tawqi3
tawqi3.com

Getting Started

Set up your tenant portal

A comprehensive plain-English walk-through of every part of your tenant portal, from first sign-in to a production-ready configuration for any tawqi3 product you subscribe to.

Updated May 22, 2026 18 min read

The tenant portal at app.tawqi3.com (or at your tenant subdomain) is where your organisation administers its tawqi3 setup: people, roles, products, integrations, billing, security, branding, audit, and compliance. This article is the long-form walk-through. The per-product setup pages cover the product-specific surfaces.

This guide assumes you are the founding administrator created at signup, and that your organisation is signed up for at least one tawqi3 product. Every step below is reachable from the left-hand navigation of the tenant portal once you are signed in.

What the tenant portal is, and is not

The tenant portal is the administrative surface for your organisation. It is scoped to your organisation only; a member of one organisation can never see data belonging to another, and the portal does not offer a “switch organisation” picker.

The tenant portal is not the staff console used by tawqi3 employees to operate the platform, and it is not the day-to-day surface used by your end users. It is for the people who configure tawqi3 on behalf of your organisation. End users typically interact with the per-product surfaces (the signing inbox, the in-mail signature, the document library) that the tenant portal configures.

The portal layout adapts to what you have subscribed to. Signatures, Agreements, and Templates appear in the navigation only when the corresponding product is active or on trial. Everything else (users, roles, connectors, billing, security, branding, audit, compliance, notifications, settings) is always visible.

Who can sign in to the tenant portal

Your tenant portal has a small administrative team rather than a seat for every employee. By design, only the people who configure the platform sign in here:

  • Two global administrators (“super-admins”). They have full access to every page and every setting. They invite the other administrator, set the policies, manage subscriptions, and decide what the third administrator can do.
  • One additional administrator. Their scope is decided by the two global administrators. They can be given full access, limited access (for example, only the people and the audit pages), or read-only access. The global administrators change this scope from the People page at any time.
  • Your end users do not sign in to the tenant portal. Their experience lives inside their existing tools: the signature appears on their outgoing mail, the document arrives in their inbox to be signed, the template assigned to them is what their letter goes out on. They never need a tawqi3 account.

A separate article, Who can do what in your tenant, explains this model in detail, including how the global administrators give end users a choice of pre-approved signatures, e-sign formats, or document templates from inside their everyday tools.

Six rules to keep in mind

  1. Your organisation is fully separated. Every action the portal takes is scoped to your organisation; no page can show data from another organisation.
  2. What you see depends on what you subscribe to. A product page disappears the moment its entitlement lapses (for example, when a trial ends without conversion). Plan ahead.
  3. No third-party trackers run in the portal. Telemetry flows through your own organisation’s audit pipeline rather than external services.
  4. Destructive actions require a typed confirmation. Cancelling a subscription, removing a user, deleting a template, voiding an envelope; you will be asked to type a word to confirm.
  5. Audit transparency is total. Every administrator action is recorded in your audit history, visible from the Audit page.
  6. Brand tokens drive your visuals. Colours and typography picked in the Branding page flow into every signature, envelope, and document; you do not need to copy a colour code into each one.

Stage 1: First sign-in and the onboarding wizard

The first time the founding administrator signs in after email verification, the portal opens a guided wizard. The wizard is skippable on any step, but following it is the fastest path through Stages 1, 2, and 3 below. The wizard will:

  1. Show a tour of the products you subscribed to, with a starter card per product.
  2. Offer to invite the other administrators.
  3. Offer to connect a directory provider (Microsoft 365 or Google Workspace).
  4. Walk you through a first run for each product (design a starter signature, send a test envelope, render a sample document).
  5. Mark the wizard as complete.

If you skip the wizard, every step below is reachable through the normal navigation.

Stage 2: Settle your tenant settings

Open the Settings page and confirm three values that govern the rest of the configuration:

  • Display name: the human-readable label that appears on emails, headers, and exports.
  • Time zone: drives schedule windows, expiry computations, and how dates appear in audit and reports.
  • Locale and currency: the default for new users and for invoices; users can override the locale on their own profile.

The data region is shown on the same page but is read-only; it was fixed at signup and is the place where your encrypted artefacts live. Region changes are handled by tawqi3 support.

Stage 3: Invite your administration team

Open the People page and invite at least one second administrator before you go further. The rule against demoting the last owner is enforced by the system; configuring at least two owners protects you against an accidental lockout if the founder leaves the organisation.

