Audit fixtures

Fictional audit users and realistic QA commands are available on the public domain.

All records below are fictional, privacy-safe, and designed for QA, demo, and audit evidence only. They model realistic learners, creators, staff, managers, and guardians without using real personal data or production identities.

Review account catalog Review user commands Open support View status

Accounts17

Fictional user records spanning guest, learner, creator, staff, guardian, and enterprise contexts.

Commands45

Realistic user-intent scripts covering onboarding, learning, privacy, support, billing, and failure modes.

Journey types8

Every required journey class is represented in the command library.

Edge flags23

Accessibility, low-bandwidth, minors, privacy-rights, suspicious-login, and billing edge cases are included.

How to use this fixture set

These accounts are fictional fixtures for QA, demos, and audit evidence only.
All identifiers are synthetic and must stay out of production as real user records.
Commands are written as testable user intents and should be mapped to screenshots, logs, or tickets during validation.

This route is public for audit transparency, but it is intentionally marked noindex so it can support QA and partner review without being treated as marketing copy. For operational context, see the status page, support page, and accessibility page.

Role coverage

Guest and anonymous: 1 accounts
Learners: 10 accounts
Instructors and creators: 2 accounts
Admin and support: 2 accounts
Managers and guardians: 2 accounts

Assumptions

The learning platform supports first-party email/password accounts, and optional MFA or SSO may exist depending on the environment.
Some commercial flows may be partner-scoped rather than public self-serve, so purchase-related commands can be executed as simulated or manual-review workflows in QA.
Privacy-rights flows such as export and delete are either implemented or required for audit readiness.
Minor accounts require guardian review, reduced communication scope, or a documented equivalent safeguard.
Instructor, support, trust-and-safety, and manager roles should remain distinct so least-privilege checks can be audited explicitly.

Account catalog

The catalog below uses synthetic names, synthetic phone numbers, and reserved-domain email addresses. It is designed to support role realism, not impersonation.

AC-01 | Guest and anonymousTess Drift

Guest prospect

anonymous_sessionpublic-preview

Preview a lesson and compare the curriculum before creating an account.
Understand what is public, what requires signup, and what data is stored in a guest session.

Device: Shared Windows laptop

Connectivity: Public Wi-Fi

Locale: en-US

Timezone: America/Denver

Language: English

Org: none

User ID: guest_ql_001

Email: none

Phone: none

Risk flags

shared-devicecookie-choice-sensitive

AC-02 | LearnersMira Fen

Learner, new

unverifiedfree

Create a first account from mobile and verify the email flow without confusion.
Enroll in an introductory module quickly after signup.

Device: Android phone

Connectivity: Intermittent 4G

Locale: en-US

Timezone: America/Chicago

Language: English

Org: none

User ID: usr_ql_002

Email: mira.fen@ql.test

Phone: +1-555-010-1002

Enrollments

QC+AI Overview and the NISQ Reality

Risk flags

first-login-friction

AC-03 | LearnersOren Clave

Learner, returning paid pilot

activepaid-pilot

Resume lessons across desktop and tablet without losing progress.
Keep receipts, certificates, and billing records consistent across renewals.

Device: MacBook Air

Connectivity: Home broadband

Locale: en-US

Timezone: America/Los_Angeles

Language: English

Org: none

User ID: usr_ql_003

Email: oren.clave@ql.test

Phone: +1-555-010-1003

Enrollments

QC+AI Overview and the NISQ Reality
Intermediate Quantum Programming
Advanced Quantum Software Development

Risk flags

unsubscribed-marketing

AC-04 | LearnersSana Iver

Learner, scholarship

activescholarship

Use scholarship-funded access without billing friction.
Complete a practical learning path tied to career transition goals.

Device: Chromebook

Connectivity: School Wi-Fi

Locale: en-GB

Timezone: Europe/London

Language: English

Org: none

User ID: usr_ql_004

Email: sana.iver@ql.test

Phone: +1-555-010-1004

Accessibility

captions-preferred

Enrollments

Hardware-Constrained QC+AI Models
Quantum Finance Programming and Optimization

Risk flags

financial-aid-sensitive

AC-05 | LearnersJae Tolland

Learner, low bandwidth

activefree

Stream lessons on a weak mobile connection and save files for offline reading.
Finish checkpoints during a commute without repeated session loss.

Device: Low-end Android phone

Connectivity: Unstable 3G

Locale: en-US

Timezone: America/New_York

Language: English

Org: none

User ID: usr_ql_005

Email: jae.tolland@ql.test

Phone: +1-555-010-1005

Accessibility

reduced-motion-preferred

Enrollments

Introduction to Hardware-Constrained Learning

Risk flags

low-bandwidth

AC-06 | LearnersAri Solen

Learner, accessibility-critical

activepaid-pilot

Complete lessons and quizzes using keyboard and screen reader only.
Confirm that captions, transcripts, and focus management hold across dynamic flows.

Device: Windows laptop

Connectivity: Broadband

Locale: en-US

Timezone: America/Phoenix

Language: English

Org: none

User ID: usr_ql_006

Email: ari.solen@ql.test

Phone: +1-555-010-1006

Accessibility

screen-readerkeyboard-onlyhigh-contrastcaptions-required

Enrollments

Intermediate Quantum Programming
QC+AI Builder Practice

Risk flags

accessibility-critical

AC-07 | LearnersTomas Quill

Learner, renewal failed

grace-periodpaid-pilot-renewal-failed

Recover access after a payment failure without losing progress.
Understand the grace period and invoice status clearly.

Device: iPad

Connectivity: Home Wi-Fi

Locale: en-US

Timezone: America/Seattle

Language: English

Org: none

User ID: usr_ql_007

Email: tomas.quill@ql.test

Phone: +1-555-010-1007

Enrollments

Quantum Finance Programming and Optimization

Risk flags

payment-retry-open

AC-08 | LearnersLina Voss

Learner, privacy-sensitive

activepaid-pilot

Export learning data and understand exactly what is retained.
Use the product in English while living under GDPR-sensitive expectations.

Device: Linux laptop

Connectivity: Fiber broadband

Locale: de-DE

Timezone: Europe/Berlin

Language: German and English

Org: none

User ID: usr_ql_008

Email: lina.voss@ql.test

Phone: +1-555-010-1008

Enrollments

QC+AI Overview and the NISQ Reality

Risk flags

gdpr-request-openpii-sensitive

AC-09 | LearnersNoa Kest

Learner, minor

pending-consentminor-trial

Start only after guardian approval is recorded.
Use age-appropriate communication settings and restricted community access.

Device: School iPad

Connectivity: Managed school Wi-Fi

Locale: en-US

Timezone: America/Denver

Language: English

Org: none

User ID: usr_ql_009

Email: noa.kest@ql.test

Phone: +1-555-010-1009

Accessibility

dyslexia-friendly-spacing-preferred

Enrollments

QC+AI Overview and the NISQ Reality

Risk flags

minor-flaggedconsent-required

AC-10 | LearnersRin Halden

Learner, locked after suspicious login

lockedpaid-pilot

Regain access safely after a suspicious-login alert.
Verify that stale sessions can be revoked without losing course work.

Device: Windows desktop

Connectivity: Broadband

Locale: en-US

Timezone: America/Atlanta

Language: English

Org: none

User ID: usr_ql_010

Email: rin.halden@ql.test

Phone: +1-555-010-1010

Enrollments

Advanced Quantum Software Development

Risk flags

suspicious-loginrisk-review

AC-11 | LearnersPax Merrin

Learner, duplicate-email edge case

active-with-merge-reviewtrial-expired

Resolve a duplicate-email or alias conflict without creating a second identity.
Keep notification preferences and deletion choices intact after account cleanup.

Device: Android phone

Connectivity: LTE

Locale: en-US

Timezone: America/Toronto

Language: English

Org: none

User ID: usr_ql_011

Email: pax.merrin@ql.test

Phone: +1-555-010-1011

Risk flags

duplicate-email-reviewccpa-delete-interestunsubscribed-marketing

AC-12 | Instructors and creatorsNia Calder

Instructor and course creator

activecreator-pro

Publish an accessible cohort course with clear prerequisites and pricing metadata.
Monitor learner progress using privacy-safe analytics.

Device: MacBook Pro

Connectivity: Broadband

Locale: en-US

Timezone: America/Chicago

Language: English

Org: none

User ID: usr_ql_012

Email: nia.calder@ql.test

Phone: +1-555-010-1012

Accessibility

captions-required-for-all-uploads

Enrollments

Author of Team Skills Studio

Risk flags

content-publisher

AC-13 | Instructors and creatorsPavel Sorrel

Instructor under moderation review

review-holdcreator-trial

Revise flagged content and resolve policy or IP concerns fairly.
Retain audit history of revisions and takedown decisions.

Device: Windows laptop

Connectivity: Broadband

Locale: en-GB

Timezone: Europe/Dublin

Language: English

Org: none

User ID: usr_ql_013

Email: pavel.sorrel@ql.test

Phone: +1-555-010-1013

Enrollments

Author of Responsible AI Writing Lab

Risk flags

moderation-review

AC-14 | Admin and supportDaria Flint

Support agent

active-staffsupport-console

Resolve billing, auth, and privacy tickets with least-privilege access.
Leave a clean, auditable trail for every user-visible action.

Device: Managed Windows workstation

Connectivity: Office network

Locale: en-US

Timezone: America/New_York

Language: English

Org: org_staff_support

User ID: usr_ql_014

Email: daria.flint@ql.test

Phone: +1-555-010-1014

Risk flags

privileged-staff

AC-15 | Admin and supportIvo Mercer

Trust and safety admin

active-stafftrust-safety-console

Handle moderation, ban appeals, and security disclosures with clear escalation paths.
Avoid overbroad actions and preserve evidence for review.

