Agency Client Onboarding Checklist: Brand Assets and Digital Certificates

The onboarding moment is the best time to capture everything. When a new client relationship starts, you have maximum access, maximum attention from the client, and maximum goodwill to ask for assets and information. Four months in, requests for domain registrar credentials or brand asset inventories become friction. At the start, they are expected.

This checklist covers the six phases of a complete brand asset and monitoring onboarding. It is designed for agencies that manage client websites, brand assets, and digital presence as a service — not just campaign agencies that produce content without ongoing operational responsibility.

Why the Onboarding Moment Is Critical

Most SSL incidents in agency portfolios are preventable. The certificate was expiring and no one knew about it because monitoring was never set up. The domain was registered to a former employee's personal email and there was no way to renew it because no one captured that information at onboarding. The brand asset was in a folder on a laptop that left the company.

The onboarding phase is when you prevent these incidents — not reactively with monitoring alone, but proactively by capturing the information, access credentials, and asset inventory that make monitoring meaningful.

An agency that completes this checklist at client onboarding has:

Full visibility into all domains, subdomains, and certificates
Documented brand asset inventory with verifiable custody
Monitoring configured against real scope (not assumed scope)
A baseline report the client can reference at any time
Clear escalation paths when something goes wrong

Phase 1: Domain and SSL Inventory

Complete this before configuring any monitoring. You cannot monitor what you do not know about.

Domain discovery:

Ask the client for all registered domains they own (not just the primary one)
Request access to their domain registrar account or ask for a screenshot of the domain list
Note the registrar name, registrant email, and expiry date for each domain
Identify which domains are actively used vs. parked or redirected
Identify which domains you are responsible for vs. managed by another party (IT team, prior agency, developer)

Subdomain inventory:

List all subdomains in active use (staging, portal, shop, blog, app, api, mail)
For each subdomain, confirm whether it has its own SSL certificate (separate from the apex domain)
Note any subdomains managed by third-party services (a CDN, a SaaS platform, a form tool that uses a client subdomain)

SSL certificate audit:

For each domain and subdomain: check current certificate validity and expiry date
Check certificate issuer (Let's Encrypt, DigiCert, Comodo, etc.) — this tells you where renewal happens
Check who controls renewal — the hosting provider, the client's IT team, you, or an automated process
Flag any certificates expiring within 60 days for immediate action

Registrar access:

Confirm whether the agency needs registrar access for domain management
If yes: obtain credentials or request invitation to registrar account
If client manages: confirm client has renewal notifications enabled and the notification address is active

Phase 2: Brand Asset Inventory

This phase covers the assets you need to protect and potentially issue digital certificates for.

Logo and brand mark inventory:

Collect all official logo files (vector SVG/AI, high-res PNG, variations: color/mono/reversed)
Note the last official revision date for each asset
Confirm which assets are approved for external use vs. internal only
Ask whether any logo variations are licensed to third parties (resellers, affiliates, co-brand partners)

Brand guidelines:

Request the brand guidelines document (PDF or URL)
Note whether brand guidelines include usage restrictions relevant to your scope (size minimums, exclusion zones, unapproved color combinations)
Confirm who approves exceptions to brand guidelines

Trademark and IP documentation:

Ask whether the brand name or logo is trademarked
If yes: note trademark registration numbers and jurisdictions
Ask whether there are known cases of brand asset misuse or unauthorized use the client is aware of

Digital asset storage:

Where are brand assets currently stored? (Dropbox, Google Drive, DAM system, server folder, email)
Who has access to the source files?
Is there a defined process for version control or asset updates?

Phase 3: Digital Certificate Setup

Digital certificates provide verifiable proof of brand asset authenticity and custody. This phase covers issuing and configuring certificates for the client's primary brand assets.

Certificate issuance:

Log into app.merlonix.com and confirm client account is created
Navigate to Attestations → Issue Certificate for the client
Issue a certificate for the primary logo (SVG or PNG — use the highest-fidelity version)
Issue certificates for any additional assets that need verifiable custody documentation (brand marks, product imagery, campaign assets, licensed content)
Download each certificate and the associated verification record
Store certificates alongside the assets they attest (same folder/DAM location)

Certificate delivery to client:

Send the client a summary of certificates issued (asset name, certificate ID, issue date)
Explain what the certificate proves and how to verify it: the client can share the certificate ID with a third party who can verify authenticity via the public verification endpoint
Note the certificate ID in your client record for future reference

Certificate renewal planning:

Certificates issued through Merlonix are tied to the asset file hash — if the asset is updated, a new certificate is needed
Agree with the client on the process for re-certification when brand assets are updated (annual review, or triggered by asset update)

Phase 4: Monitoring Configuration

With the domain inventory complete and asset certificates issued, configure monitoring to cover the full scope.

