1. Objective
This SOP governs how credentials, system access, and account security are managed throughout your engagement. As an EA, you will be granted access to systems containing sensitive business data, client information, and financial records. How you receive, store, use, and eventually relinquish that access directly affects the security of your executive's business. Poor credential hygiene is one of the most common and most preventable sources of business risk in small operations.
Where this SOP starts: Day 1 — during the access setup process.
Where this SOP ends: Last day of the engagement — when all access is formally revoked.
Success looks like: Your executive's accounts are never compromised due to poor credential management. All access is properly granted, tracked, and revoked at the end of an engagement. You never share credentials in an insecure way. Your executive knows exactly what you have access to at any time.
2. Your Role & Boundaries
2a. What you handle independently
- Receiving credentials through secure channels and storing them in the approved password manager
- Maintaining the access log — updating it when new access is granted or revoked
- Ensuring your own devices are secured (password-protected, up to date)
- Flagging any suspicious account activity immediately
2b. What requires executive approval before acting
- Accessing any system or account not included in your initial access agreement
- Sharing any credential with a third party
- Creating new accounts on your executive's behalf using their information
- Resetting any password without your executive's knowledge and authorization
2c. What you never do
- You never receive or store credentials in unencrypted email, text, or chat messages
- You never share credentials with anyone — including other team members — without explicit authorization
- You never use your personal accounts for business access when a shared or business account is available
- You never leave credentials in a browser that's not secured by a master password
- You never retain access to accounts after an engagement ends
3. Receiving Access Credentials
Approved channels for receiving credentials:
- Password manager shared vault (preferred — see Section 4)
- Encrypted message (e.g., via a one-time secret link tool like onepassword.com/create-link)
- Direct verbal communication in a private setting
Never accept credentials via:
- Email (even "secure" email)
- Slack or Teams
- Text message
- Any platform that retains message history
When credentials are shared insecurely (which happens with new clients who don't have a system yet), treat the credential as exposed: a copy now sits in message history on at least two accounts and on whatever servers relayed it.
1. Acknowledge receipt
2. Store in the password manager immediately
3. Delete the message that contained the credential from every folder you control (inbox, sent, trash, chat thread)
4. Notify your executive and recommend rotating that password: "I've received and stored those credentials securely. Because they came through email, I'd recommend changing that password when you have a moment, and for future access sharing, using [method] so credentials never sit in message history."
4. Password Manager Protocol
All credentials are stored in a dedicated password manager. This is non-negotiable.
Recommended tools: 1Password, Bitwarden, LastPass, Dashlane.
Setup in Week 1:
- Confirm which password manager your executive uses, or set one up if they don't have one
- Create a shared vault specifically for EA-relevant credentials
- Store only the access you actually need — not everything in their vault
What goes in the shared vault:
- Login credentials for platforms you actively manage
- API keys or access tokens you use directly
- Shared service account credentials
What stays out of the shared vault:
- Personal accounts (your executive's personal banking, personal email unrelated to your work)
- Credentials for systems you don't need access to
5. Access Log
Maintain a simple log of every account and system you have access to.
Format:
| Platform | Access Type | Granted Date | Access Level | Notes | Status |
|---|---|---|---|---|---|
| Gmail | Full email access | 2026-04-01 | Full read/send | Shared via password manager | Active |
| Google Drive | File management | 2026-04-01 | Edit | Specific folder only | Active |
| QuickBooks | Invoice management | 2026-04-15 | Limited | Invoicing only — no financial reporting | Active |
Review the access log monthly. Confirm that every access item is still needed. For anything you no longer use, have the access removed from the system itself, then mark the row's Status as Revoked with the date rather than deleting it, so the log doubles as the complete history you will hand over at offboarding (Section 8).