Device: Managed MacBook

Connectivity: Office VPN

Locale: en-US

Timezone: America/Los_Angeles

Language: English

Org: org_staff_trust

User ID: usr_ql_015

Email: ivo.mercer@ql.test

Phone: +1-555-010-1015

Risk flags

high-privilege

AC-16 | Managers and guardiansCorin Vale

Enterprise and team manager

activeenterprise-admin

Roll out a controlled team learning program with SSO, seat governance, and privacy-safe reporting.
Understand billing, procurement, and support commitments before expanding usage.

Device: Corporate ThinkPad

Connectivity: Office broadband

Locale: en-US

Timezone: America/Denver

Language: English

Org: org_ql_016

User ID: usr_ql_016

Email: corin.vale@ql.test

Phone: +1-555-010-1016

Enrollments

Enterprise learning path owner

Risk flags

org-admininvoice-sensitive

AC-17 | Managers and guardiansHela Kest

Parent and guardian

active-guardianguardian-portal

Grant and revoke consent for a linked minor learner without ambiguity.
Monitor progress and privacy choices for the linked child account only.

Device: iPhone

Connectivity: Home Wi-Fi

Locale: en-US

Timezone: America/Denver

Language: English

Org: none

User ID: usr_ql_017

Email: hela.kest@ql.test

Phone: +1-555-010-1017

Accessibility

large-text-preferred

Enrollments

Linked to AC-09 only

Risk flags

consent-authoritypii-sensitive

Command coverage by role cluster

Command cluster12

Learners commands with success and failure paths.

Command cluster11

Instructors and creators commands with success and failure paths.

Command cluster11

Admin and support commands with success and failure paths.

Command cluster11

Managers and guardians commands with success and failure paths.

Onboarding and authenticationDiscovery, enrollment, and purchaseLearning experienceContent creation and moderationSupport operationsData rights and privacyNotifications and preferencesError and recovery paths

User commands

Each command below is a realistic user intent with preconditions, expected outcomes, a negative or edge variant, and an explicit audit focus. The goal is to make walkthroughs reproducible and evidence-friendly.

Learners

L-01As a guest, I want to preview Module 1, save it for later, and then create an account without losing the preview trail.

Accounts: AC-01, AC-02

Audit focus: ux, privacy, security

Journey categories

Onboarding and authenticationDiscovery, enrollment, and purchase

Preconditions

Guest preview is enabled for at least one lesson or module card.
A guest session can store a lightweight wishlist or recently viewed item.

Expected outcome

Public content stays public and gated content stays gated.
The signup flow explains whether guest state will migrate or reset.
After account creation, the saved module context is preserved or clearly disclosed as non-portable.

Negative or edge variant

Guest cookies are blocked or expired, so the user is told exactly what will not carry over instead of silently losing state.

L-02I want to sign up on my phone, verify my email, and retry safely if the first link expires.

Accounts: AC-02

Audit focus: ux, security, reliability

Journey categories

Onboarding and authenticationError and recovery paths

Preconditions

Email signup is enabled in the test environment.
Verification emails are captured in a test mailbox or sink.

Expected outcome

The account is created in an unverified state with clear next-step guidance.
The first valid verification link succeeds and activates the account.
A resend flow exists and does not create duplicate accounts.

Negative or edge variant

The user taps an expired or already-used link and gets a safe resend path instead of a generic failure page.

L-03I want to sign in from a new laptop, review the new-device warning, and turn on MFA for future logins.

Accounts: AC-03

Audit focus: security, ux

Journey categories

Onboarding and authenticationError and recovery paths

Preconditions

The account is active and has at least one prior device or session on record.
MFA enrollment is available in the test environment if the product supports it.

Expected outcome

The login flow succeeds only after the required step-up checks complete.
The new-device event is visible in account security history or notification copy.
MFA setup is confirmed without locking the user out of the current session.

Negative or edge variant

Repeated bad codes or passwords trigger rate-limited messaging without leaking whether the account exists.

L-04I forgot my password, my first reset link expired, and I still need a safe recovery path without bypassing identity checks.

Accounts: AC-03, AC-10

Audit focus: security, ux, reliability

Journey categories

Onboarding and authenticationSupport operationsError and recovery paths

Preconditions

Password reset is enabled and sends a one-time or short-lived link.
Support-assisted recovery exists or is intentionally unavailable with clear policy text.

Expected outcome

The expired link is rejected cleanly.
A new reset can be requested without creating multiple conflicting recovery states.
If mailbox access is unavailable, the product routes the user to the documented recovery channel.

Negative or edge variant

The user clicks a stale reset link from another device and the system must fail closed without confusing cross-session behavior.

L-05I want to compare plan details, apply a scholarship or pilot discount, and enroll in Intermediate Quantum Programming.

Accounts: AC-03, AC-04

Audit focus: ux, billing, trust

Journey categories

Discovery, enrollment, and purchaseSupport operations

Preconditions

The environment exposes either self-serve billing or a partner-scoped price simulation.
At least one valid and one invalid discount or scholarship code are configured.

Expected outcome

Price, discount, entitlement scope, and any refund or billing note are visible before confirmation.
The enrollment result matches the selected plan or scholarship state.
A receipt, invoice, or enrollment confirmation is generated if applicable.

Negative or edge variant

An expired or invalid code does not apply silently and does not alter the final entitlement unexpectedly.

L-06My renewal failed. I want to update payment details, understand the grace period, and keep my course progress.

Accounts: AC-07

Audit focus: billing, ux, reliability

Journey categories

Discovery, enrollment, and purchaseSupport operationsError and recovery paths

Preconditions

The account is in a renewal-failed or grace-period state.
The billing UI or support handoff exposes the next required action.

Expected outcome

The user sees the renewal status, due amount, and access window clearly.
Updating the payment method or invoice route restores access without erasing progress.
Support or policy links explain what happens if payment is not recovered.

Negative or edge variant

A second payment failure must not double-charge the user or silently strip access without an explanation.

L-07I want to stream a lesson on a weak mobile connection, switch to a lighter mode, and save the document for offline reading.

Accounts: AC-05

Audit focus: performance, ux, reliability, accessibility

Journey categories

Learning experienceError and recovery paths

Preconditions

At least one lesson includes video plus a downloadable source asset.
The media player or asset list exposes quality or retry behavior where supported.

Expected outcome

Playback degrades gracefully or offers a fallback instead of freezing.
Downloadable assets are labeled clearly for offline reading.
The user can resume the lesson later without losing place unnecessarily.

Negative or edge variant

A stalled network request surfaces a retry state or fallback asset instead of leaving the user on a dead loading spinner.

L-08I want to complete a timed quiz using keyboard navigation, a screen reader, and clear focus states on every control.

Accounts: AC-06

Audit focus: accessibility, ux, reliability

Journey categories

Learning experienceError and recovery paths

Preconditions

A quiz flow exists with keyboard-reachable controls.
The environment supports screen reader and high-contrast checks.

Expected outcome

Focus order is predictable and all quiz controls are labeled.
Timer messaging, submission status, and validation errors are announced clearly.
Autosave or recovery behavior preserves answers if the page refreshes.

Negative or edge variant

Any focus trap, missing label, or inaccessible validation message is logged as a blocker instead of treated as cosmetic.

L-09After completing a module, I want the certificate, completion status, and any receipt or confirmation email to stay consistent.

Accounts: AC-03, AC-04

Audit focus: ux, reliability, trust

Journey categories

Learning experienceNotifications and preferences

Preconditions

A course or module completion threshold is configured.
Certificate issuance or completion badge logic is available in the test environment.

Expected outcome

Completion status matches the recorded progress.
The certificate or badge uses the correct learner identity and completion date.
Any follow-up notifications match the actual completion event.

Negative or edge variant

A recalculated quiz score or late sync must not revoke a certificate silently or produce a mismatched completion record.

L-10I want marketing emails off, course reminders on, and cookie choices to be respected across devices.

Accounts: AC-03, AC-11

Audit focus: privacy, ux

Journey categories

Notifications and preferencesData rights and privacy

Preconditions

The product distinguishes marketing from transactional or learning-critical notifications.
Cookie or analytics preferences are exposed if the product supports them.

Expected outcome

Granular preference settings persist after refresh and re-login.
Critical transactional notices remain appropriately scoped.
Preference screens explain what cannot be turned off and why.

Negative or edge variant

Unsubscribing from marketing must not disable password-reset, billing, or security notifications unintentionally.

L-11I want to export all of my learning data, support history, and receipts, then request account deletion with a retention explanation.

Accounts: AC-08, AC-11

Audit focus: privacy, security, trust

Journey categories

Data rights and privacySupport operations

Preconditions

Authenticated privacy-rights actions are available or routed to support.
The account has enough history to validate export completeness.

Expected outcome

The export includes the documented data categories for the user only.
Deletion explains what is removed immediately and what is retained by policy.
Active sessions are revoked after deletion is confirmed.

Negative or edge variant

The export omits a major data class or the deletion flow fails without telling the user what happened next.

L-12I received a suspicious-login warning. I want to review active sessions, sign out other devices, and recover the account safely.

Accounts: AC-10

Audit focus: security, ux, reliability

Journey categories

Onboarding and authenticationError and recovery paths

Preconditions

The account is locked or flagged after a suspicious event.
Session-management or forced re-authentication controls are available.

