● Bubble Architect Series · Pre-Launch Architecture Checklist
The Bubble SaaS Architecture Checklist We Use Before Every Launch
50 items across security, billing, performance, and operations. Every item on this checklist has been the cause of a real incident in a real Bubble SaaS. This is not theoretical. It is documented failure modes — each one a real founder, real customer, real cost.
50Checklist Items
4Categories
EveryItem a Real Incident
Pre-Launch Protocol
The 50-Item Checklist That Stands Between Your App and Production
Every application we build passes through a 50-item pre-launch checklist before it is deployed to live. This checklist exists because every item on it has been the cause of a real incident in a real Bubble SaaS product. These are not theoretical concerns. They are documented failure modes, each of which has cost a founder real customers, real revenue, or real reputation.
🔒 Security (12 items)
Non-Negotiable Before Any Paying Customer
01. Every data type has at least one explicit privacy rule
02. No data type has ‘Everyone’ in its final privacy configuration
03. Tenant isolation test PASSED: two-browser protocol, zero cross-tenant data leakage
04. Every sensitive workflow has a role check on Step 1 with Only when condition
05. No API keys, secrets, or tokens stored in data type fields visible to users
06. Stripe webhook signature validated on Step 1 of all webhook handlers
07. No Bubble Data API exposed without explicit field-level access controls
08. File uploads are not accessible via public URLs without authentication check
09. Direct URL access to another workspace’s record detail page returns empty/error
10. Admin pages redirect non-admin users on page load
11. All delete and modify workflows verified against client API calls (not just UI)
12. HTTPS confirmed active on custom domain
02. No data type has ‘Everyone’ in its final privacy configuration
03. Tenant isolation test PASSED: two-browser protocol, zero cross-tenant data leakage
04. Every sensitive workflow has a role check on Step 1 with Only when condition
05. No API keys, secrets, or tokens stored in data type fields visible to users
06. Stripe webhook signature validated on Step 1 of all webhook handlers
07. No Bubble Data API exposed without explicit field-level access controls
08. File uploads are not accessible via public URLs without authentication check
09. Direct URL access to another workspace’s record detail page returns empty/error
10. Admin pages redirect non-admin users on page load
11. All delete and modify workflows verified against client API calls (not just UI)
12. HTTPS confirmed active on custom domain
💰 Billing (10 items)
Stripe Integration Verified End-to-End
13. Stripe keys switched from sk_test_ to sk_live_ in all API Connector calls
14. Webhook URL updated to production app URL (not /version-test URL)
15. All 6 webhook events handled: checkout.completed, subscription.updated,
subscription.deleted, payment_failed, payment_succeeded, trial_will_end
16. Subscription status set ONLY by webhook events, never by redirect URL
17. A live end-to-end test completed with real card before any announcement
18. Stripe Customer Portal enabled for self-serve billing management
19. Cancelled workspaces: data preserved, read-only mode, reactivation visible
20. Plan limits enforced in both UI conditions AND Step 1 workflow guards
21. Seat limit and record limit checked before every creation workflow
22. Invoice.payment_failed sends urgent payment update email to workspace owner
14. Webhook URL updated to production app URL (not /version-test URL)
15. All 6 webhook events handled: checkout.completed, subscription.updated,
subscription.deleted, payment_failed, payment_succeeded, trial_will_end
16. Subscription status set ONLY by webhook events, never by redirect URL
17. A live end-to-end test completed with real card before any announcement
18. Stripe Customer Portal enabled for self-serve billing management
19. Cancelled workspaces: data preserved, read-only mode, reactivation visible
20. Plan limits enforced in both UI conditions AND Step 1 workflow guards
21. Seat limit and record limit checked before every creation workflow
22. Invoice.payment_failed sends urgent payment update email to workspace owner
⚡ Performance (10 items)
Verified to Load Fast at Scale
23. Zero :filtered by expressions anywhere in the application
24. All dashboard metrics read from pre-calculated Workspace fields
25. All repeating groups paginated to maximum 20 items
26. Dashboard page load tested under 2 seconds with 500+ records per type
27. All long-running operations use backend API workflows
28. All images compressed before storage; thumbnails used in list views
29. App deployed on Growth plan minimum (dedicated server)
30. Mobile page load tested on 3G connection under 3 seconds
31. No synchronous API calls blocking dashboard page render
32. Option Sets used for all static enumeration data
24. All dashboard metrics read from pre-calculated Workspace fields
25. All repeating groups paginated to maximum 20 items
26. Dashboard page load tested under 2 seconds with 500+ records per type
27. All long-running operations use backend API workflows
28. All images compressed before storage; thumbnails used in list views
29. App deployed on Growth plan minimum (dedicated server)
30. Mobile page load tested on 3G connection under 3 seconds
31. No synchronous API calls blocking dashboard page render
32. Option Sets used for all static enumeration data
📧 Communication & Operations (18 items)
Ready to Serve Real Customers
33. All 8 onboarding emails scheduled correctly on workspace creation
34. Transactional email sender domain verified (SPF, DKIM, DMARC configured)
35. All emails land in inbox (tested with Mail Tester; score > 9)
36. Password reset email tested end-to-end
37. Custom domain connected and SSL certificate active
38. Trial-ending email fires 3 days before trial_ends_at
39. Session recording installed (Hotjar or FullStory) for first users
40. Error logging active: every API failure creates an ErrorLog record
41. Admin dashboard shows at-risk customers, error log, and MRR overview
42. All new data types have workspace field, soft delete, and audit timestamp
43. is_deleted filter added to all existing searches for all data types
44. Architecture document complete and reviewed by client
45. Workflow dictionary: every key workflow documented with trigger and logic
46. Deployment process documented: branch strategy and pre-deploy checklist
47. Smoke test protocol defined and run against live environment post-deploy
48. Support contact visible in app (Intercom, Crisp, or email)
49. Privacy Policy and Terms of Service linked from footer and signup page
50. Founder personal announcement ready: first 10 customers contacted directly
34. Transactional email sender domain verified (SPF, DKIM, DMARC configured)
35. All emails land in inbox (tested with Mail Tester; score > 9)
36. Password reset email tested end-to-end
37. Custom domain connected and SSL certificate active
38. Trial-ending email fires 3 days before trial_ends_at
39. Session recording installed (Hotjar or FullStory) for first users
40. Error logging active: every API failure creates an ErrorLog record
41. Admin dashboard shows at-risk customers, error log, and MRR overview
42. All new data types have workspace field, soft delete, and audit timestamp
43. is_deleted filter added to all existing searches for all data types
44. Architecture document complete and reviewed by client
45. Workflow dictionary: every key workflow documented with trigger and logic
46. Deployment process documented: branch strategy and pre-deploy checklist
47. Smoke test protocol defined and run against live environment post-deploy
48. Support contact visible in app (Intercom, Crisp, or email)
49. Privacy Policy and Terms of Service linked from footer and signup page
50. Founder personal announcement ready: first 10 customers contacted directly
Work With a Bubble Architect
Most developers build Bubble apps. We architect them. Data models designed for scale, multi-tenant security built from day one, Stripe billing that never fails, and workflows engineered for performance. This is what a Bubble Architect delivers.
The Bubble SaaS Architecture Checklist We Use Before Every Launch
Simple Automation Solutions — Bubble Architects · sasolutionspk.com
