Project CentWin — Internal Brief

Updated Jun 5 — Review before sending proposal

Build cost revised: €11,500 → €13,000 — new scope items confirmed after Mariana's answers (Slack integration, counterparty trail, Elliptic audit log, EU infra config)
Billing restructured: 3 × €5,000 build phase (M1–3) + €1,200/mo subscription from M4 + €950/mo maintenance from Y2
Y1 total: €25,800 · Y1 margin: +€12,800 · Y2 profit: +€2,040 · 2-yr profit: +€14,840
Data compliance reviewed: AML + Privacy Policy both read. GDPR Art. 28 DPA required in contract before we start — client provides template. Stateless architecture confirmed correct. Elliptic audit trail now in scope.
Still pending: Mariana to confirm (1) Slack bidirectional vs outbound-only and (2) whether workflow design is a standalone deliverable. Answers expected before proposal goes out.

01 Company Overview

CompanyProject CentWin — crypto / digital assets compliance firm

LocationPortugal

Company size❓ TBD — larger than 7 (verify directly)

Team affected7 people (6 active daily) — compliance/ops only

Entry pathReferral — Nicola Morfini

Key contactsMariana Costa (ops lead) · Charalampos Lazoglou · Veronika Gmiterko · Nicola Morfini

Decision processLegal officer + directors — board approval required

Temperature🟡 Warm — real pain, process buyer, no budget signal yet

ICP fitNot ICP — financial services hard fail. Custom build.

Proposal deadlineJune 5, 2026

02 Project Scope

What we are building: Project CentWin is a crypto compliance firm in Portugal. Their 7-person operations team has roughly 40 client onboarding processes open simultaneously — each one can run for months — all involving 6 disconnected tools — Sumsub (client data), Asana (task tracking), Google Sheets (risk assessment), Elliptic (transaction monitoring), Fireblocks (trade registration), and Google Drive (document storage). None of these tools communicate with each other. Every time a client moves through onboarding, the team manually carries information from one system to the next. This costs them 5+ hours per day — around 80-90% of all onboarding work.

We are building a background automation layer that connects these 6 tools and keeps them in sync. When something changes in one system, the others update automatically. The team continues working in the same tools they use today — nothing changes on the surface. The engine runs invisibly behind it.

⚠️ Note: "80-90% of onboarding time" — client flagged this figure as overstated. Use "5+ hours/day" only. Quote on file: "cinco horas por dia" — no percentage confirmed.

Tool stack — API feasibility

Tool	Role	API Status
Sumsub	Client data repository	🟢 Public API confirmed (developers.sumsub.com), webhooks supported. Confirm their plan tier includes API access before architecture is finalised.
Asana	Project management	🟢 Fully public API, webhooks, OAuth 2.0
Google Sheets	Risk assessment	🟢 Sheets API v4, service account supported
Elliptic	Transaction monitoring	🟡 Public API confirmed (developers.elliptic.co), HMAC auth. Enterprise contract required. Alert suppression endpoint coverage needs verification under their contract.
Fireblocks	Trade registration	🟢 Public API, RSA JWT auth, webhooks v1+v2 confirmed
Google Drive	Document storage	🟢 Drive API v3, service account supported

What we build

① Sumsub → Google Sheets risk assessment (auto-populate)

Client questionnaire responses automatically map to Google Sheets risk model fields. Eliminates manual copy-paste and scoring errors.

High potential

② Sumsub → Elliptic (wallet auto-registration)

Client wallet addresses extracted from Sumsub and automatically registered in Elliptic for transaction monitoring.

High potential

③ Sumsub state → Asana task automation

When client completes a step in Sumsub, the corresponding Asana task advances and is assigned automatically. Weekly status posts auto-generated from task state.

High potential

④ Automated client follow-up reminders

Daily job checks all ~40 active cases. When a client has pending documents, automated email reminder sent. Eliminates manual daily monitoring.

High potential

⑤ Elliptic smart filter / alert deduplication

Middleware between Fireblocks and Elliptic. Internal whitelist of cleared exposures suppresses duplicate alerts for already-reviewed risks.

High potential

⑥ Google Drive auto-filing

Documents and reports automatically filed to the correct client folder in Drive when milestones are reached.

Medium potential

⑦ Periodic review auto-creation in Asana

Risk rating + date in Google Sheets triggers automatic Asana project creation at the scheduled review date (1-3 year cycle).

Medium potential

Out of scope

No new UI / case manager dashboard

Team stays in Asana and Sumsub. If Project CentWin later wants a dashboard, that is a Phase 2 conversation.

Out of scope v1

No changes to Elliptic or Sumsub configuration

We integrate via their APIs — we do not modify how they use those tools directly.

