DashboardOperations & SecurityConfidential 機密

09 · Security & Assets

Security & Assets

Data classification, keys, client data, and social-asset rules.

IT / Founder3 min readUpdated May 31, 2026

Tenten holds client data, API keys, and social accounts with 300K followers. This guide spells out: how data is classified, how passwords are managed, how client data is handled, and how to report incidents.

Security isn't IT's job alone — it's everyone's default habit. Tenten moves fast and isn't bureaucratic, but there are lines we must hold — because once client data leaks or social assets go out of control, it damages over a decade of trust. This guide pairs with the Offboarding SOP: one covers "how to protect while here," the other "how to hand over when leaving."

Data Classification

First learn to judge how sensitive what you're holding is, then decide how to handle it.

Level	Examples	How to handle
Public	Site content, published blog posts, marketing assets	Share freely.
Internal	This Brain, SOPs, internal processes, meeting notes	Team-only, in company spaces, not leaked.
Confidential	Passwords, API keys, financial data, compensation	1Password only; least privilege; the most sensitive held by the founder.
Client-Restricted	Client-provided data, backends, NDA documents	Per the client's security requirements; only those who need it; confirm authorization before feeding to AI.

Accounts & Passwords

All shared passwords go through 1Password.Don't send plaintext credentials over Slack, email or messages. To share, use the 1Password shared vault.

Turn on 2FA / MFA.Enable two-step verification wherever possible. Note: don't bind a shared-account authenticator to only your personal phone.

Use SSO when you can.Prefer Google Workspace SSO for services that support it — central management, easy to revoke on exit.

One person, one account — don't share personal accounts.Use team / service accounts for shared needs; don't hand your personal password to others.

Strong, unique passwords.Generate random passwords with 1Password; don't reuse one password everywhere.

Device Security

Laptop

Encryption + auto-lock

Turn on full-disk encryption (FileVault), auto-lock when away. Company asset — report loss to IT immediately.

Shared device

Mac Studio M3 Ultra

The local AI inference machine is a company physical asset. Log out of your personal session after use.

Remote

VPN / secure network

Use a secure network for sensitive data; avoid hitting client backends over public Wi-Fi.

Software

Trusted sources

Only install necessary software and extensions from trusted sources. Don't click suspicious links — verify first.

Client Data & NDA

Clients entrust their data to us — that's trust. Protecting it is our bottom line.

→

Least-privilege access.Take only the client access your work truly needs. Step back when the project ends.

→

Put client files in the right place.Use the designated shared space — don't download to personal devices or scatter across personal drives.

→

Judge before feeding to AI.Client NDA data, PII, undisclosed info — confirm authorization and compliance before any AI tool. When unsure, ask first.

→

Follow each client's security rules.Some clients have specific VPN, device or process requirements; handle per contract; return or revoke on handover.

When leaving a project / the company

Client-side delegated access (GA, Search Console, CMS, shared drives) is the most-forgotten to reclaim. Handover details in the Offboarding SOP · Client system access.

API Keys & Rotation

Keys are passes. Mismanaged, both billing and data go wrong.

Type	Principle
Personal keys	Tokens / PATs bound to a personal account — revoke directly on departure.
Shared keys	Anthropic, Cloudflare, Supabase and other shared keys are always rotated on personnel changes, with a billing / usage check.
Automation credentials	n8n flow credentials bind to a company service account, not a person — so disabling one person doesn't break the flow.
CI / deploy keys	GitHub Actions secrets and deploy keys reviewed regularly, handled on departure.

Rebind first, disable second

For any automation bound to a personal account, rebind the credential to a company account before disabling the personal account. Reverse the order and the whole line goes down instantly.

This is the company's highest-value intangible asset: a 300K+-follower AI content account group across platforms.

★

Ownership always at the company level.The primary owner of Meta Business and YouTube brand accounts must be the company, not any individual.

★

Revoke personal admin rights as soon as they're done.When someone leaves, revoke all personal admin rights, rotate passwords, leave no login or recovery path.

★

Audit scheduled content.Scheduled posts and email sequences that keep firing after departure must be inventoried at handover.

Why so strict

These accounts are over a decade of brand equity — once out of control, they can't be redone. Full handover rules in the Offboarding SOP · Social media assets.

Incident Reporting

Incidents aren't scary — hiding them is. If you spot any of the below, report immediately; we don't blame the reporter.

What to report

Lost or stolen device, phishing email / suspicious link, abnormal account login, accidentally posting confidential info in the wrong place, suspected key leak.

How to report

Find IT in Slack first; if finance or client data is involved, also notify the founder. Stop the bleeding first (change passwords, revoke keys), then investigate.

Reporting over saving face

The sooner you speak up, the smaller the damage. We care about patching the hole, not blaming who hit the wrong button.

Red Lines

Never do these

① Send credentials or keys in plaintext (Slack / email). ② Store company or client files only on a personal drive. ③ Feed client NDA data into an unapproved tool. ④ Execute money transfers, orders or payments yourself (always through the founder). ⑤ Keep any social-account login or admin rights after leaving. ⑥ Hard-code shared keys into code and commit them.

These six are Tenten's red lines. For anything else in doubt, ask IT or the founder in Slack — on security, asking is always cheaper than gambling.

Ways of Working

Operating principles, communication cadence, and an AI-native culture.

Offboarding SOP

A zero-loss handover process for accounts, access, client relationships and sensitive assets when someone leaves.

Company Overview

Who we are, what we believe, what we do, and our brand & product matrix.

