# Pre-Scale SaaS Audit Checklist

A 10-point checklist to walk through *before* you 10× your traffic — written by Nikola Lalovic.

This isn't a list of nice-to-haves. It's the things that have actually broken in production for me, my clients, or someone in my network — and the cheap-to-fix-now / expensive-to-fix-later versions of each.

Use it as: a Friday-afternoon checklist on your current SaaS, an architecture-review template before a launch, or a list of questions to ask your engineering team.

---

## 1. Database

- [ ] Slow-query log enabled and reviewed weekly. Find the top 3 offenders before a customer does.
- [ ] Indexes match actual query patterns — check `EXPLAIN ANALYZE` on hot queries.
- [ ] Connection pool size matches actual concurrency. (PgBouncer, Supavisor, or RDS Proxy if needed.)
- [ ] Read replicas considered for analytics workloads.
- [ ] N+1 queries caught at PR-review time. Add a runtime warning in dev if you don't have one.

## 2. Authentication & sessions

- [ ] Sessions expire and refresh sensibly (not "log in every visit" or "logged in forever").
- [ ] Password reset flow is rate-limited and logs the IP that initiated it. Reset tokens are single-use and short-lived, and the response is identical whether or not the email exists.
- [ ] Login endpoint is rate-limited per IP *and* per username. Per IP alone lets a botnet hammer one account; per username alone lets one box spray thousands of accounts.
- [ ] OAuth tokens stored encrypted at rest (an AEAD such as AES-GCM), with the key held outside the database (KMS or secrets manager), so a DB dump on its own yields nothing usable.
- [ ] Secrets rotation plan exists for OAuth client secrets, JWT signing keys, etc.

## 3. Hosting & deploy

- [ ] You can ship a hot-fix in under 15 minutes from "I see the bug" to "it's live".
- [ ] Rollback is one click or one command — tested in the last 30 days.
- [ ] You know which region you're deployed to and whether that matches where your users are.
- [ ] CI/CD secrets aren't shared between staging and prod.
- [ ] Deploy notifications go somewhere (Slack, email) — silent deploys are how things break unnoticed.

## 4. Observability

- [ ] Error tracking (Sentry, Highlight, or similar) — every server error and unhandled client exception lands somewhere a human reads.
- [ ] Response-time metrics for the top 5 user actions, with alerts on regression.
- [ ] DB CPU / connection / lock-wait metrics with alerts.
- [ ] Logs are structured (JSON) and searchable.
- [ ] One dashboard you can show an investor that proves the thing is healthy.

## 5. Backups

- [ ] Automated daily DB backup with 7+ day retention, with at least one copy in a separate account or region that prod credentials cannot delete. An attacker who gets your prod keys will go for the backups first.
- [ ] Backup *restore* has been tested in the last 90 days: restored into an isolated environment, app booted against it, row counts sanity-checked. Untested backups are theatre.
- [ ] RTO and RPO are written down somewhere. Everyone on the team knows them.
- [ ] User-uploaded files are backed up too — not just the database.

## 6. Security

- [ ] HTTPS everywhere; HSTS set with a long `max-age` (six months or more) and `includeSubDomains`; mixed-content warnings cleared.
- [ ] Secrets in environment variables or a secrets manager, not in Git history, not in screenshots, not in the client bundle. Anything that ever landed in Git is burned: rotate it, don't just delete the commit.
- [ ] Dependency scanning (Dependabot, Snyk, npm audit) running on every PR.
- [ ] CSP that actually constrains `script-src` (no `'unsafe-inline'` unless you use nonces or hashes) plus the usual headers: `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `frame-ancestors` or `X-Frame-Options`. Check with [securityheaders.com](https://securityheaders.com).
- [ ] Publicly reachable ports / open S3 buckets / open Mongo audited at least quarterly.
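A header audit for the HSTS and CSP items above, as an added example rather than anything from the original page. It takes a response header map (lowercase names, as Node's `http` module returns them) and reports the same things a reviewer would flag by hand: short or subdomain-less HSTS, a CSP whose `script-src` is wide open, missing clickjacking protection, missing `nosniff` and `Referrer-Policy`, and an `X-Powered-By` leak. `auditHeaders`, the finding ids and the two header sets are constructed for this example.

```javascript
// Added example: audit a set of response headers for the HSTS/CSP checklist items.
const SIX_MONTHS = 15552000; // seconds; hstspreload.org needs at least 31536000 (one year)

// Parse "max-age=31536000; includeSubDomains; preload" into its parts.
function parseHsts(value) {
  const tokens = value.split(';').map(t => t.trim().toLowerCase()).filter(Boolean);
  const maxAge = tokens.find(t => t.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : null,
    includeSubDomains: tokens.includes('includesubdomains'),
    preload: tokens.includes('preload'),
  };
}

// Parse a CSP into { directive: [sources...] }. Directive names are lowercased;
// source values are left alone because nonces and hashes are case-sensitive.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// headers: { name: value } with any casing. Returns [{ id, message }]; empty means all checks passed.
function auditHeaders(headers) {
  const findings = [];
  const add = (id, message) => findings.push({ id, message });
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  if (!h['strict-transport-security']) {
    add('hsts-missing', 'No Strict-Transport-Security header');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (hsts.maxAge === null || hsts.maxAge < SIX_MONTHS)
      add('hsts-short', `HSTS max-age ${hsts.maxAge} is below ${SIX_MONTHS}s`);
    if (!hsts.includeSubDomains)
      add('hsts-no-subdomains', 'HSTS lacks includeSubDomains; a subdomain can still be served over plain HTTP');
  }

  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) {
    add('csp-missing', 'No Content-Security-Policy header');
  } else {
    const script = csp['script-src'] || csp['default-src'];
    if (!script) {
      add('csp-no-script-src', 'CSP has neither script-src nor default-src; scripts are unrestricted');
    } else {
      const hasNonceOrHash = script.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
      if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
        add('csp-unsafe-inline', "script-src allows 'unsafe-inline' with no nonce/hash, which defeats the XSS protection");
      if (script.includes("'unsafe-eval'")) add('csp-unsafe-eval', "script-src allows 'unsafe-eval'");
      if (script.includes('*')) add('csp-wildcard', 'script-src allows scripts from any origin (*)');
    }
  }
  if (!(csp && csp['frame-ancestors']) && !h['x-frame-options'])
    add('clickjacking', 'Neither CSP frame-ancestors nor X-Frame-Options is set');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    add('nosniff-missing', 'X-Content-Type-Options: nosniff not set');
  if (!h['referrer-policy']) add('referrer-policy-missing', 'No Referrer-Policy header');
  if (h['x-powered-by']) add('leak-x-powered-by', `X-Powered-By reveals the stack: ${h['x-powered-by']}`);
  return findings;
}

// Constructed header sets: a typical untouched framework default versus a hardened response.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=86400',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' *",
  'X-Powered-By': 'Express',
};
const HARDENED_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-R4nd0m'; object-src 'none'; frame-ancestors 'none'",
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
};

if (typeof module !== 'undefined') module.exports = { auditHeaders, parseHsts, parseCsp, WEAK_HEADERS, HARDENED_HEADERS, SIX_MONTHS };
```

Wire `auditHeaders` into an integration test against your staging deploy so a framework upgrade that quietly drops a header fails CI instead of surfacing on securityheaders.com months later.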

## 7. Performance

- [ ] Lighthouse run on the marketing page and the most-trafficked app page. Both ≥ 85 in performance.
- [ ] Images are sized appropriately and served as WebP/AVIF where possible.
- [ ] JS bundle size monitored — alerts if it grows by more than 10% in a PR.
- [ ] CDN caching strategy is intentional (not just "Vercel does it").
- [ ] Database queries on the homepage take less than 50ms p95.

## 8. SEO & discoverability

- [ ] `robots.txt`, `sitemap.xml`, canonical tags set per page.
- [ ] Structured data (JSON-LD) on key pages — Article, BreadcrumbList, Service.
- [ ] Open Graph + Twitter card images for social sharing.
- [ ] Page titles and meta descriptions are unique per page.
- [ ] Internal linking strategy — your best pages don't live three clicks deep.

## 9. Compliance

- [ ] If you have EU users: cookie banner, privacy policy, data-deletion endpoint, DPO contact (or substitute).
- [ ] If you have California users: CCPA notices, "Do Not Sell" link if applicable.
- [ ] Third-party processors documented with their DPAs filed somewhere accessible.
- [ ] Data retention policy exists and matches reality.

## 10. Documentation & continuity

- [ ] A new engineer can deploy a change to production in under a day.
- [ ] Architecture overview written down — even one page is better than zero.
- [ ] Run-books for "this thing has broken in the past": payments down, DB locked, deploy stuck.
- [ ] Vendor list with what each one costs and what would break if it disappeared.
- [ ] Hand-over notes if the only person who knows the deploy pipeline gets hit by a bus.

---

## What to do with this

Print it out. Walk through it with your team or your tech lead. Score yourself. The score doesn't matter — the *delta* between where you are and where you want to be does.

If you'd like a second pair of eyes on any of these, [get in touch](https://belikenikola.com/#get-in-touch). I do focused architecture audits at a fixed price.

— Nikola
