Operational Readiness Checklist
1. Purpose and Scope
This checklist documents prerequisite tasks that must be completed before FactHarbor can launch to the public.
Organization Reality: Starting as a solo project with team growth expected within the first year.
Status as of: December 17, 2025 (V0.9.30)
Target Launch Date: [To be determined]
Important: Initially, one person handles multiple functions. This is normal and legal. As the team grows, responsibilities can be distributed.
-
2. Critical Tasks (MUST Complete Before Launch)
These tasks are mandatory for legal compliance and core functionality.
2.1 Legal & Compliance
| Task | Status | Notes |
| --- | --- | --- |
| Engage Swiss legal advisor for policy review | ⬜ Not Started | Review all policies, bylaws |
| Draft and adopt Verein bylaws (statutes) | ⬜ Not Started | Required for legal existence |
| Appoint founding board (minimum two members) | ⬜ Not Started | Can include yourself |
| Apply for Swiss tax-exempt status | ⬜ Not Started | Cantonal tax authority |
| Designate Swiss representative | ⬜ Not Started | Can be yourself with Swiss address |
| Create processing activities register | ⬜ Not Started | Internal document |
| Conduct initial DPIA for AKEL system | ⬜ Not Started | Can use templates |
| Set effective dates for policies | ⬜ Not Started | Privacy & Transparency |
2.2 Technical Implementation
| Task | Status | Notes |
| --- | --- | --- |
| Implement opt-in cookie consent banner | ⬜ Not Started | Open source libraries available |
| Build user data export functionality | ⬜ Not Started | JSON/CSV export |
| Build account deletion functionality | ⬜ Not Started | With grace period |
| Implement data retention automation | ⬜ Not Started | Automated cleanup |
| Set up breach notification procedures | ⬜ Not Started | Document + FDPIC contact |
| Implement TLS/HTTPS encryption | ⬜ Not Started | Let's Encrypt or similar |
| Set up security logging | ⬜ Not Started | One year retention |
2.3 Organizational Infrastructure
| Task | Status | Notes |
| --- | --- | --- |
| Set up contact infrastructure | ⬜ Not Started | See Section 5 |
| Establish document storage | ⬜ Not Started | Secure storage for bylaws, minutes |
| Create incident response plan | ⬜ Not Started | Brief document |
| Set up basic accounting | ⬜ Not Started | Spreadsheet initially acceptable |
| Establish board meeting schedule | ⬜ Not Started | Quarterly minimum |
-
3. Important Tasks (SHOULD Complete Before Launch)
These tasks are strongly recommended before launch.
3.1 Governance & Policy
| Task | Status | Priority |
| --- | --- | --- |
| Appoint DPO (if serving EU users from day 1) | ⬜ Not Started | HIGH - Can be yourself |
| Create Terms of Service | ⬜ Not Started | HIGH - Adapt templates |
| Create basic Security Policy | ⬜ Not Started | MEDIUM |
| Create simple CLA | ⬜ Not Started | HIGH - Adapt existing |
| Document internal escalation | ⬜ Not Started | LOW |
3.2 Technical & Operational
| Task | Status | Priority |
| --- | --- | --- |
| Set up vulnerability disclosure | ⬜ Not Started | HIGH |
| Implement 2FA | ⬜ Not Started | MEDIUM |
| Create user documentation | ⬜ Not Started | HIGH |
| Set up monitoring | ⬜ Not Started | HIGH |
| Set up backup systems | ⬜ Not Started | HIGH |
3.3 Licensing & Open Source
| Task | Status | Priority |
| --- | --- | --- |
| Decide: Code licensing model | ⬜ Not Started | HIGH - MIT vs MIT+AGPL |
| Create LICENSE files | ⬜ Not Started | HIGH |
| Set up code repository | ⬜ Not Started | HIGH |
| Create CONTRIBUTING.md | ⬜ Not Started | MEDIUM |
-
4. Recommended Tasks (Can Be Post-Launch)
These can wait until after launch or until team grows.
| Task | Priority | Notes |
| --- | --- | --- |
| Trademark registration | MEDIUM | When budget allows |
| Penetration testing | MEDIUM | When feasible |
| Transparency Committee | LOW | When team grows |
| Independent audit | LOW | When required by revenue threshold |
-
5. Required Infrastructure
5.1 Contact Infrastructure
Minimum Required:
Contact methods for:
- General inquiries
- Privacy/data requests (FADP/GDPR requirement)
- Security/abuse reports
- Board/governance
Options:
Option A: Single Contact Point
- One email or contact form
- Routes internally as needed
- State response times clearly
Option B: Functional Separation
- Few key addresses for different purposes
- Still manageable by one person
Recommendation: Wait to set up infrastructure until you have domain and email hosting.
