Solo SaaS Operations Guide: Scaling Without a Team

where supported. 4. Centralized Secrets & Config: Never embed credentials. Use environment injection with secret rotation capabilities. 5. Budget-Aware Scaling: Set hard caps on compute, storage, and third-party API usage. Implement circuit breakers for external dependencies.

Step-by-Step Implementation

1. Infrastructure as Code & Deployment Pipeline

Define infrastructure declaratively. Use Terraform or Pulumi for reproducible environments. Pair with GitHub Actions for CI/CD.

# terraform/main.tf (simplified)
provider "aws" { region = "us-east-1" }

resource "aws_db_instance" "postgres" {
  engine               = "postgres"
  instance_class       = "db.t4g.micro"
  allocated_storage    = 20
  db_name              = "saas_db"
  username             = var.db_user
  password             = var.db_pass
  backup_retention_period = 7
  skip_final_snapshot  = true
  deletion_protection  = true
}

resource "aws_eip" "app" {
  instance = aws_instance.app.id
  tags     = { Name = "solo-saas-eip" }
}

2. Health Check & Observability Baseline

Implement structured logging, metrics, and a dedicated health endpoint. Route alerts to a single channel (Slack/Discord/PagerDuty).

// src/health.js
const express = require('express');
const router = express.Router();

router.get('/health', async (req, res) => {
  const checks = {
    db: await checkDatabase(),
    cache: await checkRedis(),
    uptime: process.uptime(),
    version: process.env.APP_VERSION
  };

  const healthy = Object.values(checks).every(Boolean);
  res.status(healthy ? 200 : 503).json({ status: healthy ? 'ok' : 'degraded', checks });
});

module.exports = router;

3. Automated Backup & Restore Verification

Schedule daily snapshots and run monthly restore drills. Verify integrity programmatically.

#!/bin/bash
# scripts/backup-verify.sh
BACKUP_FILE="/backups/saas-$(date +%F).sql.gz"
pg_dump -U $DB_USER -h $DB_HOST $DB_NAME | gzip > $BACKUP_FILE

# Verify restore in isolated container
docker run --rm -e POSTGRES_PASSWORD=test postgres:15 \
  sh -c "gunzip -c $BACKUP_FILE | psql -U postgres -d test_db && echo 'RESTORE_OK'"

4. Billing Automation & Dunning

Use Stripe/Paddle webhooks to handle subscription lifecycle, failed payments, and grace periods automatically.

// src/webhooks/stripe.js
app.post('/webhooks/stripe', express.raw({type: 'application/json'}), async (req, res) => {
  const sig = req.headers['stripe-signature'];
  let event;
  try {
    event = stripe.webhooks.constructEvent(req.body, sig, process.env.STRIPE_WEBHOOK_SECRET);
  } catch (err) {
    return res.status(400).send(`Webhook Error: ${err.message}`);
  }

  if (event.type === 'invoice.payment_failed') {
    const invoice = event.data.object;
    await handleDunning(invoice.customer_id, invoice.attempt_count);
  }

  res.json({ received: true });
});

5. Security & Compliance Baseline

Enforce HTTPS, CSP headers, rate limiting, and automated dependency scanning. Rotate secrets quarterly.

// src/middleware/security.js
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');

app.use(helmet());
app.use(rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  message: { error: 'Too many requests, please try again later.' }
}));

---

Pitfall Guide

1. Over-Engineering the Stack

Mistake: Adopting Kubernetes, service meshes, or multi-AZ architectures before product-market fit. Impact: 3–5x operational overhead, slower deployment cycles, higher cloud bills. Fix: Start with a single container or serverless function. Scale vertically until horizontal scaling is mathematically justified.

2. Ignoring Backup Restoration Testing

Mistake: Taking daily snapshots but never verifying they restore cleanly. Impact: False confidence. Data loss during incidents because backups are corrupted or schema-incompatible. Fix: Automate monthly restore drills in an isolated environment. Validate checksums and application-level data integrity.

3. Hardcoding Secrets or API Keys

Mistake: Embedding credentials in .env files committed to version control or baked into images. Impact: Credential leakage, compromised third-party accounts, compliance violations. Fix: Use secret managers (AWS Secrets Manager, Doppler, 1Password CLI). Inject at runtime. Rotate quarterly.

