Customer Onboarding & Deployment
From contract signature to live with your team in 2–4 weeks. The standard AscendCore playbook, broken into six phases.
In one paragraph
Most customers go live in 2–4 weeks. Week 1 is contracting and kickoff. Week 2 is integration setup and tenant provisioning. Week 3 is hands-on testing in Sandbox Mode against in-process mocks (no real systems touched). Week 4 is production cutover and staff rollout. We're hands-on the entire time and you have a named technical contact and a shared Slack channel from day one.
At a glance — typical 2-to-4 week timeline
Contracting
MSA, Order Form, and DPA signed. Welcome packet + shared Slack channel + named technical contact provisioned the same day.
Kickoff call
60-minute video call. Confirm scope, integrations, success criteria, security review path. Output: project plan with owner mapping.
Custom request form
Captures: which runbooks you want enabled, integration scope, branding preferences, authorized approver list. We respond with feasibility + effort estimate within 48 hours.
Deployment
You stand up service accounts in each system (Okta, Entra, M365, Intune, Jira, Confluence). We provision your tenant in AscendCore. Integrations connected, audit chain initialized.
Sandbox testing
Your team flips to Sandbox Mode and runs every enabled runbook end-to-end against in-process mocks. Real Slack/Teams cards, no real system mutations. We're on-call the entire week.
Production cutover + staff rollout
Flip to Live Mode. First few real runbooks run with extra scrutiny. Internal training session. Customer-specific cheat sheet handed off. Daily check-ins for the first week.
Phase 1 — Signing & contracting
Three documents move in parallel:
- Master Services Agreement (MSA). Standard SaaS terms. Limitation of liability capped at fees paid in the prior 12 months. SOC-2 audit chain commitments codified. We mark up standard customer redlines within 48 hours.
- Order Form. Plan tier (Free / Pro / Enterprise), seat count, start date, billing cycle, negotiated enterprise discounts. Stripe-managed payment for Pro and Enterprise; invoice option available for annual prepay.
- Data Processing Addendum (DPA). GDPR Article 28 / California CCPA processor commitments. Sub-processor list disclosed (Neon, Netlify, Doppler, Resend). Customer-specific data residency commitments documented.
Same-day provisioning post-signature:
- Welcome packet (PDF) with full deployment checklist
- Shared Slack Connect channel opened with your IT lead, your security reviewer, and our technical contact
- Named technical contact on the AscendCore side (Jacob during pre-Series-A; dedicated SE post-Series-A)
- Calendar invite for the kickoff call (typically within 2 business days)
Phase 2 — Kickoff call
60 minutes. Video. Attendees on your side: IT lead, security reviewer (if separate), implementation champion. On our side: technical contact + our CEO for the first 20 customers.
Standard agenda
- 10 min — Confirm in-scope integrations (Okta, Entra ID, M365, Intune, Jira, Confluence) and enabled runbooks
- 15 min — Walk through your existing IT operations workflow; identify where AscendCore slots in (HITL approval pathway, audit consolidation, etc.)
- 15 min — Security review walkthrough: SHA-256 audit chain, mandatory IdP-mediated MFA + SSO, Customer API authentication model, data residency options
- 15 min — Custom requirements: any organization-specific runbooks, group-naming conventions, custom approver routing, branding preferences
- 5 min — Project plan, deployment owner mapping, next-meeting cadence
Output: written project plan within 24 hours, including milestone dates, owner-per-task split, and a security review document for your CISO if requested.
Phase 3 — Custom request form
A structured intake that captures everything specific to your environment. Your IT lead fills this out (typically 30–45 minutes) and we respond with a feasibility assessment + implementation timeline within 48 hours.
What the form captures:
- Integration scope. Which of the 13 production runbooks to enable on day-1, which to phase in later.
- Identity provider. Okta or Entra ID as primary; mandatory IdP-mediated MFA enforcement preference.
- Approver model. Who can approve approval cards (e.g., L2 helpdesk lead, on-call IT director, specific group of senior engineers). Group-based or named-individuals.
- Custom runbook needs.Any workflows specific to your business not covered by the standard 13. We'll scope feasibility — most fit our existing primitives.
