Your First Paying User Changes Everything About Security

The moment someone gives you money or personal data, you are responsible for protecting it. PIPEDA in Canada, GDPR in Europe and state laws in the US create legal obligations for businesses of all sizes. Breach notification is mandatory. Fines are real. A $1,500 security audit is the cheapest insurance available.

Before the First Payment

When your app has zero paying users, security feels optional. You are building, experimenting, iterating. Nobody is relying on you. Nobody has given you their credit card number. If your database gets wiped, you lose test data and nothing else.

This is the only time security is truly optional. Enjoy it. It ends the moment someone opens their wallet.

The Moment Everything Changes

Someone signs up. They enter their email. They give you their name. They enter a credit card number. They click "Subscribe."

Congratulations. You have revenue.

You also have legal obligations you did not have five minutes ago.

The moment someone gives you money or personal data, you are responsible for protecting it. This is not a suggestion. It is the law. In multiple countries. With real penalties.

What the Law Actually Says

PIPEDA (Canada)

Canada's Personal Information Protection and Electronic Documents Act applies to any organization that collects, uses or discloses personal information in the course of commercial activity. There is no minimum size requirement. If you are a one-person company selling a $10/month SaaS, PIPEDA applies to you.

Key requirements: you must protect personal information with security safeguards appropriate to the sensitivity of the information. You must notify the Privacy Commissioner of Canada and affected individuals if a breach creates a "real risk of significant harm." Failure to report a breach can result in fines up to $100,000 per violation.

GDPR (European Union)

If even one of your users is in the EU, GDPR applies. It does not matter where your company is located. It does not matter that you are one person. GDPR applies to any organization that processes personal data of EU residents.

Key requirements: you must implement appropriate technical and organizational measures to ensure security. You must notify the relevant supervisory authority within 72 hours of becoming aware of a breach. Fines can reach 20 million euros or 4% of global annual revenue, whichever is higher.

US State Laws

There is no single federal privacy law in the US. But California (CCPA/CPRA), Virginia, Colorado, Connecticut and other states have their own laws. If your users are in these states, their local laws apply. Most require breach notification and impose penalties for failure to protect personal information.

Breach Notification Is Not Optional

This is the part most solopreneurs do not know. When a breach happens, you cannot just fix it and move on. You are legally required to tell people.

In Canada, mandatory breach notification means you must report to the Privacy Commissioner and notify affected individuals if there is a real risk of significant harm. You must keep records of every breach for two years, even ones you determine do not require notification.

In the EU, you have 72 hours from the moment you become aware of a breach to report it. Miss that deadline and you face additional penalties on top of the breach itself.

In most US states, you must notify affected residents within 30-60 days depending on the state.

Can you imagine getting a payment from your first customer on Monday and dealing with a breach notification on Wednesday? It happens. We have seen it.

What Actually Gets You in Trouble

It is not the breach itself that destroys solo businesses. It is the cascade that follows.

Step 1: The breach. Attackers find a vulnerability. They download your user database. Or they access your Stripe dashboard. Or they find API keys in your client-side code.

Step 2: Discovery. You find out days or weeks later. Maybe a user tells you. Maybe your hosting bill spikes. Maybe you see unfamiliar data in your logs.

Step 3: Legal obligations. You need to assess the scope, determine if notification is required, draft notifications, report to regulators. You need a lawyer. Lawyers cost money.

Step 4: User fallout. You email your users to tell them their data was exposed. Some cancel immediately. Some post about it publicly. Your Product Hunt launch from last month now has a very different reputation.

Step 5: Remediation. You still need to fix the vulnerability, do a full security assessment to find other issues, and potentially offer credit monitoring to affected users.

Total cost for a small breach: $10,000-50,000 when you add legal, notification, lost revenue and remediation. For a solopreneur making $3,000 a month, that is catastrophic.

What To Do Right Now

If you have paying users and have never thought about security, here is your action plan.

Today (15 minutes): Enable MFA on your hosting, database and payment processor accounts. This prevents the most common account takeover attacks.

Today (30 minutes): Run our free hack tool on your site. Check the solopreneur security checklist. Fix anything obvious.

This week: Read your payment processor's security documentation. Stripe's security guide is excellent. Make sure you are following their best practices for API key storage and webhook verification.
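Webhook verification is the one item on this list that is easy to get subtly wrong, so here is an added example (not code from the original post or from Stripe): a verifier for the timestamped HMAC-SHA256 signature scheme used by Stripe-style `t=<ts>,v1=<hex>` headers, with a replay window and a constant-time compare. The secret, payload and timestamps are constructed for the demo; the header format is assumed from Stripe's published scheme, so check it against your processor's documentation.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed for this example. A real endpoint secret comes from the payment
# processor's dashboard and lives in server-side config, never in client-side code.
ENDPOINT_SECRET = "whsec_constructed_demo_secret"
TOLERANCE_SECONDS = 300  # reject signatures older than five minutes (replay defence)


def sign_payload(payload: str, secret: str, timestamp: int) -> str:
    """Build a 't=<ts>,v1=<hex>' header the way the provider would (assumed scheme).

    Used here only to produce test input; in production the processor signs."""
    signed = f"{timestamp}.{payload}".encode()
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(payload: str, sig_header: str, secret: str,
                   now: Optional[int] = None) -> bool:
    """Return True only if the signature matches the raw body and is fresh."""
    now = int(time.time()) if now is None else now
    try:
        parts = dict(item.split("=", 1) for item in sig_header.split(","))
        timestamp = int(parts["t"])
        provided = parts["v1"]
    except (ValueError, KeyError):
        return False  # malformed header: treat as unverified, never as trusted
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: a captured event being replayed
    signed = f"{timestamp}.{payload}".encode()
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong digest cannot be probed byte by byte.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    body = '{"id":"evt_constructed","type":"invoice.paid"}'  # constructed event
    header = sign_payload(body, ENDPOINT_SECRET, int(time.time()))
    print("valid:", verify_webhook(body, header, ENDPOINT_SECRET))
    print("tampered body:", verify_webhook(body + " ", header, ENDPOINT_SECRET))
```

Verify against the raw request bytes, not a re-serialised JSON object, since any whitespace or key-order change breaks the digest.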

This month: Get a Quick Audit. $1,500 CAD. A human security professional reviews your entire app and gives you a clear list of what needs fixing. Five-day turnaround.

The Math That Matters

Quick Audit: $1,500 CAD.

Average small business breach cost: $100,000+.

Lawyer consultation after a breach: $300-500/hour.

Privacy Commissioner fine: up to $100,000 per violation.

Rebuilding trust after a public breach: priceless. Actually, impossible. Your users will just leave.

The $1,500 audit is not an expense. It is the cheapest insurance you will ever buy. You spend more than that on hosting, design tools and coffee in a quarter.

You built something people are willing to pay for. That is rare and valuable. Protect it.