Implementation
Implementation runbook for regulated teams.
A B2B compliance product has to launch with roles, data, billing, support, and legal review aligned. This runbook gives buyers and operators the rollout shape before contract work starts.
Invoice-led launch path
Managed beta first, strict self-serve later.
The managed beta readiness pack lists the launch gates that let a design partner start under an order form or invoice, while keeping self-serve checkout and broad enterprise claims out of scope until strict proof exists.
Public deployment and route protection
Production homepage, marketing surfaces, status, implementation, legal, trust, readiness, and public product evidence endpoints are deployed on the production domain.
Strict proof plan is published
Production proof groups name the strict paid-readiness blockers, fixture inputs, vendor requirements, mutating boundaries, and if-missing decisions.
Customer order-form scope
Order-form template and customer launch room define modules, cohort, verifier audience, data boundaries, exclusions, and acceptance language.
Invoice or order-form billing route
Tenant billing profile and invoice setup request paths exist. Stripe checkout remains a separate self-serve proof gate.
Rollout phases
1. Scope the rollout
Customer and Thesmios
Confirm the worker cohort, compliance modules, verifier audiences, jurisdictions, data residency, retention, and pilot success criteria.
2. Configure the tenant
Thesmios
Set workspace roles, SSO or password policy, SCIM posture, HRIS connection plan, audit settings, issuer registry, and billing route.
3. Connect evidence flows
Customer operations
Map source systems, import initial worker records, select reusable credential scopes, and prepare employee communications.
4. Launch and measure
Joint team
Run access-control smoke checks, review sample passports, test verifier shares, approve support paths, and track documents avoided.
Order-form checklist
| Commercial model | Pilot, regulated, or enterprise plan; invoice or Stripe route; renewal and cancellation terms. |
|---|---|
| Tenant scope | Workspace name, primary admin, region, data residency, domains, and intended worker cohorts. |
| Modules | Compliance areas, verifier scopes, monitoring cadence, review SLAs, and evidence retention. |
| Identity | SSO provider, SCIM requirement, admin MFA policy, invited roles, and emergency access owner. |
| Integrations | HRIS, official issuers, sanctions sources, webhook targets, wallet exports, and verifier API use. |
| Legal | DPA, subprocessors, SLA, security review, AI governance review, and customer notices. |
| Launch gates | Seeded tenant data, authenticated route checks, billing path, support channel, and rollback owner. |
| Success metrics | Documents avoided, time saved, refreshes completed, verifier reuse, and unresolved exception rate. |
Customer launch pack
Attach to the signed pilot order form so roadmap claims stay out of contractual scope.
Order-form scope clause
The launch scope is limited to employer-verifiable worker compliance passports, evidence upload, credential review, scoped verifier shares, tenant KPI reporting, support intake, privacy requests, and audit exports for the named pilot cohort. Capabilities marked managed, credential-required, manual-required, demo, planned, or excluded are not production commitments unless separately written into this order form.
Use before moving a tenant from setup to live worker traffic.
Production acceptance clause
Production acceptance requires a named tenant owner, billing owner, support owner, approved worker cohort, approved data-retention schedule, completed production readiness check, authenticated owner/granted/denied access smoke evidence, and customer sign-off on initial compliance modules and verifier audiences.
Send before importing or inviting the first worker cohort.
Employee launch note
Your employer is using Thesmios to keep reusable compliance evidence in one worker-owned passport. You will be asked to review or upload evidence once, and approved employers or verifiers can only see the sections shared for a specific purpose. Thesmios records access, supports correction requests, and lets you export your data package.
Send to external employers, auditors, or reviewers before they open a share.
Verifier instruction
You are receiving a scoped Thesmios worker passport share for the stated verification purpose only. Review the visible credential status, issuer, evidence summary, freshness date, and disclosure rules. Do not request withheld fields unless the worker or customer creates a new share with broader scope.
Store with the customer implementation record after launch rehearsal.
Operator acceptance checklist
Capture the Vercel deployment URL, readiness summary, production seed evidence, authenticated smoke result, billing profile, support route, retention policy, sample evidence upload, sample credential lifecycle action, sample passport share, privacy export proof, and any scoped-out dependency notes.