Expected outcome

The warning explains what triggered the lock or review state at a high level.
Current and prior sessions can be reviewed or revoked safely.
The account returns to a known-good state after recovery.

Negative or edge variant

Stale sessions survive the recovery flow or the user cannot tell whether the account is safe again.

Instructors and creators

I-01I want to activate a creator account, accept the content policy, and verify that I can publish only after the required checks are complete.

Accounts: AC-12

Audit focus: security, ux, moderation_governance

Journey categories

Onboarding and authenticationContent creation and moderation

Preconditions

Creator enrollment or role elevation is enabled in the test environment.
Content policy acceptance is required before publish rights are granted.

Expected outcome

The creator role is inactive until required steps are completed.
Policy acceptance is timestamped and visible in the creator record.
The UI distinguishes draft rights from publish rights clearly.

Negative or edge variant

A partially configured creator should not be able to publish or expose incomplete public metadata.

I-02I want to draft a new course with a title, syllabus, prerequisites, outcomes, and pilot pricing notes.

Accounts: AC-12

Audit focus: ux, reliability

Journey categories

Content creation and moderation

Preconditions

Draft authoring is enabled.
The course model supports required metadata and validation.

Expected outcome

Draft save works without data loss.
Missing required metadata is called out before publish.
The preview reflects the latest saved version.

Negative or edge variant

A required field such as prerequisites or entitlement scope must not fail silently during save or publish.

I-03I want to upload large videos and documents even if my connection drops midway through the upload.

Accounts: AC-12, AC-13

Audit focus: reliability, performance, ux

Journey categories

Content creation and moderationError and recovery paths

Preconditions

Large media or document upload is enabled.
At least one large file is available in the test environment.

Expected outcome

The upload flow resumes or retries without creating duplicate assets.
The creator can tell which version is current.
Partial or failed uploads do not become publicly visible.

Negative or edge variant

A dropped connection leaves an orphaned asset, duplicate attachment, or inconsistent file-type state.

I-04Before I publish, I want to add captions, transcripts, alt text, and download labels for every learner-facing asset.

Accounts: AC-12

Audit focus: accessibility, ux, trust

Journey categories

Content creation and moderationLearning experience

Preconditions

The course includes at least one video, one document, and one image or card-style visual.
Accessibility metadata fields are exposed in authoring.

Expected outcome

Accessibility fields are clearly attached to the relevant asset.
Publish warnings appear if required metadata is missing.
Learner views render the metadata correctly.

Negative or edge variant

A creator can publish inaccessible media with no warning or cannot tell which assets still lack accessibility metadata.

I-05I want to schedule a course release for 09:00 in the learner-facing timezone and receive a confirmation digest.

Accounts: AC-12

Audit focus: ux, reliability

Journey categories

Content creation and moderationNotifications and preferences

Preconditions

Scheduled publishing is enabled.
Course and account timezone settings are configurable.

Expected outcome

The schedule reflects an explicit timezone and release time.
Notifications or status indicators confirm when the release occurred.
Learner-facing availability matches the configured schedule.

Negative or edge variant

Daylight-saving or timezone mismatches cause content to publish early or late with no visible warning.

I-06I need to revise a published lesson without resetting learner progress, breaking bookmarks, or invalidating certificates.

Accounts: AC-12

Audit focus: reliability, ux, trust

Journey categories

Content creation and moderationLearning experience

Preconditions

A published lesson already has active learners and recorded progress.
Versioning or republish behavior is available.

Expected outcome

Learner progress is preserved or changes are explained explicitly.
Existing lesson links continue to resolve where intended.
A version or change log is recorded for auditability.

Negative or edge variant

Republishing unexpectedly restarts lessons, invalidates quiz attempts, or changes public slugs without redirection.

I-07I want to create a quiz with multiple attempts, time extensions, and explicit accommodations for accessibility-sensitive learners.

Accounts: AC-12, AC-06

Audit focus: accessibility, ux, reliability

Journey categories

Content creation and moderationLearning experience

Preconditions

Quiz authoring supports attempts, due dates, and accommodation overrides.
At least one learner profile can receive an accommodation rule in the test environment.

Expected outcome

The quiz rules are visible and saved correctly.
The accommodation applies only to the intended learner or cohort.
Learner-facing timing, messaging, and submission states stay consistent.

Negative or edge variant

Accommodation settings leak to unintended learners or are ignored for the targeted learner at runtime.

I-08A submission or lesson was flagged for plagiarism or AI-policy issues. I want to review the evidence and decide fairly.

Accounts: AC-13

Audit focus: moderation_governance, ux, trust

Journey categories

Content creation and moderationSupport operations

Preconditions

An integrity or policy flag exists on a learner submission or creator asset.
The relevant content policy is visible to the reviewer.

Expected outcome

Evidence, policy basis, and next actions are visible in one workflow.
The decision is logged and reversible through a documented appeal path.
Affected users receive a clear explanation without exposing internal-only notes.

Negative or edge variant

A false positive leaves the creator or learner with no context, no appeal path, or no retained evidence.

I-09I need to unpublish or takedown a lesson after an intellectual-property or policy complaint while preserving audit history.

Accounts: AC-13

Audit focus: moderation_governance, trust, reliability

Journey categories

Content creation and moderationSupport operations

Preconditions

A published asset is under complaint or review.
The creator has access to a takedown workflow or moderation handoff.

Expected outcome

The takedown action is logged with reason and timestamp.
Learners see an appropriate replacement or explanation if access changes.
Appeal or review status is visible to the creator.

Negative or edge variant

The lesson disappears abruptly with no trace, no communication, or no way to distinguish temporary hold from permanent removal.

I-10I want weekly creator analytics and course digests that help me improve teaching without exposing unnecessary learner PII.

Accounts: AC-12

Audit focus: privacy, ux, moderation_governance

Journey categories

Notifications and preferencesData rights and privacy

Preconditions

Creator analytics or digests are enabled.
At least one course has learner activity to summarize.

Expected outcome

Analytics are aggregate or scoped appropriately.
Notification cadence is configurable.
Exports or digests do not expose raw personal data that the creator does not need.

Negative or edge variant

The analytics view exposes support-only fields, sensitive user notes, or other data outside creator scope.

I-11I want to assign a reviewer or co-instructor to one draft course without giving them access to unrelated drafts or billing controls.

Accounts: AC-12

Audit focus: security, moderation_governance, ux

Journey categories

Content creation and moderationOnboarding and authentication

Preconditions

Reviewer or collaborator roles are supported in the test environment.
The creator owns more than one draft or published course.

Expected outcome

The collaborator receives only the intended scope.
Role boundaries are visible in the invitation or permissions UI.
All permission grants are logged.

Negative or edge variant

A collaborator gains access to unrelated courses, learner billing details, or creator-wide settings.

Admin and support

A-01A user says signup fails because the email already exists. I need to resolve a duplicate-email or alias conflict safely.

Accounts: AC-14, AC-11

Audit focus: security, ux, moderation_governance

Journey categories

Support operationsOnboarding and authentication

Preconditions

Support tooling exposes identity-safe duplicate-email diagnostics.
The user can verify ownership through an approved recovery path.

Expected outcome

The agent can distinguish existing account, alias conflict, and merge-review cases safely.
The user receives a precise next step without exposing another person's account state.
Any account merge or cleanup action is logged.

Negative or edge variant

The agent can accidentally merge the wrong records or disclose whether another user's account exists beyond policy.

A-02A learner was locked after a suspicious-login alert. I need to unlock the account only after the right verification steps are complete.

Accounts: AC-14, AC-10

Audit focus: security, reliability, trust

Journey categories

Support operationsOnboarding and authenticationError and recovery paths

Preconditions

The support console exposes lock reason and verification checklist.
The account is actually in a locked or risk-review state.

Expected outcome

The support agent can verify identity without bypassing policy.
Unlock actions revoke stale sessions if required.
The account owner receives a clear recovery notice.

Negative or edge variant

The account is unlocked without sufficient proof, or old sessions stay valid after the incident is resolved.

A-03A learner's payment failed and they need an invoice copy. I need to help without seeing raw card data.

Accounts: AC-14, AC-07

Audit focus: security, billing, privacy

Journey categories

Support operationsDiscovery, enrollment, and purchase

Preconditions

Support billing view is available with redacted payment details.
The user has an invoice or renewal history in the system.

Expected outcome

The agent can see billing status, redacted payment metadata, and invoice history only.
The invoice can be reissued or downloaded safely.
Billing notes are consistent with user-facing entitlement state.

Negative or edge variant

The support view exposes sensitive payment secrets or the invoice history does not match the actual entitlement record.

A-04I need to process a refund, partial credit, or scholarship adjustment under policy and explain the entitlement impact.

Accounts: AC-14, AC-07, AC-04

Audit focus: billing, trust, reliability

Journey categories

Support operationsDiscovery, enrollment, and purchase

Preconditions

A transaction, scholarship record, or manual billing case exists.
Refund and adjustment policies are documented.

Expected outcome

The decision path and monetary effect are logged.
The user sees whether access changes immediately, later, or not at all.
Support can cite the applicable policy or pilot rule.

Negative or edge variant

The refund is duplicated, the credit is applied to the wrong learner, or access is removed with no explanation.

A-05A guardian submitted consent for a minor learner. I need to verify the record and activate access only after approval is complete.

Accounts: AC-14, AC-17, AC-09

Audit focus: privacy, security, moderation_governance

Journey categories

Support operationsData rights and privacy

Preconditions

The platform supports linked guardian-minor records.
The learner account remains pending until consent is confirmed.

