Last modified by Robert Schaub on 2025/12/24 21:53

= Operational Readiness Checklist =
== 1. Purpose and Scope ==
This checklist documents prerequisite tasks that must be completed before FactHarbor can launch to the public.
**Organization Reality:** Starting as a solo project with team growth expected within the first year.
**Status as of:** December 17, 2025
**Target Launch Date:** [To be determined]
**Important:** Initially, one person handles multiple functions. This is normal and legal. As the team grows, responsibilities can be distributed.
== 2. Critical Tasks (MUST Complete Before Launch) ==
These tasks are mandatory for legal compliance and core functionality.
=== 2.1 Legal & Compliance ===
| Task | Status | Notes |
|------|--------|-------|
| **Engage Swiss legal advisor for policy review** | ⬜ Not Started | Review all policies, bylaws |
| **Draft and adopt Verein bylaws (statutes)** | ⬜ Not Started | Required for legal existence |
| **Appoint founding board (minimum two members)** | ⬜ Not Started | Can include yourself |
| **Apply for Swiss tax-exempt status** | ⬜ Not Started | Cantonal tax authority |
| **Designate Swiss representative** | ⬜ Not Started | Can be yourself with Swiss address |
| **Create processing activities register** | ⬜ Not Started | Internal document |
| **Conduct initial DPIA for AKEL system** | ⬜ Not Started | Can use templates |
| **Set effective dates for policies** | ⬜ Not Started | Privacy & Transparency |
=== 2.2 Technical Implementation ===
| Task | Status | Notes |
|------|--------|-------|
| **Implement opt-in cookie consent banner** | ⬜ Not Started | Open source libraries available |
| **Build user data export functionality** | ⬜ Not Started | JSON/CSV export |
| **Build account deletion functionality** | ⬜ Not Started | With grace period |
| **Implement data retention automation** | ⬜ Not Started | Automated cleanup |
| **Set up breach notification procedures** | ⬜ Not Started | Document + FDPIC contact |
| **Implement TLS/HTTPS encryption** | ⬜ Not Started | Let's Encrypt or similar |
| **Set up security logging** | ⬜ Not Started | One year retention |
=== 2.3 Organizational Infrastructure ===
| Task | Status | Notes |
|------|--------|-------|
| **Set up contact infrastructure** | ⬜ Not Started | See Section 5 |
| **Establish document storage** | ⬜ Not Started | Secure storage for bylaws, minutes |
| **Create incident response plan** | ⬜ Not Started | Brief document |
| **Set up basic accounting** | ⬜ Not Started | Spreadsheet initially acceptable |
| **Establish board meeting schedule** | ⬜ Not Started | Quarterly minimum |
== 3. Important Tasks (SHOULD Complete Before Launch) ==
These tasks are strongly recommended before launch.
=== 3.1 Governance & Policy ===
| Task | Status | Priority |
|------|--------|----------|
| **Appoint DPO (if serving EU users from day 1)** | ⬜ Not Started | HIGH - Can be yourself |
| **Create Terms of Service** | ⬜ Not Started | HIGH - Adapt templates |
| **Create basic Security Policy** | ⬜ Not Started | MEDIUM |
| **Create simple CLA** | ⬜ Not Started | HIGH - Adapt existing |
| **Document internal escalation** | ⬜ Not Started | LOW |
=== 3.2 Technical & Operational ===
| Task | Status | Priority |
|------|--------|----------|
| **Set up vulnerability disclosure** | ⬜ Not Started | HIGH |
| **Implement 2FA** | ⬜ Not Started | MEDIUM |
| **Create user documentation** | ⬜ Not Started | HIGH |
| **Set up monitoring** | ⬜ Not Started | HIGH |
| **Set up backup systems** | ⬜ Not Started | HIGH |
=== 3.3 Licensing & Open Source ===
| Task | Status | Priority |
|------|--------|----------|
| **Decide: Code licensing model** | ⬜ Not Started | HIGH - MIT vs MIT+AGPL |
| **Create LICENSE files** | ⬜ Not Started | HIGH |
| **Set up code repository** | ⬜ Not Started | HIGH |
| **Create CONTRIBUTING.md** | ⬜ Not Started | MEDIUM |
== 4. Recommended Tasks (Can Be Post-Launch) ==
These can wait until after launch or until team grows.
| Task | Priority | Notes |
|------|----------|-------|
| **Trademark registration** | MEDIUM | When budget allows |
| **Penetration testing** | MEDIUM | When feasible |
| **Transparency Committee** | LOW | When team grows |
| **Independent audit** | LOW | When required by revenue threshold |
== 5. Required Infrastructure ==
=== 5.1 Contact Infrastructure ===
**Minimum Required:**
At minimum, you need contact methods for:
* General inquiries
* Privacy/data requests (FADP/GDPR requirement)
* Security/abuse reports
* Governing Team/governance
**Options:**
**Option A: Single Contact Point**
* One email or contact form
* Routes internally as needed
* State response times clearly
**Option B: Functional Separation**
* Few key addresses for different purposes
* Still manageable by one person
**Recommendation:** Wait to set up infrastructure until you have domain and email hosting.
=== 5.2 Documentation to Prepare ===
**Must Exist Before Launch:**
* Processing activities register (internal)
* Initial DPIA for AKEL (internal)
* Breach response procedure
* Privacy Policy (done, set effective date)
* Transparency Policy (done, set effective date)
**Should Exist:**
* Terms of Service
* Simple security policy
* CLA
**Can Wait:**
* Detailed security documentation
* Complex governance processes
=== 5.3 Tools and Services ===
**Hosting:**
* Swiss providers (Hetzner, Infomaniak) or other reliable hosting
* Start small, scale up
**Email/Contact:**
* Swiss privacy-focused providers (ProtonMail, Tutanota)
* Free tiers available initially
**Development:**
* GitHub or GitLab (free for public repos)
**Monitoring:**
* Free tier services available (UptimeRobot, etc.)
