Engage-to-grow swarm · Loyalty-management agent · Loyalty-platform-integration skill · Build pillar · Published July 11, 2026

How to build cross-banner loyalty platform integration

Multi-banner franchise operators running more than one loyalty program across more than one banner work above a strong loyalty- platform + identity-resolution + consent-management + policy-as- code + WORM-storage primitives layer (Yotpo + Smile.io + LoyaltyLion + Annex Cloud + Punchh + Paytronix + Open Loyalty + Antavo + Friendbuy + Talon.One + Voucherify + Capillary + LoyaltyPlus + Eagle Eye + Brierley + Comarch + Epsilon Agility for loyalty platforms; Tealium + Segment + mParticle + RudderStack for identity resolution; OneTrust + Cookiebot + Usercentrics + Didomi for consent management; OPA Rego + AWS Cedar + Casbin + Cerbos + Oso for policy-as-code; AWS S3 Object Lock + GCS retention + Azure Blob immutable + Snowflake Time Travel for WORM storage — each vendor ships sophisticated primitives that the orchestration sits above). The orchestration that sits above those primitives — per-vendor API ingestion with reliability engineering, per-event webhook reliability with signature verification and dedup, per-banner member master-record merge with deterministic and probabilistic identity resolution, per- cross-banner tier/points/reward reconciliation, per-banner policy engine, per-jurisdiction compliance gate that ties decisions to ASC 606 deferred-revenue points liability + state auto-renewal laws + state escheatment laws + FDD Item 12/17/19 + CCPA/CPRA + GDPR anchors — is operator-side architecture. Single-banner loyalty accounts cannot resolve tier or points conflicts that arise when the same member holds different tiers across banners; the orchestration layer above them can. This guide explains how to architect the loyalty-platform- integration skill on the loyalty-management agent end-to-end.

Start with the AI Readiness Assessment Explore Fractional CMO with AI Swarm Take the 3-question fit quiz

What you will build

A per-vendor loyalty API ingestion layer that handles per-vendor authentication (OAuth 2.0, API key, HMAC-SHA-256 signature, mTLS), rate-limit, pagination, retry, dead-letter queue, poll-cadence (real-time, hourly, daily, weekly), batch-vs-stream, replay, and schema-evolution across the operator-chosen loyalty-platform surface.
A per-event webhook reliability layer with HMAC-SHA-256 signature verification, idempotency-key handling, deduplication, replay, retry, dead-letter queue, cross-vendor deduplication, out-of-order handling, and late-arrival handling across the 10-event canonical loyalty taxonomy.
A per-banner member master-record merge layer with deterministic merge (shared email SHA-256 hash, shared phone E.164, shared loyalty ID, shared payment token, shared customer ID), probabilistic merge (Levenshtein, Jaro-Winkler, IP/device fingerprint), cross-banner merge, operator-counsel- maintained survivorship rules, versioning, rollback, and customer-data-graph handoff.
A per-cross-banner tier reconciliation layerwith operator-counsel-approved resolution rules (higher-tier- wins, most-recent-tier-wins, banner-of-origin-wins, portfolio- master-tier-wins, corporate-override), tier bridge, tier conversion rate, and tier audit record.
A per-cross-banner points reconciliation layer with cross-banner points conversion rate, expiration-policy merge, burn-rate tracking against ASC 606 deferred-revenue projections, liability tracking, rounding-rule resolution, and points audit record.
A per-cross-banner reward reconciliation layer with cross-banner reward eligibility merge, cooldown merge, fulfillment routing that respects FDD territorial-protection rules, suppression, and reward audit record.
A per-banner policy engine on OPA Rego, AWS Cedar, Casbin, Cerbos, or Oso with policy-bundle versioning, rollback, A/B testing, decision tracing, and decision explainability.
A per-jurisdiction compliance gate anchored on GAAP ASC 606 + IFRS 15 deferred-revenue treatment of points liability + state subscription auto-renewal laws + state escheatment laws + FDD Item 12/17/19 + CCPA/CPRA + GDPR + state-comprehensive-privacy, extended to CASL + PIPEDA + LGPD + DPDP + CAN-SPAM + TCPA + 10DLC + FTC Endorsement Guides + FTC substantiation + FINRA Rule 2210 + HIPAA + state cannabis- board + alcohol DISCUS + tobacco FDA + NIST AI RMF + ISO 42001 + SOC 2 Type II + ISO 27001 + PCI DSS 4.0 via policy-as-code (OPA Rego, AWS Cedar, Casbin, Cerbos, Oso) routed to operator- chosen consent management (OneTrust, Cookiebot, Usercentrics, Didomi).
A feedback loop with per-event correction, pattern learning, false-positive pattern learning, cross- banner reconciliation tuning, tier-conflict resolution tuning, and points-reconciliation tuning.
Cross-skill handoffs and an audit trail to siblings on the loyalty-management agent and broader swarm, with audit trail to operator-controlled WORM storage at per-statute retention windows operator counsel sets.