Customer launch room
One acceptance record for every B2B tenant.
The launch room turns scope, owners, fixture proof, provisioning, security review, billing, support, and continuity into one customer-specific go/no-go record.
Setup-only
Commercial scope and excluded claims are recorded; Tenant owner, implementation owner, support owner, and privacy/security owner are named; Initial worker cohort, modules, and data notice path are approved
Launch-room roles and commercial scope are complete.
Private beta
Production seed or manual tenant setup evidence exists; Authenticated owner/granted/denied smoke proof passes; Issuer, evidence, audit export, and privacy fixture outputs are attached or explicitly scoped out; Support route and readiness warnings are visible to the customer
Launch proof bundle plus customer acceptance record.
Paid beta
Tenant billing profile, invoice request, or Stripe fixture proof is attached; Notification dry-run evidence and support escalation route exist; Operations evidence pack is attached with health/readiness output; KPI review cadence and success metrics are agreed
Signed order form or billing proof plus public and authenticated launch evidence.
Enterprise expansion
SCIM/IdP fixture proof exists for the selected provider; SSO broker, official issuer, HRIS, or screening connectors are proven with customer credentials when in scope; External uptime monitor, alert routing, rollback rehearsal, and restore rehearsal evidence are attached; Security/privacy owner approves external evidence boundaries such as pen-test, certifications, DPIA, and retention
Customer-specific launch room with provisioning, continuity, and security evidence complete.
| Acceptance area | Status | Owner | Proof needed | If missing |
|---|---|---|---|---|
| Commercial scope | customer required | Customer | Commercial owner can point to the exact paid scope, billing route, limits, and excluded claims before worker data is imported. | Keep the rollout no-charge or setup-only until payment route and scope are recorded. |
| Tenant owners and contacts | customer required | Joint | No launch-room role is blank, and the tenant owner can show the saved member/invitation/support route. | Hold tenant acceptance in setup because unresolved ownership creates support and privacy risk. |
| Worker cohort and evidence scope | customer required | Customer | Customer signs off cohort, modules, notices, retention, and verifier audiences before import or employee invitation. | Use demo data only until customer-approved data scope and employee notice are complete. |
| Access and provisioning | operator required | Joint | Authenticated route proof passes, and any SCIM/SSO work is either proven for the tenant or scoped as managed setup. | Limit launch to named users and password/Magic Link until tenant provisioning proof exists. |
| Credential and evidence proof | operator required | Thesmios | Launch proof bundle and configured fixture outputs are attached to the launch-room record. | Do not accept paid production use for the tenant until production fixture evidence exists or the missing path is written out of scope. |
| Security, privacy, and procurement | customer required | Joint | Security/privacy owner signs off live controls, managed-beta controls, and external evidence still required for enterprise expansion. | Scope the rollout to private beta or sandbox data until legal/security approval is recorded. |
| Operations and continuity | external required | External | Continuity owner can show current readiness, alert route, rollback plan, and restore evidence or explicit private-beta boundary. | Do not sell enterprise continuity claims until external monitor, alert route, rollback, and restore records are attached. |
| Acceptance sign-off | operator required | Joint | The room states the tenant can move to setup-only, private beta, paid beta, or enterprise expansion with evidence for that state. | Keep the tenant in the previous stage and assign every missing proof item before live expansion. |
Launch evidence pack
Proof required before a tenant is accepted as live.
Each production rollout needs a compact evidence record that can be shown to the buyer, security reviewer, finance owner, and operator. Items marked customer, operator, or external required stay out of the live acceptance record until proven.
Procurement pack
Thesmios
Published DPA, SLA, subprocessors, procurement evidence, privacy, terms, security, trust, pricing, implementation, and security assurance pages.
Buyer confirms the public documents match the order-form scope and excluded roadmap claims.
Tenant scope
Customer
Named tenant owner, billing owner, support owner, data-protection contact, worker cohort, and compliance modules.
All named owners and the pilot cohort are recorded before worker traffic starts.
Production seed
Thesmios
Production issuer record, DID document version, expiry monitor job, evidence retention job, and seeded tenant data.
The readiness endpoint reports production launch seed records as passing for the live deployment.
