← Back to Board 🗄️ Archive

SOP-001: Client Backend & Email Architecture

• Rule: NEVER default to a Centralized routing system for external services across multiple clients.
• Protocol: Always set up Decentralized backends for clients. Each client gets their own 100% free external account (e.g., at Resend.com) scoped exactly to their single custom domain and email inbox.
• Justification: This completely isolates security threats ("zero blast radius") and prevents overarching platform costs acting as overhead for the agency.
• Execution Workflow: Setup secure external access (OAuth) directly with the client. Build the site natively using serverless edge functions directly inside the root repository structure (e.g. api/submit.ts securely inside Vercel implementations).

Effective: April 21, 2026 · Owner: Janet Tolbert · Review: Quarterly

• Detection: Monitor GCP audit logs, nginx logs (journalctl -u nginx), and weekly GitHub Actions security scan alerts (Bandit + Safety + Gitleaks).
• P1 Containment: sudo ufw deny incoming → stop server → rotate ALL .env credentials → revoke Facebook & QuickBooks tokens in their developer consoles.
• Eradication: Rotate JWT_SECRET, DB_ENCRYPTION_KEY, and all API tokens. Redeploy: git pull && systemctl restart architect.
• Client Notification: If client data is involved, notify within 72 hours. Report to Intuit (security@intuit.com) and Meta (Developer Whitehat) per platform policy.
• Encryption at Rest: Facebook tokens are Fernet-encrypted in tasks.db. GCP disk provides AES-256 at the infrastructure layer.
• Vulnerability Scanning: GitHub Actions runs every Monday — failures auto-create a GitHub Issue tagged security.

Effective: April 21, 2026 · Owner: Heimdallr AI Agent · Supervised by: Janet Tolbert & Renee · Review: Monthly

Heimdallr is the autonomous SIEM module integrated into the Architect Dashboard. He operates continuously in the background and reports to deftechops@gmail.com daily.

• Low severity (P3/P4): Heimdallr flags via GitHub Issues tagged security — no human required to triage.
• High severity (P1/P2): Broadcasts alert to dashboard + emails Janet & Renee. Human approval required before any action.
• Blocked deployments: BLOCK_DEPLOYMENT creates a high-priority ticket for Janet or Renee to manually review.
• Critical NPM Vulnerabilities: Flags via GitHub Issues and creates a high-priority ticket for the engineering team to run npm audit fix.
• Reports delivered to: deftechops@gmail.com · Subject: "🛡️ Heimdallr SOC: Daily Threat Intelligence & Privacy Report"

Effective: April 22, 2026 · Scope: Agency White-Label Clients

• Do not sell the code: You are selling a subscription to a managed service. Treat this as an Enterprise SaaS deal.
• Setup Fee: Charge a one-time fee to duplicate the environment, connect custom domains, swap branding, and configure the DB.
• Monthly License Fee: Charge a recurring fee for hosting, database management, security, and uptime. Determine pricing by multiplying actual server/DB costs by 5x-10x.

• Virtual Machine Isolation: Host the client backend on a separate GCP VM (or isolated Docker container). Do not risk client spikes crashing internal agency instances.
• Database Isolation: Deploy a completely separate DB instance. This ensures total data security and allows easy data export if the client leaves.
• Infrastructure Ownership: The agency owns the GCP, Vercel, and DB accounts. The client only pays the managed fee.

• Contract Type: Use a White-Label SaaS Agreement (or Software Licensing Agreement), not just an NDA.
• IP Ownership: The agency retains 100% ownership of source code, architecture, and UI/UX. The client receives a revocable license.
• Data Ownership: The client retains 100% ownership of their customer data.
• Termination: Access is revoked if payment stops. Provide a raw CSV/JSON export of their DB data upon termination. No code is handed over.
• SLA & Features: Define support availability. Explicitly state that custom feature development is billed separately at the agency hourly rate.

Effective: April 23, 2026 · Owner: Janet Tolbert

• Pay Period 1 (1st - 15th): Time entries from the 1st through the 15th of the month are automatically calculated and processed. Payouts are made on the 28th of the month.
• Pay Period 2 (16th - End of Month): Time entries from the 16th through the final day of the month are automatically calculated and processed. Payouts are made on the 12th of the following month.

• Time Tracking: Design Techs log their time using the timer or "Add Time" button on project and ticket cards. Time must be logged accurately with the correct client, service, and description.
• Automated Gemma Reports: Gemma runs a background process to aggregate all logged time entries for each contractor at the end of every pay period.
• QuickBooks Integration: Gemma automatically generates a detailed time report and pushes a Bill directly to QuickBooks Online (QBO) for the contractor.

• Review: The system automatically posts the aggregated time report to the dashboard for review before the payout dates.
• Approval & Payment: Management reviews the autogenerated QuickBooks Bills and issues payment directly through QBO or designated payment methods on the 12th and 28th.
• Discrepancies: If there are missing hours, Design Techs must manually add them via the ticket cards before the reporting periods close.

Effective: April 24, 2026 · Owner: Thor (AI Agent) · Supervised by: Janet Tolbert · Review: Monthly

Thor is the unified SEO / AIO / GEO Master responsible for dominating search visibility across Google, ChatGPT, Perplexity, Gemini & AI Overviews. When a full audit is triggered from the SEO tab, the following 5-task sequential pipeline executes automatically.

• Scrape the client's website and extract core services & offerings
• Identify unique value proposition and target audience
• Discover competitors and existing SEO signals (title tags, meta descriptions, headings)
• Determine industry & location context

Score each dimension out of 10. Return overall score + prioritized fix list (High / Medium / Low):

Analyzes how AI assistants (ChatGPT, Perplexity, Gemini, Claude) understand the business:

• Entity Establishment: How AI models recognize this business
• Knowledge Panel Readiness: Is the business entity clear and verifiable?
• 10 AI-Optimized Q&A Pairs: Written specifically for AI citation
• E-E-A-T Improvements: Experience, Expertise, Authoritativeness, Trust gaps
• AI Citation Triggers: Content formats most likely to be cited by AI
• Competitive Positioning: How to dominate AI answers in the niche

GEO (Generative Engine Optimization):

• Topical Authority Map: 5 core topic clusters to own
• Content Pillars: 3 pillar pages + 5 cluster posts per pillar (30 total)
• AI Snippet Optimization: Bullet lists, bold definitions, comparison tables, numbered how-tos
• Citation Building: Target publications, directories, and platforms
• Local GEO: Google Business Profile, local schema, review strategy
• 90-Day Publishing Calendar: Prioritized by AI impact
• KPIs: Branded search, citation monitoring, AI visibility tracking

Keyword Research:

• 5–10 Primary keywords — high-volume, core service/product terms
• 15–20 Secondary keywords — supporting terms, category variations
• 20–30 Long-tail keywords — specific, buyer-intent phrases (3-5 words)
• Conversational/AI keywords — question-format queries AI systems answer
• Local keywords — "[service] near me", "[city] + [service]"
• Competitor gap keywords — terms competitors rank for that this business could win
• Each keyword includes: search intent, estimated difficulty, AI optimization priority, suggested target page

• Executive Summary: 3-4 sentences
• SEO Score & Top 5 Critical Fixes
• AIO Readiness Score & Top Recommendations
• GEO 90-Day Action Plan (condensed)
• Quick Wins: Actions completable in 48 hours
• Long-term Opportunities: 3-6 month strategy