SSL monitoring:

Add all domains and active subdomains to the client's Merlonix account
Confirm first-check results look correct (no unexpected warning or critical states)
Set SSL expiry thresholds appropriate for this client's renewal process:
- Standard: 30-day warning, 14-day critical
- Complex renewal (third-party IT, manual process): 45-day warning, 21-day critical
- Automated renewal (Let's Encrypt with certbot): 14-day warning, 7-day critical

DNS monitoring:

Enable A record monitoring for all domains
Enable MX record monitoring if email deliverability is in scope
Enable CNAME monitoring for CDN-routed domains

Domain registration monitoring:

Confirm domain expiry monitoring is active for all registered domains
Set expiry warning threshold: 60 days minimum; 90 days for clients who renew manually or through a slow procurement process

Vendor monitoring (if applicable):

List third-party services embedded in client sites (payment processor, analytics, form tool, CDN, live chat)
Add key vendors to vendor monitoring if they have material impact on the client's site function
Configure vendor alert routing to match internal escalation scope

Alert routing:

Confirm internal alert email is configured for this client
Confirm client-facing alert routing (if part of service agreement)
Configure Slack routing if applicable
Test alert delivery: use the Send Test Alert function in the client's alert settings

Phase 5: Reporting Setup

The client-facing report is the product the client receives each month. Configure it at onboarding so the first scheduled report arrives automatically.

Report configuration:

Navigate to Reports → Schedule for the client
Set delivery frequency: monthly is standard; quarterly is acceptable for low-complexity clients
Set delivery timing: 3–5 days before the client billing date (gives you a review window)
Confirm delivery address: client's primary contact email + internal agency address
Set report scope: confirm which domains and asset types appear in the report

First baseline report:

Generate the first report manually immediately after setup
Review the report for accuracy: correct domains, correct asset certificates, correct alert history (empty at first)
Send the first report to the client with a brief covering note explaining what it covers and what they should do if they have questions

Report branding (if white-label is part of your service offering):

Configure agency name or client-facing service name in report header
Upload agency logo if applicable
Confirm report footer contact information is correct

Phase 6: Client Communication and Handoff

Complete onboarding ends with confirming that the client understands what monitoring is in place, what they will receive, and who to contact when something goes wrong.

Client briefing:

Send a short written summary: what domains are monitored, what the alert thresholds are, when reports are delivered
Explain what happens when a critical alert fires: who gets notified, what the expected response time is, what action you take
Confirm the client's preferred escalation contact for situations that require client action (certificate renewal that requires registrar access, domain transfer, brand asset update)

Internal documentation:

Update your internal client record with: all domain names and registrars, registrar credentials or contact, brand asset storage location, certificate IDs issued, monitoring configuration notes
Schedule a 30-day review on your calendar to confirm monitoring is running correctly and the first report was delivered and acknowledged

Escalation paths:

Confirm who at the client handles SSL certificate renewals (hosting provider, IT, the client themselves)
Confirm who handles domain renewals
Confirm who has access to change DNS records if an emergency record correction is needed

Condensed Checklist (Quick Reference)

Phase 1 — Domain inventory

All registered domains listed and confirmed
Subdomain inventory complete
SSL certificates audited with expiry dates
Registrar access or contacts confirmed

Phase 2 — Brand asset inventory

Logo files collected (vector + PNG)
Brand guidelines documented
Trademark status confirmed
Asset storage location documented

Phase 3 — Digital certificates

Client account created in Merlonix
Certificates issued for primary brand assets
Certificates delivered to client
Re-certification process agreed

Phase 4 — Monitoring

All domains and subdomains added
SSL thresholds configured
DNS monitoring enabled
Domain expiry monitoring confirmed
Alert routing tested

Phase 5 — Reporting

Report schedule configured
First baseline report generated and reviewed
First report delivered to client

Phase 6 — Handoff

Client briefed on monitoring scope and escalation
Internal record updated
30-day review scheduled

Time Estimate

A complete onboarding for a single client takes 45–90 minutes, depending on the number of domains and assets. The bulk of the time is Phase 1 (domain discovery) and Phase 3 (certificate issuance). Phases 4–6 are mechanical once the inventory is complete.

For a new client relationship where you have good access and cooperation, the full checklist can be completed in a single onboarding session. For clients with complex domain portfolios or disorganized asset storage, plan for two sessions: one for discovery and one for configuration.