Saas Launch Checklist

Security (5 items)

• Penetration test -- Run OWASP ZAP or equivalent against staging, fix all HIGH/CRITICAL findings
• Dependency audit -- npm audit / pip-audit / trivy shows zero critical CVEs
• Secret rotation -- All production secrets differ from staging, rotation schedule documented
• Rate limiting -- API endpoints rate-limited (e.g., 100 req/min per user), auth endpoints stricter (10 req/min)
• Headers -- CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy all configured

Legal (4 items)

• Terms of Service -- Reviewed by legal counsel, published at /terms, acceptance recorded at signup
• Privacy Policy -- GDPR/CCPA compliant, published at /privacy, covers data collection, retention, and third parties
• Cookie consent -- Banner shown to EU visitors, non-essential cookies blocked until consent, preferences stored
• DPA (Data Processing Agreement) -- Template available for enterprise customers, sub-processor list published

Payment (4 items)

• Test transactions -- Full purchase flow tested with test cards (success, decline, 3DS), subscription upgrade/downgrade verified
• Webhook verification -- Stripe/Paddle webhook signature verified, replay attacks prevented with idempotency keys
• Invoice generation -- Invoices auto-generated with correct tax info, downloadable as PDF, emailed on payment
• Dunning flow -- Failed payment retry schedule configured (day 1, 3, 5, 7), grace period before cancellation

Email (4 items)

• SPF/DKIM/DMARC -- DNS records configured, DMARC policy set to quarantine or reject, verified with mail-tester.com
• Transactional templates -- Welcome, password reset, invoice, and trial expiry emails tested across Gmail/Outlook/Apple Mail
• Unsubscribe -- One-click unsubscribe header present (RFC 8058), /unsubscribe endpoint works, preference center available
• Sender reputation -- Dedicated IP warmed up (if >10k emails/day), bounce handling configured, complaint feedback loop active

Analytics (3 items)

• Core events -- Signup, activation, purchase, and churn events tracked with user ID and properties
• Funnels -- Signup-to-activation and trial-to-paid funnels configured in analytics dashboard
• Dashboards -- Real-time dashboard shows active users, revenue (MRR), error rate, and response time

Performance (3 items)

• Load test -- k6/Artillery run at 2x expected peak traffic, p95 latency under 500ms, zero errors
• CDN cache -- Cache hit ratio above 90% for static assets, proper Cache-Control and ETag headers
• Image optimization -- All images served as WebP/AVIF with responsive srcset, lazy loading below the fold

Day-1 Monitoring Dashboard

Build this dashboard before launch. Every panel answers a specific question.

+-----------------------------------------------------+
|                  SaaS Launch Dashboard               |
+---------------------------+-------------------------+
| Request Rate (req/s)      | Error Rate (%)          |
| Normal: 10-50/s           | Target: < 1%            |
| Alert: > 200/s            | Alert: > 2%             |
+---------------------------+-------------------------+
| p95 Latency (ms)          | Active Users (real-time) |
| Target: < 200ms           | Shows WebSocket/polling  |
| Alert: > 500ms            | count                    |
+---------------------------+-------------------------+
| Signup Rate (/hr)         | Payment Success Rate (%) |
| Compare to projection     | Target: > 95%            |
| Alert: 0 for 30min        | Alert: < 90%             |
+---------------------------+-------------------------+
| CPU / Memory              | Database Connections      |
| Alert: > 80%              | Alert: > 80% pool        |
+---------------------------+-------------------------+

Dashboard as Code (Prometheus Queries)

# monitoring/launch-dashboard.yml