Wiki source code of Operational Readiness Checklist
Last modified by Robert Schaub on 2026/02/08 08:30
| author | version | line-number | content |
|---|---|---|---|
| |
1.1 | 1 | = Operational Readiness Checklist = |
| |
1.2 | 2 | |
| |
1.1 | 3 | == 1. Purpose and Scope == |
| |
1.2 | 4 | |
| |
1.1 | 5 | This checklist documents prerequisite tasks that must be completed before FactHarbor can launch to the public. |
| 6 | **Organization Reality:** Starting as a solo project with team growth expected within the first year. | ||
| 7 | **Status as of:** December 17, 2025 | ||
| 8 | **Target Launch Date:** [To be determined] | ||
| 9 | **Important:** Initially, one person handles multiple functions. This is normal and legal. As the team grows, responsibilities can be distributed. | ||
| |
1.2 | 10 | |
| |
1.1 | 11 | == 2. Critical Tasks (MUST Complete Before Launch) == |
| |
1.2 | 12 | |
| |
1.1 | 13 | These tasks are mandatory for legal compliance and core functionality. |
| |
1.2 | 14 | |
| |
1.1 | 15 | === 2.1 Legal & Compliance === |
| |
1.2 | 16 | |

| Task | Status | Notes |
|---|---|---|
| **Engage Swiss legal advisor for policy review** | ⬜ Not Started | Review all policies, bylaws |
| **Draft and adopt Verein bylaws (statutes)** | ⬜ Not Started | Required for legal existence |
| **Appoint founding board (minimum two members)** | ⬜ Not Started | Can include yourself |
| **Apply for Swiss tax-exempt status** | ⬜ Not Started | Cantonal tax authority |
| **Designate Swiss representative** | ⬜ Not Started | Can be yourself with Swiss address |
| **Create processing activities register** | ⬜ Not Started | Internal document |
| **Conduct initial DPIA for AKEL system** | ⬜ Not Started | Can use templates |
| **Set effective dates for policies** | ⬜ Not Started | Privacy & Transparency |

| |
1.1 | 28 | === 2.2 Technical Implementation === |
| |
1.2 | 29 | |

| Task | Status | Notes |
|---|---|---|
| **Implement opt-in cookie consent banner** | ⬜ Not Started | Open source libraries available |
| **Build user data export functionality** | ⬜ Not Started | JSON/CSV export |
| **Build account deletion functionality** | ⬜ Not Started | With grace period |
| **Implement data retention automation** | ⬜ Not Started | Automated cleanup |
| **Set up breach notification procedures** | ⬜ Not Started | Document + FDPIC contact |
| **Implement TLS/HTTPS encryption** | ⬜ Not Started | Let's Encrypt or similar |
| **Set up security logging** | ⬜ Not Started | One year retention |

| |
1.1 | 40 | === 2.3 Organizational Infrastructure === |
| |
1.2 | 41 | |

| Task | Status | Notes |
|---|---|---|
| **Set up contact infrastructure** | ⬜ Not Started | See Section 5 |
| **Establish document storage** | ⬜ Not Started | Secure storage for bylaws, minutes |
| **Create incident response plan** | ⬜ Not Started | Brief document |
| **Set up basic accounting** | ⬜ Not Started | Spreadsheet initially acceptable |
| **Establish board meeting schedule** | ⬜ Not Started | Quarterly minimum |

| |
1.1 | 50 | == 3. Important Tasks (SHOULD Complete Before Launch) == |
| |
1.2 | 51 | |
| |
1.1 | 52 | These tasks are strongly recommended before launch. |
| |
1.2 | 53 | |
| |
1.1 | 54 | === 3.1 Governance & Policy === |
| |
1.2 | 55 | |

| Task | Status | Priority |
|---|---|---|
| **Appoint DPO (if serving EU users from day 1)** | ⬜ Not Started | HIGH - Can be yourself |
| **Create Terms of Service** | ⬜ Not Started | HIGH - Adapt templates |
| **Create basic Security Policy** | ⬜ Not Started | MEDIUM |
| **Create simple CLA** | ⬜ Not Started | HIGH - Adapt existing |
| **Document internal escalation** | ⬜ Not Started | LOW |

| |
1.1 | 64 | === 3.2 Technical & Operational === |
| |
1.2 | 65 | |

| Task | Status | Priority |
|---|---|---|
| **Set up vulnerability disclosure** | ⬜ Not Started | HIGH |
| **Implement 2FA** | ⬜ Not Started | MEDIUM |
| **Create user documentation** | ⬜ Not Started | HIGH |
| **Set up monitoring** | ⬜ Not Started | HIGH |
| **Set up backup systems** | ⬜ Not Started | HIGH |