- White-label preferences. (Phase 4 roadmap) Custom Slack/Teams bot name, icon, and approval-card branding. Documented now, enabled when Phase 4 ships.
- Audit retention policy. Default 7 years for Pro/Enterprise; customer-specified retention available on Enterprise plan.
- Data residency. Default US (Neon Postgres + Netlify Blobs); EU-resident option on Enterprise plan.
Phase 4 — Deployment
The actual technical setup. Three parallel tracks; we project-manage all three with daily standups in the shared Slack channel.
Track A — Service account provisioning (your side)
- Create a dedicated service account in each integration system
- Grant minimum-scope OAuth permissions (we provide the exact scope manifest)
- Generate API tokens / OAuth secrets
- Install the AscendCore Slack app + Teams app in your workspaces
- Whitelist our outbound IPs if egress filtering is in place
Track B — Secure credential transfer (joint)
- Credentials transferred via your preferred secure-share tool (1Password, Bitwarden, Hashicorp Vault, or encrypted file via S/MIME)
- We never accept credentials via plaintext email or chat
- All credentials land in Doppler (our secrets manager) under your dedicated tenant namespace
- Your security team can verify our handling against our published architecture walkthrough
Track C — Tenant provisioning (our side)
- Your isolated org tenant provisioned in our multi-tenant infrastructure
- Per-tenant rate limits configured to your plan tier
- SSO + mandatory MFA configured (Entra and/or Okta admin login)
- Audit chain initialized with a genesis row tied to your org ID
- Connection health-check run against every enabled integration; results shared in the Slack channel
End-of-phase verification: a green checkmark for each enabled runbook (e.g., "MFA reset against Okta: connection OK, scopes verified, dry-run passed"). You sign off in writing before we move to sandbox testing.
Phase 5 — Sandbox testing
A full week (or two for larger deployments) in Sandbox Mode. Your Slack/Teams approval cards post for real, your team practices the approve/deny flow for real, the audit log writes for real — but the downstream Okta/Entra/M365/Intune/Jira/Confluence calls are mocked. No real users, licenses, groups, or devices get modified.
What we do this week:
- Run every enabled runbook end-to-end with test users / fake employees
- Practice the approver workflow with your designated approvers
- Review every audit log entry; verify the chain links
- Tune approver routing if anything feels off
- Identify edge cases specific to your environment (custom group naming, B2B guest users, etc.)
- Validate the Customer API end-to-end if you're using it for runbook triggering from your own tooling
We're on-call in the shared Slack channel all week with sub-2-hour response time during business hours. End-of-week, your team signs off that they're ready for production cutover.
Phase 6 — Production cutover & staff rollout
Cutover:
- Flip your org from Sandbox → Live in Settings → Test Mode
- First 3–5 real runbooks run with both teams watching live
- Customer audit log starts capturing real production events
Staff rollout:
- Internal announcement email to your IT team. We provide a template you can customize.
- 30-minute training session for your IT staff, delivered live by us or recorded for async viewing. Covers: how to request runbooks via Slack/Teams, how the approval flow works, where to check the audit log.
- Customer-specific cheat sheet with your org's exact slash commands, approver chain, and SLA expectations.
- Daily check-ins for the first week, then weekly for the first month, then monthly thereafter for the first 90 days.
Day 30 milestone: full deployment review meeting with your IT lead. We walk through what worked, what didn't, what we'll change for the next 90 days. Renewal conversation timing is shared transparently.
Day-1 operations
Bookmark status.ascendcore.ai for live uptime, scheduled maintenance, and historical incidents. Subscribe by email, SMS, Slack, or webhook to receive incident updates the moment they post.
99.5% monthly uptime SLA committed in your MSA. P1 incidents acknowledged within 30 min, 4-hour resolution target. Full SLA + severity definitions at ascendcore.ai/status.