Where the orchestration above loyalty-platform, identity- resolution, and consent-management primitives compounds at multi-banner scale

The vendor primitives are strong. Loyalty platforms ship per-account per-loyalty-program per-member operations. Identity resolution vendors ship per-event identity stitching. Consent management vendors ship per-jurisdiction consent capture. Policy-as-code vendors ship authorization decisions. The orchestration above those primitives is what compounds when an operator runs more than one loyalty program across more than one banner.

The first operationally distinctive constraint is GAAP ASC 606 plus IFRS 15 deferred-revenue treatment of cross-banner points liability. Loyalty points create a performance obligation that must be deferred under ASC 606 and IFRS 15 until earned or expired. Cross-banner programs aggregate liability across banners and require consolidated tracking, burn-rate analysis, and breakage estimation. The per- jurisdiction gate emits the points-liability record at every transaction and ties it to the operator finance accounting workflow.

The second distinctive constraint is state subscription auto- renewal laws plus ROSCA plus FTC Click-to-Cancel plus California Automatic Renewal Law when loyalty tiers or rewards trigger subscription billing. State auto-renewal laws vary in disclosure, consent, and cancellation requirements. The per-jurisdiction gate routes loyalty-triggered subscription billing to the operator-counsel-approved disclosure workflow.

The third distinctive constraint is state escheatment laws and unclaimed-property statutes. Expired loyalty points and unredeemed rewards may fall under state escheatment when they remain unclaimed within statutory windows that vary by state. The per-jurisdiction gate emits the unclaimed-points record at expiration so operator counsel can manage state-by-state escheatment filings.

The fourth distinctive constraint is FDD Item 12 (territorial protection), Item 17 (renewal, termination, transfer), and Item 19 (financial-performance representation) when cross- banner loyalty programs affect franchisee revenue. Cross- banner reward fulfillment routing that shifts revenue between franchisees, and cross-banner points liability that affects franchisee P&L, route to operator-counsel-reviewed FDD-aware workflows.

The fifth distinctive constraint is CCPA/CPRA + GDPR + the five-state US comprehensive privacy laws (Connecticut CTDPA, Texas DPSA, Virginia CDPA, Colorado CPA, Utah CPA) plus the additional state privacy laws now in effect, when cross- banner merge joins customer identity. Cross-banner identity merge is a privacy event that operator counsel reviews. The gate routes consent verification, DSAR handling, and right- to-erasure handling through the operator-chosen consent management vendor.

Beyond the five anchors, the per-jurisdiction gate also covers CASL (Canadian opt-in), PIPEDA, LGPD (Brazil), DPDP (India), CAN-SPAM, TCPA, A2P 10DLC TCR registration for SMS, FTC Endorsement Guides 2024 when loyalty-program endorsements surface, FTC substantiation doctrine for loyalty-program claims, FINRA Rule 2210 when loyalty rewards touch investment-grade contexts, HIPAA when loyalty programs involve PHI, state cannabis-board loyalty rules in adult-use jurisdictions, alcohol DISCUS tied-house rules, tobacco FDA prohibitions, NIST AI RMF + ISO 42001 when AI drives loyalty decisioning, SOC 2 Type II + ISO 27001 for the integration infrastructure, and PCI DSS 4.0 when payment tokens flow through merge. The gate is policy-as-code; operator counsel reviews rule updates.

The real ecosystem the orchestration sits above

Loyalty-platform primitives

Yotpo, Smile.io, LoyaltyLion, Annex Cloud, Punchh, Paytronix, Open Loyalty, Antavo, Friendbuy, Talon.One, Voucherify, Capillary, LoyaltyPlus, Eagle Eye, Brierley, Comarch, Epsilon Agility. Strong primitives for per-account per-loyalty-program per-member operations. The per-vendor API ingestion + per-event webhook reliability layers sit above this layer.

