B2B SaaS Pre-Delivery Checklist¶
OWNER: aimee ALSO_USED_BY: anna, eric (contract), hugo (auth/security), faye, sytske
This checklist is validated before every B2B SaaS delivery. Each item is marked PASS, FAIL, or N/A. All FAIL items must be resolved before launch. Faye/Sytske (team PM) runs this checklist. Hugo validates security items. Anna validates technical items.
1. Authentication & Access Control¶
CHECK: Email/password registration and login works end-to-end CHECK: Password reset flow completes (email sent, link works, single-use, expires) CHECK: Email verification flow works (deferred, non-blocking) CHECK: Social login configured and tested (each provider) CHECK: MFA setup flow works (QR code, manual entry, recovery codes) CHECK: MFA enforcement toggleable per org by admin CHECK: SSO configuration flow works (SAML and/or OIDC as scoped) CHECK: SSO tested against target IdPs (Okta, Entra ID, Google Workspace) CHECK: JIT provisioning creates user with correct role on first SSO login CHECK: SCIM provisioning creates, updates, and deactivates users (if scoped) CHECK: Session tokens are httpOnly, Secure, SameSite=Lax CHECK: Session expiry and idle timeout work correctly CHECK: Force logout terminates session immediately CHECK: API keys can be created, scoped, rotated, and revoked CHECK: API key permissions enforced on every request
2. Multi-Tenancy & Data Isolation¶
CHECK: Every tenant-scoped table has tenant_id column (NOT NULL, indexed) CHECK: RLS policies enabled and enforced on all tenant-scoped tables CHECK: Cross-tenant data access returns zero results (tested with direct DB query) CHECK: Tenant context set via SET LOCAL in transaction (not SET without LOCAL) CHECK: Background jobs carry and set tenant context before execution CHECK: Cache keys include tenant_id prefix CHECK: File storage paths include tenant_id prefix CHECK: Search results are tenant-scoped (no cross-tenant leakage) CHECK: Webhook payloads contain only the originating tenant's data CHECK: Audit log entries include tenant_id CHECK: Tenant deletion cascades to all data, files, cache, queued jobs
3. RBAC & Permissions¶
CHECK: All predefined roles created on tenant provisioning CHECK: Permission matrix matches signed-off specification CHECK: Every API route has permission middleware CHECK: Member cannot access Admin-only endpoints (403 returned) CHECK: Viewer cannot create, update, or delete (403 returned) CHECK: Custom roles (if scoped) can be created with cherry-picked permissions CHECK: Role changes take effect within cache TTL (5 minutes max) CHECK: Deactivated user loses all access immediately CHECK: Owner role cannot be removed from last owner CHECK: Platform admin impersonation is time-limited and audit-logged
4. Billing & Subscriptions¶
CHECK: Mollie (PRIMARY) / Stripe (secondary) integration configured with live keys (not test keys) CHECK: Plan selection, upgrade, and downgrade work with correct proration CHECK: Seat count updates when users added/removed CHECK: Usage metering reports correct values (if usage-based) CHECK: Payment succeeds with test card (Mollie/Stripe test mode before go-live) CHECK: Failed payment triggers dunning sequence (retry + email) CHECK: Invoice generated and emailed on each billing cycle CHECK: Invoice contains correct VAT, company details, line items CHECK: Billing portal accessible and functional (plan, payment method, invoices) CHECK: Trial expiry locks account as specified (read-only or full lockout) CHECK: Subscription cancelled state allows access until period end CHECK: Webhook events from payment provider processed idempotently
5. Onboarding¶
CHECK: Signup form has maximum 3 fields CHECK: Setup wizard completes end-to-end CHECK: Each wizard step has skip option CHECK: Wizard state persists across browser sessions CHECK: Data import (CSV) works with valid file CHECK: Data import shows validation errors for invalid file CHECK: Demo data loads correctly and can be removed CHECK: Product tour displays on first visit and remembers completion CHECK: Onboarding checklist tracks progress accurately CHECK: Welcome email sent immediately after signup CHECK: Trial expiry emails sent at correct intervals
6. Core Application¶