**Documentation:**
* GitHub Wiki, GitBook, or XWiki
== 6. Decision Points ==
Strategic decisions needed before implementation:
=== 6.1 Critical Decisions ===
| Decision | Options | Consideration |
|----------|---------|---------------|
| **Serve EU users day 1?** | Yes/No/Later | Affects DPO requirement |
| **Code licensing** | MIT / MIT+AGPL | Simpler vs. stronger copyleft |
| **Hosting location** | CH/EU/US | Swiss aligns with mission |
| **AI model** | Open/API | Infrastructure vs. simplicity |
=== 6.2 Organizational Decisions ===
| Decision | Options |
|----------|---------|
| **Governing Team size** | Two minimum, can expand later |
| **Governing Team meetings** | Quarterly minimum |
| **DPO** | Only if/when needed |
| **Commercial Register** | Optional for non-profit |
== 7. Launch Blockers - Go/No-Go Checklist ==
**Cannot launch until ALL are complete:**
**Legal:**
- [ ] Verein bylaws adopted
- [ ] Governing Team appointed (two members minimum)
- [ ] Swiss representative designated
- [ ] Privacy Policy effective date set
- [ ] Processing activities register created
- [ ] Initial DPIA completed
**Technical:**
- [ ] HTTPS encryption implemented
- [ ] Cookie consent (opt-in) working
- [ ] Data export functionality working
- [ ] Account deletion working
- [ ] Breach notification procedure documented
**Operational:**
- [ ] Contact infrastructure established
- [ ] Security incident procedure documented
- [ ] Data retention automation configured
- [ ] Terms of Service created
== 8. Post-Launch Compliance ==
**Immediate Response Required:**
* Data subject requests (within required timeframe)
* Security breaches (immediate FDPIC notification if high risk)
* Abuse reports (timely)
**Quarterly:**
* Governing Team meeting
* Review data retention
* Security check
**Twice Yearly:**
* Publish transparency report
* Review policies
**Annually:**
* Publish financial statements
* Annual policy review
* Privacy audit
* External audit (if above revenue threshold)
== 9. As Team Grows ==
**Initial (Solo):**
* One person handles all functions
* Document everything
* Use templates and tools
**Early Growth (First Helpers):**
* Distribute technical vs. governance tasks
* Cross-training important
* Keep communication clear
**Established Team:**
* Specialized roles emerge naturally
* Formal responsibility assignments
* More sophisticated processes
**Key:** Start simple, scale processes as team and complexity grow.
== 10. Budget Considerations ==
**Pre-Launch:**
* Legal advisor (essential)
* Minimal infrastructure
* Free tools where possible
**Ongoing:**
* Hosting (start small)
* Email/contact infrastructure
* Legal support as needed
* Scale as revenue permits
**Later:**
* Security assessments
* Trademark registration
* Professional audits
* Better tooling
**Philosophy:** Start lean, invest as you validate product-market fit.
== 11. Risk Management ==
**Key Risks:**
* Legal delays
* Technical complexity
* Time management (solo)
* Volunteer coordination
* Burnout
**Mitigation:**
* Start legal work early
* Build MVP, iterate
* Realistic scope
* Good documentation
* Don't overcommit
== 12. Success Criteria ==
**Ready to launch when:**
* All launch blockers complete
* Legal advisor approves policies
* Governing Team formally approves launch
* Contact infrastructure works
* Core functions operational
* Capacity to handle support exists
**Remember:** Launch with working MVP, not perfect system.
== 13. Timeline Considerations ==
**Factors:**
* Legal processes take time
* Technical implementation scope
* Part-time vs. full-time work
* Availability of help
* Budget constraints
**Approach:**
* Start critical path items early
* Build in buffer time
* Be realistic about capacity
* Iterate after launch
== 14. Final Notes ==
**Don't Let Perfect Be the Enemy of Good:**
You don't need:
* Complex infrastructure
* Large team
* Expensive tools
You do need:
* Legal compliance
* Working functionality
* Clear communication
**You can launch with:**
* Yourself initially
* Basic infrastructure
* MVP implementation
* Free/low-cost tools
* Volunteers for help
**Focus on:**
* Legal requirements (non-negotiable)
* Core functionality (working > perfect)
* Good documentation (for future team)
* Clear communication (honest about solo start)
**Scale when:**
* You have users
* You have validation
* Team grows naturally
* Revenue supports it
== 15. Version History ==
* **V0.9.30** (2025-12-17): Adapted for small organization reality
== 16. Related Documents ==
* [[Privacy Policy>>FactHarbor.Organisation.How-We-Work-Together.Privacy-Policy]]
* [[Transparency Policy>>FactHarbor.Organisation.How-We-Work-Together.Transparency-Policy]]
* [[Open Source Model and Licensing>>FactHarbor.Organisation.Open Source Model and Licensing]]
* [[Finance & Compliance>>FactHarbor.Organisation.Finance-Compliance]]
* [[Governance>>FactHarbor.Organisation.Governance.WebHome]]
**Last Updated:** December 17, 2025
**Status:** Adapted for solo start with team growth expected