Identity-resolution and customer-data-graph primitives

Tealium, Segment, mParticle, RudderStack for identity resolution; Snowflake, Databricks, BigQuery, Redshift, Postgres for the customer-data warehouse layer. Strong primitives for per-event identity stitching. The per-banner member master-record merge layer sits above this layer.

Consent-management and policy-as-code primitives

OneTrust, Cookiebot, Usercentrics, Didomi for consent management; OPA Rego, AWS Cedar, Casbin, Cerbos, Oso, Styra DAS, Permit.io for policy-as-code. Strong primitives. The per-banner policy engine and per-jurisdiction compliance gate sit above this layer.

Workflow, WORM-storage, and compliance-tooling primitives

Temporal, AWS Step Functions, Apache Airflow, Dagster, Prefect, n8n for workflow orchestration; AWS S3 Object Lock, GCS retention, Azure Blob immutable, Snowflake Time Travel for WORM storage; Hyperproof, Drata, Vanta, Thoropass for SOC 2 / ISO control evidence. Strong primitives. The audit trail layer sits above this layer.

How the architecture is built

Per-vendor API ingestion substrate. Implement per-vendor authentication (OAuth 2.0, API key, HMAC-SHA-256 signature, mTLS). Wire per-vendor rate-limit, pagination, retry, DLQ, poll-cadence selection, batch-vs-stream selection, replay capability, and schema-evolution tolerance. Land events in the operator data warehouse (Snowflake, Databricks, BigQuery, Redshift, Postgres).
Per-event webhook reliability. Verify HMAC-SHA-256 signatures. Apply idempotency keys. Deduplicate within and across vendors. Handle out-of-order and late- arrival events. Replay from DLQ when needed. Emit a single canonical event stream covering the 10-event taxonomy.
Per-banner member master-record merge.Implement deterministic merge (shared email SHA-256 hash, shared phone E.164, shared loyalty ID, shared payment token, shared customer ID). Implement probabilistic merge (Levenshtein, Jaro-Winkler, IP/device fingerprint). Apply operator-counsel-maintained survivorship rules. Version every merge for auditability. Support rollback. Hand off to the customer-data-graph skill.
Per-cross-banner tier reconciliation. Apply operator-counsel-approved resolution rules (higher-tier-wins, most-recent-tier-wins, banner-of-origin-wins, portfolio- master-tier-wins, corporate-override). Implement tier bridge and tier conversion rate. Emit tier audit record.
Per-cross-banner points reconciliation. Apply cross-banner points conversion rate. Merge expiration policies. Track burn rate against ASC 606 deferred-revenue projections. Track points liability. Apply rounding-rule resolution. Emit points audit record.
Per-cross-banner reward reconciliation. Apply cross-banner reward eligibility merge. Merge cooldowns. Route fulfillment respecting FDD territorial-protection rules. Apply suppression. Emit reward audit record.
Per-banner policy engine. Version policy bundles on OPA Rego, AWS Cedar, Casbin, Cerbos, or Oso. Support rollback and A/B testing. Trace every decision. Surface explainability.
Per-jurisdiction compliance gate. Express the gate as policy-as-code. Encode the five distinctive anchors (ASC 606 deferred-revenue points liability, state subscription auto-renewal laws, state escheatment laws, FDD Item 12/17/19, CCPA/CPRA + GDPR + state-comprehensive-privacy) plus the broader compliance surface. Route to operator-chosen consent management (OneTrust, Cookiebot, Usercentrics, Didomi). Operator counsel reviews every rule update.
Feedback loop. Compare realized vs projected outcomes. Learn from corrections. Detect false-positive patterns. Tune cross-banner reconciliation, tier-conflict resolution, and points-reconciliation.
Cross-skill handoffs. Hand off to siblings on the loyalty-management agent (cross-location offer coordination, per-tier loyalty journey content, subscriber lifecycle cadence, tier transition timing, per-member next- best-action, per-member monthly CLV) and across the broader swarm (customer-data-graph, identity-resolution, consent management, brand-voice management, forbidden-phrase library, claims-allowlist substantiation, marketing-mix-modeling, per-location cross-channel attribution rollup).
Audit trail. Emit a per-event canonical audit record to operator-controlled WORM storage (AWS S3 Object Lock, GCS retention, Azure Blob immutable, Snowflake Time Travel) with per-statute retention windows operator counsel sets (IRS 7yr, FTC 7yr, SEC 6yr, SOX 7yr, state escheatment per-statute).

