How We Share Credentials Securely With You

Passwords, API keys, database credentials, and access tokens are sensitive. How we share and store them matters for your security. This article explains our approach.

What We Never Do

  • Send credentials in plain text via email
  • Store passwords in documents, spreadsheets, or wiki pages
  • Include credentials in code repositories or version control
  • Use shared generic accounts without individual attribution

How We Share Credentials

We use a dedicated secrets management approach:

  • Encrypted password managers: Credentials are shared via tools like 1Password, Bitwarden, or LastPass using secure vault sharing — never in chat or email
  • Secure link sharing: For one-off credential sharing we use tools like One Time Secret, where the link expires after being viewed once
  • Environment variables: Production secrets are stored as environment variables on the hosting platform, not in code

How You Should Store Credentials We Provide

We strongly recommend:

  • Using a business password manager (1Password Teams, Bitwarden Business) to store all credentials
  • Never sharing credentials in chat tools, email, or shared documents
  • Rotating credentials when team members leave your organisation
  • Using multi-factor authentication (MFA) on all critical accounts — particularly hosting, domain, and cloud platforms

Credential Handover at Project End

At project completion, we will provide a formal credential handover document listing all accounts, their current owners, and where credentials are stored. We then remove our own access to your systems within an agreed timeframe.