Expected outcome

Guardian relationship and consent scope are logged with timestamps.
Minor access activates only after successful approval.
Support can explain revocation and community restrictions clearly.

Negative or edge variant

Minor access opens before approval is finalized, or the consent record lacks enough detail to audit later.

A-06A user requested a copy of all personal data under GDPR or CCPA. I need to fulfill it completely and only for the right person.

Accounts: AC-14, AC-08

Audit focus: privacy, reliability, data_integrity

Journey categories

Support operationsData rights and privacy

Preconditions

An authenticated rights request or verified support workflow is available.
The user has enough history to validate export completeness.

Expected outcome

The export includes the documented user data categories and timestamps.
The request lifecycle is logged end to end.
The export excludes data belonging to other users or staff-only notes that should remain internal by policy.

Negative or edge variant

A major data class is missing, or unrelated user data leaks into the export package.

A-07A user wants their account deleted. I need to complete the deletion and explain what must be retained by policy.

Accounts: AC-14, AC-08, AC-11

Audit focus: privacy, security, trust

Journey categories

Support operationsData rights and privacy

Preconditions

Deletion is either self-serve or support-assisted with identity verification.
Retention exceptions are documented.

Expected outcome

Sessions are revoked and the account enters the documented deletion state.
The user receives clear messaging about any retained billing, security, or abuse records.
The deletion action is audit logged.

Negative or edge variant

The user still has active access after deletion, or the support workflow cannot explain retained records.

A-08A learner reported abusive community content. I need to review it, take action if needed, and preserve an appeal path.

Accounts: AC-15

Audit focus: moderation_governance, trust, security

Journey categories

Support operationsContent creation and moderation

Preconditions

A moderation queue or abuse-report workflow exists.
Trust-and-safety staff can see the report context and policy rules.

Expected outcome

The moderation decision is logged with reason and timestamp.
The affected user receives a notice consistent with policy.
The appeal or review state is visible internally.

Negative or edge variant

The action is overbroad, irreversible, or lacks an audit trail explaining why it happened.

A-09Video streaming is degraded. I need to publish a clear public status update and give support agents a consistent message.

Accounts: AC-14, AC-15

Audit focus: reliability, ux, trust

Journey categories

Support operationsError and recovery pathsNotifications and preferences

Preconditions

A status surface or banner exists for public communication.
Support staff can reference incident notes or canned responses.

Expected outcome

The public status update is scoped, timestamped, and consistent with support guidance.
The issue can be marked resolved or updated without leaving stale copy behind.
Users know whether the workaround is retry, fallback download, or wait.

Negative or edge variant

The status page, banner, and support responses drift apart or stay stale after the incident is fixed.

A-10Users report rate-limit messages and unsupported-browser issues. I need to provide a precise, accessible resolution path.

Accounts: AC-14

Audit focus: ux, accessibility, reliability

Journey categories

Support operationsError and recovery pathsNotifications and preferences

Preconditions

The product surfaces rate-limit or browser-support errors in a user-visible way.
Support has guidance for retry windows and supported environments.

Expected outcome

Messages explain the problem in plain language and avoid blame.
Retry timing, supported browsers, and fallback options are explicit.
Help content is readable and keyboard accessible.

Negative or edge variant

The user only sees a generic failure page with no retry window, no browser guidance, and no accessible error summary.

A-11A report arrives through the public security disclosure channel. I need to acknowledge it and route it properly without unsafe back-and-forth.

Accounts: AC-15

Audit focus: security, moderation_governance, trust

Journey categories

Support operationsData rights and privacy

Preconditions

A public security disclosure contact or intake route exists.
Trust-and-safety or engineering routing ownership is documented.

Expected outcome

The report receives an acknowledgement within the documented response target.
Internal escalation and ownership are recorded.
Public responses avoid requesting risky public reproduction steps.

Negative or edge variant

The report is lost, handled by the wrong queue, or answered with instructions that would weaken security posture.

Managers and guardians

M-01I want to start a 25-seat team trial or convert it into an annual enterprise plan with clear pricing and support commitments.

Accounts: AC-16

Audit focus: ux, billing, trust

Journey categories

Discovery, enrollment, and purchaseSupport operations

Preconditions

Enterprise or pilot commercial routing exists in the test environment.
The workspace can be created with a defined seat count.

Expected outcome

Seat count, billing owner, term, and support expectations are explicit.
The quote or trial state can be reviewed before activation.
The manager receives a named next step for procurement or pilot support.

Negative or edge variant

Seat limits, pricing assumptions, or support scope remain ambiguous after the commercial setup flow finishes.

M-02I want to configure SSO, require MFA, and restrict access to my company domain before inviting my team.

Accounts: AC-16

Audit focus: security, reliability, ux

Journey categories

Onboarding and authenticationError and recovery paths

Preconditions

SSO or domain restriction is enabled in the test environment.
A test identity provider is available if SSO is supported.

Expected outcome

Configuration values are validated before go-live.
A rollback or safe-test path exists before enforcing the policy for all seats.
Auth rules are visible enough for a manager to understand the impact.

Negative or edge variant

A bad SSO configuration or domain rule locks out valid users without a safe recovery path.

M-03I want to invite a cohort, assign a learning path, and see which seats are activated, pending, or unused.

Accounts: AC-16

Audit focus: ux, reliability

Journey categories

Discovery, enrollment, and purchaseNotifications and preferences

Preconditions

An enterprise workspace already exists.
Invite and seat-state tracking are enabled.

Expected outcome

Invite state is visible and refreshable.
Assigned content matches the intended learning path.
Reminder messaging is configurable and tied to real invitation status.

Negative or edge variant

Expired or duplicate invites consume seats incorrectly or show the wrong activation state.

M-04An employee left the team. I want to reclaim or transfer the seat without losing the audit trail of completed training.

Accounts: AC-16

Audit focus: reliability, privacy, security

Journey categories

Support operationsData rights and privacy

Preconditions

A seat is currently assigned to a departing user.
Transfer or reclaim rules are defined for the workspace.

Expected outcome

The seat can be reclaimed or reassigned cleanly.
Historical completion and access records remain attributable for reporting.
The departing user's access ends on the correct date.

Negative or edge variant

The seat is stuck, the history becomes orphaned, or the former user retains access after offboarding.

M-05I want to download invoices, PO references, and monthly seat-usage reports that match the contract period.

Accounts: AC-16

Audit focus: billing, trust, reliability

Journey categories

Discovery, enrollment, and purchaseSupport operations

Preconditions

Enterprise billing records exist in the test environment.
The workspace has at least one completed billing cycle.

Expected outcome

Invoices and seat reports align with the visible contract details.
Files are downloadable and labeled by billing period.
The manager can tell what is estimate versus final invoice data.

Negative or edge variant

Seat counts, dates, or currencies differ between the dashboard and the downloadable invoice.

M-06I want to review team progress without seeing private learner notes, support tickets, or unrelated personal data.

Accounts: AC-16

Audit focus: privacy, security, ux

Journey categories

Data rights and privacyLearning experience

Preconditions

A manager dashboard exists with scoped reporting.
The workspace has at least a few invited or active learners.

Expected outcome

The manager view is aggregate or role-appropriate by default.
Sensitive learner data stays out of managerial reporting.
Access boundaries are consistent across UI, exports, and notifications.

Negative or edge variant

The manager can see private notes, raw support correspondence, or billing identifiers that are outside their role.

M-07Before rollout, I want the DPA, security summary, retention commitments, and a named support or procurement contact.

Accounts: AC-16

Audit focus: trust, privacy, ux

Journey categories

Support operationsData rights and privacy

Preconditions

Partner-ready documentation exists or is routed through support.
The manager can request materials without opening a generic learner ticket.

Expected outcome

The right documents or support route are surfaced clearly.
The manager sees who owns follow-up and expected response timing.
Policy references match the current product behavior.

Negative or edge variant

The request falls into a generic queue with no owner, stale documentation, or no response expectation.

M-08I want weekly product digests, critical incident alerts immediately, and billing notices only to finance.

Accounts: AC-16

Audit focus: ux, privacy, reliability

Journey categories

Notifications and preferencesSupport operations

Preconditions

Role-based or category-based notification preferences are available.
More than one stakeholder email can be configured for the workspace if supported.

Expected outcome

Notification categories are clearly separated by purpose.
Urgent incident messages bypass the digest cadence when appropriate.
Billing notices route only to the intended owner or finance contact.

Negative or edge variant

Notifications are all-or-nothing, or high-volume digests drown out critical incident notices.

M-09I want to grant guardian consent for a minor learner, choose communication settings, and confirm what community features are disabled.

Accounts: AC-17, AC-09

Audit focus: privacy, ux, moderation_governance

Journey categories

Data rights and privacyNotifications and preferences

Preconditions

A linked guardian-minor workflow exists.
The minor account remains pending until consent is resolved.

Expected outcome

Consent scope, community restrictions, and notification choices are explicit.
The guardian can tell exactly what was approved.
Revocation or change steps are documented.

Negative or edge variant

The guardian cannot distinguish consent for learning access from consent for marketing, community participation, or analytics.

M-10I want to view my linked minor's progress and request a correction or export of that learner's record only.

Accounts: AC-17, AC-09

Audit focus: privacy, security, data_integrity

Journey categories

Data rights and privacyLearning experience

Preconditions

The guardian account is linked to exactly one learner in the test setup.
Progress and privacy-rights views are available for guardians if policy allows them.

Expected outcome

The guardian sees only the linked learner's data.
Correction or export requests are logged against the correct learner record.
The UI distinguishes guardian rights from the learner's own account rights.