The invite flow accepts a single email or a spreadsheet upload for bulk onboarding. Each invitee receives a single-use magic link that expires in 24 hours; expired links can be reissued. You can choose the invitee’s role at invite time, which is faster than inviting first and assigning a role later.

If your organisation uses departments or business units that you intend to use later as targeting attributes, create those groups now. They become attribute sources for the role-condition builder in Stage 4.

Stage 4: Define roles and what each role can do

Open the Roles page and choose between the built-in roles or custom roles tailored to your organisation:

  • Built-in roles cover the common shapes: full owner, security administrator, integrations administrator, IT administrator, marketing administrator, legal administrator, agreement administrator, agreement sender, viewer, auditor. Built-in roles cannot be edited.
  • Custom roles are copied from a built-in role and then narrowed or widened in a simple matrix.

For organisations that need finer rules (for example, “this person can sign agreements valued under fifty thousand euros only”), the role detail page offers a condition builder for attributes such as region, business unit, document category, contract value ceiling, regulated-entity flag, and signing tier. Before saving a change, use the preview; it replays a sample of recent (anonymised) decisions through the new rule and shows what would have changed.

The Recent grants tab logs every role assignment and removal; review it after a sweep to confirm your changes landed as expected.

Stage 5: Wire your directory and integrations

Open the Connectors page. The connectors fall into three families:

  • Directory connectors keep your tawqi3 directory in sync with a source of truth (Microsoft 365, Google Workspace, Okta, a human-resources platform). Connecting one of these is the precondition for targeting audiences by department, role, or business unit.
  • Customer-relationship connectors (Salesforce, HubSpot, Pipedrive) feed envelope recipient lookups and write back envelope status into your sales records.
  • Notification connectors (Slack, Microsoft Teams) deliver alerts about completed envelopes, signature campaign milestones, or template approvals into the channels your team already watches.

For each connector you wire, a consent screen opens in a new window; complete it as a workspace administrator. After consent, the connector detail page shows last-sync time, next-sync time, the error count (zero is the goal), an attribute mapping editor (the provider’s field on the left, the tawqi3 attribute on the right), and a “sync now” button.

When you bring your first directory connector online, walk through the imported user list on the People page and resolve any conflicts (duplicate emails, missing display names) the connector flagged.

Stage 6: Lock down security

Open the Security page and walk through five sub-pages in order:

  • Single sign-on: import your identity provider’s metadata, map the necessary attributes, and decide whether to require single sign-on. Requiring it refuses password sign-in for every account except emergency-access ones, which protects you against credential-stuffing attacks the platform cannot see.
  • Multi-factor: set the multi-factor policy. The strongest production posture is “require a passkey”, with one-time codes as a fallback. Per-role overrides are available.
  • Sessions: review the active sessions for each user. Bulk-revoke is available; an “impersonation” indicator shows when a tawqi3 support engineer is acting in your tenant on your behalf (always announced, only during support tickets).
  • API keys: create service tokens with the narrowest scope each integration needs. Tokens are shown exactly once at creation; the portal will never reveal them again. Name each token with the system that owns it.
  • Passkeys: enrol your own passkeys (security key, phone, laptop). Passkeys are the best defence against phishing of administrative accounts.

Stage 7: Apply your brand

Open the Branding page and configure the tokens every product surface will reference:

  • Logo: upload a PNG or SVG up to one megabyte. The logo appears on signatures, on envelope cover pages, and on document headers.
  • Colours: pick a primary, a secondary, and an accent colour. The picker refuses combinations that fail accessibility contrast checks so you cannot inadvertently produce unreadable output.
  • Typography: pick the UI label font and the body font from the curated list. The portal does not call out to a third-party font service; fonts ship inside your tenant data plane.
  • Footer text: a small rich-text editor for the legal or marketing footer that propagates into signatures and documents.

The preview pane on the right shows a mock of a signature card, an envelope cover page, and a letter template side by side, so you can confirm the brand looks right across all three products before saving.

Stage 8: Configure billing and subscriptions

Open the Billing page. Each subscribed product has its own card with state (on trial, active, past due, suspended, cancelled), current tier, billing-period dates, seat count, and a “cancel at period end” indicator.