6. Account Security Practices
Your devices:
- Use a strong, unique password for every device you work from, and keep full-disk encryption turned on so a lost or stolen laptop does not expose cached sessions or vault data
- Enable screen lock with a short timeout (5 minutes max)
- Keep your operating system and browser up to date
- Use a VPN when working on public or shared networks
Browser security:
- Never let your browser save credentials for accounts that contain sensitive information; the password manager's browser extension is the only autofill you should rely on
- Clear saved form data regularly
- Use private/incognito windows when accessing accounts on shared or temporary devices, and sign out of every account before closing the window
Two-factor authentication:
- Enable 2FA on every business account where it's available
- Store 2FA backup codes in the password manager (not in email or unencrypted notes). Understand the trade-off: keeping backup codes in the same vault as the password means anyone who gets into that vault holds both factors. This is acceptable for emergency access, but it is not a substitute for a second factor on a device you control
- If you use an authenticator app, ensure it's on a device you own and control. Where a platform supports delegation (for example Gmail and Google Calendar), prefer it over a shared login so each person keeps their own password and their own 2FA
7. Suspicious Activity Protocol
If you observe any of the following, treat it as a security incident and notify your executive immediately:
- An unfamiliar login location or device shown in an account's security log
- Password change or recovery-email/phone change notifications you didn't initiate
- 2FA prompts or codes arriving when you are not logging in
- New email forwarding rules, filters, or connected third-party apps you didn't create
- Anything else in an account's activity or settings that you didn't do and can't explain (for example sent messages you didn't write)
Immediate action:
1. Do not attempt to manage the situation yourself
2. Notify your executive: "I've noticed suspicious activity in [account]. I haven't taken any action yet — please advise how you'd like me to proceed."
3. Document what you observed with timestamps
8. Offboarding Access Revocation
When an engagement ends:
1. Remove the access you can remove yourself, platform by platform, working from the access log: leave shared workspaces and channels, sign out on every device, and revoke delegated access where the platform lets you
2. Flag every shared login to your executive so they can change the password. Deleting a credential from your vault does not revoke it; a shared password you once knew only stops working once it has been rotated
3. Provide your executive with the access log, every entry marked Revoked, as a list of every account you had access to so they can confirm revocation is complete
4. Delete the credentials from your password manager and ask to be removed from the shared vault
5. Confirm with your executive that all access has been revoked, including the password changes from step 2
Timeline: All access should be revoked within 48 hours of the engagement end date.
Do not retain access "just in case." If your executive needs you to help with a specific task after engagement end, they can grant access specifically for that task.
9. Escalation Protocol
Escalate when:
- You discover a security incident (suspicious login, unauthorized access)
- You're asked to share credentials with a third party
- You're asked to access a system that's not in your access agreement
Security escalation format:
URGENT — Security concern:
[What you observed, when, in which platform]
I haven't taken action yet and haven't logged in since noticing this.
Please advise on next steps.
10. Tools & Access
| Tool | Purpose |
|---|---|
| [Password manager — 1Password / Bitwarden / etc.] | Secure credential storage and sharing |
| [Authenticator app] | Two-factor authentication management |
| Access log spreadsheet | Tracking all granted access |
11. Changelog
| Date | Notes |
|---|---|
| April 2026 | Initial release |
How to Use This Document
Your Certified Executive Assistant needs access to specific platforms and tools to do their job. This worksheet documents exactly what access you're granting, how credentials will be shared securely, and what your EA is authorized to do within each system.
Every question marks our recommended default with "(recommended)". If it works for your business, check it and move on. If you want something different, mark your preference.
This document becomes your EA's access and authorization reference — and Levrly's record on file.
Section 1: Credential Sharing Method
1.1 — How will you share credentials and system access with your EA?
- ☐ Password manager shared vault (recommended) — 1Password, Bitwarden, or LastPass
- ☐ Platform delegation (Google Calendar, Gmail delegation — no password sharing required)
- ☐ Encrypted one-time link
- ☐ Other: _____
1.2 — Do you currently use a password manager?
- ☐ Yes — platform: _____
- ☐ No — Levrly recommends setting one up in Week 1
1.3 — If using a shared vault, confirm your EA has been added to it:
- ☐ EA added to shared vault
- ☐ Vault setup is pending — EA will assist in Week 1
Section 2: Platform Access Authorization
Complete this table for every system your EA will touch. Be specific about access level.
