Last updated: 2026-04-02

Go-Live Checklist

Use this checklist to verify your Dxtra integration before deploying to production. Complete all items before launching to ensure security, compliance, and reliability.

Authentication and security

  • API keys stored in secure environment variables (not hardcoded)
  • .env files added to .gitignore
  • JWT tokens refreshed before expiry (15-minute token lifetime)
  • Error handling implemented for 401/403 authentication failures
  • Separate API keys for development, staging, and production environments
  • HTTPS enforced on all pages that embed Dxtra widgets or scripts
  • Webhook URLs use HTTPS only
  • No sensitive data (PII, API keys) logged to console or public logs
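One way to meet the "refreshed before expiry" item for 15-minute tokens, as an added example that is not Dxtra's own code. `fetch_token` is a hypothetical callable that signs in and returns the JWT string; the 60-second safety margin and the constructed test token are assumptions.

```python
import base64
import json
import time

REFRESH_SKEW_SECONDS = 60  # assumption: refresh one minute before expiry


def jwt_expiry(token):
    """Return the `exp` claim (epoch seconds) from a JWT without verifying it.

    Used only to schedule the refresh; the server still validates the token.
    """
    try:
        payload_b64 = token.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
        return float(json.loads(base64.urlsafe_b64decode(payload_b64))["exp"])
    except (AttributeError, IndexError, KeyError, ValueError, TypeError):
        return 0.0  # unparseable token: treat as already expired


class TokenCache:
    """Caches a JWT and fetches a new one shortly before it expires."""

    def __init__(self, fetch_token, clock=time.time, skew=REFRESH_SKEW_SECONDS):
        self._fetch_token = fetch_token  # hypothetical sign-in callable
        self._clock = clock
        self._skew = skew
        self._token = None
        self._expires_at = 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._token = self._fetch_token()
            self._expires_at = jwt_expiry(self._token)
        return self._token

    def invalidate(self):
        """Call after a 401 so the next get() signs in again."""
        self._token = None


def make_constructed_jwt(exp):
    """Build an unsigned, constructed JWT for testing (not a real Dxtra token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'exp': exp})}.sig"
```

The token value itself is never logged or printed, which also keeps this path consistent with the logging item above.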

GraphQL API integration

  • Using correct API endpoint: https://api.dxtra.ai/v1/graphql
  • Using correct auth endpoint: https://auth.dxtra.ai/v1/signin/pat
  • X-Hasura-Role header set appropriately (user, dataSubject, or anonymous)
  • GraphQL error responses handled (check for errors array in response)
  • Retry logic implemented with exponential backoff for transient failures
  • Request timeout configured (recommended: 30 seconds)
  • Query complexity validated (no n+1 queries or deeply nested queries)
  • Pagination implemented for large result sets
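The error-handling, retry and timeout items above combined in one call path, as an added example that is not Dxtra's own code. `send` is a hypothetical transport function, and the set of status codes treated as transient, the attempt count and the base delay are assumptions.

```python
import random
import time

TIMEOUT_SECONDS = 30  # request timeout recommended by the checklist
TRANSIENT_STATUS = {429, 502, 503, 504}  # assumption: codes worth retrying


class AuthError(Exception):
    """401/403: retrying will not help; refresh the token or fix the role."""


class GraphQLError(Exception):
    """The server answered, but the body carries an `errors` array."""


def call_graphql(send, query, variables=None, max_attempts=4,
                 base_delay=0.5, sleep=time.sleep):
    """Run one GraphQL operation with bounded exponential backoff.

    `send(payload, timeout)` is a hypothetical transport returning
    (http_status, parsed_json_body) and raising TimeoutError or
    ConnectionError on network failure.
    """
    payload = {"query": query, "variables": variables or {}}
    for attempt in range(max_attempts):
        try:
            status, body = send(payload, TIMEOUT_SECONDS)
        except (TimeoutError, ConnectionError):
            status, body = None, None  # network failure: treat as transient
        if status in (401, 403):
            raise AuthError(f"HTTP {status}")
        if status == 200:
            # A GraphQL failure can arrive inside an HTTP 200 response.
            if body.get("errors"):
                raise GraphQLError(body["errors"])
            return body["data"]
        if status is not None and status not in TRANSIENT_STATUS:
            raise RuntimeError(f"unexpected HTTP {status}")
        if attempt + 1 < max_attempts:
            # Exponential backoff with full jitter: 0..base_delay * 2^attempt s.
            sleep(random.uniform(0, base_delay * 2 ** attempt))
    raise RuntimeError(f"gave up after {max_attempts} attempts")
```

Automatic retries are only safe for queries and for mutations that are idempotent; a retried non-idempotent mutation can apply twice.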

Webhook integrations

  • Webhook URLs configured with correct DID and DX Key
  • Webhook signature verification enabled for each platform
  • Test webhook events sent and verified in the Processing Activity Log
  • Error handling for webhook failures documented
  • Rate limits respected (1,000 events per minute for webhook endpoints)
  • Webhook handlers implement idempotency (safe to process duplicate events)
  • Failed webhooks are logged and monitored
  • Webhook delivery retries configured appropriately

Transparency Center and widgets

  • Transparency Center widget loading correctly on HTTPS pages
  • Correct Data Controller UUID configured in widget data-controller-id attribute
  • Widget script loaded: https://transparencycenter.dxtra.ai/assets/index.js
  • Individual widgets (<dx-consents>, <dx-rights-management>, etc.) tested
  • Widget appearance and branding configured in Dashboard
  • Cross-browser testing completed (Chrome, Firefox, Safari, Edge)
  • Mobile responsiveness verified
  • Widget loading performance tested (< 2 second page impact)
  • Accessibility (a11y) tested for widget components

Tag Manager

  • Tag Manager script installed: https://tagmanager-edge.dxtra.ai/tm.js
  • Tags configured and tested in staging environment
  • Consent-based firing rules verified
  • Tag revision finalized and deployed to production environment
  • Debug mode tested: add #dxtra-debug to page URL
  • Custom domain CNAME configured (if applicable)
  • Tag Manager firing logic does not block critical page functionality
  • Tag loading does not impact Core Web Vitals

Privacy compliance

  • Privacy notices published and linked from your website
  • Consent forms configured for all required categories
  • Data subject rights request forms accessible and prominent
  • DSRR (Data Subject Rights Request) workflow tested end-to-end
  • Data retention policies configured in Dxtra
  • Processing activities documented in the platform
  • Data processor agreements executed
  • DPA (Data Processing Addendum) updated with Dxtra as processor
  • Privacy impact assessment (DPIA) completed if required

Data controller setup

  • Data Controller DID generated and verified
  • Organization details configured in Dashboard (legal name, address, contact)
  • Operating regions selected accurately
  • Team members invited with appropriate roles
  • Billing and subscription confirmed and active
  • DPO (Data Protection Officer) contact configured
  • Two-factor authentication enabled for all admin accounts

Monitoring and alerts

  • Processing Activity Log monitored for expected events
  • Rights request notifications configured and tested
  • DPA expiration alerts enabled
  • Compliance monitoring dashboard reviewed
  • Error monitoring configured (Sentry, DataDog, etc.)
  • Uptime monitoring configured for critical endpoints
  • API rate limit alerts configured
  • Webhook failure alerts configured

Testing verification

  • End-to-end test: new data subject created via webhook or API
  • End-to-end test: consent form submission and preference storage
  • End-to-end test: rights request submission and status tracking
  • End-to-end test: Transparency Center loads and displays correctly
  • Cross-browser testing for embedded widgets (Chrome, Firefox, Safari, Edge)
  • Mobile device testing (iOS Safari, Android Chrome)
  • Load testing completed (simulate expected traffic volume)
  • Failure scenario testing (API down, webhook timeout, network error)
  • Token refresh logic tested under production load
  • Error messages tested for user clarity and security

Documentation

  • API integration documented in your team wiki or repository README
  • Webhook endpoint documentation complete
  • Environment variables documented (without including actual values)
  • Integration architecture documented with diagrams
  • Troubleshooting guide created for common issues
  • Runbook created for incident response

Performance

  • API response times measured (target: < 500ms for queries)
  • Webhook processing latency measured
  • Database query optimization completed
  • Caching strategy implemented where appropriate
  • CDN configured for static assets
  • Image optimization completed
  • Bundle size analyzed and optimized

Security review

  • Security penetration testing completed
  • Dependencies scanned for vulnerabilities (npm audit, pip check, etc.)
  • SQL injection prevention verified
  • CSRF protection enabled
  • XSS prevention configured
  • Rate limiting implemented
  • Input validation implemented for all user inputs
  • Output encoding implemented
  • Secrets rotation policy established
  • Security headers configured (CSP, X-Frame-Options, etc.)

Rollback plan

  • Rollback procedure documented
  • Previous version deployable within 15 minutes
  • Data migration rollback tested
  • Communication plan for customer notification established
  • Point-in-time backup available

Post-launch monitoring

  • Set up daily monitoring dashboard review
  • Configure alerts for anomalies
  • Plan for 24/7 on-call support during first week
  • Schedule post-launch review meeting (24-48 hours after launch)
  • Document any issues discovered and remediation plan

Sign-off

Once all items are complete, obtain approval from:

  • Lead Developer
  • Security Lead
  • Data Protection Officer (DPO) or Privacy Lead
  • Product Manager

Document sign-off date and signatures for compliance audit trail.


All items complete? You're ready to deploy to production. Monitor closely during the first 24-48 hours and be prepared to roll back if critical issues emerge.

Have questions? Contact support@dxtra.ai or check the FAQ.