App Security & Compliance for SaaS Companies in Saudi Arabian market


In this session, Sangmesh Hiremath (Founder Marmin.AI) talks to Venky about how cybersecurity is a crucial driver for their business to expand and grow in Saudi Arabia, the Middle East, and European markets.

He also details how meeting cybersecurity compliance enables them to stay on top of customer needs and serve them in the long run.

Key highlights from the discussion :
  • Understanding cybersecurity compliance in the Saudi Arabia & the Middle East market
  • What is National Cybersecurity Authority?
  • Building cyber defense, governance, and cyber resilience
  • Adhering to the security checklist of the customers
  • Why is cybersecurity + error & omission insurance expected to be done?
  • Why a third-party cybersecurity provider is beneficial in compliance
  • How does virtual patching help in case of any open vulnerabilities?


I am the founder of We founded Marmin in 2020. When we started, we were trying to build an application for exchanging documents over the internet between all accounting systems and ERPs.We saw an opportunity in 2020 when Saudi Arabia developed a guideline for National Tax Authority. It says that all invoices generated should be electronic invoices.

The electronic invoice is not one which we send as a PDF. It has embedded XML, which goes to the Tax Authority. Tax Authority approves or rejects it. Based on that business will issue invoices to customers.

We immediately pivoted on it, and we built an application. We are an approved solution provider by Saudi Tax Authority.

Our main business area is electronic invoicing for businesses. We have a parallel product that is used as a document exchange platform. Both are cloud-based.

When the Saudi Arabian Tax Authority listed all the approved solution providers, there were around 800 listed companies. There are ERPs, accounting systems, cloud accounting systems, and consultants who provide advisory roles in these areas.We have differentiated ourselves in a way; for example, if a business has its existing investment in its ERP or accounting system, they don’t need to switch to a compliant solution.

If their main service provider of the solution is not ready for compliance, these companies can simply integrate with us and remain compliant.

We give these businesses a great value proposition: “You retain your existing investment and do not lose on your CapEx and OpEx”.

SOC 2 is a security standard written and maintained by AICPA. It’s an American body, and CPAs write this.

SOC 2 is a 3rd party audit framework. When you want to get SOC 2 compliant, you need a third-party auditor to come in and review your environment to issue a SOC 2 report.

CPAs go through a lot of training on how to do audits. The auditing procedure is rigorous, which lends credibility to SOC2.

SOC 2 is a holistic framework covering your people, processes, and how you change your organization, infrastructure, and technical aspects.

So, it’s an all-encompassing framework that looks at security from all angles.

Being in the tech space for the last 15 years, we have understood that cyber security is very much required for each application.

Saudi Arabia has come up with National Cyber Security Authority which releases guidelines on how and what cyber security controls should be for each company and product. Based on the scenario, they are laying out the basic rules.

The main agenda of this National Cyber Security Authority is to build governance, defense, and cyber resilience mechanisms related to cyber security.

When building applications, we always follow basic protocols, like multi-factor authentication, complex passwords, and compliance with national regulations.

On the other side, when we are trying to be a supplier to some customers, the customers also are made aware enough by the National Cyber Security Authority.

When we are trying to register as a supplier for such companies, they have their cyber security checklist, which we must fulfill.

This way, we keep up, and it’s a gradual process of growing and strengthening our processes internally.

This is on the front where customers are from Saudi Arabia. Many Saudi Arabian customers are from the UK, the US, and Australia.

These companies also take their local guideline into the picture. In such a situation, one point has influenced and impacted us.

A company says, “We need Cyber Security Insurance plus Error and Omission Insurance.”

Depending upon the size of the company, deal, and proposition we’re giving, the customer says, “I need minimum insurance of this much.”

You have to get into the market and look for insurance providers to insure you. They also have their checks on what you are doing internally for cyber security.

This is well-connected, so you must comply with cybersecurity-related activities.

Venky: I’m just surprised to expect you to have cyber insurance instead of the customer already having their own cyber insurance policy.


Sangmesh: They have their cyber insurance policy, but we own SaaS products, so we must comply. If there is any gap in those compliances, they want to ensure that someone else, like an insurance company, is backing us in case of a claim of damages.

So, when this happens insurance company also tries to ensure that as a customer of the insurance company, and having our own SaaS application, we are making our internal governance and defense mechanisms strong so that there is no such claim by the customer.

Exactly! It is like that. Another part is that the National Cyber Security Authority also has a guideline that says that third-party testing and pen testing should be involved in the cyber security mechanisms to send them the internal cyber security controls

Cyber security is internally embedded into our application development pipeline. We ensure all these checks are covered, and third parties like Indusface help us identify those vulnerabilities and fix them.

We do a vulnerability scan every week. Usually, what happens is that the threats are not so frequent if your scans are regular and you keep taking action on them.

Over time, a threat becomes critical if it has remained for a longer time or is known but not fixed.

We do not let anything go to that stage. Whenever it is identified as low or medium; we do not delay those things to reach a critical stage. Even if there is a medium threat, we just fix that.

Internally we have processors and policies where we manage who will control what. There is proper access authorization. Need basis access is only provided, which are some internal things we control so that no one has direct access to databases or the products.

In that case, we would prefer virtual patching. We do it immediately if there is a known patching mechanism available. Eventually, we’ll fix it over time in our programming pipeline.

As a new SaaS firm, make application security / cyber security an integral part of your offering. So that you get a head start on building your application.

Because cybersecurity-related guidelines and compliances in different markets will expect you to have a minimum threshold, you still cannot sell without meeting those thresholds.

Regarding compliance and security specific to Saudi Arabia, the National Cyber Security Authority checklist is the most authoritative document you will have to look at.

Because the consumers and the customers are well aware of this and enforce this as a minimum compliance requirement that their supplier should provide.