Enterprises evaluate on governance first
In an enterprise evaluation, governance is rarely the headline feature but it is the gate. Security wants SSO and immutable audit. Compliance wants retention, exports, and read-access tracking. Procurement wants no "Enterprise+" multiplier on line items that should have been included.
SaaS commerce suites put SSO behind a tier upgrade, treat audit as a third-party integration, and call role checkboxes "access control". Vendure ships SSO, audit, row-level access, and content versioning as first-class plugins on the same platform that runs the catalogue, orders, and pricing.
Four plugins on the same platform
Each plugin targets one governance problem. They share identity, events, and the dashboard, so the governance posture stays coherent across all four. All four ship in the Platform bundle: no per-IdP fees, no per-user multipliers, no add-on tier.
Enterprise SSO
SAML 2.0 and OIDC, no custom code. Named providers across Okta, Microsoft Entra ID, Google Workspace, Auth0, Keycloak, OneLogin, Ping Identity, Microsoft ADFS. Auto-provision admin accounts on first login, map IdP roles to Vendure roles. Included in the Platform bundle, no tier upgrade.
Audit logging
Entity changes, login events, optional read-access tracking. Sensitive fields like passwords and API keys are redacted before they hit the log. Configurable retention, scheduled exports, dashboard browse and filter. Audit entries are produced by the platform, not a SIEM bolt-on.
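The redaction step described above, as an added example that is not Vendure's plugin code: an entity change is diffed and sensitive fields are stripped before the audit entry object exists, so nothing downstream (persistence, export, dashboard) can leak them. The entry shape, the actor fields and the sensitive-field list are assumptions.

```typescript
// Added example, not Vendure plugin code. Names and shapes are assumptions.
type Actor = { administratorId: string; identityProvider: string };

interface AuditEntry {
  entity: string;
  entityId: string;
  actor: Actor;                                   // identity supplied by SSO
  changes: Record<string, { from: unknown; to: unknown }>;
}

// Constructed list: field names whose values must never reach the log.
// Matched on the normalised suffix, so passwordHash and api_key both hit.
const SENSITIVE_FIELDS = ['password', 'passwordhash', 'apikey', 'secret', 'token'];
const REDACTED = '[REDACTED]';

function isSensitive(field: string): boolean {
  const normalised = field.replace(/[_-]/g, '').toLowerCase();
  return SENSITIVE_FIELDS.some((s) => normalised.endsWith(s));
}

// Recursive redaction covers nested objects such as customFields.
function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    Object.keys(src).forEach((k) => { out[k] = isSensitive(k) ? REDACTED : redact(src[k]); });
    return out;
  }
  return value;
}

// Diff two snapshots, redacting as the diff is built. A sensitive field that
// changed is still recorded as changed, just without its values.
function buildAuditEntry(entity: string, entityId: string, actor: Actor,
                         before: Record<string, unknown>, after: Record<string, unknown>): AuditEntry {
  const changes: AuditEntry['changes'] = {};
  const keys = Array.from(new Set(Object.keys(before).concat(Object.keys(after))));
  keys.forEach((key) => {
    const from = before[key];
    const to = after[key];
    if (JSON.stringify(from) === JSON.stringify(to)) return;   // unchanged
    changes[key] = isSensitive(key)
      ? { from: REDACTED, to: REDACTED }
      : { from: redact(from), to: redact(to) };
  });
  return { entity, entityId, actor, changes };
}
```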
Row-level access control
Policy-based filtering at the query layer for orders, customers, and your custom entities. Applied across the admin API and any custom resolver that builds its queries through TypeORM. Conditions read the active administrator, including custom fields, so policies adapt per request.
One platform, one admin API, one event bus
Every governance plugin on this page attaches to the same NestJS application that runs your commerce. SSO sessions emit login events the audit-trail plugin captures. Row-level access control reads the same RequestContext the rest of the platform uses, including the administrator identity supplied by SSO. Content versioning snapshots ride the TypeORM entity layer your custom entities already live in.
Configure each plugin in vendure-config.ts, ship it with the rest of your application, and version it in Git. Sessions, events, identity, and entity history flow through one runtime, so the governance surface stays coherent without bolt-on glue.
What this combination unlocks in practice
The plugins compose. Audit pulls actor identity from SSO. Row-level policies scope what those identities can read. Content versioning gives you the "what did this record look like six months ago" answer audit logs do not.
Trusted by complex B2B commerce and enterprise retail.
What security, compliance, and procurement teams ask
The questions that come up in evaluations led by CISOs, compliance officers, and procurement.
One category in a wider plugin library
Governance and compliance is one of five plugin categories on Vendure Platform, alongside B2B workflows, pricing and promotions, search and discovery, and operations and extensibility. See the full plugin overview.