Negative or edge variant

The guardian can see data from unrelated learners or cannot tell whether a request applies to the guardian or the child record.

M-11Our contract is ending. I want to export workspace data and close the organization safely without deleting anything before the export is ready.

Accounts: AC-16

Audit focus: privacy, reliability, trust

Journey categories

Data rights and privacySupport operationsError and recovery paths

Preconditions

The workspace contains user, progress, and billing history.
Org offboarding or workspace closure is supported in the test environment.

Expected outcome

Export completes before destructive steps begin.
The manager sees what will be retained by policy after closure.
Access removal is timestamped and auditable.

Negative or edge variant

The workspace deletion begins before export completion or no retention disclosure is shown during offboarding.

How to use this fixture set

These accounts are fictional fixtures for QA, demos, and audit evidence only.

All identifiers are synthetic and must stay out of production as real user records.

Commands are written as testable user intents and should be mapped to screenshots, logs, or tickets during validation.

Assumptions

The learning platform supports first-party email/password accounts, and optional MFA or SSO may exist depending on the environment.

Some commercial flows may be partner-scoped rather than public self-serve, so purchase-related commands can be executed as simulated or manual-review workflows in QA.

Privacy-rights flows such as export and delete are either implemented or required for audit readiness.

Minor accounts require guardian review, reduced communication scope, or a documented equivalent safeguard.

Instructor, support, trust-and-safety, and manager roles should remain distinct so least-privilege checks can be audited explicitly.

Account catalog

The catalog below uses synthetic names, synthetic phone numbers, and reserved-domain email addresses. It is designed to support role realism, not impersonation.

AC-01 | Guest and anonymousTess Drift

Guest prospect

anonymous_sessionpublic-preview

Preview a lesson and compare the curriculum before creating an account.
Understand what is public, what requires signup, and what data is stored in a guest session.

Device: Shared Windows laptop

Connectivity: Public Wi-Fi

Locale: en-US

Timezone: America/Denver

Language: English

Org: none

User ID: guest_ql_001

Email: none

Phone: none

Risk flags

shared-devicecookie-choice-sensitive

AC-02 | LearnersMira Fen

Learner, new

unverifiedfree

Create a first account from mobile and verify the email flow without confusion.
Enroll in an introductory module quickly after signup.

Device: Android phone

Connectivity: Intermittent 4G

Locale: en-US

Timezone: America/Chicago

Language: English

Org: none

User ID: usr_ql_002

Email: mira.fen@ql.test

Phone: +1-555-010-1002

Enrollments

QC+AI Overview and the NISQ Reality

Risk flags

first-login-friction

AC-03 | LearnersOren Clave

Learner, returning paid pilot

activepaid-pilot

Resume lessons across desktop and tablet without losing progress.
Keep receipts, certificates, and billing records consistent across renewals.

Device: MacBook Air

Connectivity: Home broadband

Locale: en-US

Timezone: America/Los_Angeles

Language: English

Org: none

User ID: usr_ql_003

Email: oren.clave@ql.test

Phone: +1-555-010-1003

Enrollments

QC+AI Overview and the NISQ Reality
Intermediate Quantum Programming
Advanced Quantum Software Development

Risk flags

unsubscribed-marketing

AC-04 | LearnersSana Iver

Learner, scholarship

activescholarship

Use scholarship-funded access without billing friction.
Complete a practical learning path tied to career transition goals.

Device: Chromebook

Connectivity: School Wi-Fi

Locale: en-GB

Timezone: Europe/London

Language: English

Org: none

User ID: usr_ql_004

Email: sana.iver@ql.test

Phone: +1-555-010-1004

Accessibility

captions-preferred

Enrollments

Hardware-Constrained QC+AI Models
Quantum Finance Programming and Optimization

Risk flags

financial-aid-sensitive

AC-05 | LearnersJae Tolland

Learner, low bandwidth

activefree

Stream lessons on a weak mobile connection and save files for offline reading.
Finish checkpoints during a commute without repeated session loss.

Device: Low-end Android phone

Connectivity: Unstable 3G

Locale: en-US

Timezone: America/New_York

Language: English

Org: none

User ID: usr_ql_005

Email: jae.tolland@ql.test

Phone: +1-555-010-1005

Accessibility

reduced-motion-preferred

Enrollments

Introduction to Hardware-Constrained Learning

Risk flags

low-bandwidth

AC-06 | LearnersAri Solen

Learner, accessibility-critical

activepaid-pilot

Complete lessons and quizzes using keyboard and screen reader only.
Confirm that captions, transcripts, and focus management hold across dynamic flows.

Device: Windows laptop

Connectivity: Broadband

Locale: en-US

Timezone: America/Phoenix

Language: English

Org: none

User ID: usr_ql_006

Email: ari.solen@ql.test

Phone: +1-555-010-1006

Accessibility

screen-readerkeyboard-onlyhigh-contrastcaptions-required

Enrollments

Intermediate Quantum Programming
QC+AI Builder Practice

Risk flags

accessibility-critical

AC-07 | LearnersTomas Quill

Learner, renewal failed

grace-periodpaid-pilot-renewal-failed

Recover access after a payment failure without losing progress.
Understand the grace period and invoice status clearly.

Device: iPad

Connectivity: Home Wi-Fi

Locale: en-US

Timezone: America/Seattle

Language: English

Org: none

User ID: usr_ql_007

Email: tomas.quill@ql.test

Phone: +1-555-010-1007

Enrollments

Quantum Finance Programming and Optimization

Risk flags

payment-retry-open

AC-08 | LearnersLina Voss

Learner, privacy-sensitive

activepaid-pilot

Export learning data and understand exactly what is retained.
Use the product in English while living under GDPR-sensitive expectations.

Device: Linux laptop

Connectivity: Fiber broadband

Locale: de-DE

Timezone: Europe/Berlin

Language: German and English

Org: none

User ID: usr_ql_008

Email: lina.voss@ql.test

Phone: +1-555-010-1008

Enrollments

QC+AI Overview and the NISQ Reality

Risk flags

gdpr-request-openpii-sensitive

AC-09 | LearnersNoa Kest

Learner, minor

pending-consentminor-trial

Start only after guardian approval is recorded.
Use age-appropriate communication settings and restricted community access.

Device: School iPad

Connectivity: Managed school Wi-Fi

Locale: en-US

Timezone: America/Denver

Language: English

Org: none

User ID: usr_ql_009

Email: noa.kest@ql.test

Phone: +1-555-010-1009

Accessibility

dyslexia-friendly-spacing-preferred

Enrollments

QC+AI Overview and the NISQ Reality

Risk flags

minor-flaggedconsent-required

AC-10 | LearnersRin Halden

Learner, locked after suspicious login

lockedpaid-pilot

Regain access safely after a suspicious-login alert.
Verify that stale sessions can be revoked without losing course work.

Device: Windows desktop

Connectivity: Broadband

Locale: en-US

Timezone: America/Atlanta

Language: English

Org: none

User ID: usr_ql_010

Email: rin.halden@ql.test

Phone: +1-555-010-1010

Enrollments

Advanced Quantum Software Development

Risk flags

suspicious-loginrisk-review

AC-11 | LearnersPax Merrin

Learner, duplicate-email edge case

active-with-merge-reviewtrial-expired

Resolve a duplicate-email or alias conflict without creating a second identity.
Keep notification preferences and deletion choices intact after account cleanup.

Device: Android phone

Connectivity: LTE

Locale: en-US

Timezone: America/Toronto

Language: English

Org: none

User ID: usr_ql_011

Email: pax.merrin@ql.test

Phone: +1-555-010-1011

Risk flags

duplicate-email-reviewccpa-delete-interestunsubscribed-marketing

AC-12 | Instructors and creatorsNia Calder

Instructor and course creator

activecreator-pro

Publish an accessible cohort course with clear prerequisites and pricing metadata.
Monitor learner progress using privacy-safe analytics.

Device: MacBook Pro

Connectivity: Broadband

Locale: en-US

Timezone: America/Chicago

Language: English

Org: none

User ID: usr_ql_012

Email: nia.calder@ql.test

Phone: +1-555-010-1012

Accessibility

captions-required-for-all-uploads

Enrollments

Author of Team Skills Studio

Risk flags

content-publisher

AC-13 | Instructors and creatorsPavel Sorrel

Instructor under moderation review

review-holdcreator-trial

Revise flagged content and resolve policy or IP concerns fairly.
Retain audit history of revisions and takedown decisions.

Device: Windows laptop

Connectivity: Broadband

Locale: en-GB

Timezone: Europe/Dublin

Language: English

Org: none

User ID: usr_ql_013

Email: pavel.sorrel@ql.test

Phone: +1-555-010-1013

Enrollments

Author of Responsible AI Writing Lab

Risk flags

moderation-review

AC-14 | Admin and supportDaria Flint

Support agent

active-staffsupport-console

Resolve billing, auth, and privacy tickets with least-privilege access.
Leave a clean, auditable trail for every user-visible action.

Device: Managed Windows workstation

Connectivity: Office network

Locale: en-US

Timezone: America/New_York

Language: English

Org: org_staff_support

User ID: usr_ql_014

Email: daria.flint@ql.test

Phone: +1-555-010-1014

Risk flags

privileged-staff

AC-15 | Admin and supportIvo Mercer

Trust and safety admin

active-stafftrust-safety-console

Handle moderation, ban appeals, and security disclosures with clear escalation paths.
Avoid overbroad actions and preserve evidence for review.