2.1 — Email:
| Item | Detail |
|---|---|
| Platform | Gmail / Outlook / Other |
| Access method | Delegation / Shared login |
| Access level | Full (read/send) / Draft only / Read only |
| Shared via | Password manager / Delegation / Other |
| Notes | |
2.2 — Calendar:
| Item | Detail |
|---|---|
| Platform | Google Calendar / Outlook / Other |
| Access method | Delegation / Shared login |
| Access level | Full (view/edit) / View only |
| Specific calendars shared | |
| Notes | |
2.3 — Task / Project Manager:
| Item | Detail |
|---|---|
| Platform | Asana / ClickUp / Monday / Notion / Other |
| Access level | Full / Editor / Viewer |
| Specific workspaces or projects | |
| Notes | |
2.4 — Cloud File Storage:
| Item | Detail |
|---|---|
| Platform | Google Drive / Dropbox / OneDrive / Other |
| Access level | Full / Editor / Viewer |
| Specific folders shared | |
| Notes | |
2.5 — Communication / Messaging:
| Item | Detail |
|---|---|
| Platform | Slack / Teams / Other |
| Access level | Full member / Guest / Specific channels only |
| Channels included | |
| Notes | |
2.6 — Finance / Invoicing (if in scope):
| Item | Detail |
|---|---|
| Platform | QuickBooks / FreshBooks / Wave / Other |
| Access level | Full / Invoice management only / View only |
| Specific permissions | |
| Notes | |
2.7 — CRM (if in scope):
| Item | Detail |
|---|---|
| Platform | HubSpot / GoHighLevel / Salesforce / Other |
| Access level | Full / Contact management only / View only |
| Specific permissions | |
| Notes | |
2.8 — Any other platforms:
| Platform | Access Level | Access Method | Notes |
|---|---|---|---|
Section 3: Access Restrictions
3.1 — Are there areas within any of the above platforms your EA should NOT access?
| Platform | Restricted Area | Reason |
|---|---|---|
3.2 — Are there any platforms you want your EA to know exist but NOT have access to?
3.3 — Should your EA have any financial account access?
- ☐ No financial accounts — EA handles invoicing tools only
- ☐ Yes — specify: _______________
- ☐ Bank / payment accounts are strictly off limits
Section 4: Two-Factor Authentication
4.1 — How will 2FA be handled for shared accounts?
- ☐ EA uses their own authenticator app where accounts support it (recommended)
- ☐ Shared 2FA codes stored in password manager
- ☐ I'll handle 2FA myself — EA will ask me when needed
- ☐ Other: _____
4.2 — Should backup codes for shared accounts be stored in the password manager?
- ☐ Yes — stored in the shared vault for emergency access (recommended)
- ☐ No — I'll manage backup codes myself
Section 5: Account Creation Authority
5.1 — Is your EA authorized to create new accounts on your behalf using your business information?
- ☐ Yes — with my explicit approval for each new account
- ☐ No — EA requests; I create the account myself (recommended)
- ☐ Yes — for any tool we've agreed to add to the stack
5.2 — Is your EA authorized to sign up for free trials or exploratory tools?
- ☐ Yes — with notification to me
- ☐ Only if I've approved the tool first (recommended)
- ☐ No — I handle all account creation
Section 6: Access Log
6.1 — Should your EA maintain an access log tracking every platform they have access to?
- ☐ Yes — maintained in your ops folder and reviewed monthly (recommended)
- ☐ No — I'll track access myself
6.2 — Who should be able to see the access log?
- ☐ EA + me
- ☐ EA only
- ☐ Me only — EA updates, I have the copy
6.3 — How often should the access log be reviewed?
- ☐ Monthly — EA confirms all access is still needed and current (recommended)
- ☐ Quarterly
- ☐ Only when something changes
Section 7: Suspicious Activity Protocol
7.1 — If your EA notices unusual account activity, what should they do?
- ☐ Notify me immediately without taking action (recommended)
- ☐ Attempt to change the password and then notify me
- ☐ Other: _____
7.2 — How should a security alert be delivered?
- ☐ Immediate message on my primary channel with URGENT flag (recommended)
- ☐ Text
- ☐ Other: _____
Section 8: Offboarding & Access Revocation
8.1 — When the engagement ends, what is the expected timeline for revoking your EA's access?
- ☐ Within 48 hours of the last day (recommended)
- ☐ Within 1 week
- ☐ I'll manage it myself
8.2 — At offboarding, should your EA provide a full list of every account they had access to?
- ☐ Yes — complete list with confirmation that access has been revoked (recommended)
- ☐ No — I'll verify myself
8.3 — Should password manager access be removed and credentials deleted from your EA's vault at offboarding?
- ☐ Yes — EA removes credentials and confirms deletion (recommended)
- ☐ I'll remove shared vault access myself
Section 9: Anything Else
9.1 — Are there any security policies in your business that your EA should be aware of?
9.2 — Have you had any prior security incidents with shared access that have informed how you manage this?
9.3 — Is there anything else about how you manage system access that your EA needs to understand?
Sign-Off
By completing this document, you confirm that your EA is authorized to access the systems listed above within the boundaries you've defined. Levrly will keep this on file and reference it if questions arise.
| Item | Entry |
|---|---|
| Client Name | _____ |
| Date Completed | _____ |
| EA Name | _____ |
| Levrly Account Manager | _____ |
To update any decision in this document, contact your Levrly account manager or submit a change request through your client portal.