Thesmios

Implementation

Implementation runbook for regulated teams.

A B2B compliance product has to launch with roles, data, billing, support, and legal review aligned. This runbook gives buyers and operators the rollout shape before contract work starts.

Invoice-led launch path

Managed beta first, strict self-serve later.

The managed beta readiness pack lists the launch gates that let a design partner start under an order form or invoice, while keeping self-serve checkout and broad enterprise claims out of scope until strict proof exists.

ready

Public deployment and route protection

Production homepage, marketing surfaces, status, implementation, legal, trust, readiness, and public product evidence endpoints are deployed on the production domain.

ready

Strict proof plan is published

Production proof groups name the strict paid-readiness blockers, fixture inputs, vendor requirements, mutating boundaries, and if-missing decisions.

customer required

Customer order-form scope

Order-form template and customer launch room define modules, cohort, verifier audience, data boundaries, exclusions, and acceptance language.

manual fallback

Invoice or order-form billing route

Tenant billing profile and invoice setup request paths exist. Stripe checkout remains a separate self-serve proof gate.

Rollout phases

1. Scope the rollout

Customer and Thesmios

Confirm the worker cohort, compliance modules, verifier audiences, jurisdictions, data residency, retention, and pilot success criteria.

2. Configure the tenant

Thesmios

Set workspace roles, SSO or password policy, SCIM posture, HRIS connection plan, audit settings, issuer registry, and billing route.

3. Connect evidence flows

Customer operations

Map source systems, import initial worker records, select reusable credential scopes, and prepare employee communications.

4. Launch and measure

Joint team

Run access-control smoke checks, review sample passports, test verifier shares, approve support paths, and track documents avoided.

Order-form checklist

Commercial model: Pilot, regulated, or enterprise plan; invoice or Stripe route; renewal and cancellation terms.
Tenant scope: Workspace name, primary admin, region, data residency, domains, and intended worker cohorts.
Modules: Compliance areas, verifier scopes, monitoring cadence, review SLAs, and evidence retention.
Identity: SSO provider, SCIM requirement, admin MFA policy, invited roles, and emergency access owner.
Integrations: HRIS, official issuers, sanctions sources, webhook targets, wallet exports, and verifier API use.
Legal: DPA, subprocessors, SLA, security review, AI governance review, and customer notices.
Launch gates: Seeded tenant data, authenticated route checks, billing path, support channel, and rollback owner.
Success metrics: Documents avoided, time saved, refreshes completed, verifier reuse, and unresolved exception rate.

Customer launch pack

commercial

Attach to the signed pilot order form so roadmap claims stay out of contractual scope.

Order-form scope clause

The launch scope is limited to employer-verifiable worker compliance passports, evidence upload, credential review, scoped verifier shares, tenant KPI reporting, support intake, privacy requests, and audit exports for the named pilot cohort. Capabilities marked managed, credential-required, manual-required, demo, planned, or excluded are not production commitments unless separately written into this order form.

commercial

Use before moving a tenant from setup to live worker traffic.

Production acceptance clause

Production acceptance requires a named tenant owner, billing owner, support owner, approved worker cohort, approved data-retention schedule, completed production readiness check, authenticated owner/granted/denied access smoke evidence, and customer sign-off on initial compliance modules and verifier audiences.

employee

Send before importing or inviting the first worker cohort.

Employee launch note

Your employer is using Thesmios to keep reusable compliance evidence in one worker-owned passport. You will be asked to review or upload evidence once, and approved employers or verifiers can only see the sections shared for a specific purpose. Thesmios records access, supports correction requests, and lets you export your data package.

verifier

Send to external employers, auditors, or reviewers before they open a share.

Verifier instruction

You are receiving a scoped Thesmios worker passport share for the stated verification purpose only. Review the visible credential status, issuer, evidence summary, freshness date, and disclosure rules. Do not request withheld fields unless the worker or customer creates a new share with broader scope.

operator

Store with the customer implementation record after launch rehearsal.

Operator acceptance checklist

Capture the Vercel deployment URL, readiness summary, production seed evidence, authenticated smoke result, billing profile, support route, retention policy, sample evidence upload, sample credential lifecycle action, sample passport share, privacy export proof, and any scoped-out dependency notes.

Customer launch room

One acceptance record for every B2B tenant.

The launch room turns scope, owners, fixture proof, provisioning, security review, billing, support, and continuity into one customer-specific go/no-go record.

No live worker traffic

Setup-only

Commercial scope and excluded claims are recorded.
Tenant owner, implementation owner, support owner, and privacy/security owner are named.
Initial worker cohort, modules, and data notice path are approved.

Launch-room roles and commercial scope are complete.

Limited design-partner cohort

Private beta

Production seed or manual tenant setup evidence exists.
Authenticated owner/granted/denied smoke proof passes.
Issuer, evidence, audit export, and privacy fixture outputs are attached or explicitly scoped out.
Support route and readiness warnings are visible to the customer.

Launch proof bundle plus customer acceptance record.

Invoice or configured Stripe payment

Paid beta

Tenant billing profile, invoice request, or Stripe fixture proof is attached.
Notification dry-run evidence and support escalation route exist.
Operations evidence pack is attached with health/readiness output.
KPI review cadence and success metrics are agreed.

Signed order form or billing proof plus public and authenticated launch evidence.

Broader rollout under enterprise order form

Enterprise expansion

SCIM/IdP fixture proof exists for the selected provider.
SSO broker, official issuer, HRIS, or screening connectors are proven with customer credentials when in scope.
External uptime monitor, alert routing, rollback rehearsal, and restore rehearsal evidence are attached.
Security/privacy owner approves external evidence boundaries such as pen-test, certifications, DPIA, and retention.

Customer-specific launch room with provisioning, continuity, and security evidence complete.

Acceptance area: Commercial scope
Status: customer required. Owner: Customer.
Proof needed: Commercial owner can point to the exact paid scope, billing route, limits, and excluded claims before worker data is imported.
If missing: Keep the rollout no-charge or setup-only until payment route and scope are recorded.

Acceptance area: Tenant owners and contacts
Status: customer required. Owner: Joint.
Proof needed: No launch-room role is blank, and the tenant owner can show the saved member/invitation/support route.
If missing: Hold tenant acceptance in setup because unresolved ownership creates support and privacy risk.

Acceptance area: Worker cohort and evidence scope
Status: customer required. Owner: Customer.
Proof needed: Customer signs off cohort, modules, notices, retention, and verifier audiences before import or employee invitation.
If missing: Use demo data only until customer-approved data scope and employee notice are complete.

Acceptance area: Access and provisioning
Status: operator required. Owner: Joint.
Proof needed: Authenticated route proof passes, and any SCIM/SSO work is either proven for the tenant or scoped as managed setup.
If missing: Limit launch to named users and password/Magic Link until tenant provisioning proof exists.

Acceptance area: Credential and evidence proof
Status: operator required. Owner: Thesmios.
Proof needed: Launch proof bundle and configured fixture outputs are attached to the launch-room record.
If missing: Do not accept paid production use for the tenant until production fixture evidence exists or the missing path is written out of scope.

Acceptance area: Security, privacy, and procurement
Status: customer required. Owner: Joint.
Proof needed: Security/privacy owner signs off live controls, managed-beta controls, and external evidence still required for enterprise expansion.
If missing: Scope the rollout to private beta or sandbox data until legal/security approval is recorded.

Acceptance area: Operations and continuity
Status: external required. Owner: External.
Proof needed: Continuity owner can show current readiness, alert route, rollback plan, and restore evidence or explicit private-beta boundary.
If missing: Do not sell enterprise continuity claims until external monitor, alert route, rollback, and restore records are attached.

Acceptance area: Acceptance sign-off
Status: operator required. Owner: Joint.
Proof needed: The room states the tenant can move to setup-only, private beta, paid beta, or enterprise expansion with evidence for that state.
If missing: Keep the tenant in the previous stage and assign every missing proof item before live expansion.

Launch evidence pack

Proof required before a tenant is accepted as live.

Each production rollout needs a compact evidence record that can be shown to the buyer, security reviewer, finance owner, and operator. Items marked customer, operator, or external required stay out of the live acceptance record until proven.

live

Procurement pack

Thesmios

Published DPA, SLA, subprocessors, procurement evidence, privacy, terms, security, trust, pricing, implementation, and security assurance pages.

Buyer confirms the public documents match the order-form scope and excluded roadmap claims.

customer required

Tenant scope

Customer

Named tenant owner, billing owner, support owner, data-protection contact, worker cohort, and compliance modules.

All named owners and the pilot cohort are recorded before worker traffic starts.

operator required

Production seed

Thesmios

Production issuer record, DID document version, expiry monitor job, evidence retention job, and seeded tenant data.

The readiness endpoint reports production launch seed records as passing for the live deployment.

operator required

Authenticated access smoke

Joint

Owner, granted-employer/verifier, and denied-employer fixtures with route and RLS results.

Authenticated API smoke passes against the launch tenant and fixture IDs are stored outside git.
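The owner/granted/denied smoke matrix described above, as an added example that is not Thesmios code: the route paths, environment variable names and the in-memory tenant store standing in for the tenant API are constructed assumptions. It reads fixture IDs from the environment rather than the repository, fails closed when one is missing, and treats a 200 on a denied row as a blocker even when every owner case passes.

```python
# Authenticated access smoke matrix: owner, granted verifier, denied employer.
# Added example, not Thesmios code: route paths, env var names and the
# in-memory tenant store standing in for the API are constructed.
import os
from typing import Callable, Mapping

# Fixture identities are read from the environment, never committed to git.
FIXTURE_ENV = {"owner": "SMOKE_OWNER_ID", "granted": "SMOKE_GRANTED_ID", "denied": "SMOKE_DENIED_ID"}

# (actor role, route, allowed). A 200 on a denied row is a blocker even if every owner case passes.
SMOKE_MATRIX = [
    ("owner",   "GET /passports/{pid}",        True),
    ("owner",   "GET /passports/{pid}/shares", True),
    ("granted", "GET /passports/{pid}",        True),   # visible via the scoped share
    ("granted", "GET /passports/{pid}/shares", False),  # share administration is owner-only
    ("denied",  "GET /passports/{pid}",        False),
    ("denied",  "GET /passports/{pid}/shares", False),
]

def load_fixtures(env: Mapping[str, str] = os.environ) -> dict:
    """Fail closed: a missing fixture ID is a blocker, not a skipped case."""
    missing = [var for var in FIXTURE_ENV.values() if not env.get(var)]
    if missing:
        raise RuntimeError(f"fixture IDs not set: {missing}")
    return {role: env[var] for role, var in FIXTURE_ENV.items()}

def run_smoke(fixtures: dict, pid: str, request: Callable[[str, str], int]) -> dict:
    """request(actor_id, route) -> HTTP status. Returns {case: passed}.
    Denied cases accept 403 or 404, since a route may hide row existence."""
    results = {}
    for role, route, allowed in SMOKE_MATRIX:
        status = request(fixtures[role], route.format(pid=pid))
        results[f"{role} {route}"] = status == 200 if allowed else status in (403, 404)
    return results

# Constructed stand-in for the tenant API with row-level scoping.
PASSPORTS = {"p1": {"owner": "u-owner", "shared_with": {"u-granted"}}}

def fake_request(actor: str, route: str) -> int:
    path = route.split(" ", 1)[1]
    row = PASSPORTS.get(path.split("/")[2])
    if row is None:
        return 404
    if path.endswith("/shares"):
        return 200 if actor == row["owner"] else 403
    return 200 if actor == row["owner"] or actor in row["shared_with"] else 404

if __name__ == "__main__":  # constructed fixture IDs for a stand-alone run
    env = {"SMOKE_OWNER_ID": "u-owner", "SMOKE_GRANTED_ID": "u-granted", "SMOKE_DENIED_ID": "u-denied"}
    for case, ok in run_smoke(load_fixtures(env), "p1", fake_request).items():
        print("PASS" if ok else "BLOCKER", case)
```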

operator required

Evidence and credential controls

Joint

Issuer signing fixture, clean upload, suspicious upload, EICAR/quarantine proof, credential lifecycle action, workflow task, and audit trail.

Sample credentials and evidence produce expected signing, scan, quarantine, retention, credential, task, and audit outcomes.

operator required

Sharing and privacy proof

Joint

Sample passport share, denied access attempt, privacy export, data-rights request, and audit export package.

Worker-visible and verifier-visible data match the scoped share and privacy package expectations.

customer required

Billing and support route

Joint

Signed order form or tenant billing profile, invoice request or Stripe proof, support owner, SLA priority, and escalation route.

The tenant has a recorded payment route and support path before paid use.

external required

Operational monitoring

External

Health/readiness monitor, status subscriber dry run, incident broadcast dry run, rollback rehearsal, and deployment URL.

The operator can show current health, degraded readiness reasons, and a tested rollback/status procedure.

Evidence bundles

Bundle: Buyer acceptance record (audience: buyer)
Artifacts:
Signed order-form scope and excluded-capability language.
Approved worker cohort and compliance modules.
Launch readiness summary from the production deployment.
Authenticated tenant launch dossier JSON or download.
Customer sign-off on initial passport, evidence, and verifier-share samples.
If missing: Keep the tenant in setup and avoid live worker traffic.

Bundle: Operator run evidence (audience: operator)
Artifacts:
Vercel deployment ID and alias confirmation.
Production seed result or manual tenant setup record.
Tenant launch dossier export with missing evidence and next actions.
Authenticated smoke output for owner, granted, and denied roles.
Issuer signing, evidence scan, quarantine, retention, workflow, and audit export proof.
If missing: If a command fails, record the blocker in the customer request and rerun before acceptance.

Bundle: Security and privacy evidence (audience: security)
Artifacts:
DPA, subprocessors, SLA, security, trust, and privacy links.
Security assurance pack with vendor-risk, technical-security, continuity, privacy, and AI-governance boundaries.
Procurement evidence pack with subprocessor notice process and DPIA/AI governance questionnaire.
Privacy export and data-rights request proof.
Evidence retention schedule and legal hold decision.
Incident notification scope and status subscription proof.
If missing: If legal or privacy owners have not approved these artifacts, scope the rollout to demo or sandbox data.

Bundle: Commercial evidence (audience: finance)
Artifacts:
Invoice profile or Stripe configuration proof.
Purchase-order requirement and billing contact.
Plan limits for passports, shares, audit exports, seats, and integrations.
Renewal, cancellation, pause, and overage treatment.
If missing: If billing is not recorded, sell only a no-charge design-partner pilot or delay paid launch.

Customer inputs

What the customer needs to provide.

Thesmios can keep the first rollout light, but every production tenant still needs named owners for legal, security, data, billing, and operational decisions.

Primary commercial, privacy, security, and operational contacts.
Approved worker cohort and required compliance modules.
Source-system owner for HRIS, official issuer, screening, and evidence data.
Employee notice or communications owner.
Data residency, retention, and deletion preferences.
IdP metadata, SCIM bearer-token plan, or password-only beta decision.
Billing owner and purchase-order or card payment route.

Launch gates

live

Procurement pack

DPA, SLA, subprocessors, security, privacy, and trust pages are published for review.

required

Tenant access model

Customer signs off roles, admin owners, invite policy, emergency access, and employee profile ownership.

required

Authenticated smoke

Owner, granted employer, and denied employer fixtures must pass route and RLS access checks before production rollout.

live

Evidence controls

Uploaded files are screened, risky objects are quarantined, and retention cleanup is bootstrapped through the background runner.

required

Billing route

Stripe products/webhook or invoice terms must be configured before self-serve paid checkout is enabled.

live

Support route

Severity targets and escalation expectations are documented on the SLA page and refined in the order form.

Typical timeline

Week 0, Procurement review: Security, DPA, SLA, subprocessors, pricing, modules, and order-form checklist.
Week 1, Tenant setup: Workspace, roles, data residency, SSO or password policy, billing route, and pilot cohort.
Week 2, Evidence mapping: HRIS fields, official issuer checks, verifier scopes, credential refresh cadence, and employee comms.
Week 3, Pilot launch: Seed records, run access smoke, test shares, review exceptions, and approve support handoff.
Week 4+, Scale: Measure documents avoided, expand cohorts, add integrations, and prepare enterprise controls.