Device: Managed MacBook

Connectivity: Office VPN

Locale: en-US

Timezone: America/Los_Angeles

Language: English

Org: org_staff_trust

User ID: usr_ql_015

Email: ivo.mercer@ql.test

Phone: +1-555-010-1015

Risk flags

high-privilege

AC-16 | Managers and guardiansCorin Vale

Enterprise and team manager

activeenterprise-admin

Roll out a controlled team learning program with SSO, seat governance, and privacy-safe reporting.
Understand billing, procurement, and support commitments before expanding usage.

Device: Corporate ThinkPad

Connectivity: Office broadband

Locale: en-US

Timezone: America/Denver

Language: English

Org: org_ql_016

User ID: usr_ql_016

Email: corin.vale@ql.test

Phone: +1-555-010-1016

Enrollments

Enterprise learning path owner

Risk flags

org-admininvoice-sensitive

AC-17 | Managers and guardiansHela Kest

Parent and guardian

active-guardianguardian-portal

Grant and revoke consent for a linked minor learner without ambiguity.
Monitor progress and privacy choices for the linked child account only.

Device: iPhone

Connectivity: Home Wi-Fi

Locale: en-US

Timezone: America/Denver

Language: English

Org: none

User ID: usr_ql_017

Email: hela.kest@ql.test

Phone: +1-555-010-1017

Accessibility

large-text-preferred

Enrollments

Linked to AC-09 only

Risk flags

consent-authoritypii-sensitive

Command coverage by role cluster

Command cluster12

Learners commands with success and failure paths.

Command cluster11

Instructors and creators commands with success and failure paths.

Command cluster11

Admin and support commands with success and failure paths.

Command cluster11

Managers and guardians commands with success and failure paths.

User commands

Learners

L-01As a guest, I want to preview Module 1, save it for later, and then create an account without losing the preview trail.

Accounts: AC-01, AC-02

Audit focus: ux, privacy, security

Journey categories

Onboarding and authenticationDiscovery, enrollment, and purchase

Preconditions

Guest preview is enabled for at least one lesson or module card.
A guest session can store a lightweight wishlist or recently viewed item.

Expected outcome

Public content stays public and gated content stays gated.
The signup flow explains whether guest state will migrate or reset.
After account creation, the saved module context is preserved or clearly disclosed as non-portable.

Negative or edge variant

Guest cookies are blocked or expired, so the user is told exactly what will not carry over instead of silently losing state.

L-02I want to sign up on my phone, verify my email, and retry safely if the first link expires.

Accounts: AC-02

Audit focus: ux, security, reliability

Journey categories

Onboarding and authenticationError and recovery paths

Preconditions

Email signup is enabled in the test environment.
Verification emails are captured in a test mailbox or sink.

Expected outcome

The account is created in an unverified state with clear next-step guidance.
The first valid verification link succeeds and activates the account.
A resend flow exists and does not create duplicate accounts.

Negative or edge variant

The user taps an expired or already-used link and gets a safe resend path instead of a generic failure page.

L-03I want to sign in from a new laptop, review the new-device warning, and turn on MFA for future logins.

Accounts: AC-03

Audit focus: security, ux

Journey categories

Onboarding and authenticationError and recovery paths

Preconditions

The account is active and has at least one prior device or session on record.
MFA enrollment is available in the test environment if the product supports it.

Expected outcome

The login flow succeeds only after the required step-up checks complete.
The new-device event is visible in account security history or notification copy.
MFA setup is confirmed without locking the user out of the current session.

Negative or edge variant

Repeated bad codes or passwords trigger rate-limited messaging without leaking whether the account exists.

L-04I forgot my password, my first reset link expired, and I still need a safe recovery path without bypassing identity checks.

Accounts: AC-03, AC-10

Audit focus: security, ux, reliability

Journey categories

Onboarding and authenticationSupport operationsError and recovery paths

Preconditions

Password reset is enabled and sends a one-time or short-lived link.
Support-assisted recovery exists or is intentionally unavailable with clear policy text.

Expected outcome

The expired link is rejected cleanly.
A new reset can be requested without creating multiple conflicting recovery states.
If mailbox access is unavailable, the product routes the user to the documented recovery channel.

Negative or edge variant

The user clicks a stale reset link from another device and the system must fail closed without confusing cross-session behavior.

L-05I want to compare plan details, apply a scholarship or pilot discount, and enroll in Intermediate Quantum Programming.

Accounts: AC-03, AC-04

Audit focus: ux, billing, trust

Journey categories

Discovery, enrollment, and purchaseSupport operations

Preconditions

The environment exposes either self-serve billing or a partner-scoped price simulation.
At least one valid and one invalid discount or scholarship code are configured.

Expected outcome

Price, discount, entitlement scope, and any refund or billing note are visible before confirmation.
The enrollment result matches the selected plan or scholarship state.
A receipt, invoice, or enrollment confirmation is generated if applicable.

Negative or edge variant

An expired or invalid code does not apply silently and does not alter the final entitlement unexpectedly.

L-06My renewal failed. I want to update payment details, understand the grace period, and keep my course progress.

Accounts: AC-07

Audit focus: billing, ux, reliability

Journey categories

Discovery, enrollment, and purchaseSupport operationsError and recovery paths

Preconditions

The account is in a renewal-failed or grace-period state.
The billing UI or support handoff exposes the next required action.

Expected outcome

The user sees the renewal status, due amount, and access window clearly.
Updating the payment method or invoice route restores access without erasing progress.
Support or policy links explain what happens if payment is not recovered.

Negative or edge variant

A second payment failure must not double-charge the user or silently strip access without an explanation.

L-07I want to stream a lesson on a weak mobile connection, switch to a lighter mode, and save the document for offline reading.

Accounts: AC-05

Audit focus: performance, ux, reliability, accessibility

Journey categories

Learning experienceError and recovery paths

Preconditions

At least one lesson includes video plus a downloadable source asset.
The media player or asset list exposes quality or retry behavior where supported.

Expected outcome

Playback degrades gracefully or offers a fallback instead of freezing.
Downloadable assets are labeled clearly for offline reading.
The user can resume the lesson later without losing place unnecessarily.

Negative or edge variant

A stalled network request surfaces a retry state or fallback asset instead of leaving the user on a dead loading spinner.

L-08I want to complete a timed quiz using keyboard navigation, a screen reader, and clear focus states on every control.

Accounts: AC-06

Audit focus: accessibility, ux, reliability

Journey categories

Learning experienceError and recovery paths

Preconditions

A quiz flow exists with keyboard-reachable controls.
The environment supports screen reader and high-contrast checks.

Expected outcome

Focus order is predictable and all quiz controls are labeled.
Timer messaging, submission status, and validation errors are announced clearly.
Autosave or recovery behavior preserves answers if the page refreshes.

Negative or edge variant

Any focus trap, missing label, or inaccessible validation message is logged as a blocker instead of treated as cosmetic.

L-09After completing a module, I want the certificate, completion status, and any receipt or confirmation email to stay consistent.

Accounts: AC-03, AC-04

Audit focus: ux, reliability, trust

Journey categories

Learning experienceNotifications and preferences

Preconditions

A course or module completion threshold is configured.
Certificate issuance or completion badge logic is available in the test environment.

Expected outcome

Completion status matches the recorded progress.
The certificate or badge uses the correct learner identity and completion date.
Any follow-up notifications match the actual completion event.

Negative or edge variant

A recalculated quiz score or late sync must not revoke a certificate silently or produce a mismatched completion record.

L-10I want marketing emails off, course reminders on, and cookie choices to be respected across devices.

Accounts: AC-03, AC-11

Audit focus: privacy, ux

Journey categories

Notifications and preferencesData rights and privacy

Preconditions

The product distinguishes marketing from transactional or learning-critical notifications.
Cookie or analytics preferences are exposed if the product supports them.

Expected outcome

Granular preference settings persist after refresh and re-login.
Critical transactional notices remain appropriately scoped.
Preference screens explain what cannot be turned off and why.

Negative or edge variant

Unsubscribing from marketing must not disable password-reset, billing, or security notifications unintentionally.

L-11I want to export all of my learning data, support history, and receipts, then request account deletion with a retention explanation.

Accounts: AC-08, AC-11

Audit focus: privacy, security, trust

Journey categories

Data rights and privacySupport operations

Preconditions

Authenticated privacy-rights actions are available or routed to support.
The account has enough history to validate export completeness.

Expected outcome

The export includes the documented data categories for the user only.
Deletion explains what is removed immediately and what is retained by policy.
Active sessions are revoked after deletion is confirmed.

Negative or edge variant

The export omits a major data class or the deletion flow fails without telling the user what happened next.

L-12I received a suspicious-login warning. I want to review active sessions, sign out other devices, and recover the account safely.

Accounts: AC-10

Audit focus: security, ux, reliability

Journey categories

Onboarding and authenticationError and recovery paths

Preconditions

The account is locked or flagged after a suspicious event.
Session-management or forced re-authentication controls are available.

Expected outcome

The warning explains what triggered the lock or review state at a high level.
Current and prior sessions can be reviewed or revoked safely.
The account returns to a known-good state after recovery.

Negative or edge variant

Stale sessions survive the recovery flow or the user cannot tell whether the account is safe again.

Instructors and creators

I-01I want to activate a creator account, accept the content policy, and verify that I can publish only after the required checks are complete.

Accounts: AC-12

Audit focus: security, ux, moderation_governance

Journey categories

Onboarding and authenticationContent creation and moderation

Preconditions

Creator enrollment or role elevation is enabled in the test environment.
Content policy acceptance is required before publish rights are granted.

