Data security

Is it safe to give a VA access to your systems?

It is the question every business asks before handing a virtual assistant the keys to their inbox, their Xero or their customer list. The honest answer is that safety comes from how access is controlled, not from a promise that nothing will ever go wrong. Below is exactly how we control it, the legal framework you sit inside, and where our responsibility ends and yours begins. We would rather be straight about the boundaries than oversell.

How access is controlled

01

Credentials live in 1Password, never in email

Every credential a VA needs is shared through 1Password, our single non-negotiable tool. Passwords are never sent over email, Slack or a Google Doc, and a VA can use a login without ever seeing the password in plain text. Access is granted per vault, so a VA gets exactly the logins their role needs and nothing else. This is the single most common security mistake other engagements make, and it is the first thing we get right.

02

Least-privilege, view-only where possible

We provision access per tool, scoped to the task. A bookkeeping VA reconciles in Xero on a bank feed rather than logging into your bank. A support VA works inside your help desk, not your billing system. Wherever a role can be done with read-only or limited-permission access, that is what we set up. The principle is simple: grant only what the work genuinely needs, so the blast radius of any mistake stays small.

03

A signed confidentiality agreement before day one

Every DotVA virtual assistant signs a confidentiality agreement before they start working with any client. It covers what they can access, how they must handle your information, that they must not use it for anything outside the work, and what happens on termination. This is a baseline requirement for everyone we place, not an upgrade you have to ask for.

04

Access provisioned per tool, revoked instantly on offboarding

When a VA joins your engagement we set up their accounts deliberately, tool by tool. When an engagement ends, or a VA moves on, that access is removed immediately: vaults closed, accounts de-provisioned, sessions ended. Because nothing was ever shared in plain text, offboarding is clean rather than a scramble to remember what was sent where.

05

You keep the master controls

You stay in control of your own MFA on every account, your own audit logs, and the ability to revoke any access at any time without asking us. Data minimisation is yours to set too: you decide what each VA can touch. If you ever want to pull access immediately, you can do it yourself in seconds, and you do not need our permission to do it.

What we do not do (the honest boundaries)

Trust is built on being clear about the limits, not just the features. Here is what we are not.

We are not a substitute for your own security

Your obligations under the Privacy Act stay with you. Our controls help you meet your reasonable-steps duty, but they do not transfer it. Keep your MFA on, your software patched and your access reviews happening.

We do not hold your passwords outside 1Password

Credentials live in a shared 1Password vault you can see and revoke. We do not keep a separate copy of your logins on a spreadsheet, in an inbox, or anywhere a password could leak from.

We do not claim certifications we don’t hold

No ISO 27001, no SOC 2 badge. We are a small Australian agency and we will not pretend otherwise. What we show you instead is the actual practice, which you can audit.

We do not need access we are not given

You grant access; you are not handing over a master key. If a role does not need your bank, your VA does not get your bank. Least privilege is the default, not a setting you have to request.

Want to walk through your specific setup?

Book a 30-minute discovery call. We will map out exactly what access a VA in your role would and would not need, and how the controls above apply to your tools.

Book a discovery call →

Data security FAQ

Can a VA access my business bank account?

Only if you decide they should, and almost no client does. For bookkeeping, the standard is read-only access: bank feeds flow into Xero or MYOB automatically, so your VA reconciles and codes transactions without ever logging into your bank or being able to move money. Where a VA needs to prepare a payment, the workflow is to draft it for you to authorise inside your own banking, with your own MFA. We never ask for your banking password and we never hold it.

What happens to a VA’s access when they leave?

It is revoked immediately as part of offboarding. Credentials shared through 1Password are removed from the VA’s vault, per-tool access (email, CRM, Xero, project tools) is de-provisioned, and we recommend you rotate any password they could have memorised and end their sessions. Because credentials were shared through 1Password rather than told to them in plain text, there is nothing left in an inbox or chat history to clean up.

Where is my data stored?

In your own systems. DotVA does not run a central data warehouse that copies your customer records. Your VA works inside the tools you already use (your email, your CRM, your accounting software, your project tools), so your data stays where it already lives and under your control. We do not export or retain copies of your business data outside those systems.

Do VAs work on personal or managed devices?

VAs work on their own computers, which is normal for remote contractors worldwide. We are honest that we are not a managed-device fleet with locked-down corporate laptops, and we do not claim to be. What we do require is the basics done properly: a password manager so credentials are never stored in plain text, device security kept current, and confidentiality obligations in writing. For genuinely sensitive workloads, you can layer your own controls on top, such as virtual desktops or IP restrictions, and we will work within them.

Is using an offshore VA allowed under the Privacy Act?

Yes. Australian Privacy Principle 8 permits disclosing personal information to an overseas recipient, but it keeps you accountable for that data. In practice that means taking reasonable steps to ensure the data is handled consistently with the Australian Privacy Principles, disclosing in your privacy policy that data may be handled overseas, and using a written confidentiality and data-handling clause. Our confidentiality agreements and access controls are built to support that, but the accountability under the Act stays with you. This is general information, not legal advice.

Are you ISO 27001 or SOC 2 certified?

No, and we will not claim a certification we do not hold. DotVA is a small Australian agency, not an enterprise security vendor, and we would rather be straight with you than badge ourselves with a standard we have not been audited against. What we can show you is the actual practice: signed confidentiality agreements, 1Password for every credential, least-privilege access and instant offboarding. If your business genuinely requires a certified provider, we will tell you that up front.