The platform KSA banks, insurers and fintechs use to map the full SAMA BCM Framework and ISO 22301 to one workspace. Schema-per-tenant data residency. Native §8.4.4 plans. Audit-ready PDFs in one click.
We don’t chase volume. We work with a focused group of SAMA-regulated organisations who want a platform built around their regulator, not retrofitted.
Tier-1 KSA bank
Replace the 2015-era platform that can’t produce ISO 22301 §8.4.4-shaped plans without three weeks of consulting time. Stand up the SAMA annual programme in days, not quarters.
Mid-market insurer / fintech
Move BCM out of SharePoint + Excel before the next SAMA examination. Want a platform with serious data isolation and a schema your information security committee will actually approve.
Group internal audit
Need a platform that proves continuity capability across multiple business units, integrates with your existing audit and governance systems, and produces evidence trails an external auditor can sample.
These are the differentiators that come up in every demo with a SAMA-regulated buyer. Not slideware — verified in our integration test suite.
Every customer gets their own Postgres schema, accessed via SET LOCAL search_path inside transactions. Cross-tenant access is impossible by construction — different schemas, not row-level filters. Castellan, Fusion, Origami, LogicManager, Quantivate and 6clicks all use row-level. For an information security committee that wants to see the schema list, this is the difference between a yes and a no.
Purpose, scope, activation criteria, activation authority, deactivation criteria, classification, target RTO and target RPO are discrete columns on the BCP record. An auditor can diff them across versions, search across plans, filter by classification. Peer platforms store them as free-text in a single description box.
Every BCP invocation is captured as a structured row: activatedAt, activatedBy, triggerSummary, crisisEventId linkage, outcome, improvement-action count. Deactivation updates the same row in place. SAMA auditors specifically sample whether plans have been invoked rather than just authored. We make that evidence searchable.
The annual exercise programme tracks SAMA's mandatory coverage themes — IT system loss, cyber, critical vendor unavailability, staff unavailability, workspace disruption. Each passing or partial exercise contributes its theme tags to the programme’s union. Failing exercises don’t. The view shows what’s covered vs what’s required, in real time.
Honest comparison on the dimensions that decide a SAMA-regulated deal. We update this when peer pricing or capabilities change.
| Feature | BCMStack | Castellan | Fusion | Origami |
|---|---|---|---|---|
| Schema-per-tenant data isolation | Yes | Row-level | Salesforce org | Row-level |
| ISO 22301 §8.4.4 native fields | Yes | Free-text | Free-text | Free-text |
| §8.4.5 phased recovery (respond/recover/restore) | Yes | Flat list | Flat list | Flat list |
| §8.5 activation log as first-class | Yes | — | Via crisis | — |
| SAMA coverage rollup | Yes | — | — | — |
| Modern stack (RSC / Next.js / Drizzle) | Yes | — | Salesforce | — |
| Transparent pricing | Yes | Hidden | Hidden | Hidden |
| Native iOS/Android crisis app | Roadmap | Yes | SFDC mobile | — |
| SOC 2 / ISO 27001 attestation | In progress | Yes | Yes | Yes |
See the full feature-by-feature comparison: BCMStack vs Castellan →
Mid-market SAMA-regulated organisations typically land here. Final pricing depends on user count, regulator scope and data-residency requirements.
For a typical 100-500-employee SAMA-regulated organisation, all modules included.
Why we publish it
Most peers gate pricing behind a sales call. Many smaller customers walk away rather than start that conversation.
What’s included
All six modules, schema-per-tenant tenancy, audit log, PDF export, RBAC, support during business hours.
What’s extra
KSA-region data residency, custom integrations, dedicated implementation services, after-hours support.
Same-day workspace provisioning. Two weeks of focused work to a live BCMS and a tabletop in the calendar.
Day 1 – 3
Day 4 – 7
Day 8 – 10
Day 11 – 14
Each customer gets a dedicated Postgres schema on Neon (EU jurisdiction by default; KSA-region pinning is on the roadmap for customers with strict residency requirements). File storage uses Cloudflare R2 with EU jurisdiction. Cross-tenant access is impossible by construction — different schemas, not row-level filters.
Schema-per-tenant is the architectural foundation. EU jurisdiction is the default for the GCC region. For customers with explicit KSA-residency contractual obligations, we provision a dedicated Neon project in a KSA-adjacent region — talk to us before you sign.
English UI is shipping today. Arabic UI with RTL layout, Hijri-calendar support and SAMA-Arabic terminology is on the roadmap — typically 2-3 weeks of work to enable across the top 8 pages once a customer specifically requires it.
BCMStack targets $30-60K annual contract value for mid-market. Castellan and Fusion typically land at $80-250K including required platform seats and implementation services. Our pricing is published — theirs requires a sales call.
Yes — most customers are migrating from Castellan, Fusion or a 2015-era platform, or from a SharePoint + Excel setup. Migration takes 4-8 weeks: we import process and vendor lists via CSV, recreate BCPs in our §8.4.4 native shape, and run the first exercise on the new platform within the first month.
Tell us your organisation, your regulator, and where your BCM workflow lives today. We’ll show you the platform working against a representative SAMA dataset and answer the questions your information security committee will ask.
Request a demoWe aim to respond within one business day.