levrly Standard Operating Procedures
CEA — Tools & Professional Standards
SOP-CEA-TOOLS-04: Sensitive Information Handling Protocol
Applies To: Certified Executive Assistants — Levrly Client Placements
Updated: April 2026

1. Objective

This SOP governs the specific operational practices for handling sensitive information — beyond the general confidentiality standard in SOP-CEA-TOOLS-03 and SOP-CEA-COMM-06. Where those SOPs establish the values and intent, this SOP defines the specific behaviors: how information is stored, transmitted, shared, accessed, and protected in day-to-day operations. Sensitive information handling is where confidentiality values become operational discipline.

Where this SOP starts: Any time you encounter, access, or transmit sensitive information — financial data, client details, legal documents, personal information, and credentials.
Where this SOP ends: When the information has been handled securely and the appropriate records have been updated.

Success looks like: Sensitive information never ends up in the wrong hands. Your executive never has to wonder whether a sensitive document was shared securely. Client data is accessible to exactly who needs it and no one else. If a security or privacy incident occurs, you notice it immediately and escalate before it becomes a larger problem.


2. Your Role & Boundaries

2a. What you handle independently

  • Applying secure handling practices to every piece of sensitive information you encounter
  • Recognizing when information crosses into the "sensitive" category and acting accordingly
  • Storing, filing, and transmitting sensitive documents using only approved secure channels
  • Alerting your executive immediately if sensitive information may have been exposed

2b. What requires executive approval before acting

  • Sharing any sensitive document with any third party — even an existing client or vendor
  • Printing any document containing sensitive information (confirm approved printing environment)
  • Accessing any sensitive file outside of your regular scope of work

2c. What you never do

  • You never transmit sensitive information via email (unless encrypted or via secure sharing link)
  • You never share sensitive information in Slack, text, or any platform that retains unencrypted message history
  • You never share a sensitive file using "Anyone with the link" permissions
  • You never leave sensitive documents open on screen when stepping away from your workspace
  • You never discuss sensitive matters in public spaces, on shared calls, or where others may overhear

3. Categories of Sensitive Information

Financial information: Revenue, profit/loss, pricing, contracts, invoices, bank details, tax documents. Treat all financial information as sensitive — no exceptions.

Client information: Client names in combination with any business details, contract terms, health information (if relevant), personal contact details, and anything a client shared in confidence.

Legal documents: Contracts, NDAs, agreements, anything with legal signatures, any document related to a dispute or legal matter.

Credentials: Passwords, API keys, access tokens, 2FA backup codes. These are always sensitive. See SOP-CEA-TOOLS-02 for full credential handling protocol.

Personal information: Your executive's personal financial situation, health details (if shared), family matters, or any information clearly personal in nature.

Strategic information: Business plans, product development details, competitive strategy, partnership discussions, proposed acquisitions or sales.


4. Secure Transmission Standards

When you need to share a sensitive document with an external party:

Use secure file sharing links:
- Google Drive: Share with specific person access only — not "Anyone with the link"
- Dropbox: Use specific user sharing, not public links
- OneDrive: User-specific sharing with view-only permissions where possible

Never transmit via:
- Email attachments (even if the file is a PDF — use a secure link instead)
- Slack, Teams, or any messaging platform
- Text or WhatsApp
- Public-facing tools (Trello, Notion pages without access controls)

Before sharing any document:
1. Confirm with your executive that this document is authorized to be shared with this recipient
2. Confirm the correct access level (view, comment, edit)
3. Share with the specific recipient's email — not a generic link
4. Log the access in the access tracker (SOP-CEA-OPS-05)


5. Secure Storage Standards

All sensitive documents are stored in:
- Cloud storage with proper access controls (see SOP-CEA-OPS-05)
- Password manager for credentials (see SOP-CEA-TOOLS-02)

Never stored in:
- Personal devices without encryption
- Personal Google Drive or Dropbox accounts
- Email drafts or sent items
- Shared documents without access controls
- Desktop of a shared computer

Encryption: Sensitive financial documents, contracts, and client information should be stored in a cloud platform with encryption at rest (Google Drive, Dropbox, and OneDrive all provide this by default).


6. Workspace and Screen Security

Physical security:
- Lock your screen whenever you step away — even briefly
- Do not work on sensitive documents in public places (coffee shops, shared workspaces, public transport)
- If you must work in a shared environment, use a privacy screen filter
- Do not leave printed sensitive documents unattended — ever

Digital security:
- Close sensitive browser tabs when not actively using them
- Do not keep multiple sensitive documents open simultaneously if not needed
- Clear your browser history and cache regularly if working on a shared device


7. Responding to Information Requests

You will occasionally be asked — by clients, contacts, or others — to provide information that may be sensitive.

The default response to any information request you haven't been explicitly authorized to fulfill:

"Let me confirm with [Executive] before sharing that — I want to make sure I'm giving you the right information. I'll follow up shortly."

Do not attempt to assess "how sensitive" the request is in the moment. If you weren't explicitly told this information can be shared with this person — don't share it.

For legal requests (subpoenas, formal legal notices, regulatory requests):
→ Do not respond. Notify your executive immediately. "I've received a [formal request] from [sender]. I haven't responded. You'll need to involve legal counsel."


8. If Sensitive Information Is Accidentally Exposed

If you believe sensitive information has been shared with an unintended party:
1. Stop. Don't attempt to contain or manage the situation yourself.
2. Notify your executive immediately. "I need to tell you something urgently: [brief description of what happened]. I've taken no further action."
3. Document what happened. What information, which party, when, through which channel.
4. Follow your executive's instructions for next steps — which may include notifying the affected party, changing credentials, or involving legal counsel.

Speed is critical. The faster the exposure is reported, the more options exist for mitigation.


9. Escalation Protocol

Escalate immediately when:
- A sensitive document has been sent to the wrong person
- You believe account credentials have been compromised
- A third party has requested information that clearly falls outside what you're authorized to share
- You discover sensitive information in a location that isn't secure (e.g., an unprotected shared document accessible to anyone)

Escalation format:

URGENT — Sensitive information concern:

[Brief, factual description of what happened or what was found]

I have not taken further action. Please advise immediately.

10. Tools & Access

Tool | Purpose
[Cloud storage — access-controlled] | Secure document storage and sharing
[Password manager] | Credential protection
Access log spreadsheet | Tracking who has access to what

11. Changelog

Date | Notes
April 2026 | Initial release