Access And Credential Policy
Draft created: 2026-06-17
Provider: Arifur Rahman
This policy explains how access should be handled for CRM, website, ecommerce, LMS, membership, analytics, hosting, and automation work.
This draft is a practical starting point and is not legal advice.
No Passwords In Forms Or Chat
Do not send passwords through website forms, chat, email, documents, or marketplace messages.
Preferred Access Methods
Use official access methods where possible:
- Collaborator account.
- Staff user.
- Admin user with limited permissions where possible.
- Temporary user.
- Partner access.
- Read-only access for audits where possible.
- Screen share for audit-only work.
Approval Before Risky Changes
Written approval is required before destructive or high-risk changes, including:
- DNS changes.
- Billing/payment settings.
- Payment gateway changes.
- Bulk contact updates/deletions.
- Live CRM campaign/workflow changes.
- Email/SMS sending.
- Membership/course access changes.
- API token or webhook changes.
- Deleting assets, products, pages, workflows, users, or data.
Sensitive Data
Do not provide unnecessary sensitive data. Customer lists, payment information, API keys, private admin screenshots, and personal data should be limited to what is needed for the service.
After Delivery
Clients should remove temporary access or reduce permissions after delivery unless ongoing support has been agreed.