| |
1.1 | 74 | === 3.3 Licensing & Open Source === |
| |
1.2 | 75 | |

| Task | Status | Priority |
|---|---|---|
| **Decide: Code licensing model** | ⬜ Not Started | HIGH - MIT vs MIT+AGPL |
| **Create LICENSE files** | ⬜ Not Started | HIGH |
| **Set up code repository** | ⬜ Not Started | HIGH |
| **Create CONTRIBUTING.md** | ⬜ Not Started | MEDIUM |

| |
1.1 | 83 | == 4. Recommended Tasks (Can Be Post-Launch) == |
| |
1.2 | 84 | |
| |
1.1 | 85 | These can wait until after launch or until the team grows. |
| |
1.2 | 86 | |

| Task | Priority | Notes |
|---|---|---|
| **Trademark registration** | MEDIUM | When budget allows |
| **Penetration testing** | MEDIUM | When feasible |
| **Transparency Committee** | LOW | When team grows |
| **Independent audit** | LOW | When required by revenue threshold |

| |
1.1 | 94 | == 5. Required Infrastructure == |
| |
1.2 | 95 | |
| |
1.1 | 96 | === 5.1 Contact Infrastructure === |
| |
1.2 | 97 | |
| |
1.1 | 98 | **Minimum Required:** |
| 99 | At minimum, you need contact methods for: | ||
| |
1.2 | 100 | |
| |
1.1 | 101 | * General inquiries |
| 102 | * Privacy/data requests (FADP/GDPR requirement) | ||
| 103 | * Security/abuse reports | ||
| 104 | * Governing Team/governance | ||
| 105 | **Options:** | ||
| 106 | **Option A: Single Contact Point** | ||
| 107 | * One email or contact form | ||
| 108 | * Routes internally as needed | ||
| 109 | * State response times clearly | ||
| 110 | **Option B: Functional Separation** | ||
| 111 | * Few key addresses for different purposes | ||
| 112 | * Still manageable by one person | ||
| 113 | **Recommendation:** Wait to set up infrastructure until you have a domain and email hosting. | ||
| |
1.2 | 114 | |
| |
1.1 | 115 | === 5.2 Documentation to Prepare === |
| |
1.2 | 116 | |
| |
1.1 | 117 | **Must Exist Before Launch:** |
| |
1.2 | 118 | |
| |
1.1 | 119 | * Processing activities register (internal) |
| 120 | * Initial DPIA for AKEL (internal) | ||
| 121 | * Breach response procedure | ||
| 122 | * Privacy Policy (done, set effective date) | ||
| 123 | * Transparency Policy (done, set effective date) | ||
| 124 | **Should Exist:** | ||
| 125 | * Terms of Service | ||
| 126 | * Simple security policy | ||
| 127 | * CLA | ||
| 128 | **Can Wait:** | ||
| 129 | * Detailed security documentation | ||
| 130 | * Complex governance processes | ||
| |
1.2 | 131 | |
| |
1.1 | 132 | === 5.3 Tools and Services === |
| |
1.2 | 133 | |
| |
1.1 | 134 | **Hosting:** |
| |
1.2 | 135 | |
| |
1.1 | 136 | * Swiss providers (Hetzner, Infomaniak) or other reliable hosting |
| 137 | * Start small, scale up | ||
| 138 | **Email/Contact:** | ||
| 139 | * Swiss privacy-focused providers (ProtonMail, Tutanota) | ||
| 140 | * Free tiers available initially | ||
| 141 | **Development:** | ||
| 142 | * GitHub or GitLab (free for public repos) | ||
| 143 | **Monitoring:** | ||
| 144 | * Free tier services available (UptimeRobot, etc.) | ||
| 145 | **Documentation:** | ||
| 146 | * GitHub Wiki, GitBook, or XWiki | ||
| |
1.2 | 147 | |
| |
1.1 | 148 | == 6. Decision Points == |
| |
1.2 | 149 | |
| |
1.1 | 150 | Strategic decisions needed before implementation: |
| |
1.2 | 151 | |
| |
1.1 | 152 | === 6.1 Critical Decisions === |
| |
1.2 | 153 | |

