SaaS MVP Launch Checklist

Security failures destroy trust instantly. These items are non-negotiable before any user sees your product.

1. HTTPS everywhere: Force SSL on all routes. Use Let's Encrypt (free) or your hosting provider's SSL. No mixed content warnings.
2. Authentication hardened: Password hashing with bcrypt/argon2, minimum 8-character passwords, account lockout after 5 failed attempts.
3. Session management: HTTP-only cookies, secure flag set, session timeout after 24 hours of inactivity, session invalidation on password change.
4. CSRF protection: Django CSRF middleware enabled on all POST endpoints. SPA applications use CSRF tokens or SameSite cookies.
5. Input validation: Server-side validation on every form field. Never trust client-side validation alone. Sanitize HTML input to prevent XSS.
6. SQL injection prevention: Use ORM queries exclusively. If raw SQL is required, use parameterized queries — never string interpolation.
7. Rate limiting: Implement on login (5 attempts/minute), registration (3/hour), API endpoints (100/minute), and password reset (3/hour).
8. API authentication: Token-based auth (JWT or API keys) for all API endpoints. Tokens expire after 24 hours. Refresh tokens stored securely.
9. File upload security: Validate file types server-side, scan for malware, limit file size (10MB default), store outside web root.
10. Secrets management: No API keys, database passwords, or secrets in code. Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault).
11. Dependency audit: Run pip audit or npm audit. Fix all critical and high vulnerabilities before launch.
12. Security headers: Set X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, Strict-Transport-Security headers.

Time to implement: If you built with Django, most of these are configured by default. Budget 2-3 days for a security review and fixes. Cost: EUR 200-400 if hiring a developer.

Users abandon pages that take more than 3 seconds to load. Performance is a feature.

1. Page load time under 3 seconds: Test with Google PageSpeed Insights. Target a score of 80+ on mobile. Optimize images, minify CSS/JS, enable gzip compression.
2. Database indexes: Add indexes on all columns used in WHERE clauses, JOIN conditions, and ORDER BY. Missing indexes are the number one cause of slow SaaS dashboards.
3. Query optimization: Use Django Debug Toolbar or EXPLAIN ANALYZE to find slow queries. Fix N+1 query problems with select_related and prefetch_related.
4. CDN for static assets: Serve CSS, JS, images, and fonts from a CDN (Cloudflare free tier is excellent). Reduces latency for global users by 50-80%.
5. Caching strategy: Cache expensive database queries with Redis (5-minute TTL for dashboard data). Cache API responses where appropriate. Use browser caching headers for static files.
6. Background tasks: Move email sending, report generation, webhook processing, and PDF generation to Celery background tasks. Never block HTTP requests with slow operations.
7. Database connection pooling: Use pgBouncer or Django persistent connections. Creating new database connections on every request adds 10-50ms of latency.
8. Load testing: Simulate 100 concurrent users with Locust or k6. Verify response times stay under 1 second under load. Identify bottlenecks before real users find them.

Time to implement: 2-4 days for performance optimization. This is often the highest-ROI work you can do before launch.

Billing bugs cost you money directly and destroy customer trust. Get this right before launch — fixing billing issues post-launch is painful.

1. Stripe integration tested in live mode: Do not rely only on test mode. Make a real EUR 1 charge and verify the entire flow: charge, receipt, webhook, database update.
2. Webhook handling: Handle all critical Stripe webhooks: checkout.session.completed, invoice.paid, invoice.payment_failed, customer.subscription.deleted. Verify with Stripe CLI.
3. Failed payment handling: When a payment fails, do not immediately revoke access. Send a dunning email, retry 3 times over 7 days, then downgrade gracefully. Stripe Smart Retries handles this well.
4. Plan upgrade/downgrade: Proration must work correctly. Test upgrading mid-cycle and verify the invoice shows the correct prorated amount.
5. Cancellation flow: Allow users to cancel from their dashboard. Show remaining subscription period. Optionally ask for cancellation reason (valuable data).
6. Invoice generation: Send PDF invoices automatically via Stripe. Include your company VAT number, customer details, and line items. EU businesses: ensure invoices meet EU invoicing requirements.
7. VAT/tax handling: For EU B2B: implement VAT reverse charge. For B2C: charge local VAT rate. Use Stripe Tax or a service like Quaderno (from EUR 49/month) for automatic tax calculation.
8. Free trial expiration: If offering a trial, send reminder emails at 3 days and 1 day before expiration. Handle trial-to-paid conversion automatically via Stripe.
9. Refund process: Document your refund policy. Implement a one-click refund from your admin panel. Test that Stripe refunds reflect correctly in your system.