Authenticated access smoke
Joint
Owner, granted-employer/verifier, and denied-employer fixtures with route and RLS results.
Authenticated API smoke passes against the launch tenant and fixture IDs are stored outside git.
Evidence and credential controls
Joint
Issuer signing fixture, clean upload, suspicious upload, EICAR/quarantine proof, credential lifecycle action, workflow task, and audit trail.
Sample credentials and evidence produce expected signing, scan, quarantine, retention, credential, task, and audit outcomes.
Sharing and privacy proof
Joint
Sample passport share, denied access attempt, privacy export, data-rights request, and audit export package.
Worker-visible and verifier-visible data match the scoped share and privacy package expectations.
Billing and support route
Joint
Signed order form or tenant billing profile, invoice request or Stripe proof, support owner, SLA priority, and escalation route.
The tenant has a recorded payment route and support path before paid use.
Operational monitoring
External
Health/readiness monitor, status subscriber dry run, incident broadcast dry run, rollback rehearsal, and deployment URL.
The operator can show current health, degraded readiness reasons, and a tested rollback/status procedure.
Evidence bundles
| Bundle | Audience | Artifacts | If missing |
|---|---|---|---|
| Buyer acceptance record | buyer | Signed order-form scope and excluded-capability language; Approved worker cohort and compliance modules; Launch readiness summary from the production deployment; Authenticated tenant launch dossier JSON or download; Customer sign-off on initial passport, evidence, and verifier-share samples | If this bundle is missing, keep the tenant in setup and avoid live worker traffic. |
| Operator run evidence | operator | Vercel deployment ID and alias confirmation; Production seed result or manual tenant setup record; Tenant launch dossier export with missing evidence and next actions; Authenticated smoke output for owner, granted, and denied roles; Issuer signing, evidence scan, quarantine, retention, workflow, and audit export proof | If a command fails, record the blocker in the customer request and rerun before acceptance. |
| Security and privacy evidence | security | DPA, subprocessors, SLA, security, trust, and privacy links; Security assurance pack with vendor-risk, technical-security, continuity, privacy, and AI-governance boundaries; Procurement evidence pack with subprocessor notice process and DPIA/AI governance questionnaire; Privacy export and data-rights request proof; Evidence retention schedule and legal hold decision; Incident notification scope and status subscription proof | If legal or privacy owners have not approved these artifacts, scope the rollout to demo or sandbox data. |
| Commercial evidence | finance | Invoice profile or Stripe configuration proof; Purchase-order requirement and billing contact; Plan limits for passports, shares, audit exports, seats, and integrations; Renewal, cancellation, pause, and overage treatment | If billing is not recorded, sell only a no-charge design-partner pilot or delay paid launch. |
Customer inputs
What the customer needs to provide.
Thesmios can keep the first rollout light, but every production tenant still needs named owners for legal, security, data, billing, and operational decisions.
Launch gates
Procurement pack
DPA, SLA, subprocessors, security, privacy, and trust pages are published for review.
Tenant access model
Customer signs off roles, admin owners, invite policy, emergency access, and employee profile ownership.
Authenticated smoke
Owner, granted employer, and denied employer fixtures must pass route and RLS access checks before production rollout.
Evidence controls
Uploaded files are screened, risky objects are quarantined, and retention cleanup is bootstrapped through the background runner.
Billing route
Stripe products/webhook or invoice terms must be configured before self-serve paid checkout is enabled.
Support route
Severity targets and escalation expectations are documented on the SLA page and refined in the order form.
Typical timeline
| Stage | Workstream | Outcome |
|---|---|---|
| Week 0 | Procurement review | Security, DPA, SLA, subprocessors, pricing, modules, and order-form checklist. |
| Week 1 | Tenant setup | Workspace, roles, data residency, SSO or password policy, billing route, and pilot cohort. |
| Week 2 | Evidence mapping | HRIS fields, official issuer checks, verifier scopes, credential refresh cadence, and employee comms. |
| Week 3 | Pilot launch | Seed records, run access smoke, test shares, review exceptions, and approve support handoff. |
| Week 4+ | Scale | Measure documents avoided, expand cohorts, add integrations, and prepare enterprise controls. |