Out of scope v1

03 Confirmed Pains

Only what was explicitly said on the call. Nothing inferred.

Same client data entered manually into 4-5 systems after every Sumsub questionnaire submission"A nossa ideia era que a partir do momento em que essa informação existe num sistema, pudesse ser atualizada noutros" — Ops Lead
No central view of onboarding status — team opens 4-5 tools to check one client"Idealmente algo acima de todos estes sistemas que fosse case manager" — Ops Lead
Duplicate Elliptic alerts for exposures already reviewed and cleared (e.g. Russia)"Nós não conseguimos fazer o whitelist dessa exposição que já identificamos" — Ops Lead
Weekly status reports across ~40 Asana projects written manually, one by one"Temos que vir aqui e fazer os posts dos estados — demora-nos muito tempo" — Ops Lead
Periodic client review dates set in Excel but Asana projects created by hand, months later"Temos que manualmente verificar e criar projeto no Asana para revermos o cliente" — Ops Lead
5+ hours/day manual labor across the 7-person team (⚠️ "80-90% of onboarding time" disputed — use hours only)"Em todas as tarefas manuais no geral, sim nós passamos se calhar cinco horas por dia" — Ops Lead
No internal dev capacity — explicitly stated as a hard requirement for any solution"Não tínhamos essa capacidade de ter alguém que pudesse fazer essa continuidade" — Ops Lead

04 Build Cost Updated Jun 5

Assumes AI-assisted development (Claude Code + Codex). ~2x productivity multiplier applied to dev hours.

Role	Hours	Rate	Cost
Partners (consulting — kickoff, architecture, review, client calls)	10h	$200/h	$2,000
Dev — AI-assisted (traditional ~200h ÷ 2x multiplier)	100h	$60/h	$6,000
AI tooling — Claude Code Max + API overflow (~$800/mo × 2.5mo)	—	—	$2,000
Base build cost			$10,000
+25% custom premium (zero replicability — full cost on this client)			+$2,500
New scope — Slack integration (+5h), counterparty trail (+10h), Elliptic audit log (+6h), EU infra config (+2h)	+23h	$60/h	+$1,500
Total build cost			~$14,000 / €13,000

Top 2 unknowns that could move hours:
1. Sumsub plan tier — API confirmed public (developers.sumsub.com), webhooks supported. Need to verify their plan includes API access. If restricted to polling only, add ~10-15h fallback work. Low risk overall.
2. Data compliance scope — client confirmed data must stay in existing platforms (no external storage). Automation layer must be stateless. If audit trail depth or EU residency requirements are strict, adds ~10-15h infra work.

Complexity: Medium-High · Build estimate: 8-10 weeks · Dev profile: LatAm + AI-assisted

05 Pricing Updated Jun 5

Factor 2 — Client value

Client hidden cost~€40,000/yr (5h/day manual work across 7-person team)

Active sub (Y1)€1,200/mo → €14,400/yr equivalent

Client ROI on active sub1.78x — they save €25,600/yr net

Maintenance rate (Y2+)€950/mo → €11,400/yr

Client ROI on maintenance2.5x — even better from Y2

Factor 3 — Replicability

Pipeline demand: 0 clients — crypto/compliance vertical outside ICP. Full build cost on this client. Custom premium (+25%) already applied in Section 4.

Billing structure (locked Jun 2026)

Month 1€5,000 — Kickoff + build start

Month 2€5,000 — Build continues

Month 3€5,000 — Go-live + testing

Month 4+€1,200/mo — Monthly subscription (system live)

Year 2+€950/mo — Maintenance tier (lower rate, keep-the-lights-on)

Floor + margin check

Floor check (≥ €10K/yr active)	✓ PASS — €14,400/yr
Y1 total charged	€15,000 + (9 × €1,200) = €25,800
Y1 margin	€25,800 − €13,000 = +€12,800
Y2 total charged (€950/mo × 12)	€11,400
Y2 profit (~€780/mo support cost)	€11,400 − €9,360 = +€2,040
2-year total charged	€37,200
2-year total profit	+€14,840
Client ROI (subscription rate)	(€40K − €14.4K) / €14.4K = 1.78x ✓

Rationale: €5K/mo during build is a credible consulting retainer for compliance-grade automation across 6 enterprise APIs in a regulated environment. Market equivalent (specialist fintech automation firm) would charge €25–40K for this scope. Subscription from M4 only when system is live — client sees direct ROI before recurring cost kicks in. Y2 maintenance visibly cheaper to make renewal easy.