4. Skipping Rate Limiting & Abuse Prevention

Mistake: Assuming low traffic equals low abuse risk. Impact: API exhaustion, credential stuffing, webhook spam, unexpected third-party costs. Fix: Implement token bucket or sliding window rate limits at the gateway and application layer. Log and block anomalous patterns.

5. Manual Billing Reconciliation

Mistake: Relying on spreadsheets or dashboard checks for subscription lifecycle events. Impact: Revenue leakage, failed dunning, customer disputes, audit failures. Fix: Automate via webhook-driven state machines. Reconcile daily with idempotent scripts. Flag mismatches automatically.

6. Alert Fatigue & No Error Budget

Mistake: Configuring every metric to trigger an alert without severity tiers or suppression rules. Impact: Ignored alerts, missed critical incidents, decision paralysis. Fix: Define SLOs (e.g., 99.5% uptime, <500ms p95 latency). Route only breach-level events to paging. Implement alert deduplication and quiet hours.

7. Treating Support as Reactive Only

Mistake: Waiting for tickets instead of instrumenting proactive feedback loops. Impact: High churn, missed product signals, repetitive troubleshooting. Fix: Embed in-app feedback, track error sessions with replay metadata, and route common patterns to self-service docs or automated fixes.

---

Production Bundle

Action Checklist

• Enable 2FA on all infrastructure, payment, and communication accounts
• Configure automated daily backups with monthly restore verification
• Implement structured logging + centralized log retention (30–90 days)
• Set up Stripe/Paddle dunning automation with grace period policies
• Deploy health check endpoint + uptime monitoring with SMS/Slack alerts
• Create a 1-page incident runbook (detection → triage → rollback → postmortem)
• Configure budget alerts and hard caps on compute, storage, and API usage
• Automate SSL/TLS renewal and verify certificate chain validity

Decision Matrix

Category	Option A	Option B	Option C	Solo Recommendation
Hosting	Vercel/Netlify	Fly.io/Railway	AWS Lightsail	Fly.io/Railway (stateful-friendly, predictable pricing)
Database	Supabase	Neon/Turso	RDS/Aurora	Neon (serverless Postgres, free tier, point-in-time recovery)
Monitoring	UptimeRobot	Datadog	Grafana Cloud	Grafana Cloud (free tier, Prometheus-compatible, alerting)
Billing	Stripe	Paddle	Lemon Squeezy	Stripe (webhook maturity, dunning control, global payout)
Secrets	.env files	Doppler	AWS Secrets Manager	Doppler (developer-friendly, CI/CD integration, rotation)

Configuration Template

# docker-compose.prod.yml
version: '3.8'
services:
  app:
    build: .
    ports:
      - "8080:8080"
    environment:
      - NODE_ENV=production
      - DATABASE_URL=${DATABASE_URL}
      - STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 5s
      retries: 3
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '0.5'

  nginx:
    image: nginx:alpine
    ports:
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - certs:/etc/nginx/certs
    depends_on:
      app:
        condition: service_healthy
    restart: unless-stopped

volumes:
  certs:

# nginx.conf
events { worker_connections 1024; }
http {
  include /etc/nginx/mime.types;
  server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    location / {
      proxy_pass http://app:8080;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /health {
      proxy_pass http://app:8080/health;
      access_log off;
    }
  }
}

Quick Start Guide

1. Initialize Infrastructure: Run terraform init && terraform apply to provision a single-region database, compute instance, and managed DNS. Set budget alerts immediately.
2. Deploy Application: Use the provided docker-compose.prod.yml and nginx.conf. Push to your container registry and pull to the host. Verify /health returns 200 OK.
3. Wire Observability: Connect Grafana Cloud to your container logs. Create a dashboard tracking uptime, error rate, and p95 latency. Configure an alert for error_rate > 5% over 5 minutes.
4. Automate Billing & Backups: Install the Stripe webhook handler and test with CLI mock events. Schedule the backup script via cron (0 2 * * *) and verify the restore pipeline monthly.
5. Publish Runbook: Document detection thresholds, rollback commands, and escalation contacts. Store in your repository root as RUNBOOK.md. Review quarterly.

---

Solo SaaS operations succeed when you treat infrastructure as a product, automation as a requirement, and observability as a contract. The stack should be boring, the alerts meaningful, and the recovery path rehearsed. Ship features, but never at the expense of operational predictability.