Castle reference architectures/SaaS

Auditor ready access logging

Every enrollment, request, approval, and code display lands in an immutable, append only log with user, device, geolocation, and timestamp. Compliance sees everything; secrets stay sealed.

Append only logGeolocationAdmin consoleEvent APISOC 2 controls
Members
Devices
Admins
Every actor
CastleImmutable trail
Seed eventsLOGGED
Requests + approvalsLOGGED
Code displaysLOGGED
Policy changesDIFFED
Admin consoleComplianceForensicsCustomer visible
Immutable at the application layerPagination + filters via APIIn flight requests visible

Dataflow

01

Every major event emits a structured log message into a shared ingestion pipeline: invitations, approvals, device enrollments and revocations, policy changes, seed enrollments, access requests, and code displays.

02

Client devices log every display of a TOTP code, with device, resource, timestamp, and location, and report it to the logging service.

03

Policy changes are logged with the actor and the diff, so an auditor can reconstruct exactly what changed and who changed it.

04

Log entries are immutable and append only at the application layer. No updates, no deletes.

05

The admin console exposes the full history with pagination and filters by user, resource, or event type, including in flight requests that have not completed.

06

Compliance and security teams inspect the trail in real time or retroactively; the log supports post incident analysis, forensic audit, and SOC 2 controls.

Components

Ingestion pipeline

All internal producers (access service, code distribution, clients) emit structured events into one durable stream.

Event catalog

A defined schema per event type with key metadata: who, what, when, from which device, and where.

Client display logging

The moment a code renders on a screen is itself an audit event, closing the last visibility gap.

Admin console views

Real time and historical access, filterable per user, resource, and event type.

Log API

Programmatic retrieval for compliance exports and downstream tooling.

Security considerations

The log answers the auditor’s actual question, who saw a working credential and when, not just who requested one.

Immutability is structural: the application layer supports no update or delete on log entries.

Geolocation on requests, approvals, and displays gives forensics a physical dimension without tracking anything else.

Secrets never appear in the log; it records access to codes, not the codes themselves.

Deploy this architecture

Walk through the trust model, policy design, and rollout with our security and solutions team.

Learn moreAll architectures