CHECK: Dashboard loads in < 2 seconds CHECK: All CRUD operations work for every entity type CHECK: Pagination works correctly (cursor-based, no duplicates or gaps) CHECK: Filtering and sorting produce correct results CHECK: Search returns relevant results within 200ms CHECK: File upload and download work (correct tenant path, access control) CHECK: Activity feed shows recent actions accurately CHECK: Real-time updates work (WebSocket/SSE — if scoped)
7. API & Integrations¶
CHECK: OpenAPI specification is auto-generated and accurate CHECK: API authentication works (API key and/or OAuth2 token) CHECK: Rate limiting enforced (returns 429 with correct headers) CHECK: Webhook delivery works (test endpoint receives event) CHECK: Webhook signature verification passes CHECK: Webhook retry works on simulated failure CHECK: Native integrations connect and sync (each integration tested) CHECK: Zapier/Make triggers fire correctly (if scoped) CHECK: Zapier/Make actions execute correctly (if scoped)
8. Notifications¶
CHECK: Transactional emails delivered (invite, password reset, receipt) CHECK: Notification emails delivered (assignment, mention, status change) CHECK: Email templates render correctly (branding, links, content) CHECK: Unsubscribe link works per notification type CHECK: In-app notification bell shows correct unread count CHECK: In-app notifications update in real-time CHECK: Push notifications delivered (if scoped)
9. Compliance & Security¶
CHECK: DPA template available for download CHECK: Sub-processor list published and current CHECK: Privacy policy and terms of service pages live CHECK: Cookie consent banner functional (if applicable) CHECK: DSAR export generates complete data package CHECK: DSAR erasure removes data from DB, files, cache within 30 days CHECK: Audit log records all state changes (create, update, delete) CHECK: Audit log is append-only (no update or delete possible) CHECK: Audit log viewer works with filters and export CHECK: Login audit captures all attempts (success and failure) CHECK: Encryption at rest verified (database, file storage) CHECK: TLS 1.3 enforced on all endpoints CHECK: Security headers present (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) CHECK: No secrets in client-side code (API keys, database credentials) CHECK: Dependency vulnerability scan passes (no critical or high CVEs) CHECK: Data stored in EU region (verified in hosting provider dashboard)
10. Performance & Reliability¶
CHECK: Page load time < 3 seconds on 3G connection CHECK: API response time < 200ms for single-resource endpoints CHECK: API response time < 500ms for list endpoints (paginated) CHECK: Database queries use indexes (no sequential scans on large tables) CHECK: Background jobs complete within expected time CHECK: Error rate < 0.1% under normal load CHECK: Uptime monitoring configured (status page live) CHECK: Backup strategy implemented and tested (restore verified) CHECK: RTO and RPO documented and achievable CHECK: Auto-scaling configured (if applicable)
11. Infrastructure & DevOps¶
CHECK: CI/CD pipeline runs tests, lints, builds, and deploys CHECK: Staging environment mirrors production CHECK: Environment variables managed via secrets manager (not .env files in repo) CHECK: Database migrations versioned and reversible CHECK: Rollback procedure documented and tested CHECK: Log aggregation configured (application logs, access logs, error logs) CHECK: Alerting configured (downtime, error spike, disk space, memory) CHECK: DNS configured with correct TTL CHECK: SSL certificate auto-renewal configured CHECK: CDN configured (if applicable) with EU-only origins
12. Legal & Contractual¶
CHECK: Privacy policy reviewed by legal and published CHECK: Terms of service reviewed by legal and published CHECK: DPA reviewed by Eric and ready for customer signature CHECK: SLA defined and documented (uptime percentage, response times) CHECK: Acceptable use policy published (if applicable) CHECK: GDPR processing register entry completed CHECK: Sub-processor DPAs in place for all third-party services
Sign-Off¶
| Role | Agent | Status | Date |
|---|---|---|---|
| Technical Architect | Aimee | ||
| Technical Spec | Anna | ||
| Auth & Security | Hugo | ||
| Contract & Legal | Eric | ||
| Team PM | Faye/Sytske | ||
| Client Approval | (client) | ||
| Human Review | Dirk-Jan |
IF: All checks PASS or N/A THEN: Approved for delivery IF: Any FAIL items remain THEN: Block delivery until resolved — no exceptions IF: Client requests waiver on a FAIL item THEN: Document waiver in writing, client signs acceptance of risk