Elena Marchetti, Head of Product, YuSMP Group · 12+ years shipping B2B SaaS for US and EU teams

How to use the checklist

Every item is either required (do not launch without it), strong default (skip only with a written reason) or nice-to-have (defer to post-launch if needed). For each item, write down the owner (PM, engineer, founder, lawyer) and the evidence (URL, screenshot, link to test result). “Done” without evidence is not done.

You should be able to run this checklist end-to-end in 2–4 hours with the team in one room. If it takes longer, something is unclear and you are not ready.

Product (1–6)

  1. One-sentence positioning is written and tested. Required. The 8-word version a customer will repeat to a peer. Tested against 5 target users.
  2. The core flow ships end-to-end without help. Required. Signup → activation → value moment → payment, with no manual ops in the middle.
  3. Empty states are designed. Strong default. Every list, every dashboard, every feed has a meaningful empty state, not a blank screen.
  4. Error states are designed and human. Strong default. “Something went wrong” is a failure of product, not an error message.
  5. Onboarding completes in under 4 minutes. Strong default. Measured, not assumed. Time-to-value is the single most important MVP metric.
  6. Pricing page reflects the actual billing implementation. Required. If the page says “cancel anytime” and the cancel flow takes 4 emails, you have a fraud claim waiting.

Engineering (7–14)

  7. All environments use IaC. Strong default. Terraform, Pulumi or SST. Click-ops infra is a launch blocker by month three.
  8. CI pipeline runs on every PR. Required. Lint, typecheck, unit tests, build. Below 10 minutes end-to-end.
  9. Database migrations are forward-only and idempotent. Required. Sqitch, Flyway, Prisma Migrate or Drizzle Kit. No “run this SQL by hand on prod.”
  10. Secrets are in a vault, not in env files. Required. AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, Doppler. Rotated.
  11. Backups are tested. Required. Not just configured — restored at least once from production data to a fresh DB.
  12. Rate limiting on auth and payment endpoints. Required. 100 req/min per IP at minimum; harder limits on signup, login, password reset.
  13. Mobile builds signed with proper distribution certificates. Required if mobile. Lost certificate = lost ability to ship updates.
  14. A staging environment exists and is used. Strong default. Same shape as prod, fed from anonymised data. PR previews are nice; staging is mandatory.
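
For the rate-limiting item above, a sliding-window limiter keyed by client IP and route, added here as an illustration and not taken from any YuSMP code base. The 100 req/min default is the checklist's floor; the tighter per-route numbers, the route paths and the class name are assumptions.

```python
import time
from collections import defaultdict, deque

# Per-minute limits. 100/min is the checklist's floor; the tighter numbers
# for signup, login and password reset are assumed values for illustration.
DEFAULT_LIMIT = 100
ROUTE_LIMITS = {"/signup": 5, "/login": 10, "/password-reset": 3}
WINDOW_SECONDS = 60


class SlidingWindowLimiter:
    """In-memory sliding-window log limiter keyed by (client IP, route)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits = defaultdict(deque)  # (ip, route) -> timestamps of allowed hits

    def check(self, ip, route):
        """Return (allowed, retry_after_seconds) for one incoming request."""
        limit = ROUTE_LIMITS.get(route, DEFAULT_LIMIT)
        now = self._clock()
        hits = self._hits[(ip, route)]
        # Drop hits that have aged out of the window.
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= limit:
            # Time until the oldest hit expires; send it as Retry-After with a 429.
            return False, WINDOW_SECONDS - (now - hits[0])
        hits.append(now)
        return True, 0.0


def simulate(requests):
    """Replay constructed (time, ip, route) tuples; return the allowed flags."""
    t = [0.0]
    limiter = SlidingWindowLimiter(clock=lambda: t[0])
    allowed = []
    for when, ip, route in requests:
        t[0] = when
        allowed.append(limiter.check(ip, route)[0])
    return allowed
```

Behind a load balancer, key on the client address your proxy is configured to trust, and move the counters to a shared store once more than one instance serves traffic.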

Security & compliance (15–22)

  15. HTTPS everywhere with HSTS. Required. No mixed content. HSTS preload submitted.
  16. Content Security Policy is set and tested. Strong default. Even a lax CSP catches whole classes of XSS.
  17. Auth uses a managed provider. Required. Clerk, Auth0, Supabase Auth, WorkOS, FusionAuth — not hand-rolled.
  18. Passwords are hashed with bcrypt/Argon2id. Required if you self-manage auth. Plaintext or MD5 in 2026 is unforgivable.
  19. RLS enforces tenant isolation (multi-tenant SaaS). Required. See multi-tenant SaaS architecture.
  20. Dependency scanning runs in CI. Strong default. Dependabot, Renovate, Snyk. Critical CVEs block merge.
  21. An incident runbook exists. Required. Who is on call, how to declare an incident, how to communicate with customers, how to post-mortem.
  22. GDPR/CCPA data-deletion flow works. Required if you have EU or California users. End-to-end test covers user-initiated deletion across DB, blob, analytics and logs.
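
The HSTS and CSP items above can be turned into launch evidence with a header audit. The check below is an added example, not the author's tooling: it takes one response's headers as a dict and reports what blocks HSTS preload submission and which script rules leave the CSP weakest. The function name and sample headers are constructed.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age hstspreload.org accepts


def audit_headers(headers):
    """Return findings for the response headers (a dict) of one HTTPS response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";") if d.strip()]
        ages = [re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d) for d in directives]
        max_age = next((int(m.group(1)) for m in ages if m), None)
        if max_age is None or max_age < PRELOAD_MIN_AGE:
            findings.append(f"HSTS: max-age {max_age} is below the preload minimum")
        for required in ("includesubdomains", "preload"):
            if required not in directives:
                findings.append(f"HSTS: {required} directive missing")

    csp = h.get("content-security-policy")
    if csp is None:
        report_only = "content-security-policy-report-only" in h
        findings.append("CSP: report-only, nothing enforced" if report_only else "CSP: header missing")
    else:
        policy = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:  # first occurrence of a directive wins, as in browsers
                policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
        sources = policy.get("script-src", policy.get("default-src"))
        if sources is None:
            findings.append("CSP: no script-src or default-src, scripts unrestricted")
        else:
            pinned = any(s.startswith(("'nonce-", "'sha")) for s in sources)
            if "'unsafe-inline'" in sources and not pinned:
                findings.append("CSP: inline scripts allowed ('unsafe-inline')")
            if "*" in sources:
                findings.append("CSP: scripts allowed from any origin (*)")
    return findings


# Constructed sample headers, not captured from a real site.
WEAK = {"Strict-Transport-Security": "max-age=86400",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *"}
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; object-src 'none'"}
```

An empty findings list for every public hostname is the kind of evidence the checklist asks for on these two items.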

Billing & payments (23–28)

  23. Stripe in production mode, webhooks verified. Required. Test mode = no revenue.
  24. Webhook handler is idempotent. Required. Stripe retries; without idempotency you bill twice.
  25. Failed payments trigger dunning. Required. Smart Retries on, dunning emails configured.
  26. Cancellation flow respects the law. Required. EU law and US FTC click-to-cancel rules require parity with the signup flow.
  27. VAT/sales tax handled. Required for EU sales. Stripe Tax or Quaderno covers most cases.
  28. Refund flow has a documented runbook. Strong default. Even MVPs get refund requests in week one.
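
The two webhook items above (verified and idempotent) combined in one handler, as an added example that is not the author's code. Signature checking follows Stripe's documented `Stripe-Signature` scheme using only the standard library; `WebhookHandler`, the in-memory `seen` set and the `paid_invoices` list are hypothetical stand-ins for your own storage.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # reject stale timestamps to limit replay of captured requests


def expected_signature(payload: bytes, timestamp: str, secret: str) -> str:
    # Signed string is "<timestamp>.<raw body>", HMAC-SHA256 keyed with the endpoint secret.
    return hmac.new(secret.encode(), timestamp.encode() + b"." + payload, hashlib.sha256).hexdigest()


def verify_signature(payload: bytes, header: str, secret: str, now=None) -> bool:
    """Check a Stripe-Signature header of the form t=<unix>,v1=<hex>[,v1=<hex>]."""
    pairs = [p.strip().split("=", 1) for p in header.split(",") if "=" in p]
    timestamp = next((v for k, v in pairs if k == "t"), "")
    candidates = [v for k, v in pairs if k == "v1"]
    if not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False
    want = expected_signature(payload, timestamp, secret).encode()
    # Constant-time compare; any matching v1 passes so secret rotation keeps working.
    return any(hmac.compare_digest(want, c.encode()) for c in candidates)


class WebhookHandler:
    def __init__(self, secret: str):
        self.secret = secret
        self.seen = set()        # stand-in for a table with UNIQUE(event_id)
        self.paid_invoices = []  # stand-in for the billing side effect

    def handle(self, payload: bytes, header: str, now=None) -> int:
        """Return the HTTP status to send back to Stripe."""
        if not verify_signature(payload, header, self.secret, now):
            return 400
        event = json.loads(payload)
        if event["id"] in self.seen:
            return 200  # retry of an event already processed: acknowledge, do nothing
        if event["type"] == "invoice.paid":
            self.paid_invoices.append(event["data"]["object"]["id"])
        self.seen.add(event["id"])
        return 200
```

Verify against the raw request bytes, before any JSON parsing or re-serialisation by the framework. In production, record the event ID in the same database transaction as the side effect so a crash between the two cannot double-apply.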

Observability & reliability (29–34)

  29. Error tracking with stack traces. Required. Sentry, Rollbar, Bugsnag. Linked to releases for source-mapped traces.
  30. Structured logging. Required. JSON logs, request ID propagated end-to-end, tenant ID on every log line for multi-tenant.
  31. Basic metrics dashboard. Strong default. Latency, error rate, throughput. Datadog free tier, Grafana Cloud free tier, or self-hosted Prometheus.
  32. Uptime checks from outside your infra. Required. Better Uptime, Healthchecks.io, Pingdom. Two regions minimum.
  33. Alerts go to a human, not just a Slack channel. Required. PagerDuty, OpsGenie, or a phone number. Channels get muted; humans get woken up.
  34. Status page exists. Strong default. statuspage.io, Instatus, BetterStack Status. Customers will trust you more for admitting downtime than for hiding it.

Analytics & growth (35–39)

  35. Product analytics instrumented with 5–10 named events. Required. PostHog or Amplitude. Activation, retention, conversion, engagement, plus product-specific value events.
  36. Funnel from landing page to paid is measurable. Required. You should be able to answer “how many of last week’s visitors paid?” in 60 seconds.
  37. UTM tagging is consistent across channels. Strong default. Otherwise attribution is fiction.
  38. Marketing site has Schema.org markup and a sitemap. Strong default. See technical SEO & growth.
  39. A feedback loop exists in product. Strong default. Linear feedback widget, Canny, or a simple email. Use it from day one.

  40. Privacy policy + cookie consent + DPA template. Required. Lawyer-reviewed for any EU traffic. Don’t copy from another site.
  41. Terms of service. Required. Limit of liability, governing law, acceptable use, refund policy.
  42. Cookie consent banner properly blocks non-essential cookies until consent. Required for EU. Klaro, Cookiebot, Iubenda. “Accept all” only is no longer compliant.

Marketing & launch (43–45)

  43. Landing page passes Core Web Vitals. Strong default. LCP < 2.5s, CLS < 0.1, INP < 200ms on mobile. PageSpeed score 90+.
  44. Open Graph and Twitter Cards configured. Strong default. Test with the actual cards debuggers, not just dev tools.
  45. Launch comms drafted. Strong default. Email to waitlist, social posts, Product Hunt draft, founder LinkedIn post. Drafted, not just intended.

Post-launch ops (46–47)

  46. Support intake is staffed. Required. A real human responds within 4 hours during business days, 24 hours otherwise. Email + in-app at minimum.
  47. The roadmap has a “week one”, “month one” and “quarter one” bucket. Required. Pre-allocated capacity for the inevitable bugs and small fixes. Without it, the team burns out by week three.

[Image: MVP launch dashboard with go/no-go checklist]
47 items. 2–4 hours with the team in one room. If any required item is red, you don’t launch.

FAQ

How many items should an MVP launch checklist have?

Our production list is 47 across nine categories. Fewer than ~30 misses critical work; more than ~70 is over-scoped.

What is the most commonly skipped item before MVP launch?

Production observability. Founders launch with no error tracking and discover in week two that 14% of users hit an error path silently.

Do I need a privacy policy for my MVP?

Yes. Even small EU/US user bases trigger GDPR/CCPA obligations. Not optional.

Should the MVP have an admin panel?

Yes — a simple one. Retool, Forest Admin or a 1-day in-app admin. Saves 5–10 support hours per week.

How much testing does an MVP need?

Unit tests on payment, auth and tenant-isolation. Playwright smoke tests on 3–5 critical flows. Skip exhaustive E2E.

What metrics should I instrument before launch?

Activation, retention (D1/D7/D30), conversion (free to paid), engagement, and one product-specific value metric. Free PostHog or Amplitude tier covers it.

Get a launch audit before you ship

One day of senior engineering. Tick-list with red/amber/green, the riskiest fixes prioritised, written go/no-go opinion. Useful before launch, before fundraising, before enterprise pilots.

Last updated 26 May 2026.