Managing Credentials

How credentials work in Finalizo

The credentials section of a handover pack is where you store and transfer all logins your client needs to take ownership of their project: CMS admin, hosting control panel, domain registrar, analytics, email, and any third-party tools connected to the site.

Finalizo encrypts credentials at rest. They are not displayed to the client until after they have signed the handover form. This ensures there is a formal record of handover before access is transferred.

Adding credentials to a pack

Inside your pack, navigate to the **Credentials** section. Click **Add credential** to add a new row. For each entry you can record:

• **Platform** — the name of the tool or service (e.g. "Webflow", "Cloudflare", "Google Analytics")
• **URL** — the login page or admin URL
• **Username / email** — the login identifier
• **Password** — the current password for the account
• **Notes** — optional context, such as "Two-factor authentication is enabled on this account — client must use the backup codes in the folder shared via Google Drive"

You can add as many credential rows as needed. Most web projects have between five and twelve.

Password best practice

Before adding credentials to a handover pack, we recommend:

1. **Change all passwords to fresh ones** — do not hand over your own working passwords. Create account-specific passwords for the client transfer. 2. **Remove yourself from shared accounts** — remove your email from admin roles and transfer ownership properly where the platform supports it (Google Analytics, for instance, allows ownership transfer directly). 3. **Document two-factor authentication** — if an account has 2FA enabled, include instructions for how the client can access or reset it.

When credentials are revealed

The client cannot see credentials until they have digitally signed the handover form. Once signed, the credentials section unlocks and they can view all entries. This protects you: it means access was transferred at the same moment the client formally acknowledged receipt of the project.

If you need to share credentials before sign-off for any reason (for example, during a testing phase), do so outside of Finalizo via a separate secure method such as 1Password, a temporary shared link, or an encrypted note.

Updating credentials after sending

If you send a pack and then discover a password needs updating, you can:

1. Go to **Projects → [Project Name] → Pack** 2. Click **Edit pack** 3. Update the credential row 4. Click **Resend** to notify the client that the pack has been updated

If the client has already signed, updating a credential does not require them to re-sign — only structural changes to the pack (scope, support terms) trigger a re-sign requirement.

Removing credentials from your records

Once a project is marked complete and the sign-off certificate has been issued, you should remove your own copies of client credentials from any personal password managers or notes. Finalizo stores the credential record as part of the project archive, but you should not maintain a live copy once ownership has transferred.

To help with this, the **Your records** checklist in the default handover template includes a reminder: "Credentials removed from personal password manager." Tick this as part of your own close-out process.

Security and encryption

All credentials stored in Finalizo are encrypted at rest using AES-256 encryption. Access is restricted to authenticated users and is tied to the specific project. Finalizo staff cannot access the plaintext content of your credential fields.

For questions about our security practices, see the [Security Policy](/legal/security) or email [security@finalizo.com](mailto:security@finalizo.com).

← Back to Help Centre