Internal Tools Stack

Enterprise SaaS skeleton: SSO, SAML, audit logs, procurement-ready defaults

The Internal Tools Stack is the one to pick when the customer is enterprise-IT-shaped: they procure with a security questionnaire, they require SSO/SAML on day one, they want audit logs that will hold up in an investigation, and the data the app holds absolutely must not leak. It is the Vertical SaaS Stack with the dial turned to eleven on identity, observability, and audit.

Architecture

Architecture variant: standard

Frontend
  • Next.js 14 (App Router)
  • tRPC client
  • Tailwind + headless primitives

Backend
  • Next.js Route Handlers
  • tRPC server
  • Postgres 16 with row-level security

Data + infra
  • Vercel Enterprise or AWS (for VPC peering)
  • AWS RDS Postgres or Neon Enterprise
  • AWS S3 with Object Lock for the audit archive

Integrations
  • WorkOS (SSO/SAML/SCIM directory sync)
  • Stripe Billing (annual contracts)
  • Vanta (continuous SOC 2 compliance signals)
  • Datadog or customer-provided SIEM

When to choose this stack

  • The buyer is a CISO or a procurement function, not a line-of-business head
  • SOC 2 Type II within 12 months is on the contract
  • SSO/SAML and SCIM directory sync are non-negotiable on day one
  • Audit logs must be immutable and exportable to a customer SIEM
  • Data residency matters (US-only, EU-only)

What's NOT included

  • On-prem deployment (available as a paid engagement, not a stack default)
  • FedRAMP authorization (12-month engagement, not in the box)
  • HIPAA BAA (use the Vertical SaaS Stack with the health add-on)
  • Mobile parity — internal tools are desktop-first by definition

How the pieces fit

Identity flows through WorkOS, so any combination of Okta, Azure AD, OneLogin, Google Workspace, and Ping is supported with the same integration code. SCIM provisioning means a user offboarded in the customer's IdP is deactivated in the app inside an hour, not at the next quarterly access review. SCIM only tells the app that the account is gone; the app still has to revoke that user's live sessions and tokens when the deprovisioning event arrives, otherwise the offboarded employee stays logged in until their session expires.

Audit logs are written by Postgres triggers into an append-only table and shipped to an S3 bucket with Object Lock retention, so once a batch lands in the bucket it cannot be overwritten or deleted for the retention period. Use compliance mode for the lock, not governance mode: governance-mode retention can be lifted by any principal holding s3:BypassGovernanceRetention, whereas compliance-mode retention cannot be shortened by anyone, including the account root. The interval between the trigger firing and the batch landing in S3 is the only point where a database-privileged operator could alter a record, so keep the shipping window short. Customers pull the bucket into their own SIEM by assuming a cross-account IAM role scoped to read-only access on that bucket.
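The two paragraphs above describe the schema-level pieces: tenant isolation, SCIM offboarding that also kills sessions, and trigger-written append-only audit logs. The following is an added example, not code from this page or from the stack's own repository, showing how a practitioner would wire those three in Postgres. The role, setting, table and function names (app_rw, app.tenant_id, users, sessions, audit_log, deprovision_user) are assumptions; the job that copies audit_log ranges into the Object Lock bucket is outside the example.

```sql
-- Added example, not code from the page or the stack it describes.
-- app_rw, app.tenant_id, users/sessions/audit_log, deprovision_user are
-- names chosen for illustration. Targets Postgres 13+ (gen_random_uuid).

CREATE ROLE app_rw NOLOGIN;   -- the role the application connects as

CREATE TABLE users (
  id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  tenant_id   uuid NOT NULL,
  idp_user_id text NOT NULL,  -- the user's id in the customer's IdP (SCIM externalId)
  email       text NOT NULL,
  status      text NOT NULL DEFAULT 'active'
              CHECK (status IN ('active', 'deprovisioned')),
  UNIQUE (tenant_id, idp_user_id)
);

CREATE TABLE sessions (
  id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id  uuid NOT NULL,
  user_id    bigint NOT NULL REFERENCES users (id),
  expires_at timestamptz NOT NULL
);

-- Tenant isolation. The request layer runs SET LOCAL app.tenant_id = '<uuid>'
-- per transaction. An unset setting yields NULL, the policy matches nothing,
-- so a request that forgets to set it sees no rows rather than every tenant's.
ALTER TABLE users    ENABLE ROW LEVEL SECURITY;
ALTER TABLE users    FORCE  ROW LEVEL SECURITY;  -- binds the table owner too
ALTER TABLE sessions ENABLE ROW LEVEL SECURITY;
ALTER TABLE sessions FORCE  ROW LEVEL SECURITY;
CREATE POLICY tenant_users ON users
  USING (tenant_id = current_setting('app.tenant_id', true)::uuid);
CREATE POLICY tenant_sessions ON sessions
  USING (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Append-only audit table, populated only by the trigger below.
CREATE TABLE audit_log (
  id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  at         timestamptz NOT NULL DEFAULT clock_timestamp(),
  tenant_id  uuid,
  actor      text NOT NULL DEFAULT current_user,
  table_name text NOT NULL,
  action     text NOT NULL,   -- INSERT / UPDATE / DELETE
  row_before jsonb,
  row_after  jsonb
);

-- SECURITY DEFINER so the trigger can insert although app_rw holds no INSERT
-- privilege on audit_log; search_path is pinned so the definer cannot be hijacked.
CREATE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
BEGIN
  INSERT INTO audit_log (tenant_id, table_name, action, row_before, row_after)
  VALUES (
    CASE WHEN TG_OP = 'DELETE' THEN OLD.tenant_id ELSE NEW.tenant_id END,
    TG_TABLE_NAME,
    TG_OP,
    CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
    CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
  );
  RETURN NULL;  -- AFTER trigger: the return value is ignored
END $$;

CREATE TRIGGER users_audit AFTER INSERT OR UPDATE OR DELETE ON users
  FOR EACH ROW EXECUTE FUNCTION audit_row_change();
CREATE TRIGGER sessions_audit AFTER INSERT OR DELETE ON sessions
  FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- Reject any rewrite of history at the database layer, whichever role tries it.
CREATE FUNCTION audit_log_reject_rewrite() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only: % rejected', TG_OP
    USING ERRCODE = 'insufficient_privilege';
END $$;
CREATE TRIGGER audit_log_no_rewrite
  BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_reject_rewrite();

GRANT SELECT, INSERT, UPDATE, DELETE ON users, sessions TO app_rw;
GRANT SELECT ON audit_log TO app_rw;  -- read for export; no INSERT/UPDATE/DELETE

-- SCIM offboarding, called by the directory-sync webhook handler when the IdP
-- reports the user removed. Flipping status alone leaves the person logged in
-- until their session expires, so live sessions go in the same transaction;
-- both changes are captured by the audit triggers above.
CREATE FUNCTION deprovision_user(p_tenant uuid, p_idp_user_id text) RETURNS integer
LANGUAGE plpgsql AS $$
DECLARE revoked integer;
BEGIN
  UPDATE users SET status = 'deprovisioned'
   WHERE tenant_id = p_tenant AND idp_user_id = p_idp_user_id AND status = 'active';
  DELETE FROM sessions s USING users u
   WHERE s.user_id = u.id AND u.tenant_id = p_tenant AND u.idp_user_id = p_idp_user_id;
  GET DIAGNOSTICS revoked = ROW_COUNT;
  RETURN revoked;  -- number of live sessions revoked
END $$;
```

Two things to notice. First, app_rw cannot modify audit_log even by accident, and the guard trigger blocks UPDATE, DELETE and TRUNCATE for every role, but a superuser can simply drop that trigger; that gap is exactly what the Object Lock copy in S3 closes, so the archive is the record of truth, not the table. Second, FORCE ROW LEVEL SECURITY matters: without it the table owner (often the migration role) bypasses the policies, which is the classic way a "tenant-isolated" schema leaks in a support tool that connects as the owner.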

Why these choices

WorkOS over Auth0/Okta/Clerk for enterprise: SCIM, SAML, SSO, and audit log forwarding are the four checkboxes a procurement security questionnaire actually asks about. WorkOS ships all four.

Object Lock S3 audit archive over an in-database log: a database can be tampered with by a privileged operator, since anyone who can drop a trigger or revoke a grant can rewrite a table. An object written under a compliance-mode Object Lock cannot be overwritten, deleted, or have its retention shortened by anyone for the length of the retention period, including the account root. The archive is only as good as the retention period you set and the shipping cadence that gets records into it.

OpenTelemetry to a customer collector over a vendor-locked observability stack: enterprise customers want their own Datadog / Splunk / Sumo to own the telemetry, not yet another vendor relationship.

Apps built on this stack