Roadmap
To-Do
The work that needs to be in place before the consulting platform can go live.
- 01 Not started
Professionalize the business identity
Lock in the public-facing business email, phone number, and address (virtual, never personal). Then trace where all business records live and identify who keeps the company current with state and federal filings. The business must read as a professional, well-run operation from the outside, with a clear owner for every compliance touchpoint.
- 02 Not started
Build the brand identity pack
Refresh the logo set, gather all visual assets, and produce a complete identity kit so launch collateral is consistent everywhere.
- 03 Not started
Audit the domain
Confirm registrar, DNS, ownership, and renewal status for the primary domain. Plan any consolidation or migration before launch.
- 04 Not started
Stand up the business communications stack
Configure the CRM that captures every inquiry through to signed client, and the business suite (Google Workspace or equivalent) that powers email, calendar, and shared docs. Tie the phone, email, and address from item 01 into these tools so nothing falls through the cracks.
- 05 Not started
Develop the online presence
Ship the primary website and stand up consistent profiles across every relevant channel. Same brand, same voice, same contact details so trust compounds across surfaces.
- 06 Not started
Stand up a secured document vault
Build a local-first vault (likely Anytype) for sensitive records and logins. Device-level encryption, at-rest protection, and clear access protocols.
- 07 Not started
Map the business model
Document the revenue model, package definitions, pricing tiers, and the possible client funnels so the offer is repeatable.
- 08 Not started
Apply the mentor's funnel framework
Pull the funnel skill from the mentor program and adapt it to the consulting offer end to end.
- 09 Not started
Audit every form in the platform
Walk every form across the handbook and policies. Each one needs to open in a dedicated tab with the full form visible, be fillable end to end, and print cleanly with proper structure, headers, and field alignment.
- 10 Not started
Build a tech-enabled records system for clinics
Stand up secure cloud storage for patient and client files so clinics can run paperless by default. Keep physical copies only where law requires it, and document those exceptions clearly.
- 11 Not started
Create the AWS account and lock it down
With the business email, phone, and business credit card in place, create the AWS account as a Business-type account. Enable multi-factor authentication on the root user, configure billing alerts at $50, $100, $250, and $500, and create a separate admin IAM user for daily work. The full step-by-step is on the Compliance → AWS Setup Checklist page.
- 12 Not started
Sign the AWS Business Associate Agreement
Inside the AWS console, accept the templated Business Associate Addendum through AWS Artifact. This is the single legal document that brings every AWS service we use into our HIPAA chain. Record the signing date in the Compliance section so it lives where auditors will look for it.
- 13 Not started
Provision RDS Postgres for client intake data
Stand up an Aurora-compatible Postgres database on RDS with encryption at rest, automated backups, and a private subnet. Wire Drizzle to it from the Next.js app, and migrate the first real form (client intake) off the in-memory store. This is the first piece of regulated infrastructure to come online.
- 14 Not started
Configure S3 buckets for clinic file uploads
Create encrypted S3 buckets for clinic-uploaded documents with bucket policies that enforce per-clinic isolation. Build the application upload flow using signed URLs so files go straight from the browser to S3 without passing through the application server.
- 15 Not started
Migrate the AI extraction path to AWS Bedrock
Replace the current OpenAI gpt-4o-mini call routed through Vercel AI Gateway with an Anthropic Claude call routed through AWS Bedrock. This is the change that unlocks Protected Health Information flowing through the AI layer. Until this is in place, the AI extractor stays restricted to business operations content.
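
For item 14, S3 authorizes a presigned request against the credentials of whoever signed it, so when the application signs with one shared role, the key it chooses is what confines a clinic to its own prefix. The sketch below is an added example, not code from this platform; the function names, the `clinics/<clinicId>/uploads/` key layout, the session shape, the clinic ID format, and the extension allow-list are all assumptions.

```javascript
// Added example: every name, format, and layout here is an assumption.
const CLINIC_ID = /^[a-z0-9]{8,32}$/;                        // assumed clinic id format
const ALLOWED_EXT = new Set(["pdf", "png", "jpg", "jpeg"]);  // assumed allow-list

// Reduce a browser-supplied filename to a safe basename with an allowed extension.
function sanitizeFilename(name) {
  const base = String(name).split(/[\\/]/).pop().normalize("NFKC");
  const cleaned = base
    .replace(/[^A-Za-z0-9._-]/g, "_")   // drop anything outside a conservative set
    .replace(/\.{2,}/g, ".")            // collapse dot runs so ".." cannot survive
    .replace(/^\.+/, "");               // no leading dots
  const ext = cleaned.includes(".") ? cleaned.split(".").pop().toLowerCase() : "";
  if (!cleaned || !ALLOWED_EXT.has(ext)) throw new Error("file type not allowed");
  return cleaned.slice(-100);           // keep the tail so the extension is preserved
}

// Defense in depth: re-check the final key before it is handed to the signer.
function assertKeyInClinicPrefix(key, clinicId) {
  const prefix = `clinics/${clinicId}/`;
  if (!key.startsWith(prefix) || key.includes("..") || key.includes("//")) {
    throw new Error("key outside clinic prefix");
  }
  return true;
}

// Build the object key the server will sign. The clinic comes from the
// authenticated session; the client-supplied value is only compared against it.
// The default id assumes a runtime with a global Web Crypto object (Node 19+).
function buildClinicUploadKey(session, requestedClinicId, filename,
                              id = globalThis.crypto.randomUUID()) {
  if (!session || !CLINIC_ID.test(session.clinicId)) {
    throw new Error("no clinic in session");
  }
  if (requestedClinicId !== session.clinicId) throw new Error("clinic mismatch");
  const key = `clinics/${session.clinicId}/uploads/${id}-${sanitizeFilename(filename)}`;
  assertKeyInClinicPrefix(key, session.clinicId);
  return key;
}
```

The returned key is what the server would pass to its presigning call; a bucket policy scoped to the same prefix layout then acts as the second check.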