5.2 Documentation to Prepare
Must Exist Before Launch:
- Processing activities register (internal)
- Initial DPIA for AKEL (internal)
- Breach response procedure
- Privacy Policy (done, set effective date)
- Transparency Policy (done, set effective date)
Should Exist:
- Terms of Service
- Simple security policy
- CLA
Can Wait:
- Detailed security documentation
- Complex governance processes
5.3 Tools and Services
Hosting:
- Swiss providers (Hetzner, Infomaniak) or other reliable hosting
- Start small, scale up
Email/Contact:
- Swiss privacy-focused providers (ProtonMail, Tutanota)
- Free tiers available initially
Development:
- GitHub or GitLab (free for public repos)
Monitoring:
- Free tier services available (UptimeRobot, etc.)
Documentation:
- GitHub Wiki, GitBook, or XWiki
-
6. Decision Points
Strategic decisions needed before implementation:
6.1 Critical Decisions
| Decision | Options | Consideration |
| --- | --- | --- |
| Serve EU users day 1? | Yes/No/Later | Affects DPO requirement |
| Code licensing | MIT / MIT+AGPL | Simpler vs. stronger copyleft |
| Hosting location | CH/EU/US | Swiss aligns with mission |
| AI model | Open/API | Infrastructure vs. simplicity |
6.2 Organizational Decisions
| Decision | Options |
| --- | --- |
| Board size | Two minimum, can expand later |
| Board meetings | Quarterly minimum |
| DPO | Only if/when needed |
| Commercial Register | Optional for non-profit |
-
7. Launch Blockers - Go/No-Go Checklist
Cannot launch until ALL are complete:
Legal:
- [ ] Verein bylaws adopted
- [ ] Board appointed (two members minimum)
- [ ] Swiss representative designated
- [ ] Privacy Policy effective date set
- [ ] Processing activities register created
- [ ] Initial DPIA completed
Technical:
- [ ] HTTPS encryption implemented
- [ ] Cookie consent (opt-in) working
- [ ] Data export functionality working
- [ ] Account deletion working
- [ ] Breach notification procedure documented
Operational:
- [ ] Contact infrastructure established
- [ ] Security incident procedure documented
- [ ] Data retention automation configured
- [ ] Terms of Service created
-
8. Post-Launch Compliance
Immediate Response Required:
- Data subject requests (within required timeframe)
- Security breaches (immediate FDPIC notification if high risk)
- Abuse reports (timely)
Quarterly:
- Board meeting
- Review data retention
- Security check
Twice Yearly:
- Publish transparency report
- Review policies
Annually:
- Publish financial statements
- Annual policy review
- Privacy audit
- External audit (if above revenue threshold)
-
9. As Team Grows
Initial (Solo):
- One person handles all functions
- Document everything
- Use templates and tools
Early Growth (First Helpers):
- Distribute technical vs. governance tasks
- Cross-training important
- Keep communication clear
Established Team:
- Specialized roles emerge naturally
- Formal responsibility assignments
- More sophisticated processes
Key: Start simple, scale processes as team and complexity grow.
-
10. Budget Considerations
Pre-Launch:
- Legal advisor (essential)
- Minimal infrastructure
- Free tools where possible
Ongoing:
- Hosting (start small)
- Email/contact infrastructure
- Legal support as needed
- Scale as revenue permits
Later:
- Security assessments
- Trademark registration
- Professional audits
- Better tooling
Philosophy: Start lean, invest as you validate product-market fit.
-
11. Risk Management
Key Risks:
- Legal delays
- Technical complexity
- Time management (solo)
- Volunteer coordination
- Burnout
Mitigation:
- Start legal work early
- Build MVP, iterate
- Realistic scope
- Good documentation
- Don't overcommit
-
12. Success Criteria
Ready to launch when:
- All launch blockers complete
- Legal advisor approves policies
- Board formally approves launch
- Contact infrastructure works
- Core functions operational
- Capacity to handle support exists
Remember: Launch with working MVP, not perfect system.
-
13. Timeline Considerations
Factors:
- Legal processes take time
- Technical implementation scope
- Part-time vs. full-time work
- Availability of help
- Budget constraints
Approach:
- Start critical path items early
- Build in buffer time
- Be realistic about capacity
- Iterate after launch
-
14. Final Notes
Don't Let Perfect Be the Enemy of Good:
You don't need:
- Complex infrastructure
- Large team
- Expensive tools
You do need:
- Legal compliance
- Working functionality
- Clear communication
You can launch with:
- Yourself initially
- Basic infrastructure
- MVP implementation
- Free/low-cost tools
- Volunteers for help
Focus on:
- Legal requirements (non-negotiable)
- Core functionality (working > perfect)
- Good documentation (for future team)
- Clear communication (honest about solo start)
Scale when:
- You have users
- You have validation
- Team grows naturally
- Revenue supports it
-
15. Version History
- V0.9.30 (2025-12-17): Adapted for small organization reality
-
16. Related Documents
-
Last Updated: December 17, 2025
Status: Adapted for solo start with team growth expected