Responsibility split
| Task | Your team | Our team |
|---|---|---|
| Contract negotiation + signatures | Sign | Draft + redline turnaround |
| Service account creation in Okta/Entra/M365/Intune/Jira/Confluence | Execute | Provide exact scope manifest |
| Slack + Teams app installation in your workspace | Execute (admin consent) | Provide install links + verify |
| AscendCore tenant provisioning | Approve config | Execute |
| SSO + MFA configuration | Set IdP policy | Configure on AscendCore side |
| Audit chain initialization | — | Execute (one-time, genesis row) |
| Sandbox-mode testing | Execute (your designated approvers) | On-call support + observe |
| Production cutover | Authorize the flip | Execute + monitor first 5 runs |
| Staff training | Schedule + attend | Deliver live or recorded |
| Ongoing support | Use the shared Slack channel | Daily/weekly/monthly cadence |
What you'll need on your IT side
Gathering these before Day 0 takes the deployment timeline from 4 weeks to 2 weeks:
- Admin access (or a path to admin) in each integration system you want to enable
- Authority to create new service accounts + grant OAuth scopes
- A decision on which IdP (Okta or Entra ID) will be the source-of-truth for AscendCore admin login
- A list of who can approve approval cards (group-based works fine — e.g.,
it-leadership@yourdomain) - A secure credential-transfer mechanism (1Password, Bitwarden, Hashicorp Vault, or S/MIME)
- If egress filtering is in place: ability to whitelist our outbound IPs
- A point-of-contact for security review (if separate from IT lead)
Plan tier impact on onboarding
| What you get | Free | Pro | Enterprise |
|---|---|---|---|
| Onboarding format | Self-serve docs | Live kickoff + ongoing | Full white-glove |
| Sandbox mode | ✓ | ✓ | ✓ |
| Custom runbook authoring | — | 1 / quarter included | Unlimited |
| Audit retention | 90 days | 7 years | Customer-specified |
| Data residency | US only | US only | US or EU |
| Customer API rate limit | 60/min | 600/min | 6,000/min |
| Support SLA | Community | 4hr business | 1hr 24×7 |
| QBR cadence | — | Quarterly | Monthly |
Frequently asked
Can we go live without sandbox testing?▾
Yes, but we don't recommend it. The sandbox week catches edge cases specific to your environment (group naming, B2B users, custom approver chains) without any risk to real users. Skipping it shaves 7 days but inherits more risk. The choice is yours.
What if our security team needs more than what's published on /security?▾
We provide our 5,700-word architecture walkthrough document under NDA on request — covers full data flow, sub-processor list, encryption posture, audit chain implementation, and SOC-2 evidence pulls. Most CISO reviews complete within a single 60-min call with that document in hand.
Can we test against our staging environment instead of sandbox mode?▾
Sandbox mode is in-process mocks (faster, no setup). If you have a dedicated staging tenant in Okta/Entra/M365, we can configure AscendCore to point at it instead — same architecture, different credentials. Adds 2–3 days to deployment.
How do custom runbooks get authored?▾
Today, we author them on your behalf based on the spec you provide. Phase 4 ships a customer-facing runbook authoring UI; until then, custom runbooks are a 1–2 week implementation included in your Pro plan (1/quarter) or unlimited in Enterprise.
Can our IT team see AscendCore's source code?▾
Selectively. Every runbook spec is public at /runbooks. The OpenAPI 3.1 contract is public at /api-docs. The audit chain verification logic is documented and customers can independently verify their own chain against the published algorithm. The orchestrator implementation itself is closed; the trust mechanism is the verifiable audit chain, not source visibility.
What happens if AscendCore goes down during a critical runbook?▾
Approval cards that fail mid-execution write a partial-completion audit row (which step succeeded, which failed, why) so you have a manual remediation roadmap. We monitor our own uptime publicly and our SLA is 99.9% (Pro) / 99.95% (Enterprise) on the critical-path infrastructure.
Can we cancel mid-onboarding?▾
Yes. Pro plan: pro-rated refund through end of current billing month, no termination fee. Enterprise: per contract, typically 30-day notice with no penalty during the first 90 days of deployment.
Do you white-label the Slack/Teams bot?▾
Phase 4 roadmap — custom bot name, icon, and approval-card branding per customer. Captured in your custom request form now; enabled when Phase 4 ships (target Q3 2026).
Ready to start?
Most kickoffs are scheduled within 3 business days of the inbound conversation. We'll walk through your specific environment, confirm timeline, and answer any questions before any paperwork moves.
Book a kickoff conversation (60 min) →