SECURITY

How we handle your credentials.

When you move to the internal Diagnosis (Phase 3), you give us credentials to your accounts for deep analysis. These are the 6 operational guarantees we apply before and during the process.

Admetriko team 4 min read

Why this matters

If you are about to pay for an internal Diagnosis and hand us credentials to your accounts (Meta Ads Manager, GoHighLevel CRM, Google Ads, GA4, email server), you deserve to know exactly how they are handled. Not in legalese. Operationally.

When does this apply?

  • NOT in the External audit (Phase 1). That uses 100% public data. No credentials, no access to your accounts.

  • NOT in the Strategic session (Phase 2). That is a conversation, optional screen-share, no credential sharing.

  • YES in the internal Diagnosis (Phase 3). Here you share credentials for deep analysis. We charge $1,200 USD, refundable against Implementation. Before receiving any credential, we sign an NDA and apply what follows.

  • YES in the Implementation (Phase 4). During setup we keep access. At the end, all accounts stay in YOUR name and our users are removed.

The 6 clauses

01 Access limited to scope

Credentials are used exclusively for the agreed analysis in the internal Diagnosis. We do not access information outside scope: private messages, personal data of employees or clients beyond aggregated metrics.

02 Secure storage

Credentials are kept in a password manager with end-to-end encryption. Never via email, WhatsApp, plain files, or messaging. Each team member accesses only from their personal manager account with mandatory 2FA.

03 Deletion at closure

When we deliver the internal Diagnosis report, we delete all credentials within 72h and email you confirmation with a timestamp. If you later contract Implementation, we ask for credentials again (we do not reuse the old ones).

04 Mutual written NDA

We sign a confidentiality agreement before receiving any credential. Anything we see about your business is not shared with third parties, is not used as a public example, and does not appear on social media or in case studies without your explicit written authorization.

05 Access audit log

We maintain a log of which account was accessed by whom, when, and why. We deliver it as an annex to the final Diagnosis report. You can audit the log before paying for Implementation.

06 Responsibility if something goes wrong

If by our action a credential is compromised, we cover remediation costs and invite your security auditor to verify. This is in the NDA, not a verbal promise.

Step-by-step process

01 Pre-Diagnosis (post-Strategic session)

After the Strategic session, if you proceed, you receive the NDA by email. You review it with your legal team if you want, then sign digitally.

02 Credential onboarding

We send you an invitation to the password manager. You create entries with read-only permissions where possible. You never give us your personal password. Separate users.

03 Internal analysis (5-7 days)

We do the work. We maintain an automatic access log. We do not touch data outside the agreed scope. If we need anything extra, we ask in writing.

04 Delivery + deletion

You receive a PDF with the analysis + actionable plan + exact Implementation quote. Within the next 72h we delete all credentials and email you confirmation. The access log is included as an annex.

Operational guarantee

If at any point in the process you see a violation of any of the 6 clauses, we refund the $1,200 USD of the internal Diagnosis plus a security audit paid by us with any auditor of your choice. We do not sign what we cannot uphold.

Frequently asked questions

About security and credentials

Do I need to sign an NDA before the internal Diagnosis?

Yes, a mutual written NDA before we receive any credential. It is sent by email, and you sign it with your legal team if you want. If you do not sign the NDA, we do not move to the internal Diagnosis. This protects both you and us.

Can I use my own NDA terms instead of the one you propose?

Of course. If your company has a standard NDA (common in clinics, law firms, large B2B), we review and sign it. We only verify that it covers the critical points: mutual confidentiality, credential deletion, access log, responsibility if something goes wrong.

What happens to my credentials if I decide not to proceed to Implementation after the Diagnosis?

Same process: we delete all credentials within 72h of delivering the report and email you confirmation. You keep the report + plan + quote. If you return within 12 months for Implementation, the $1,200 USD applies as a deposit and we ask for new credentials (no reuse).

What tools do you use to store credentials?

Any manager with end-to-end encryption + mandatory 2FA (1Password Business, Bitwarden Enterprise, or whatever your company already uses). Never plain files, never via chat, never shared docs.

Are there credentials you do NOT receive even with NDA?

Yes, several: passwords for the owner's personal accounts (we prefer separate users), passwords giving access to financial information outside scope (banking, accounting), and access without 2FA (we always ask for 2FA on our side). If your critical account does not have 2FA, we first help you activate it.

Ready for the internal Diagnosis?

Start with the free external audit (Phase 1). If it makes sense, move to the 45-min Strategic session (Phase 2). If we fit, we sign the NDA there and start the internal Diagnosis with all the guarantees on this page.

No card. No commitment. Credentials only enter the picture once we are strategically aligned.
