Solo founder · First clients
I built my app alone: how do I know if it's safe to offer it to clients?
Solo-built applications almost always have the same blind spots: absent error handling, data exposed by default, no production monitoring. Before giving access to your first clients, eight points need to be checked. I go through them in 2 to 3 days.
The real problem
The blind spots of a solo-built application
Building your application alone means never having a second pair of eyes. Nobody to say "wait, this field is exposed in the public API", "this route isn't protected", or "do you know your app doesn't alert anyone when it crashes?"
This isn't a criticism — it's a structural reality. A solo developer can't have the same perspective as a team. Vibe coding tools (Claude Code, Cursor) amplify the problem: they generate functional code without awareness of systemic implications or security configurations.
The audit I offer isn't there to discourage you. It's there to give you certainty — or a short list of things to fix — before your clients experience the consequences of these blind spots.
The 8 critical points
What I check before your launch
These eight points are the bare minimum to have in place before exposing your data to real clients. The list is not exhaustive; it covers what matters right now.
- Authentication and authorisation: Passwords are hashed. Each user only sees their own data. Admin routes are protected.
- Error handling: When a function fails, the application does not fail silently. Errors are logged somewhere you can check.
- Data exposure: API endpoints only return necessary data. No sensitive fields (password, token, API key) appear in responses.
- Data backup: Your clients' data is backed up automatically. You have tested a restore at least once.
- Monitoring: You are notified when the application is down, rather than hearing about it from a dissatisfied client.
- Dependency security: Your libraries have no known vulnerabilities (npm audit, composer audit, or equivalent for your stack).
- Minimal GDPR compliance: You collect the minimum necessary. Your users know what you store. There is a way to delete an account.
- Basic load test: The application handles 10 to 20 simultaneous users, the minimum for your first clients.
What it means
'Ready' doesn't mean perfect
A production-ready app for first clients isn't an app without bugs. It's an app where your clients' data is protected, where failures don't go unnoticed, and where no data can leak inadvertently.
Perfect performance, exhaustive tests, complete documentation — all of that can come after. Build a solid foundation first, then iterate with real users: that's the right sequence.
My role is to tell you clearly: "you can go ahead, with these two fixes" or "not yet, here's why and how to fix it quickly".
Deliverable
What you receive
- Audit report on all 8 points — status for each (OK / needs fixing)
- For each issue: the reason for the risk and recommended fix
- Effort estimate for each correction
- Clear verdict: is your application ready to accept clients?
- 45-minute debrief session
First contact
Is your app ready?
30 minutes to assess your situation. I'll tell you honestly whether you can go ahead or what to fix first.