Expected outcome

The creator role is inactive until required steps are completed.
Policy acceptance is timestamped and visible in the creator record.
The UI distinguishes draft rights from publish rights clearly.

Negative or edge variant

A partially configured creator should not be able to publish or expose incomplete public metadata.

I-02I want to draft a new course with a title, syllabus, prerequisites, outcomes, and pilot pricing notes.

Accounts: AC-12

Audit focus: ux, reliability

Journey categories

Content creation and moderation

Preconditions

Draft authoring is enabled.
The course model supports required metadata and validation.

Expected outcome

Draft save works without data loss.
Missing required metadata is called out before publish.
The preview reflects the latest saved version.

Negative or edge variant

A required field such as prerequisites or entitlement scope must not fail silently during save or publish.

I-03I want to upload large videos and documents even if my connection drops midway through the upload.

Accounts: AC-12, AC-13

Audit focus: reliability, performance, ux

Journey categories

Content creation and moderationError and recovery paths

Preconditions

Large media or document upload is enabled.
At least one large file is available in the test environment.

Expected outcome

The upload flow resumes or retries without creating duplicate assets.
The creator can tell which version is current.
Partial or failed uploads do not become publicly visible.

Negative or edge variant

A dropped connection leaves an orphaned asset, duplicate attachment, or inconsistent file-type state.

I-04Before I publish, I want to add captions, transcripts, alt text, and download labels for every learner-facing asset.

Accounts: AC-12

Audit focus: accessibility, ux, trust

Journey categories

Content creation and moderationLearning experience

Preconditions

The course includes at least one video, one document, and one image or card-style visual.
Accessibility metadata fields are exposed in authoring.

Expected outcome

Accessibility fields are clearly attached to the relevant asset.
Publish warnings appear if required metadata is missing.
Learner views render the metadata correctly.

Negative or edge variant

A creator can publish inaccessible media with no warning or cannot tell which assets still lack accessibility metadata.

I-05I want to schedule a course release for 09:00 in the learner-facing timezone and receive a confirmation digest.

Accounts: AC-12

Audit focus: ux, reliability

Journey categories

Content creation and moderationNotifications and preferences

Preconditions

Scheduled publishing is enabled.
Course and account timezone settings are configurable.

Expected outcome

The schedule reflects an explicit timezone and release time.
Notifications or status indicators confirm when the release occurred.
Learner-facing availability matches the configured schedule.

Negative or edge variant

Daylight-saving or timezone mismatches cause content to publish early or late with no visible warning.

I-06I need to revise a published lesson without resetting learner progress, breaking bookmarks, or invalidating certificates.

Accounts: AC-12

Audit focus: reliability, ux, trust

Journey categories

Content creation and moderationLearning experience

Preconditions

A published lesson already has active learners and recorded progress.
Versioning or republish behavior is available.

Expected outcome

Learner progress is preserved or changes are explained explicitly.
Existing lesson links continue to resolve where intended.
A version or change log is recorded for auditability.

Negative or edge variant

Republishing unexpectedly restarts lessons, invalidates quiz attempts, or changes public slugs without redirection.

I-07I want to create a quiz with multiple attempts, time extensions, and explicit accommodations for accessibility-sensitive learners.

Accounts: AC-12, AC-06

Audit focus: accessibility, ux, reliability

Journey categories

Content creation and moderationLearning experience

Preconditions

Quiz authoring supports attempts, due dates, and accommodation overrides.
At least one learner profile can receive an accommodation rule in the test environment.

Expected outcome

The quiz rules are visible and saved correctly.
The accommodation applies only to the intended learner or cohort.
Learner-facing timing, messaging, and submission states stay consistent.

Negative or edge variant

Accommodation settings leak to unintended learners or are ignored for the targeted learner at runtime.

I-08A submission or lesson was flagged for plagiarism or AI-policy issues. I want to review the evidence and decide fairly.

Accounts: AC-13

Audit focus: moderation_governance, ux, trust

Journey categories

Content creation and moderationSupport operations

Preconditions

An integrity or policy flag exists on a learner submission or creator asset.
The relevant content policy is visible to the reviewer.

Expected outcome

Evidence, policy basis, and next actions are visible in one workflow.
The decision is logged and reversible through a documented appeal path.
Affected users receive a clear explanation without exposing internal-only notes.

Negative or edge variant

A false positive leaves the creator or learner with no context, no appeal path, or no retained evidence.

I-09I need to unpublish or takedown a lesson after an intellectual-property or policy complaint while preserving audit history.

Accounts: AC-13

Audit focus: moderation_governance, trust, reliability

Journey categories

Content creation and moderationSupport operations

Preconditions

A published asset is under complaint or review.
The creator has access to a takedown workflow or moderation handoff.

Expected outcome

The takedown action is logged with reason and timestamp.
Learners see an appropriate replacement or explanation if access changes.
Appeal or review status is visible to the creator.

Negative or edge variant

The lesson disappears abruptly with no trace, no communication, or no way to distinguish temporary hold from permanent removal.

I-10I want weekly creator analytics and course digests that help me improve teaching without exposing unnecessary learner PII.

Accounts: AC-12

Audit focus: privacy, ux, moderation_governance

Journey categories

Notifications and preferencesData rights and privacy

Preconditions

Creator analytics or digests are enabled.
At least one course has learner activity to summarize.

Expected outcome

Analytics are aggregate or scoped appropriately.
Notification cadence is configurable.
Exports or digests do not expose raw personal data that the creator does not need.

Negative or edge variant

The analytics view exposes support-only fields, sensitive user notes, or other data outside creator scope.

I-11I want to assign a reviewer or co-instructor to one draft course without giving them access to unrelated drafts or billing controls.

Accounts: AC-12

Audit focus: security, moderation_governance, ux

Journey categories

Content creation and moderationOnboarding and authentication

Preconditions

Reviewer or collaborator roles are supported in the test environment.
The creator owns more than one draft or published course.

Expected outcome

The collaborator receives only the intended scope.
Role boundaries are visible in the invitation or permissions UI.
All permission grants are logged.

Negative or edge variant

A collaborator gains access to unrelated courses, learner billing details, or creator-wide settings.

Admin and support

A-01A user says signup fails because the email already exists. I need to resolve a duplicate-email or alias conflict safely.

Accounts: AC-14, AC-11

Audit focus: security, ux, moderation_governance

Journey categories

Support operationsOnboarding and authentication

Preconditions

Support tooling exposes identity-safe duplicate-email diagnostics.
The user can verify ownership through an approved recovery path.

Expected outcome

The agent can distinguish existing account, alias conflict, and merge-review cases safely.
The user receives a precise next step without exposing another person's account state.
Any account merge or cleanup action is logged.

Negative or edge variant

The agent can accidentally merge the wrong records or disclose whether another user's account exists beyond policy.

A-02A learner was locked after a suspicious-login alert. I need to unlock the account only after the right verification steps are complete.

Accounts: AC-14, AC-10

Audit focus: security, reliability, trust

Journey categories

Support operationsOnboarding and authenticationError and recovery paths

Preconditions

The support console exposes lock reason and verification checklist.
The account is actually in a locked or risk-review state.

Expected outcome

The support agent can verify identity without bypassing policy.
Unlock actions revoke stale sessions if required.
The account owner receives a clear recovery notice.

Negative or edge variant

The account is unlocked without sufficient proof, or old sessions stay valid after the incident is resolved.

A-03A learner's payment failed and they need an invoice copy. I need to help without seeing raw card data.

Accounts: AC-14, AC-07

Audit focus: security, billing, privacy

Journey categories

Support operationsDiscovery, enrollment, and purchase

Preconditions

Support billing view is available with redacted payment details.
The user has an invoice or renewal history in the system.

Expected outcome

The agent can see billing status, redacted payment metadata, and invoice history only.
The invoice can be reissued or downloaded safely.
Billing notes are consistent with user-facing entitlement state.

Negative or edge variant

The support view exposes sensitive payment secrets or the invoice history does not match the actual entitlement record.

A-04I need to process a refund, partial credit, or scholarship adjustment under policy and explain the entitlement impact.

Accounts: AC-14, AC-07, AC-04

Audit focus: billing, trust, reliability

Journey categories

Support operationsDiscovery, enrollment, and purchase

Preconditions

A transaction, scholarship record, or manual billing case exists.
Refund and adjustment policies are documented.

Expected outcome

The decision path and monetary effect are logged.
The user sees whether access changes immediately, later, or not at all.
Support can cite the applicable policy or pilot rule.

Negative or edge variant

The refund is duplicated, the credit is applied to the wrong learner, or access is removed with no explanation.

A-05A guardian submitted consent for a minor learner. I need to verify the record and activate access only after approval is complete.

Accounts: AC-14, AC-17, AC-09

Audit focus: privacy, security, moderation_governance

Journey categories

Support operationsData rights and privacy

Preconditions

The platform supports linked guardian-minor records.
The learner account remains pending until consent is confirmed.

Expected outcome

Guardian relationship and consent scope are logged with timestamps.
Minor access activates only after successful approval.
Support can explain revocation and community restrictions clearly.

Negative or edge variant

Minor access opens before approval is finalized, or the consent record lacks enough detail to audit later.

A-06A user requested a copy of all personal data under GDPR or CCPA. I need to fulfill it completely and only for the right person.

Accounts: AC-14, AC-08

Audit focus: privacy, reliability, data_integrity

Journey categories

Support operationsData rights and privacy

Preconditions

An authenticated rights request or verified support workflow is available.
The user has enough history to validate export completeness.

Expected outcome

The export includes the documented user data categories and timestamps.
The request lifecycle is logged end to end.
The export excludes data belonging to other users or staff-only notes that should remain internal by policy.

