The standard modules of an enterprise SaaS: what doesn't depend on the business

Why cross-cutting modules matter

When we talk about a SaaS "for freight forwarders", "for law firms" or "for manufacturing", the spotlight naturally goes to the business domain. Yet, under the hood, the business layer typically accounts for just 20–30% of the code. The overwhelming majority comes from cross-cutting modules: authentication, permissions, configuration, notifications, audit, backups, integrations…

This has two practical consequences:

• A SaaS vendor who neglects this foundation ships a fragile product, no matter how refined the business layer is.
• A customer who can't evaluate this foundation discovers, six months into production, blockers in administration, configuration or security they never anticipated.

To clarify the landscape, we distinguish four families: Administration (who governs the platform), Management (what end users handle every day), Configuration (what you tune without coding), and a final group "other cross-cutting modules" covering integration, automation, support, BI and advanced security.

Administration Module

Reserved for platform administrators. It governs who can do what and provides technical governance. Without it, there is no serious multi-user SaaS.

• User management — creation, invitations, deactivation, account lifecycle, delegation.
• Roles & permissions (RBAC / ABAC) — profiles, granular rights per entity and action, hierarchies, inheritance.
• Multi-tenant / multi-company — managing organizations, subsidiaries, departments, strict data isolation.
• Authentication & SSO — SAML, OAuth2, OIDC, MFA / 2FA, password policies, IP whitelisting.
• Audit & logging — full traceability: who did what, when, from which IP, with which before / after values.
• Licenses & subscriptions — plans, seats, quotas, internal billing, renewal management.
• Technical supervision — system health, metrics, alerts, storage and compute quotas.
• Backup & restore — scheduled backups, full tenant export, disaster recovery plan.
• GDPR / INPDP compliance — right to erasure, personal data export, processing registry, retention durations.
• APIs & technical integrations — API keys, webhooks, tokens, scopes, rotation.

Maturity check: a good administration module lets a customer admin manage their tenant without ever opening a support ticket.

Management Module

This is what business users handle every day. It doesn't depend on the business itself, but it shapes how people work on any business entity (case, contract, customer, order, claim…).

• Contacts & directory — customers, suppliers, partners, internal users, with deduplication and merging.
• Document management (DMS) — upload, versioning, classification, preview, full-text search.
• Tasks & workflows — assignment, deadlines, reminders, multi-level validation, custom statuses.
• Messaging & notifications — in-app alerts, email, SMS, mobile push, per-user preferences.
• Dashboards & reporting — KPIs, configurable widgets, Excel / PDF exports, shared views.
• Files & media — central library, thumbnails, internal sharing, access control.
• Global search — cross-entity search engine, filters, suggestions, history.
• History & trash — versions, soft delete, restore, legal archival.
• Import / Export — CSV, Excel, API, configurable mapping, dry runs, error logs.
• Calendar & shared agenda — bookings, team planning, iCal / Google / Outlook sync.

Maturity check: you must be able to retrieve any past action in fewer than three clicks, on any entity.

Configuration Module

The configuration module is the SaaS's flexibility contract. It lets you adapt the platform to each customer's rules, brand and vocabulary — without a single line of code.

• General settings — logo, name, timezone, currency, number and date formats.
• Localization (i18n) — enabled languages, customizable translations, RTL support for Arabic and Hebrew.
• Visual customization (theme) — colors, dark mode, fonts, white-label, dedicated subdomain.
• Templates — transactional emails, PDF documents, invoices, contracts, signatures.
• Reference data & dropdowns — categories, statuses, taxonomies, picklists, default values.
• Numbering rules — sequences, prefixes, formats (invoices, quotes, cases, tickets).
• Configurable workflows — steps, conditions, multi-level validation, automatic alerts.
• Custom fields — adding attributes on entities without engineering work.
• Notification settings — who receives what, on which channel, under which conditions.
• Security policies — session duration, password complexity, mandatory MFA, IP whitelisting.

Maturity check: 80% of customer change requests should be solvable by configuration, not by development.

The other cross-cutting modules

Four families aren't enough to describe a serious enterprise SaaS. Here are the complementary modules found in every mature product:

🔌 Integration Module

The connection with the external ecosystem. At OCEAN SOFT, third-party integrations (SINDA, COTUNACE, ERP, accounting…) are delivered on demand, not as standard — every customer has its own ecosystem.

• Connectors for ERP / CRM / accounting / email / SMS / payment / cloud storage.
• Extension or plugin marketplace.
• Documented public API + outbound webhooks.

🤖 Automation & AI Module

• Conditional automations (no-code logic, internal Zapier-style).
• Contextual AI assistant, suggestions, semantic search.
• OCR, automatic document classification, data extraction.

🆘 Support & Help Module

• In-platform help center / knowledge base.
• Support chat, internal customer ticketing.
• Interactive onboarding (guided tour, contextual tooltips, checklist).

📈 Analytics Module (BI)

Distinct from operational reporting: cross-cutting analytics, BI exports, Power BI / Metabase / Tableau connectors, internal data warehouse.

🔐 Advanced Security Module

Often separated from administration: encryption at rest and in transit, secret management, antivirus scanning of uploads, intrusion detection, ISO 27001 compliance.

💬 Collaboration Module

• Comments, @mentions, discussion threads attached to entities.
• External sharing via public links with expiration and password.
• Shared workspaces / projects.

📱 Mobile & Offline Module

PWA, native mobile apps, offline synchronization for field users.

Our approach at OCEAN SOFT

At OCEAN SOFT we treat these cross-cutting modules as the backbone of all our products, even before the business layer. Concretely:

• Shared foundation — administration, management and configuration are mutualised across our platforms (DEEP4SHIP, DOUSSI…) for consistency and robustness.
• Native compliance — GDPR and INPDP built into the foundation (audit, right to erasure, export, retention), not bolted on later.
• On-demand integrations — every customer ecosystem is unique. We build the necessary connectors (SINDA, COTUNACE, ERP, accounting…) on demand, not from a catalogue.
• Configuration over development — business rules, workflows, labels, templates: everything is configurable. Evolutions don't systematically require a release.

If you're evaluating a SaaS — ours or a competitor's — ask these questions before the business ones: who manages permissions? what can be configured without dev? where is the data stored? how do you export? what happens if you leave?

The business layer impresses in the demo. The foundation decides in production.