Information Technology Governance)

PCI-DSS-V4.0.1

PCI DSS v4.0.1

Payment Card Industry Data Security Standard version 4.0.1. A global security standard designed to protect cardholder data and reduce payment card fraud through technical and operational controls across six domains and twelve core requirements.


ISO-27001:2022

ISO 27001:2022

ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection. Specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. Includes mandatory Clauses 4–10 and 93 Annex A controls across four themes: Organizational (5.1–5.37), People (6.1–6.8), Physical (7.1–7.14), Technological (8.1–8.34).


CBAHI-CLINIC

CBAHI National Standards for Ambulatory Care Centers

CBAHI National Standards for Ambulatory Care Centers – First Edition 2019, Effective 1 January 2020. 11 chapters, 133 standards, 594 sub-standards (7 core).


Why ArabAudit

Saudi-native from day one. Not a US tool with an Arabic toggle.

Feature comparison: other audit platforms vs. ArabAudit

Data residency
  Other audit platforms: US/EU servers — conflicts with SAMA Art. 6 & PDPL Art. 23.
  ArabAudit: 100% AWS me-central-2 (Riyadh). Sovereign by design.
  Why it matters: Avoids regulator findings before the audit even starts.

Arabic document AI
  Other audit platforms: English-only OCR; Arabic Commercial Registries fail silently.
  ArabAudit: Dual-routing OCR reads Arabic CRs, GOSI, Iqama — bilingual evidence supported natively.
  Why it matters: Most KSA evidence is Arabic or mixed.

Framework overlap
  Other audit platforms: Built for SOC 2 / ISO 27001; manual cross-mapping.
  ArabAudit: NCA ↔ SAMA ↔ PDPL ↔ CBAHI overlap rules ship in the box.
  Why it matters: Upload once, satisfy 3+ frameworks.

Regulator export
  Other audit platforms: Generic PDF reports.
  ArabAudit: One-click NCA / SAMA / SDAIA / CBAHI templates · signed · ready for portal upload.
  Why it matters: No copy-paste into government templates.

Evidence integrity
  Other audit platforms: Mutable spreadsheets; trust the auditor's word.
  ArabAudit: SHA-256 evidence ledger; locked sessions are tamper-evident.
  Why it matters: Defensible if a finding is disputed.

Reporting AI
  Other audit platforms: Static templates; you write the narrative.
  ArabAudit: Streaming AI summary in EN/AR with charts and stored history; framework-specific prompts.
  Why it matters: Audit-completed, narrative-ready.

Built for these roles

Three roles. One source of truth.

CISO · IT Manager

Stop the manual mapping madness.

Drowning in Excel chaos and duplicate evidence. AI auto-link drops 70% of manual mapping; one upload satisfies NCA + SAMA + PDPL.

Auto-link · Overlap engine · Cloud baselines

Compliance Officer

Always audit-ready.

Pre-mapped templates for 800+ controls. Continuous readiness check, expiring-doc alerts 30 days out, regulator export at a click.

Readiness check · Bilingual reports · Signed exports

External Auditor · Big 4

Run more clients per year.

Multi-tenant auditor portal · evidence reuse across engagements · AI finding drafts cut report writing by 60%.

Multi-tenant · Finding drafts · Partner economics

Trust signal · regulator-ready

A report your regulator will accept.

Every signed audit produces a regulator-grade PDF: bilingual narrative, per-domain compliance heatmap, evidence appendix with SHA-256 hashes, auditor signatures, and regulator-template tables.

  • NCA ECC-2024 control matrix · all 114 controls covered
  • Bilingual executive summary (English + Arabic)
  • Evidence appendix with cryptographic hashes
  • Findings with severity + remediation timeline

CONFIDENTIAL · NCA ECC-2024 ASSESSMENT
Cybersecurity Readiness Report
Najm Insurance · Q1 2026
Controls assessed: 114 / 114
Compliance score: 87%
Findings: 14
Critical gaps: 2
Domain heatmap: D1 Gov · D2 Def · D3 Res · D4 3P · D5 ICS
SHA-256 · ledger anchor: b8f4·a912·77d3·3e02…
SIGNED: L. Al-Sulaiman, CISA

Frequently asked

CBAHI, NCA, SAMA and PDPL — answered.

It is a Saudi-native compliance platform: a structured library of NCA / SAMA / PDPL / CBAHI / CCHI / NPHIES / SFDA controls, an evidence vault with bilingual OCR, six AI assistants that prepare and validate evidence, signed audit sessions, and one-click regulator export. The two demos on this page show both surfaces in your browser, with no signup.
Frameworks live in a global catalog. Your organization requests access (Org Admin or Super Admin can submit), a Super Admin reviews and approves, and the framework appears in your tenant. Audits can only be created against frameworks your org has been granted. Try the request flow in the framework demo.
100% in AWS Middle East (me-central-2, Riyadh). Backups, embeddings, OCR and inference all run in-Kingdom. We do not call US/EU services for primary processing — relevant for SAMA Art. 6 and PDPL Art. 23.
Every AI surface (validation, copilot chat, finding draft, summary report) is RAG-grounded in the actual framework text and your uploaded evidence. The copilot has a knowledge boundary: if it isn't in the framework or the evidence, it says so. Outputs include confidence scores and provenance metadata.
Yes — the CBAHI program-specific packs (hospital, polyclinic, lab, primary care) are available as separate frameworks; chunked AI summaries are supported for the larger CBAHI editions. PDPL stacks alongside CBAHI for clinical data.
Each audit session runs against one framework, but the overlap engine maps a single uploaded document across NCA / SAMA / PDPL / CBAHI automatically — so the second and third audit sessions reuse evidence with one click.
When you finalize an audit session, ArabAudit computes a SHA-256 hash over all evidence, responses, and timestamps, then signs the manifest with your tenant key. Any subsequent edit to a locked session is detectable; the signed report PDF carries the hash for regulators to verify.
Get started

Turn a 12-week audit into an instant digital review.

Schedule a walkthrough with the founders, or try the live in-browser demo right now.