Thesmios Platform
Worker compliance passports employers can verify once and reuse.
Thesmios launches as a managed B2B product for employer-verifiable worker compliance passports: right-to-work, identity, credential refresh, evidence rooms, audit trail, tenant controls, and KPI proof.
Launch wedge
One launchable product, not every compliance workflow.
Right-to-work and identity passport
Capture owner-held identity, eligibility, and right-to-work evidence once, then reuse scoped proof with the next verifier.
Credential refresh queue
Expiry policies and workflow tasks keep credentials from becoming stale after the first upload or issuer check.
Purpose-bound evidence rooms
Employees and authorised tenant users share only the sections and credentials needed for a verifier purpose.
Audit exports
JSON, CSV, and ZIP export packages collect audit events, access grants, and evidence inventory for a tenant review.
Tenant KPI proof
Dashboards track documents avoided, reuse rate, verification coverage, refreshes, stale credentials, exceptions, and reviewer SLA.
Enterprise setup controls
Tenant admins can save billing, support, retention, SSO, SCIM, API key, and webhook setup state before production proof.
Who uses it
Employee owner
Owns the passport, uploads evidence, reviews share scope, and can carry verified proof to the next employer or verifier.
Employer compliance team
Configures the tenant, imports the launch cohort, requests refreshes, tracks exceptions, and measures reuse.
Verifier or reviewer
Receives a scoped evidence room or API result instead of asking the worker to rebuild documents from zero.
Operating loop
From order form to measurable reuse.
A design partner should not need a custom story for every rollout. The product now has tenant controls, billing state, support route, KPI proof, and launch gates that match the managed beta model.
| 1. Import cohort | Create or grant access to a small worker cohort with named customer owners. |
|---|---|
| 2. Attach evidence | Add right-to-work, identity, qualification, refresh, and supporting evidence records. |
| 3. Share proof | Send purpose-bound passport shares to employers, reviewers, or verifiers. |
| 4. Refresh and review | Use workflow tasks, expiry rules, and support requests to resolve exceptions. |
| 5. Prove ROI | Track documents avoided, reuse rate, stale credentials, reviewer SLA, and unresolved exceptions. |
Commercial scope
| Capability | Launch status | Buyer treatment |
|---|---|---|
| Employee-owned compliance passport | included | Worker records, credentials, evidence, shares, and audit events are the primary paid-beta product. |
| Right-to-work, identity, credential refresh, evidence room, and audit trail | included | This is the first wedge for design partners and paid beta customers. |
| Tenant KPI proof | included | Dashboard and protected API expose documents avoided, reuse rate, verification coverage, stale credentials, exceptions, and reviewer SLA. |
| Invoice/order-form billing | included | Tenant billing profile and invoice setup request flow support paid managed rollouts. |
| SAML/OIDC SSO and SCIM | managed | Tenant setup controls exist; sell as managed enterprise setup until broker and fixture proof are completed. |
| Official issuer, HRIS, and sanctions connectors | credential required | Routes and adapters exist, but live claims require customer credentials or approval evidence. |
| Self-serve Stripe checkout | credential required | Checkout and webhook routes exist; enable only after Stripe secrets, prices, and signed webhook fixture pass. |
| Broad travel, tax, counterparty diligence, and reviewer marketplace workflows | excluded | Roadmap or customer-specific scope only. Not part of the standard private-beta wedge. |
Positioning guardrail
What we sell now versus what stays roadmap.
| Question | Private-beta answer | Not the launch claim |
|---|---|---|
| Primary product | Worker compliance passport | Broad travel, tax, or counterparty platform |
| Launch buyer | Regulated employer running a managed cohort | Everyone across every diligence workflow |
| Paid-beta proof | Tenant data, access checks, KPI dashboard, support route | Marketing claims or static screenshots |
| Billing route | Invoice or Stripe after configured webhook proof | Self-serve checkout before setup |
| Enterprise identity | SSO and SCIM as managed setup | Automatic enterprise SSO claim |
| Integrations | Credential-labelled, maturity-labelled, customer-keyed | All connectors sold as live by default |
Private-beta packages
Invoice-only private beta, from GBP 500/month.
First regulated teams proving the worker compliance passport with a small cohort.
Production seed, authenticated smoke users, billing profile, and support owner must be recorded.
Invoice or Stripe once production Stripe secrets and webhook proof are configured.
Regulated employers rolling out across a department or compliance function.
Customer credential proof and authenticated access checks must pass before expanding beyond pilot cohort.
Custom order form with implementation fee and mutually agreed production acceptance gates.
Larger buyers needing SSO broker work, SCIM fixture proof, custom retention, and procurement pack evidence.
Strict readiness, authenticated fixture, SSO/SCIM proof, and customer acceptance sign-off.
Trust posture
Built for regulated buyers, labelled by actual maturity.
Security evidence
Security, DPA, SLA, subprocessors, trust, and implementation pages are available for buyer review.
SOC 2 and ISO
Controls are mapped, but certification claims stay readiness-only until independent audit evidence exists.
Production gates
Production seed, authenticated smoke users, VC issuer keys, job secrets, and support email must pass before broad paid launch.
Design partner intake
Start with one worker cohort.
We are prioritising regulated employers that can provide a named admin owner, a launch worker cohort, a billing owner, and a clear first verifier workflow.