b2b-saas
Tier-2 RBAC + seat billing + SOC2 evidence pipeline + SSO/SAML
These are the persistent business objects. Field-level annotations (`phi`, `pci_scope`, `eu_pii`) drive the compliance overlay decisions.
Integrations: Stripe · Auth0 · GitHub · PagerDuty
# B2B SaaS reference architecture — multi-tenant workspace + SOC2

## Who this is for

Mid-market B2B SaaS products with a Type II SOC2 deadline, customer RFPs that ask "what's your access review cadence", or sales motions that require a vendor security questionnaire response.

## What's in scope

- **Multi-tenant workspace** — every entity carries `workspace_id`; the RBAC tier-2 capability + Query.all() linter prevent cross-tenant leaks.
- **Subscription + seat billing** — Stripe checkout flow with seat counts.
- **Internal user RBAC** — admin / operator / contributor / viewer roles. The `last_access_review_at` field drives the C03 SOC2 quarterly access review SOP.
- **Change management** — `change_request` process flow with a `change_approval` step. The SOC2 overlay reads this and emits the CC8.1 evidence trail (PR review + alembic migrations + CI gates).
- **SIEM export** — the audit chain ships to Splunk / Datadog / CloudWatch via the audit.siem_export capability.
- **PagerDuty** — incident_response capability + PagerDuty integration; the C03 incident response policy auto-fills with PagerDuty as the paging tool.

## Compliance bundles produced

- **SOC2**: Type I + Type II control matrices, 4 policies (InfoSec, AUP, Change Management, Incident Response — the IR policy auto-references PagerDuty since it's in vendor_integrations), access review runbook with `quarter_label()` helper, vendor management register classifying GitHub as high-risk (source code), evidence collection calendar.

## Build-time savings

| Build path | Time |
|---|---|
| Manual senior-eng team + SOC2 readiness consultant | 16-32 weeks |
| Replit / Lovable | "TODO scope" |
| Archiet from this reference architecture | 5-15 minutes |

## How to use

1. Clone to your workspace.
2. Adjust the `change_request` flow if your team has additional gates (security review, design review, etc.) — every step you add becomes additional CC8.1 evidence.
3. Generate. The C03 SOC2 overlay produces all 4 policies + the access review SOP + the vendor management register populated from your vendor list.
4. Run the access review quarterly; sign the CSV + commit it back to the bundle as your CC6.2 evidence.

## What's NOT in this reference

- ISO 27001 / SOC2 + ISO joint audit support — extend the matrix in C03's overlay if your buyer needs both.
- HIPAA add-on — if you're a B2B SaaS that handles PHI for a covered-entity customer, set `compliance_flags=["soc2", "hipaa"]` and tag the relevant entities; both overlays fire and combine.
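The "Query.all() linter" that the scope list relies on for tenant isolation is not reproduced on this page. As an added example (not Archiet's generated code and not its real linter), the stdlib-only AST check below does the job that description implies: it walks every `session.query(...)` method chain in a module and flags chains that execute (`.all()`, `.first()`, `.one()`, `.count()`, `.get()`) without a `filter()`/`filter_by()` argument that references `workspace_id`. The method-name sets, the `for_workspace` helper allowlist, and the sample module it is run against are assumptions made for illustration.

```python
"""
Added example, not Archiet's generated code or its real Query.all() linter:
a stdlib-only AST check that flags SQLAlchemy-style session.query(...) chains
which execute without a workspace_id filter. TENANT_COLUMN, TERMINALS and
SCOPED_HELPERS are illustrative assumptions.
"""
from __future__ import annotations

import ast

TENANT_COLUMN = "workspace_id"                                       # per-entity tenant key
TERMINALS = {"all", "first", "one", "one_or_none", "count", "get"}   # methods that run the query
SCOPED_HELPERS = {"for_workspace"}          # hypothetical helper that applies the tenant filter


def _chain(node: ast.Call) -> list[ast.Call]:
    """Collect every call in a method chain, outermost first (.all() ... .query())."""
    calls = []
    cur = node
    while isinstance(cur, ast.Call) and isinstance(cur.func, ast.Attribute):
        calls.append(cur)
        cur = cur.func.value
    return calls


def _mentions_tenant(call: ast.Call) -> bool:
    """True if a filter()/filter_by() argument references the tenant column."""
    if any(kw.arg == TENANT_COLUMN for kw in call.keywords):
        return True                                   # filter_by(workspace_id=ws)
    for arg in call.args:
        for sub in ast.walk(arg):
            if isinstance(sub, ast.Attribute) and sub.attr == TENANT_COLUMN:
                return True                           # filter(Model.workspace_id == ws)
            if isinstance(sub, ast.Name) and sub.id == TENANT_COLUMN:
                return True
    return False


def _is_scoped(chain: list[ast.Call]) -> bool:
    for call in chain:
        attr = call.func.attr
        if attr in SCOPED_HELPERS:
            return True
        if attr in {"filter", "filter_by", "where"} and _mentions_tenant(call):
            return True
    return False


class UnscopedQueryVisitor(ast.NodeVisitor):
    """Records (enclosing function, line) for every unscoped terminal query call."""

    def __init__(self) -> None:
        self.findings: list[tuple[str, int]] = []
        self._func = "<module>"

    def visit_FunctionDef(self, node):
        outer, self._func = self._func, node.name
        self.generic_visit(node)
        self._func = outer

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        if isinstance(node.func, ast.Attribute) and node.func.attr in TERMINALS:
            chain = _chain(node)
            # Only chains rooted at session.query(...) are ORM queries; dict.get() etc. are ignored.
            if chain[-1].func.attr == "query" and not _is_scoped(chain):
                self.findings.append((self._func, node.lineno))
        self.generic_visit(node)


def find_unscoped_queries(source: str) -> list[tuple[str, int]]:
    visitor = UnscopedQueryVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample module: two scoped queries, two leaks, one scoped via the helper.
SAMPLE_SOURCE = '''\
def list_invoices(session, workspace_id):
    return session.query(Invoice).filter(Invoice.workspace_id == workspace_id).all()

def find_member(session, workspace_id, email):
    return session.query(User).filter_by(workspace_id=workspace_id, email=email).first()

def export_everything(session):
    return session.query(User).all()                  # no tenant filter: cross-tenant leak

def invoice_by_id(session, invoice_id):
    return session.query(Invoice).get(invoice_id)     # primary-key lookup, tenant unchecked

def recent_audit(session, workspace_id):
    return session.query(AuditEvent).for_workspace(workspace_id).all()   # hypothetical helper
'''

if __name__ == "__main__":
    for func, line in find_unscoped_queries(SAMPLE_SOURCE):
        print(f"line {line}: {func}() executes a query without a {TENANT_COLUMN} filter")
```

Two practical notes. `.get(pk)` is flagged deliberately: primary keys are global, so a `GET /invoices/{id}` handler that looks up by id alone serves any tenant's row to any authenticated user, which is the most common cross-tenant bug in this shape of app. And a static check of this kind only covers `session.query(...)` chains; `select()` constructs, raw SQL and background jobs need either a second rule or a runtime default that scopes every session to the request's workspace, which the RBAC capability the page describes is the place for.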
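Step 4 of the how-to and the `quarter_label()` helper in the SOC2 bundle describe the quarterly access review without showing the logic. The block below is an added example, not Archiet's own helper or SOP: it derives the quarter label, selects the internal accounts whose `last_access_review_at` predates the current quarter (most privileged roles first), flags dormant accounts, and writes the CSV a reviewer signs and commits as CC6.2 evidence. The 90-day dormancy threshold, the role ranking, the `InternalUser` shape and the sample users are assumptions for illustration.

```python
"""
Added example, not Archiet's quarter_label() helper or access-review SOP:
pick the accounts due for this quarter's review and render the evidence CSV.
ROLE_RANK, DORMANT_AFTER, InternalUser and SAMPLE_USERS are illustrative assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

ROLE_RANK = {"admin": 0, "operator": 1, "contributor": 2, "viewer": 3}   # most privileged first
DORMANT_AFTER = timedelta(days=90)                                         # assumed dormancy window


def quarter_label(d: date) -> str:
    """Calendar quarter a review belongs to, e.g. 2025-Q2."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def quarter_start(d: date) -> date:
    """First day of the calendar quarter containing d."""
    return date(d.year, 3 * ((d.month - 1) // 3) + 1, 1)


@dataclass
class InternalUser:
    email: str
    role: str
    last_access_review_at: date | None   # None: never reviewed
    last_login_at: date | None           # None: never signed in


def review_queue(users: list[InternalUser], today: date) -> list[InternalUser]:
    """Accounts with no review recorded in the current quarter, privileged roles first."""
    cutoff = quarter_start(today)
    due = [u for u in users
           if u.last_access_review_at is None or u.last_access_review_at < cutoff]
    return sorted(due, key=lambda u: (ROLE_RANK.get(u.role, 99), u.email))


def is_dormant(u: InternalUser, today: date) -> bool:
    """Dormant accounts are the first candidates for removal during the review."""
    return u.last_login_at is None or today - u.last_login_at > DORMANT_AFTER


def evidence_csv(users: list[InternalUser], today: date) -> str:
    """CSV with one row per account due; reviewer fills decision/reviewer, then signs it."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["quarter", "email", "role", "last_access_review_at", "dormant", "decision", "reviewer"])
    for u in review_queue(users, today):
        w.writerow([quarter_label(today), u.email, u.role,
                    u.last_access_review_at.isoformat() if u.last_access_review_at else "never",
                    "yes" if is_dormant(u, today) else "no", "", ""])
    return buf.getvalue()


# Constructed sample data.
TODAY = date(2025, 5, 14)
SAMPLE_USERS = [
    InternalUser("alice@example.com", "admin", date(2025, 4, 3), date(2025, 5, 13)),     # reviewed this quarter
    InternalUser("bob@example.com", "operator", date(2025, 1, 20), date(2025, 5, 12)),   # due
    InternalUser("carol@example.com", "contributor", None, date(2025, 2, 1)),           # due, dormant
    InternalUser("dave@example.com", "viewer", date(2025, 4, 10), None),                 # reviewed this quarter
    InternalUser("erin@example.com", "admin", date(2024, 12, 30), date(2025, 4, 20)),    # due, admin first
]

if __name__ == "__main__":
    print(evidence_csv(SAMPLE_USERS, TODAY))
```

Selecting by "reviewed before the quarter started" rather than "reviewed more than 90 days ago" keeps the queue aligned with the calendar quarter that `quarter_label()` stamps on the evidence, so an auditor can match each signed CSV to one quarter with no gaps or overlaps.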
Sign in, click the button, and the genome above lands in your workspace as a new blueprint. From there, edit the entities, adjust the capabilities, regenerate the codebase.