Negative or edge variant

A major data class is missing, or unrelated user data leaks into the export package.

A-07A user wants their account deleted. I need to complete the deletion and explain what must be retained by policy.

Accounts: AC-14, AC-08, AC-11

Audit focus: privacy, security, trust

Journey categories

Support operationsData rights and privacy

Preconditions

Deletion is either self-serve or support-assisted with identity verification.
Retention exceptions are documented.

Expected outcome

Sessions are revoked and the account enters the documented deletion state.
The user receives clear messaging about any retained billing, security, or abuse records.
The deletion action is audit logged.

Negative or edge variant

The user still has active access after deletion, or the support workflow cannot explain retained records.

A-08A learner reported abusive community content. I need to review it, take action if needed, and preserve an appeal path.

Accounts: AC-15

Audit focus: moderation_governance, trust, security

Journey categories

Support operationsContent creation and moderation

Preconditions

A moderation queue or abuse-report workflow exists.
Trust-and-safety staff can see the report context and policy rules.

Expected outcome

The moderation decision is logged with reason and timestamp.
The affected user receives a notice consistent with policy.
The appeal or review state is visible internally.

Negative or edge variant

The action is overbroad, irreversible, or lacks an audit trail explaining why it happened.

A-09Video streaming is degraded. I need to publish a clear public status update and give support agents a consistent message.

Accounts: AC-14, AC-15

Audit focus: reliability, ux, trust

Journey categories

Support operationsError and recovery pathsNotifications and preferences

Preconditions

A status surface or banner exists for public communication.
Support staff can reference incident notes or canned responses.

Expected outcome

The public status update is scoped, timestamped, and consistent with support guidance.
The issue can be marked resolved or updated without leaving stale copy behind.
Users know whether the workaround is retry, fallback download, or wait.

Negative or edge variant

The status page, banner, and support responses drift apart or stay stale after the incident is fixed.

A-10Users report rate-limit messages and unsupported-browser issues. I need to provide a precise, accessible resolution path.

Accounts: AC-14

Audit focus: ux, accessibility, reliability

Journey categories

Support operationsError and recovery pathsNotifications and preferences

Preconditions

The product surfaces rate-limit or browser-support errors in a user-visible way.
Support has guidance for retry windows and supported environments.

Expected outcome

Messages explain the problem in plain language and avoid blame.
Retry timing, supported browsers, and fallback options are explicit.
Help content is readable and keyboard accessible.

Negative or edge variant

The user only sees a generic failure page with no retry window, no browser guidance, and no accessible error summary.

A-11A report arrives through the public security disclosure channel. I need to acknowledge it and route it properly without unsafe back-and-forth.

Accounts: AC-15

Audit focus: security, moderation_governance, trust

Journey categories

Support operationsData rights and privacy

Preconditions

A public security disclosure contact or intake route exists.
Trust-and-safety or engineering routing ownership is documented.

Expected outcome

The report receives an acknowledgement within the documented response target.
Internal escalation and ownership are recorded.
Public responses avoid requesting risky public reproduction steps.

Negative or edge variant

The report is lost, handled by the wrong queue, or answered with instructions that would weaken security posture.

Managers and guardians

M-01I want to start a 25-seat team trial or convert it into an annual enterprise plan with clear pricing and support commitments.

Accounts: AC-16

Audit focus: ux, billing, trust

Journey categories

Discovery, enrollment, and purchaseSupport operations

Preconditions

Enterprise or pilot commercial routing exists in the test environment.
The workspace can be created with a defined seat count.

Expected outcome

Seat count, billing owner, term, and support expectations are explicit.
The quote or trial state can be reviewed before activation.
The manager receives a named next step for procurement or pilot support.

Negative or edge variant

Seat limits, pricing assumptions, or support scope remain ambiguous after the commercial setup flow finishes.

M-02I want to configure SSO, require MFA, and restrict access to my company domain before inviting my team.

Accounts: AC-16

Audit focus: security, reliability, ux

Journey categories

Onboarding and authenticationError and recovery paths

Preconditions

SSO or domain restriction is enabled in the test environment.
A test identity provider is available if SSO is supported.

Expected outcome

Configuration values are validated before go-live.
A rollback or safe-test path exists before enforcing the policy for all seats.
Auth rules are visible enough for a manager to understand the impact.

Negative or edge variant

A bad SSO configuration or domain rule locks out valid users without a safe recovery path.

M-03I want to invite a cohort, assign a learning path, and see which seats are activated, pending, or unused.

Accounts: AC-16

Audit focus: ux, reliability

Journey categories

Discovery, enrollment, and purchaseNotifications and preferences

Preconditions

An enterprise workspace already exists.
Invite and seat-state tracking are enabled.

Expected outcome

Invite state is visible and refreshable.
Assigned content matches the intended learning path.
Reminder messaging is configurable and tied to real invitation status.

Negative or edge variant

Expired or duplicate invites consume seats incorrectly or show the wrong activation state.

M-04An employee left the team. I want to reclaim or transfer the seat without losing the audit trail of completed training.

Accounts: AC-16

Audit focus: reliability, privacy, security

Journey categories

Support operationsData rights and privacy

Preconditions

A seat is currently assigned to a departing user.
Transfer or reclaim rules are defined for the workspace.

Expected outcome

The seat can be reclaimed or reassigned cleanly.
Historical completion and access records remain attributable for reporting.
The departing user's access ends on the correct date.

Negative or edge variant

The seat is stuck, the history becomes orphaned, or the former user retains access after offboarding.

M-05I want to download invoices, PO references, and monthly seat-usage reports that match the contract period.

Accounts: AC-16

Audit focus: billing, trust, reliability

Journey categories

Discovery, enrollment, and purchaseSupport operations

Preconditions

Enterprise billing records exist in the test environment.
The workspace has at least one completed billing cycle.

Expected outcome

Invoices and seat reports align with the visible contract details.
Files are downloadable and labeled by billing period.
The manager can tell what is estimate versus final invoice data.

Negative or edge variant

Seat counts, dates, or currencies differ between the dashboard and the downloadable invoice.

M-06I want to review team progress without seeing private learner notes, support tickets, or unrelated personal data.

Accounts: AC-16

Audit focus: privacy, security, ux

Journey categories

Data rights and privacyLearning experience

Preconditions

A manager dashboard exists with scoped reporting.
The workspace has at least a few invited or active learners.

Expected outcome

The manager view is aggregate or role-appropriate by default.
Sensitive learner data stays out of managerial reporting.
Access boundaries are consistent across UI, exports, and notifications.

Negative or edge variant

The manager can see private notes, raw support correspondence, or billing identifiers that are outside their role.

M-07Before rollout, I want the DPA, security summary, retention commitments, and a named support or procurement contact.

Accounts: AC-16

Audit focus: trust, privacy, ux

Journey categories

Support operationsData rights and privacy

Preconditions

Partner-ready documentation exists or is routed through support.
The manager can request materials without opening a generic learner ticket.

Expected outcome

The right documents or support route are surfaced clearly.
The manager sees who owns follow-up and expected response timing.
Policy references match the current product behavior.

Negative or edge variant

The request falls into a generic queue with no owner, stale documentation, or no response expectation.

M-08I want weekly product digests, critical incident alerts immediately, and billing notices only to finance.

Accounts: AC-16

Audit focus: ux, privacy, reliability

Journey categories

Notifications and preferencesSupport operations

Preconditions

Role-based or category-based notification preferences are available.
More than one stakeholder email can be configured for the workspace if supported.

Expected outcome

Notification categories are clearly separated by purpose.
Urgent incident messages bypass the digest cadence when appropriate.
Billing notices route only to the intended owner or finance contact.

Negative or edge variant

Notifications are all-or-nothing, or high-volume digests drown out critical incident notices.

M-09I want to grant guardian consent for a minor learner, choose communication settings, and confirm what community features are disabled.

Accounts: AC-17, AC-09

Audit focus: privacy, ux, moderation_governance

Journey categories

Data rights and privacyNotifications and preferences

Preconditions

A linked guardian-minor workflow exists.
The minor account remains pending until consent is resolved.

Expected outcome

Consent scope, community restrictions, and notification choices are explicit.
The guardian can tell exactly what was approved.
Revocation or change steps are documented.

Negative or edge variant

The guardian cannot distinguish consent for learning access from consent for marketing, community participation, or analytics.

M-10I want to view my linked minor's progress and request a correction or export of that learner's record only.

Accounts: AC-17, AC-09

Audit focus: privacy, security, data_integrity

Journey categories

Data rights and privacyLearning experience

Preconditions

The guardian account is linked to exactly one learner in the test setup.
Progress and privacy-rights views are available for guardians if policy allows them.

Expected outcome

The guardian sees only the linked learner's data.
Correction or export requests are logged against the correct learner record.
The UI distinguishes guardian rights from the learner's own account rights.

Negative or edge variant

The guardian can see data from unrelated learners or cannot tell whether a request applies to the guardian or the child record.

M-11Our contract is ending. I want to export workspace data and close the organization safely without deleting anything before the export is ready.

Accounts: AC-16

Audit focus: privacy, reliability, trust

Journey categories

Data rights and privacySupport operationsError and recovery paths

Preconditions

The workspace contains user, progress, and billing history.
Org offboarding or workspace closure is supported in the test environment.

Expected outcome

Export completes before destructive steps begin.
The manager sees what will be retained by policy after closure.
Access removal is timestamped and auditable.

Negative or edge variant

The workspace deletion begins before export completion or no retention disclosure is shown during offboarding.