Frequently asked

What does cross-banner loyalty platform integration do that a single-banner loyalty platform account does not?

Loyalty platforms (Yotpo, Smile.io, LoyaltyLion, Annex Cloud, Punchh, Paytronix, Open Loyalty, Antavo, Friendbuy, Talon.One, Voucherify, Capillary, LoyaltyPlus, Eagle Eye, Brierley, Comarch, Epsilon Agility) ship strong primitives for per-account per-loyalty-program per-member operations. Identity resolution vendors (Tealium, Segment, mParticle, RudderStack) ship strong primitives for per-event identity stitching. Consent management vendors (OneTrust, Cookiebot, Usercentrics, Didomi) ship strong primitives for per-jurisdiction consent capture. Policy-as-code vendors (OPA Rego, AWS Cedar, Casbin, Cerbos, Oso) ship strong primitives for authorization decisions. Cross-banner loyalty platform integration sits above this layer for multi-banner franchise operators running more than one loyalty program across more than one banner, and adds: a per-vendor loyalty API ingestion layer that handles per-vendor authentication (OAuth 2.0, API key, HMAC-SHA-256 signature, mTLS), rate-limit, pagination, retry, dead-letter queue, poll-cadence (real-time, hourly, daily, weekly), batch-vs-stream, replay, and schema-evolution; a per-event webhook reliability layer with HMAC-SHA-256 signature verification, idempotency-key handling, deduplication, replay, retry, dead-letter queue, cross-vendor deduplication, out-of-order handling, and late-arrival handling across the standard loyalty event surface (member-enrolled, points-earned, points-redeemed, tier-promoted, tier-demoted, reward-issued, reward-claimed, reward-expired, member-suppressed, member-unsubscribed); a per-banner member master-record merge layer with deterministic merge (shared email SHA-256 hash, shared phone E.164, shared loyalty ID, shared payment token, shared customer ID), probabilistic merge (Levenshtein, Jaro-Winkler, IP/device fingerprint), cross-banner merge, survivorship rules, versioning, rollback, and handoff to the customer-data-graph skill; a per-cross-banner tier reconciliation layer that resolves tier conflicts (Brand-A Gold vs Brand-B Silver) via operator-counsel-approved resolution rules (higher-tier-wins, most-recent-tier-wins, banner-of-origin-wins, portfolio-master-tier-wins, corp-override), tier bridge, tier conversion rate, and tier audit record; a per-cross-banner points reconciliation layer that handles cross-banner points conversion rate, expiration-policy merge, burn-rate tracking, liability tracking, rounding rule, and audit record; a per-cross-banner reward reconciliation layer that handles cross-banner reward eligibility merge, cooldown merge, fulfillment routing, suppression, and audit record; a per-banner policy engine with policy-bundle versioning, rollback, A/B testing, decision tracing, and decision explainability; a per-jurisdiction compliance gate (covered in the next answer); a feedback loop comparing realized vs projected outcomes with pattern learning, false-positive pattern learning, cross-banner reconciliation tuning, tier-conflict resolution tuning, and points-reconciliation tuning; and a per-event canonical audit record to operator-controlled WORM storage at per-statute retention windows.

What are the operationally distinctive compliance anchors for cross-banner loyalty platform integration, and how does the per-jurisdiction compliance gate cover them?