DashboardOperations & SecurityConfidential 機密

09 · Security & Assets

Security & Assets

Data classification, keys, client data, and social-asset rules.

IT / Founder3 min readUpdated May 31, 2026

Data Classification

First learn to judge how sensitive what you're holding is, then decide how to handle it.

Level	Examples	How to handle
Public	Site content, published blog posts, marketing assets	Share freely.
Internal	This Brain, SOPs, internal processes, meeting notes	Team-only, in company spaces, not leaked.
Confidential	Passwords, API keys, financial data, compensation	1Password only; least privilege; the most sensitive held by the founder.
Client-Restricted	Client-provided data, backends, NDA documents	Per the client's security requirements; only those who need it; confirm authorization before feeding to AI.

Accounts & Passwords

All shared passwords go through 1Password.Don't send plaintext credentials over Slack, email or messages. To share, use the 1Password shared vault.

Turn on 2FA / MFA.Enable two-step verification wherever possible. Note: don't bind a shared-account authenticator to only your personal phone.

Use SSO when you can.Prefer Google Workspace SSO for services that support it — central management, easy to revoke on exit.

One person, one account — don't share personal accounts.Use team / service accounts for shared needs; don't hand your personal password to others.

Strong, unique passwords.Generate random passwords with 1Password; don't reuse one password everywhere.

Device Security

Laptop

Encryption + auto-lock

Turn on full-disk encryption (FileVault), auto-lock when away. Company asset — report loss to IT immediately.

Shared device

Mac Studio M3 Ultra

The local AI inference machine is a company physical asset. Log out of your personal session after use.

Remote

VPN / secure network

Use a secure network for sensitive data; avoid hitting client backends over public Wi-Fi.

Software

Trusted sources

Only install necessary software and extensions from trusted sources. Don't click suspicious links — verify first.

Client Data & NDA

Clients entrust their data to us — that's trust. Protecting it is our bottom line.

→

Least-privilege access.Take only the client access your work truly needs. Step back when the project ends.

→

Put client files in the right place.Use the designated shared space — don't download to personal devices or scatter across personal drives.

→

Judge before feeding to AI.Client NDA data, PII, undisclosed info — confirm authorization and compliance before any AI tool. When unsure, ask first.

→

Follow each client's security rules.Some clients have specific VPN, device or process requirements; handle per contract; return or revoke on handover.

When leaving a project / the company

Client-side delegated access (GA, Search Console, CMS, shared drives) is the most-forgotten to reclaim. Handover details in the Offboarding SOP · Client system access.

API Keys & Rotation

Keys are passes. Mismanaged, both billing and data go wrong.

Type	Principle
Personal keys	Tokens / PATs bound to a personal account — revoke directly on departure.
Shared keys	Anthropic, Cloudflare, Supabase and other shared keys are always rotated on personnel changes, with a billing / usage check.
Automation credentials	n8n flow credentials bind to a company service account, not a person — so disabling one person doesn't break the flow.
CI / deploy keys	GitHub Actions secrets and deploy keys reviewed regularly, handled on departure.

Rebind first, disable second

For any automation bound to a personal account, rebind the credential to a company account before disabling the personal account. Reverse the order and the whole line goes down instantly.

This is the company's highest-value intangible asset: a 300K+-follower AI content account group across platforms.

★

Ownership always at the company level.The primary owner of Meta Business and YouTube brand accounts must be the company, not any individual.

★

Revoke personal admin rights as soon as they're done.When someone leaves, revoke all personal admin rights, rotate passwords, leave no login or recovery path.

★

Audit scheduled content.Scheduled posts and email sequences that keep firing after departure must be inventoried at handover.

Why so strict

These accounts are over a decade of brand equity — once out of control, they can't be redone. Full handover rules in the Offboarding SOP · Social media assets.

Incident Reporting

Incidents aren't scary — hiding them is. If you spot any of the below, report immediately; we don't blame the reporter.

What to report

Lost or stolen device, phishing email / suspicious link, abnormal account login, accidentally posting confidential info in the wrong place, suspected key leak.

How to report

Find IT in Slack first; if finance or client data is involved, also notify the founder. Stop the bleeding first (change passwords, revoke keys), then investigate.

Reporting over saving face

The sooner you speak up, the smaller the damage. We care about patching the hole, not blaming who hit the wrong button.

Red Lines

Never do these

These six are Tenten's red lines. For anything else in doubt, ask IT or the founder in Slack — on security, asking is always cheaper than gambling.

Ways of Working

Operating principles, communication cadence, and an AI-native culture.

Offboarding SOP

A zero-loss handover process for accounts, access, client relationships and sensitive assets when someone leaves.

Company Overview

Who we are, what we believe, what we do, and our brand & product matrix.

Security & Assets

Data Classification

Accounts & Passwords

Device Security

Client Data & NDA

When leaving a project / the company

API Keys & Rotation

Rebind first, disable second

Why so strict

Incident Reporting

Reporting over saving face

Red Lines

Never do these

Related

Security & Assets

Data Classification

Accounts & Passwords

Device Security

Client Data & NDA

When leaving a project / the company

API Keys & Rotation

Rebind first, disable second

Why so strict

Incident Reporting

Reporting over saving face

Red Lines

Never do these

Related

When leaving a project / the company

Rebind first, disable second

Why so strict

Reporting over saving face

Never do these

lightbulb Related

When leaving a project / the company

Rebind first, disable second

Why so strict

Reporting over saving face

Never do these

lightbulb Related

Related

Related