Implementation

Implementation runbook for regulated teams.

A B2B compliance product has to launch with roles, data, billing, support, and legal review aligned. This runbook gives buyers and operators the rollout shape before contract work starts.

Plan rollout Review SLA

Rollout phases

1. Scope the rollout

Customer and Thesmios

Confirm the worker cohort, compliance modules, verifier audiences, jurisdictions, data residency, retention, and pilot success criteria.

2. Configure the tenant

Thesmios

Set workspace roles, SSO or password policy, SCIM posture, HRIS connection plan, audit settings, issuer registry, and billing route.

3. Connect evidence flows

Customer operations

Map source systems, import initial worker records, select reusable credential scopes, and prepare employee communications.

4. Launch and measure

Joint team

Run access-control smoke checks, review sample passports, test verifier shares, approve support paths, and track documents avoided.

Order-form checklist

Commercial model	Pilot, regulated, or enterprise plan; invoice or Stripe route; renewal and cancellation terms.
Tenant scope	Workspace name, primary admin, region, data residency, domains, and intended worker cohorts.
Modules	Compliance areas, verifier scopes, monitoring cadence, review SLAs, and evidence retention.
Identity	SSO provider, SCIM requirement, admin MFA policy, invited roles, and emergency access owner.
Integrations	HRIS, official issuers, sanctions sources, webhook targets, wallet exports, and verifier API use.
Legal	DPA, subprocessors, SLA, security review, AI governance review, and customer notices.
Launch gates	Seeded tenant data, authenticated route checks, billing path, support channel, and rollback owner.
Success metrics	Documents avoided, time saved, refreshes completed, verifier reuse, and unresolved exception rate.

Customer inputs

What the customer needs to provide.

Thesmios can keep the first rollout light, but every production tenant still needs named owners for legal, security, data, billing, and operational decisions.

Primary commercial, privacy, security, and operational contacts.

Approved worker cohort and required compliance modules.

Source-system owner for HRIS, official issuer, screening, and evidence data.

Employee notice or communications owner.

Data residency, retention, and deletion preferences.

IdP metadata, SCIM bearer-token plan, or password-only beta decision.

Billing owner and purchase-order or card payment route.

Launch gates

live

Procurement pack

DPA, SLA, subprocessors, security, privacy, and trust pages are published for review.

required

Tenant access model

Customer signs off roles, admin owners, invite policy, emergency access, and employee profile ownership.

required

Authenticated smoke

Owner, granted employer, and denied employer fixtures must pass route and RLS access checks before production rollout.

live

Evidence controls

Uploaded files are screened, risky objects are quarantined, and retention cleanup is bootstrapped through the background runner.

required

Billing route

Stripe products/webhook or invoice terms must be configured before self-serve paid checkout is enabled.

live

Support route

Severity targets and escalation expectations are documented on the SLA page and refined in the order form.

Typical timeline

Stage	Workstream	Outcome
Week 0	Procurement review	Security, DPA, SLA, subprocessors, pricing, modules, and order-form checklist.
Week 1	Tenant setup	Workspace, roles, data residency, SSO or password policy, billing route, and pilot cohort.
Week 2	Evidence mapping	HRIS fields, official issuer checks, verifier scopes, credential refresh cadence, and employee comms.
Week 3	Pilot launch	Seed records, run access smoke, test shares, review exceptions, and approve support handoff.
Week 4+	Scale	Measure documents avoided, expand cohorts, add integrations, and prepare enterprise controls.