Five anchors sit at the operational center of cross-banner loyalty platform integration that off-the-shelf single-banner loyalty compliance overlays often miss. Anchor 1 — GAAP ASC 606 + IFRS 15 deferred-revenue treatment of cross-banner points liability. Loyalty points create a performance obligation that must be deferred under ASC 606 and IFRS 15 until earned or expired; cross-banner programs aggregate liability across banners and require consolidated tracking, burn-rate analysis, and breakage estimation. The per-jurisdiction gate emits the points-liability record at every transaction and ties it to the operator finance accounting workflow. Anchor 2 — state subscription auto-renewal laws + ROSCA + FTC Click-to-Cancel + California Automatic Renewal Law when loyalty tiers or rewards trigger subscription billing. State auto-renewal laws vary in disclosure, consent, and cancellation requirements; the per-jurisdiction gate routes loyalty-triggered subscription billing to the operator-counsel-approved disclosure workflow. Anchor 3 — state escheatment laws / unclaimed-property statutes. Expired loyalty points and unredeemed rewards may fall under state escheatment when they remain unclaimed within statutory windows that vary by state; the per-jurisdiction gate emits the unclaimed-points record at expiration so operator counsel can manage state-by-state escheatment filings. Anchor 4 — FDD Item 12 (territorial protection), Item 17 (renewal/termination/transfer), and Item 19 (financial-performance representation) when cross-banner loyalty programs affect franchisee revenue. Cross-banner reward fulfillment routing that shifts revenue between franchisees, and cross-banner points liability that affects franchisee P&L, route to operator-counsel-reviewed FDD-aware workflows. Anchor 5 — CCPA/CPRA + GDPR + the five-state US comprehensive privacy laws (Connecticut CTDPA, Texas DPSA, Virginia CDPA, Colorado CPA, Utah CPA) plus the additional state privacy laws now in effect, when cross-banner merge joins customer identity. Cross-banner identity merge is a privacy event that operator counsel reviews; the per-jurisdiction gate routes consent verification, DSAR handling, and right-to-erasure handling through the operator-chosen consent management vendor (OneTrust, Cookiebot, Usercentrics, Didomi). Beyond the five anchors, the per-jurisdiction gate also covers CASL (Canadian opt-in), PIPEDA, LGPD (Brazil), DPDP (India), CAN-SPAM, TCPA, A2P 10DLC TCR registration for SMS, FTC Endorsement Guides 2024 when loyalty-program endorsements surface, FTC substantiation doctrine for loyalty-program claims, FINRA Rule 2210 when loyalty rewards touch investment-grade contexts, HIPAA when loyalty programs involve PHI, state cannabis-board loyalty rules in adult-use jurisdictions, alcohol DISCUS tied-house rules, tobacco FDA prohibitions, NIST AI RMF + ISO 42001 when AI drives loyalty decisioning, SOC 2 Type II + ISO 27001 for the integration infrastructure, PCI DSS 4.0 when payment tokens flow through merge. The gate is policy-as-code on OPA Rego, AWS Cedar, Casbin, Cerbos, or Oso, with operator counsel reviewing rule updates.

How do the per-vendor API ingestion, per-event webhook reliability, and per-banner member master-record merge layers actually work?

The per-vendor API ingestion layer normalizes the operator-chosen loyalty-platform surface. Each vendor exposes a different authentication scheme (OAuth 2.0, API key, HMAC-SHA-256 signature, mTLS), rate-limit policy, pagination model, and webhook contract. The ingestion layer encapsulates per-vendor details behind a canonical event stream with operator-configured cadence (real-time, hourly, daily, weekly), per-vendor retry and dead-letter queue handling, batch-vs-stream selection, replay capability, and schema-evolution tolerance. The per-event webhook reliability layer verifies HMAC-SHA-256 signatures, applies idempotency keys, deduplicates within and across vendors, handles out-of-order and late-arrival events, replays from the dead-letter queue when needed, and emits a single canonical event stream covering member enrollment, points earned, points redeemed, tier promotion, tier demotion, reward issuance, reward claim, reward expiration, member suppression, and member unsubscribe. The per-banner member master-record merge layer combines deterministic and probabilistic identity resolution. Deterministic merge consumes shared email SHA-256 hashes, shared phone numbers in E.164 format, shared loyalty IDs, shared payment tokens, and shared customer IDs. Probabilistic merge consumes Levenshtein and Jaro-Winkler string similarity, IP and device fingerprints. Survivorship rules operator counsel maintains determine which banner version wins on a per-field basis. Versioning and rollback preserve auditability. The handoff to the customer-data-graph skill carries the merged master record downstream.

How do the per-cross-banner tier/points/reward reconciliation layers, per-banner policy engine, and cross-skill handoffs coordinate with the rest of the swarm?