| Decision | Options | Consideration |
|---|---|---|
| **Serve EU users day 1?** | Yes/No/Later | Affects DPO requirement |
| **Code licensing** | MIT / MIT+AGPL | Simpler vs. stronger copyleft |
| **Hosting location** | CH/EU/US | Swiss aligns with mission |
| **AI model** | Open/API | Infrastructure vs. simplicity |

| |
1.1 | 161 | === 6.2 Organizational Decisions === |
| |
1.2 | 162 | |

| Decision | Options |
|---|---|
| **Governing Team size** | Two minimum, can expand later |
| **Governing Team meetings** | Quarterly minimum |
| **DPO** | Only if/when needed |
| **Commercial Register** | Optional for non-profit |

| |
1.1 | 170 | == 7. Launch Blockers - Go/No-Go Checklist == |
| |
1.2 | 171 | |
| |
1.1 | 172 | **Cannot launch until ALL are complete:** |
| 173 | **Legal:** | ||
| 174 | - [ ] Verein bylaws adopted | ||
| 175 | - [ ] Governing Team appointed (two members minimum) | ||
| 176 | - [ ] Swiss representative designated | ||
| 177 | - [ ] Privacy Policy effective date set | ||
| 178 | - [ ] Processing activities register created | ||
| 179 | - [ ] Initial DPIA completed | ||
| 180 | **Technical:** | ||
| 181 | - [ ] HTTPS encryption implemented | ||
| 182 | - [ ] Cookie consent (opt-in) working | ||
| 183 | - [ ] Data export functionality working | ||
| 184 | - [ ] Account deletion working | ||
| 185 | - [ ] Breach notification procedure documented | ||
| 186 | **Operational:** | ||
| 187 | - [ ] Contact infrastructure established | ||
| 188 | - [ ] Security incident procedure documented | ||
| 189 | - [ ] Data retention automation configured | ||
| 190 | - [ ] Terms of Service created | ||
| |
1.2 | 191 | |
| |
1.1 | 192 | == 8. Post-Launch Compliance == |
| |
1.2 | 193 | |
| |
1.1 | 194 | **Immediate Response Required:** |
| |
1.2 | 195 | |
| |
1.1 | 196 | * Data subject requests (within required timeframe) |
| 197 | * Security breaches (immediate FDPIC notification if high risk) | ||
| 198 | * Abuse reports (timely) | ||
| 199 | **Quarterly:** | ||
| 200 | * Governing Team meeting | ||
| 201 | * Review data retention | ||
| 202 | * Security check | ||
| 203 | **Twice Yearly:** | ||
| 204 | * Publish transparency report | ||
| 205 | * Review policies | ||
| 206 | **Annually:** | ||
| 207 | * Publish financial statements | ||
| 208 | * Annual policy review | ||
| 209 | * Privacy audit | ||
| 210 | * External audit (if above revenue threshold) | ||
| |
1.2 | 211 | |
| |
1.1 | 212 | == 9. As Team Grows == |
| |
1.2 | 213 | |
| |
1.1 | 214 | **Initial (Solo):** |
| |
1.2 | 215 | |
| |
1.1 | 216 | * One person handles all functions |
| 217 | * Document everything | ||
| 218 | * Use templates and tools | ||
| 219 | **Early Growth (First Helpers):** | ||
| 220 | * Distribute technical vs. governance tasks | ||
| 221 | * Cross-training important | ||
| 222 | * Keep communication clear | ||
| 223 | **Established Team:** | ||
| 224 | * Specialized roles emerge naturally | ||
| 225 | * Formal responsibility assignments | ||
| 226 | * More sophisticated processes | ||
| 227 | **Key:** Start simple, scale processes as team and complexity grow. | ||
| |
1.2 | 228 | |
| |
1.1 | 229 | == 10. Budget Considerations == |
| |
1.2 | 230 | |
| |
1.1 | 231 | **Pre-Launch:** |
| |
1.2 | 232 | |
| |
1.1 | 233 | * Legal advisor (essential) |
| 234 | * Minimal infrastructure | ||
| 235 | * Free tools where possible | ||
| 236 | **Ongoing:** | ||
| 237 | * Hosting (start small) | ||
| 238 | * Email/contact infrastructure | ||
| 239 | * Legal support as needed | ||
| 240 | * Scale as revenue permits | ||
| 241 | **Later:** | ||
| 242 | * Security assessments | ||
