A comprehensive guide to building your startup's technology stack and business operating system
Starting a business requires making dozens of critical technology and operational decisions. This playbook provides opinionated, practical guidance for choosing the right tools, platforms, and frameworks to run your business—from infrastructure to compliance.
Whether you're a solo founder building an MVP or scaling a Series A startup, this playbook helps you:
- Choose the right tech stack for your infrastructure needs
- Select business tools that scale with your organization
- Build compliance frameworks from day one
- Implement security best practices without security theater
- Establish legal foundations to protect your business
- Create operational systems that enable growth
This is not vendor-neutral advice—we provide opinionated recommendations based on real-world experience, with clear guidance on when to use what.
- Technical Founders: Building your first startup and need infrastructure guidance
- CTOs/Engineering Leads: Establishing technical foundations for a growing team
- Operations Leaders: Implementing business systems and compliance frameworks
- Solo Founders: Need to make smart tool choices without analysis paralysis
- Scaling Startups: Moving from scrappy MVP to enterprise-ready systems
Each guide is standalone and focused on a specific problem domain. Start with what you need now:
- Just starting? → Begin with Business Operating System Framework and Legal & Compliance
- Building infrastructure? → Check Private Cloud Infrastructure and Security Tools
- Growing your team? → Explore CRM Solutions and LMS Solutions
- Need specific tools? → Jump directly to the relevant guide below
-
Business Operating System Framework
- Overall approach to building your BOS
- Startup stage recommendations (Pre-Seed → Series A+)
- Critical success factors and implementation roadmap
-
- Privacy Policy, Terms of Service, MSA
- CIIA/PIIA (Confidentiality & Invention Assignment)
- PII Management Plan
- ISMS Plan (Information Security Management System)
- PIMS, QMS, SMS, AI RMF
- Business formation (LLC, bank accounts)
-
- UmbrelOS
- Proxmox / LXC Containers
- OpenStack
- Docker / Kubernetes
- Decision matrices by organization size
-
Container Orchestration & Platform
- Docker vs. Docker Swarm vs. Kubernetes
- Managed vs. self-hosted
- K8s distributions (k3s, RKE2, OpenShift)
- Platform engineering tools
-
- Code security (Snyk, SonarQube, GitGuardian, Dependabot, CodeRabbit)
- Infrastructure security (Wazuh, Tetragon)
- Identity & Access Management (Keycloak, FreeIPA, M365)
- Network security (VPNs, zero-trust)
- Security monitoring & SIEM
-
- NetBird VPN
- Boundary (bound0)
- Tailscale / Headscale
- Pangolin
- Zero-trust architecture
-
- Keycloak (recommended for app auth)
- FreeIPA (Linux/Unix environments)
- Microsoft 365 / Azure AD
- OpenDesk.eu (EU sovereignty)
- SSO strategies
-
- ERPNext CRM
- Twenty CRM (open-source)
- HubSpot
- Salesforce
- Decision guide by company size and needs
-
- ERPNext / Frappe Cloud (recommended)
- Odoo
- SAP (enterprise)
- Decision criteria
-
- Jira / Atlassian Suite (recommended)
- Linear
- GitHub Projects
- Asana, Monday.com, ClickUp
- Learning Management Systems (LMS)
- Frappe LMS
- Moodle
- Canvas LMS
- Custom solutions
- When you need an LMS
-
Remote Monitoring & Management (RMM)
- When you need RMM
- Open-source options
- Commercial solutions
- MSP considerations
-
Multi-Cloud & Infrastructure Management
- Taikun.cloud
- Foreman
- Terraform / OpenTofu
- Infrastructure as Code
-
Inventory Management Solutions
- When you need dedicated inventory management
- ERPNext Inventory module
- Standalone solutions
- Asset tracking
-
- Carta
- Pulley
- AngelList
- When to implement equity management
- Automation & Workflow Tools
- n8n (recommended for self-hosted)
- ActivePieces
- Tines (security automation)
- Zapier, Make.com (cloud)
- When to automate
-
- Figma (industry standard)
- Penpot (open-source alternative)
- Design systems
-
- Formbricks (open-source)
- Product analytics
- Feedback loops
-
- Invoice Ninja
- ERPNext Accounting
- Stripe Billing
- Usage-based billing
-
Financial Tracking & Accounting
- QuickBooks
- Xero
- ERPNext Accounting
- Fintracker
- Scheduling & Calendar Tools
- Cal.com (open-source, recommended)
- Calendly
- Self-hosting considerations
- Application Monitoring & Observability
- Prometheus + Grafana
- Elastic Stack
- DataDog, New Relic (commercial)
- OpenTelemetry
- Compliance Automation
- TrustCloud.ai
- Vanta
- Drata
- SOC 2, ISO 27001 automation
Goal: Ship fast, stay lean, build foundations
- Business Operating System Framework - Understand the landscape
- Legal & Compliance Framework - LLC, CIIA, Privacy Policy, ToS
- Private Cloud Infrastructure - Choose Docker Compose on VPS
- Security Tools - Enable Dependabot, GitGuardian (free tier)
- Project Management - GitHub Projects or Linear
Timeline: Week 1
Goal: Professionalize systems, enable team collaboration
- All MVP Stage items above
- CRM Solutions - Implement ERPNext or Twenty CRM
- ERP Solutions - Deploy ERPNext for business ops
- Automation & Workflow - Set up n8n
- Identity & Access Management - Deploy Keycloak
- VPN & Secure Access - Implement Tailscale or Headscale
- Security Tools - Full security toolchain
- Compliance Automation - Start ISMS documentation
Timeline: Months 1-3
Goal: Enterprise-ready, compliance-focused, scalable
- All Seed Stage items above
- Container Orchestration - Migrate to Kubernetes
- RMM Solutions - Implement endpoint management
- LMS Solutions - Deploy employee training platform
- Monitoring & Observability - Full observability stack
- Compliance Automation - SOC 2 Type II, ISO 27001
- Multi-Cloud Management - Infrastructure as Code
- Share Management - Implement cap table management
Timeline: Months 3-12
We prioritize open-source, self-hostable solutions for:
- Cost control
- Data sovereignty
- Customization
- No vendor lock-in
But recommend cloud/commercial solutions when:
- Time-to-value matters more than cost
- Expertise gap is significant
- Compliance requirements demand it
Retrofitting compliance is expensive and painful. We emphasize:
- Legal foundations before first customer
- Security tooling from first commit
- Documentation as you build
- Privacy by design
Manual processes don't scale. We advocate for:
- Infrastructure as Code
- CI/CD from the start
- Workflow automation (n8n, etc.)
- Security automation
Don't over-engineer for scale you don't have. Our recommendations scale with you:
- Solo → Docker Compose
- Small team → Docker Swarm or Proxmox
- Scaling → Kubernetes
Free security tools exist. Use them:
- Dependabot (free)
- GitGuardian (free tier)
- Snyk (free tier)
- Code review requirements
- 2FA everywhere
This playbook is maintained based on real-world experience building and scaling startups. It's opinionated by design.
If you have suggestions, corrections, or want to add new guides, please open an issue or pull request.
This playbook provides general guidance and opinions. It is not:
- Legal advice (consult a lawyer for legal matters)
- Financial advice (consult an accountant/CFO)
- Compliance certification (consult compliance professionals)
- Vendor endorsement (we receive no compensation from mentioned tools)
Your specific situation may require different solutions. Use this as a starting point, not gospel.
This playbook is open source and available for use by the startup community.
Last Updated: 2025-11-16 Version: 1.0