06 Replicability

Module registry matchNone — custom build, outside all current modules

Pipeline demand0 clients — financial services not in ICP

Architectural reusePartial — orchestration patterns reusable in future builds

VerdictZero replicability. Price to full recovery.

Note for Raffaello: Outside ICP. Taking it because (1) the pain is real and well-scoped, (2) Nicola referral opens a warm channel into crypto compliance, (3) build cost is low with AI-assisted dev. Not a strategic pivot — a one-off. If a second compliance client appears, revisit building a module for it.

07 Deal Dynamics

Risks

Board approval process — 2-3 week delay between proposal and sign. Need proposal in their hands by June 5 to stay on track.

No budget signal — they have approved this type of spend before but we have no anchor. Proposal is the first data point for the board.

Sumsub API confirmed — public API at developers.sumsub.com, webhooks supported. Residual: confirm their plan tier includes API access. Low risk.

Zero replicability — if build slips to 3 months, margin disappears. Build timeline must be tight. No feature creep in v1.

Strong referral from Nicola — warm entry, trust already established. Not a cold outreach close.

They have bought software this way before — board process is known to them. No education required.

Data compliance reviewed. AML policy + privacy policy reviewed (Jun 2026). Key findings: GDPR Art. 28 DPA required in contract before work starts (client provides template); stateless architecture confirmed correct by privacy-by-design requirement; Elliptic audit trail logging now in scope; EU-region infra required. No blocking architecture changes — adds ~23h dev (already in revised build cost).

Why now

Team grew from 2 to 7 recently. Processes were never scaled. Only now that the ops team is large enough do they have the bandwidth to fix what they have been tolerating. Classic "now we have people to define processes" trigger.

08 Open Questions

Being sent to Ops Lead via external scoping doc. None block sending the proposal — scope caveat covers them.

#	Full question (sent to client)	Why it matters	Blocking?
1	Does your Sumsub plan include API and webhook access? API confirmed public (developers.sumsub.com) — waiting on plan tier confirmation	Confirms integration approach — low risk either way	No — scope caveat covers
2	Does your risk model need to stay in Google Sheets, or are you open to the same logic living inside the system we build? ✓ Answered: Data must stay in existing platforms only — security requirement. Automation layer must be stateless (pass-through, no persistence).	~5-10h either way — Sheets API is clean. Low risk.	No
3	Can you confirm API access for Asana and Fireblocks?	Almost certainly yes — low risk	No
4	When your team clears an exposure, who should be able to add it to the whitelist? And at what level: per entity (e.g. "Gazprom"), per exposure type (e.g. "Russia country risk"), or per client-entity pair?	Affects filter engine complexity and admin UI scope	No
5	Roughly how many new client onboardings start each month? (We know you have ~40 active — we are asking about monthly intake going forward.)	Sizes the system correctly for growth	No
6	How would you describe Project CentWin's regulatory role? For example: crypto asset manager, broker, compliance service provider, or something else. ✓ Answered: Financial service provider, regulated by the Gibraltar Financial Services Commission (GFSC).	Audit trail requirements — affects v1 spec	No
7	Does your board have a preferred format for proposals? We typically send a web page but can export to PDF or Word if that works better for your approval process.	Proposal format for board submission	No
8	Do you have specific requirements for how client data is stored and handled — data residency, retention policies, or audit trail depth? ⏳ Partial: 2 compliance policies — Mariana sending tomorrow (June 2). Review before finalising architecture.	Architecture decision: EU-only infra, GDPR logging, MiCA compliance scope	No — but shapes v1 spec

09 Decisions Needed from Raffaello Updated Jun 5

Need answers before the proposal goes out. Please reply with yes/no or your pick on each.

Pricing OK? (3 × €5,000 build / €1,200/mo from M4 / €950/mo Y2 maintenance)

Y1 total: €25,800. Y1 margin: +€12,800. Y2 profit: +€2,040. 2-yr profit: +€14,840. Build cost €13,000 (revised after new scope items). ROI 1.78x on subscription rate. Competitive: specialist fintech automation firms charge €25–40K for equivalent scope. Workflow design pending Mariana — if in scope, build phase absorbs it (no price change).

Any concern on taking a non-ICP client?

Financial services is a hard ICP fail. Decision to proceed: referral quality (Nicola), low build cost (AI-assisted), clear scope, strong pain signal. Not a strategic pivot — a one-off. Flag if you see a risk I am missing.

Scope caveat wording OK?

"Pricing assumes API-based integrations across all 6 systems. Any scope adjustment identified during the Month 1 kickoff will be communicated within 5 business days before any additional cost is incurred." This protects us on the Elliptic contract scope and data compliance depth (2 policies pending review) without alarming the client.