| 243 | * Trademark registration | ||
| 244 | * Professional audits | ||
| 245 | * Better tooling | ||
| 246 | **Philosophy:** Start lean, invest as you validate product-market fit. | ||
| |
1.2 | 247 | |
| |
1.1 | 248 | == 11. Risk Management == |
| |
1.2 | 249 | |
| |
1.1 | 250 | **Key Risks:** |
| |
1.2 | 251 | |
| |
1.1 | 252 | * Legal delays |
| 253 | * Technical complexity | ||
| 254 | * Time management (solo) | ||
| 255 | * Volunteer coordination | ||
| 256 | * Burnout | ||
| 257 | **Mitigation:** | ||
| 258 | * Start legal work early | ||
| 259 | * Build MVP, iterate | ||
| 260 | * Realistic scope | ||
| 261 | * Good documentation | ||
| 262 | * Don't overcommit | ||
| |
1.2 | 263 | |
| |
1.1 | 264 | == 12. Success Criteria == |
| |
1.2 | 265 | |
| |
1.1 | 266 | **Ready to launch when:** |
| |
1.2 | 267 | |
| |
1.1 | 268 | * All launch blockers complete |
| 269 | * Legal advisor approves policies | ||
| 270 | * Governing Team formally approves launch | ||
| 271 | * Contact infrastructure works | ||
| 272 | * Core functions operational | ||
| 273 | * Capacity to handle support exists | ||
| 274 | **Remember:** Launch with a working MVP, not a perfect system. | ||
| |
1.2 | 275 | |
| |
1.1 | 276 | == 13. Timeline Considerations == |
| |
1.2 | 277 | |
| |
1.1 | 278 | **Factors:** |
| |
1.2 | 279 | |
| |
1.1 | 280 | * Legal processes take time |
| 281 | * Technical implementation scope | ||
| 282 | * Part-time vs. full-time work | ||
| 283 | * Availability of help | ||
| 284 | * Budget constraints | ||
| 285 | **Approach:** | ||
| 286 | * Start critical path items early | ||
| 287 | * Build in buffer time | ||
| 288 | * Be realistic about capacity | ||
| 289 | * Iterate after launch | ||
| |
1.2 | 290 | |
| |
1.1 | 291 | == 14. Final Notes == |
| |
1.2 | 292 | |
| |
1.1 | 293 | **Don't Let Perfect Be the Enemy of Good:** |
| 294 | You don't need: | ||
| |
1.2 | 295 | |
| |
1.1 | 296 | * Complex infrastructure |
| 297 | * Large team | ||
| 298 | * Expensive tools | ||
| 299 | You do need: | ||
| 300 | * Legal compliance | ||
| 301 | * Working functionality | ||
| 302 | * Clear communication | ||
| 303 | **You can launch with:** | ||
| 304 | * Yourself initially | ||
| 305 | * Basic infrastructure | ||
| 306 | * MVP implementation | ||
| 307 | * Free/low-cost tools | ||
| 308 | * Volunteers for help | ||
| 309 | **Focus on:** | ||
| 310 | * Legal requirements (non-negotiable) | ||
| 311 | * Core functionality (working > perfect) | ||
| 312 | * Good documentation (for future team) | ||
| 313 | * Clear communication (honest about solo start) | ||
| 314 | **Scale when:** | ||
| 315 | * You have users | ||
| 316 | * You have validation | ||
| 317 | * Team grows naturally | ||
| 318 | * Revenue supports it | ||
| |
1.2 | 319 | |
| |
1.1 | 320 | == 15. Version History == |
| |
1.2 | 321 | |
| |
1.1 | 322 | * **V0.9.30** (2025-12-17): Adapted for small organization reality |
| |
1.2 | 323 | |
| |
1.1 | 324 | == 16. Related Documents == |
| |
1.2 | 325 | |
| |
1.1 | 326 | * [[Privacy Policy>>FactHarbor.Organisation.How-We-Work-Together.Privacy-Policy]] |
| 327 | * [[Transparency Policy>>FactHarbor.Organisation.How-We-Work-Together.Transparency-Policy]] | ||
| 328 | * [[Open Source Model and Licensing>>FactHarbor.Organisation.Open Source Model and Licensing]] | ||
| 329 | * [[Finance & Compliance>>FactHarbor.Organisation.Finance-Compliance]] | ||
| |
1.2 | 330 | * [[Governance>>Archive.FactHarbor 2026\.02\.08.Organisation.Governance.WebHome]] |
| |
1.1 | 331 | **Last Updated:** December 17, 2025 |
| 332 | **Status:** Adapted for solo start with team growth expected |