SOP implementation checklist

Checklist aligned with the digital operations SOP priorities.

This checklist maps the SOP to implementation work in the existing application.

Roadmap: The ordered priorities in NSVA-DIGITAL-OPERATIONS-SOP.md (Implementation priorities) define the plan. Sections Email and Domain through Audit and Governance are thematic trackers; closing items there satisfies the corresponding priority areas.

Email and Domain

  • Configure Microsoft 365 transactional sending from @nsva.org (SMTP credentials stored in Secret Manager: nsva-smtp-user, nsva-smtp-pass, nsva-email-from; see EMAIL.md) — confirm DNS/MX for inbound role mailboxes remains an ongoing IT task
  • Configure production env vars (wired via Cloud Run / cloudbuild.yaml; secrets supply SMTP_USER, SMTP_PASS, EMAIL_FROM):
    • EMAIL_PROVIDER=smtp
    • SMTP_HOST, SMTP_PORT, SMTP_SECURE, SMTP_USER, SMTP_PASS
    • EMAIL_FROM (e.g. NSVA <noreply@nsva.org>)
    • APP_URL / NEXTAUTH_URL
  • Remove any non-production-only EMAIL_OVERRIDE_TO in production
  • Restrict or remove /api/test-email in production

Office Mailbox Provisioning

  • Create mailbox/alias inventory for all role addresses in SOP (mailboxes map to NSVA_OFFICE_EMAILS / NSVA_OFFICE_EMAIL_<KEY> used by workflow routing)
  • Define owner(s) per mailbox (office holder + backup) (tracked operationally per shared inbox ownership; see EMAIL.md → Leadership transition)
  • Document forwarding rules and shared inbox ownership (see EMAIL.md → Leadership transition)
  • Establish rotation procedure for leadership transitions (see EMAIL.md → Leadership transition)

RBAC Alignment

  • Map SOP Levels 1–5 to platform roles and permissions
  • Require MFA for leadership/admin roles
  • Confirm role assignment and revocation process (see EMAIL.md → Email routing and in-app notifications)

Workflow Routing

  • Membership application routing (Chair, Secretary, Treasurer)
  • Event workflow routing (Events, Secretary, Treasurer-if-financial)
  • Donation workflow routing (Treasurer, Commander, Fundraising)
  • Ships Store workflow routing (Store, Treasurer)
  • Ensure each routing action triggers dashboard notification + email

Audit and Governance

  • Ensure approvals/rejections and high-impact admin actions create audit records (see Governance and Financial & compliance sections below; includes general-request updates, Can Do uploads, island admin edits)
  • Confirm financial state transitions are logged (orders, payments, donations — see Financial & compliance below)
  • Add dashboard views for executive oversight

Operational visibility

  • Add admin SOP routing inspection endpoint (/api/admin/operations/routing)

Executive oversight & commerce

  • Dashboards: add executive Operations Center view (/admin/operations)
  • Events system: route event workflow notifications to SOP office recipients
  • Ships Store integration: route store and donation workflow notifications to SOP office recipients

Analytics, island locator, sponsorship

  • Analytics API: operational pipeline counts (membership, payment, transfers, charters, sponsorship, new members 30d)
  • Analytics UI: Operational pipeline section on /admin/analytics overview
  • Island locator: map focus via ?state= / ?q=, search UI on /locations
  • Sponsorship: public /sponsorship, POST /api/sponsorship/inquiry, admin /admin/sponsorship pipeline
  • Admin home & Operations Center: sponsorship queue counts and links

Governance, audit, production hardening

  • Audit log: sponsorship inquiry submitted (public form) and admin status/notes updates
  • /api/test-email disabled in production unless ALLOW_TEST_EMAIL=true
  • Extend audit logging to high-risk workflows: island transfer submit + admin review; convention registration submit; admin store order status/tracking updates (payment transitions via webhooks and order/payment/donation audit events; island charter already audited in admin review)
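
One way to check the production email settings from the Email and Domain list and the /api/test-email rule above before a deploy. This is an added example, not the application's own code; NODE_ENV as the production marker, the function names auditEmailEnv and testEmailAllowed, and the sample values are assumptions.

```javascript
// Added example, not the application's code. Variable names come from the checklist;
// NODE_ENV as the production marker and both function names are assumptions.
const REQUIRED = ["SMTP_HOST", "SMTP_PORT", "SMTP_SECURE", "SMTP_USER", "SMTP_PASS", "EMAIL_FROM"];

// Gate for /api/test-email: open outside production, and in production only
// when ALLOW_TEST_EMAIL is exactly "true".
function testEmailAllowed(env) {
  return env.NODE_ENV !== "production" || env.ALLOW_TEST_EMAIL === "true";
}

// Audit a production environment against the checklist; returns { errors, warnings }.
function auditEmailEnv(env) {
  const errors = [];
  const warnings = [];
  if (env.EMAIL_PROVIDER !== "smtp") errors.push("EMAIL_PROVIDER must be smtp");
  for (const name of REQUIRED) {
    if (!(env[name] || "").trim()) errors.push(`${name} is not set`);
  }
  if (!(env.APP_URL || env.NEXTAUTH_URL || "").trim()) errors.push("APP_URL / NEXTAUTH_URL is not set");
  const from = (env.EMAIL_FROM || "").trim();
  if (from && !/@nsva\.org>?$/i.test(from)) errors.push("EMAIL_FROM is not an @nsva.org sender");
  // Checklist item: no EMAIL_OVERRIDE_TO in production.
  if ((env.EMAIL_OVERRIDE_TO || "").trim()) errors.push("EMAIL_OVERRIDE_TO must be removed in production");
  // Allowed by policy, but worth surfacing so the opt-in is a deliberate choice.
  if (env.NODE_ENV === "production" && testEmailAllowed(env)) {
    warnings.push("ALLOW_TEST_EMAIL=true keeps /api/test-email enabled in production");
  }
  return { errors, warnings };
}

// Constructed sample environment (placeholder values, not real settings).
const sampleEnv = {
  NODE_ENV: "production",
  EMAIL_PROVIDER: "smtp",
  SMTP_HOST: "smtp.example.invalid",
  SMTP_PORT: "587",
  SMTP_SECURE: "false",
  SMTP_USER: "placeholder-user",
  SMTP_PASS: "placeholder-pass",
  EMAIL_FROM: "NSVA <noreply@nsva.org>",
  APP_URL: "https://app.example.invalid",
  EMAIL_OVERRIDE_TO: "dev@example.invalid",
};
console.log(auditEmailEnv(sampleEnv), testEmailAllowed(sampleEnv));
```

Run against the real environment, a non-empty errors list can fail the build step, while warnings are left for a reviewer to accept or reject.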

Communication parity & production email

  • Ensure each routing action triggers dashboard notification + email where appropriate (including after completed payments; convention + island transfer office mail; calendar + donation in-app)
  • Production env: Microsoft 365 SMTP and EMAIL_FROM via Secret Manager — send a test (allowed flow or ALLOW_TEST_EMAIL per policy) to confirm delivery; remove EMAIL_OVERRIDE_TO in production when ready
  • Confirm role assignment and revocation process (documented in EMAIL.md; enforced through Admin → Roles)
  • Office mailbox inventory and owners (ties to SOP “Office Mailbox Provisioning” above) — organizational task

Financial & compliance logging

  • Ensure all approvals/rejections create audit records across workflows (includes duty-station request approval/rejection)
  • Confirm financial state transitions are logged (orders/payments/donations; Zeffy payment failed/refunded order transitions included)
  • Reconcile checklist with PII / retention policies (automated purge where configured, plus audit records for redaction and disposal)

Data continuity & leadership operations

  • Preserve office-based communication history during personnel changes (role-based “To:” routing stays stable; audit exports/archives preserve operational evidence)
  • Maintain exported records strategy (membership via Admin → Members Export, orders via /api/admin/orders/export, donations via /api/admin/donations/export, approvals via /api/admin/audit-log/export + /api/admin/maintenance/archive-old-data)
  • Validate backup/restore runbook for digital operations continuity (see DIGITAL-OPERATIONS-BACKUP-RESTORE.md)
  • Document forwarding rules, shared inbox ownership, rotation on leadership change (see EMAIL.md → Leadership transition)

Cross-cutting (email & domain)

See Email and Domain and Office Mailbox Provisioning sections above; close these as communication, financial, and continuity criteria are met.