The per-cross-banner tier reconciliation layer resolves tier conflicts that arise when the same member holds different tiers across banners. Operator-counsel-approved resolution rules choose between higher-tier-wins, most-recent-tier-wins, banner-of-origin-wins, portfolio-master-tier-wins, and corporate-override patterns. A tier bridge and tier conversion rate normalize across banner-specific tier structures. The per-cross-banner points reconciliation layer handles cross-banner points conversion rates, expiration-policy merge across banners, burn-rate tracking against ASC 606 deferred-revenue projections, liability tracking, rounding-rule resolution, and the audit record. The per-cross-banner reward reconciliation layer handles cross-banner reward eligibility merge, cooldown merge to prevent abuse, fulfillment routing that respects FDD territorial-protection rules, suppression for compliance reasons, and the audit record. The per-banner policy engine versions policy bundles, supports rollback and A/B testing of policy changes, traces every decision, and surfaces explainability. The skill hands off to siblings on the loyalty-management agent (cross-location offer coordination, per-tier loyalty journey content, subscriber lifecycle cadence, tier transition timing, per-member next-best-action, per-member monthly CLV) and across the broader swarm (customer-data-graph, identity-resolution, consent management, brand-voice management, forbidden-phrase library, claims-allowlist substantiation, marketing-mix-modeling, per-location cross-channel attribution rollup).

What does Completions report on a Tier 3 engagement that covers cross-banner loyalty platform integration?

Tier 3 engagements report against a pre-engagement baseline that the Tier 1 assessment establishes for the operator stack. The reporting cycle covers six workstreams: (1) per-vendor API ingestion coverage observed across the operator loyalty-platform surface, with per-vendor authentication conformance, rate-limit consumption, retry exhaustion, and DLQ depth diagnostics reported; (2) per-event webhook reliability observed across the standard loyalty event taxonomy, with signature-verification rate, idempotency-key application rate, dedup precision/recall, and out-of-order/late-arrival handling diagnostics reported; (3) per-banner member master-record merge surface observed across deterministic and probabilistic identity resolution, with per-rule precision/recall against operator-labeled holdouts and survivorship-rule conflict diagnostics reported; (4) per-cross-banner tier/points/reward reconciliation surface observed against operator-counsel-approved resolution rules, with per-rule conflict-resolution diagnostics and ASC 606 deferred-revenue points-liability reconciliation reported; (5) per-banner policy-engine surface observed across policy-bundle version + rollback + A/B test + decision tracing + explainability, with per-policy-bundle drift diagnostics reported; (6) per-jurisdiction compliance gate pass rate observed across ASC 606 + IFRS 15 + state subscription auto-renewal laws + ROSCA + FTC Click-to-Cancel + California ARL + state escheatment laws + FDD Item 12/17/19 + CCPA/CPRA + GDPR + state-comprehensive-privacy + CASL + PIPEDA + LGPD + DPDP + CAN-SPAM + TCPA + 10DLC + FTC Endorsement Guides + FTC substantiation + FINRA Rule 2210 + HIPAA + state cannabis-board + alcohol DISCUS + tobacco FDA + NIST AI RMF + ISO 42001 + SOC 2 Type II + ISO 27001 + PCI DSS 4.0 scope. Caveats: loyalty-vendor API rate limits + per-vendor webhook delivery cadence + identity-resolution-vendor availability + consent-management-vendor availability + per-statute retention windows shifting with operator counsel policy + state-by-state escheatment statute amendments + state-comprehensive-privacy statute amendments sit outside Completions control and are reported alongside observed performance; attorney-client privilege on counsel-reviewed survivorship rules, tier-conflict resolution rules, FDD Item 12/17/19 disclosure rules, ASC 606 points-liability accounting policy, and state-escheatment filing rules is preserved through every layer. Completions does not commit to fixed numeric SLAs on ingestion coverage, dedup precision, identity-resolution precision/recall, reconciliation accuracy, or compliance pass rate when those KPIs depend on vendor performance, regulatory cadence, or counsel policy decisions.

Engage Completions

Start with the AI Readiness Assessment (Tier 1, 2-3 weeks, $10k). If the operation is ready to absorb the loyalty-platform- integration skill on the loyalty-management agent, the assessment hands off to the AI Swarm Setup Sprint (Tier 2, 4-8 weeks, $25-50k). If the operation needs ongoing orchestration after Tier 2 hand-off, the skill continues under Fractional CMO with AI Swarm (Tier 3, 6-month minimum, $15-25k/month, 1-2 days/wk embedded). Operator owns every artifact at every tier. Operator can in-house at any time.