Four flows live on this page:

  • Add product: a wizard for adding a product you did not pick at signup. It picks the appropriate plan, optionally activates a trial (refused if the organisation has already used a trial for that product), and confirms before subscribing.
  • Upgrade tier: a wizard for changing the plan on an existing subscription. Takes effect at the next billing period; the wizard shows what the next invoice will be.
  • Cancel: a typed confirmation. The default is soft cancel (the subscription continues until the period ends, then lapses); hard cancel is available with a second confirmation.
  • Payment method: configure card, direct debit mandate, or bank-transfer instructions. The portal stores only opaque references to your card; full card numbers never enter tawqi3 storage.

The Invoices tab lists every invoice with a per-row PDF download; the Usage tab shows per-metered gauge (envelopes per month, signatures per month, render jobs per month) with threshold bands at eighty percent and one hundred percent of the plan quota.

Stage 9: Stand up audit and compliance

Open the Audit page and confirm that the integrity tab shows a recent successful verification and a recent timestamp. Run “verify now” once to confirm the proof completes inside your tenant. You can also save filtered views (for example, “all destructive actions in the last 30 days”) that appear as quick links in the side panel.

Open the Compliance page and walk through three sub-pages:

  • Data Processing Agreement: confirm the agreement state per jurisdiction tier. If a state is pending, your tawqi3 account owner will surface a co-signing flow.
  • Sub-processors: review the sub-processor opt-outs per region. The defaults are conservative; tightening them further is straightforward, loosening them requires a security administrator’s sign-off.
  • Retention: per-product retention overrides. Extending evidence-bundle retention beyond the plan default is audited and requires an auditor co-sign; shortening it below the regulatory floor is refused.

The Data Subject Access Request page lets a security administrator open a right-to-access or right-to-erasure request on behalf of an end user. The platform fulfils the request and writes the fulfilment evidence back into the same page.

Stage 10: Configure notifications

Open the Notifications page. Two layers exist:

  • Per-user notification preferences are typically left to each user; the defaults are conservative.
  • Organisation-wide notification rules decide which platform events page which channel. Pair this with the Slack or Microsoft Teams connector from Stage 5 to route audit alerts, billing threshold breaches, or connector sync failures into the channel your operations team already watches.

A reasonable starting policy is to page operations on connector sync failures and billing past-due states, page security on multi-factor opt-outs and session revocations, and leave product activity (envelopes completed, documents rendered) to per-user opt-in.

Stage 11: Onboard your products

With Stages 1 through 10 done, the per-product setup pages take over:

  • For Email Signature, follow Set up Email Signature Cloud.
  • For Agreement and E-Sign, follow Set up Agreement and E-Sign.
  • For Document and Template, follow Set up Document and Template.

Each product article is short and assumes Stages 1 through 10 of this guide are complete; do them first and the product steps become a ten-minute exercise.

Day-two operations

Once your tenant is configured, the portal supports the recurring operations every administrator needs:

  • User changes: invite new starters and deactivate leavers from the People page; if you wired a directory connector in Stage 5, most of this happens automatically when your source of truth changes.
  • Role drift: review the Recent grants tab on the Roles page monthly to catch creeping privilege accumulation.
  • Subscription review: review the Usage tab on the Billing page monthly; if you are routinely brushing the threshold band, plan a tier upgrade before you hit the ceiling.
  • Audit posture: run “verify now” on the Audit integrity tab quarterly and snapshot the result for your own records.
  • Connector health: review the connector list weekly; a connector accumulating errors is a sign that an upstream provider has changed something.

When something does not work

Two pages help diagnose problems before contacting support:

  • The Audit feed carries an entry for every refusal with a structured reason. If a teammate reports “I cannot send envelopes”, the audit feed will usually tell you whether it was a missing role, an entitlement lapse, or a connector failure.
  • The Sessions page shows whether the user is signed in at all and from which device; a lot of “I cannot do X” reports turn out to be expired sessions.

If neither page explains the symptom, the support contact on your account page is the next step; please include your organisation identifier, the user’s email, and the time of the failed action so tawqi3 support can correlate against the operator-side audit log.

A note on the in-portal guide

A condensed copy of every setup article is also available from the Help menu inside the tenant portal. The in-portal version stays in lockstep with the version of the portal you are using; if a particular page mentions a feature the public knowledge base does not yet cover, the in-portal version is the authoritative one.

Where to go next

Once the portal is configured, the per-product knowledge-base articles cover the day-to-day product work. The Security category covers a public summary of our threat model and the controls reviewers commonly ask about. The Welcome article points at every other section.