Cost: Stripe fees are 1.4% + EUR 0.25 per transaction (EU cards). Budget EUR 300-600 for Stripe integration development. Budget 3-5 days of development time.

GDPR compliance is mandatory for any SaaS serving EU users. Fines can reach EUR 20 million or 4% of annual revenue. These are the minimum requirements.

1. Privacy policy: Publish a clear privacy policy explaining what data you collect, why, how long you store it, and who you share it with. Link it from your signup page and footer.
2. Cookie consent: Implement a cookie banner with opt-in consent (not just a notice). Do not load analytics or marketing cookies before consent. Use a tool like Cookiebot or build a simple custom banner.
3. Terms of service: Cover liability limitations, acceptable use, intellectual property, service availability, and termination. Have a lawyer review (EUR 300-800 for a startup-focused lawyer in Europe).
4. Data processing agreement (DPA): If using sub-processors (AWS, Stripe, analytics tools), ensure DPAs are in place. Most major services provide standard DPAs.
5. Right to erasure: Users must be able to request deletion of all their data. Implement a "Delete my account" feature that removes personal data from your database, backups (within 30 days), and third-party services.
6. Data export: Users must be able to export their data in a machine-readable format (JSON or CSV). Implement a "Download my data" feature in account settings.
7. Data breach procedure: Document your process for handling data breaches. GDPR requires notification to authorities within 72 hours. Keep a template notification ready.
8. Consent for marketing emails: Separate consent checkbox for marketing communications. Do not pre-check it. Record the timestamp and IP of consent.
9. Age verification: If your service might be used by minors, implement age verification. GDPR requires parental consent for users under 16 (varies by country, 13-16).

Cost: Budget EUR 500-1,000 for legal review of privacy policy and terms. GDPR technical implementation: EUR 300-600 (account deletion, data export, cookie consent).

If your SaaS goes down and you find out from a customer tweet, you have already lost. Set up monitoring before launch, not after the first outage.

1. Uptime monitoring: Use UptimeRobot (free for 50 monitors) or Better Stack (from $24/month). Check every 1-5 minutes. Alert via email + Telegram/Slack within 60 seconds of downtime.
2. Error tracking: Integrate Sentry (free for 5,000 events/month). Capture all unhandled exceptions with full stack traces, request data, and user context. Set up alerts for new error types.
3. Log aggregation: Centralize logs from your application, web server, and database. Use Papertrail (free tier), Loki, or simple log files with logrotate. Structured JSON logging makes debugging 10x faster.
4. Database monitoring: Track slow queries (>100ms), connection pool usage, disk space, and replication lag. PostgreSQL: use pg_stat_statements. Set alerts at 80% disk usage.
5. SSL certificate monitoring: Monitor certificate expiration. Let's Encrypt certificates expire every 90 days — automate renewal with certbot. Alert 14 days before expiration.
6. Backup verification: Automated daily database backups are not enough — you must verify they restore correctly. Schedule a monthly restore test. Store backups in a different region than your primary server.

Cost: EUR 0-50/month for monitoring tools. Most have free tiers sufficient for an MVP. Implementation time: 1-2 days.

You cannot improve what you do not measure. Set up analytics before launch so you have data from day one.

1. Conversion funnel tracking: Track every step: landing page visit, signup start, signup complete, onboarding complete, first value moment, paid conversion. Use Plausible (EUR 9/month, GDPR-friendly) or PostHog (free self-hosted).
2. User behavior tracking: Record key actions: feature usage, settings changes, data creation/deletion. Store as events in your database or send to PostHog/Mixpanel. This data drives product decisions.
3. Retention metrics: Track daily/weekly/monthly active users from launch. Calculate Day 1, Day 7, and Day 30 retention. If Day 7 retention is below 20%, you have a product-market fit problem, not a marketing problem.
4. Revenue metrics: Track MRR, churn rate, average revenue per user (ARPU), and lifetime value (LTV). Use Stripe dashboard for basics. For advanced metrics: Baremetrics (from $58/month) or build a custom dashboard.
5. Error and support metrics: Track support ticket volume, response time, and common issues. Categorize issues (bug, feature request, billing, UX confusion). This feeds your product roadmap.
6. Infrastructure metrics: Track server CPU, memory, disk I/O, and network. Set alerts at 70% CPU and 80% memory. Right-size your server — most MVPs run fine on a EUR 10-20/month VPS (2 CPU, 4GB RAM).

Total analytics cost: EUR 10-50/month. Plausible or self-hosted PostHog for web analytics. Stripe dashboard for revenue. Sentry for errors. Everything else: custom database queries.