Free resource
Is your AI-built app ready for a security review?
A plain-English checklist for builders shipping with Lovable, Replit, Cursor, and Claude Code — so the first hard question from a customer’s security team doesn’t catch you flat-footed. No jargon, no 80-page framework. Just what to check before someone else checks it for you.
Get the checklist
The full checklist below, plus Field Notes — low-volume, high-signal.
What’s inside
Seven areas, one honest pass.
01 Map your system
You can’t secure what you can’t see.
- Write a one-page description of what your app does and who uses it.
- List every place data is stored — database, file storage, third-party tools.
- Diagram how data flows in, through, and out of the app.
- Identify which parts are AI/LLM-powered and what they can access.
- Note what runs in the browser vs. on the server.
02 Data & privacy
Know exactly what you touch.
- Inventory the data you collect (personal, payment, health, etc.).
- Confirm you only collect what you actually need.
- Document where data lives and how long you keep it.
- Make sure you can delete a user’s data on request.
- Check whether any data leaves your region or country.
03 Access & authentication
Decide who can get in — and to what.
- Require strong auth (passwordless or MFA) for all users.
- Enforce row-level security so users only see their own data.
- Use least-privilege roles for admins and service accounts.
- Remove default, test, and demo credentials.
- Log who accessed what, and when.
04 Secrets & configuration
Close the leaks that sink most vibe-coded apps.
- No API keys, tokens, or passwords in client-side code or the repo.
- Store secrets in environment variables or a secrets manager.
- Rotate any key that has ever been exposed.
- Lock down public storage buckets and database tables.
- Turn off verbose error messages in production.
05 Third-party & model risk
You inherit your vendors’ risk.
- List every external service and AI model your app calls.
- Check each vendor’s data-use and retention terms.
- Confirm customer data isn’t used to train third-party models — or disclose it.
- Have a fallback if a vendor goes down or changes terms.
- Add basic input and output guardrails on AI features.
06 Evidence & documentation
What turns “trust me” into a passed questionnaire.
- Keep a current architecture and data-flow diagram.
- Write a short security overview you can hand to a buyer.
- Document your incident-response steps: who, what, how.
- Track your subprocessors and where data is hosted.
- Keep a changelog of security-relevant changes.
07 Governance & oversight
Keep it true after launch day.
- Assign an owner for security and compliance decisions.
- Map your obligations (SOC 2, HIPAA, GDPR, state laws) to your reality.
- Review access and vendors on a set cadence.
- Have a plan for AI model updates and drift.
- Decide what you’ll do when something goes wrong.
Want this as a printable checklist?
Get the PDF plus Field Notes — or, if you’d rather not DIY it, bring me the tangled version.