TikTok TikTok accounts reliability checklist for teams facing compliance sensitivity
A purchased asset only helps if it behaves predictably inside your workflow. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion.
This piece focuses on compliant, buyer-oriented checks: what to verify, how to document transfers, and how to keep your reporting honest when teams change hands. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked.
Choosing ad accounts with a procurement rubric instead of gut feel (t20)
For ad accounts used in Facebook Ads, Google Ads, and TikTok Ads, selection should be evidence-based. https://npprteam.shop/en/articles/accounts-review/a-guide-to-choosing-accounts-for-facebook-ads-google-ads-tiktok-ads-based-on-npprteamshop/ Apply it as a gate: only graduate an account when the risk controls are in place and documented. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing.
As an internal rule, don’t raise spend more than 35% per day until access, billing, and reporting have been stable for 5 consecutive days. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. You want a procurement record that a new operator could understand without calling the person who bought the asset. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. Prefer transparent, documented authorization over informal arrangements that collapse under review or dispute. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent.
TikTok TikTok account readiness: what to verify before you operationalize it
For TikTok TikTok account procurement, buyers should start with governance, not performance. buy TikTok TikTok account with stable access and clean handoff for multi-geo ops Prioritize clear admin mapping, documented billing responsibility, and a recovery plan that doesn’t depend on one person. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. You want a procurement record that a new operator could understand without calling the person who bought the asset. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion.
As an internal rule, don’t raise spend more than 25% per day until access, billing, and reporting have been stable for 8 consecutive days. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law.
TikTok verified TikTok Ads account: procurement checks that prevent costly handoff failures
To keep a TikTok verified TikTok Ads account stable, buyers should demand a boring, explicit operating model. TikTok verified TikTok Ads account with onboarding artifacts included for lead gen for sale Treat selection as risk management: verify access control, billing continuity, and a reporting baseline you can trust. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked.
A practical control is a 120-hour onboarding window where the asset runs only low-stakes tests; graduate it only after the checklist is signed off. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. Prefer transparent, documented authorization over informal arrangements that collapse under review or dispute. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law.
Troubleshooting playbook: isolate causes before you change strategy (governance focus)
A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. You want a procurement record that a new operator could understand without calling the person who bought the asset. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. You want a procurement record that a new operator could understand without calling the person who bought the asset.
Decide what you will not do, then automate the rest
Example: a mobile app media buying team uses a scorecard to gate onboarding and avoids emergency resets during a seasonal push. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable.
What should you verify before the first spend hits the billing line? (governance focus)
You want a procurement record that a new operator could understand without calling the person who bought the asset. Prefer transparent, documented authorization over informal arrangements that collapse under review or dispute. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. You want a procurement record that a new operator could understand without calling the person who bought the asset. A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing.
Define the access model before you define the budget
Example: a mobile app media buying team uses a scorecard to gate onboarding and avoids emergency resets during a seasonal push. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week.
Governance and handoff: the part most teams underfund (governance focus)
Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. Prefer transparent, documented authorization over informal arrangements that collapse under review or dispute. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked.
Keep a clean handoff log when multiple operators touch the asset
Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. Prefer transparent, documented authorization over informal arrangements that collapse under review or dispute. Prefer transparent, documented authorization over informal arrangements that collapse under review or dispute. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week.
- Verify creative QA rules that match your compliance tolerance.
- Confirm a folder where evidence lives (role exports, receipts, screenshots).
- Record handoff notes that a new buyer can execute without guesswork.
- Limit a cadence for weekly audits and monthly deep checks.
- Test billing responsibility and escalation contacts.
- Test handoff notes that a new buyer can execute without guesswork.
Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. You want a procurement record that a new operator could understand without calling the person who bought the asset. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes.
Prefer boring workflows that survive staff changes
Example: a mobile app media buying team uses a scorecard to gate onboarding and avoids emergency resets during a seasonal push. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. Prefer transparent, documented authorization over informal arrangements that collapse under review or dispute. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. You want a procurement record that a new operator could understand without calling the person who bought the asset. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent.
Stability is the first KPI; every other KPI depends on it.
Closing guardrails: protect continuity without slowing the team (governance focus)
If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. You want a procurement record that a new operator could understand without calling the person who bought the asset. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies.
Align creative approvals with account-level risk tolerance
Example: a SaaS team documents roles and billing responsibility so a client handoff doesn’t turn into downtime. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes.
Set up escalation paths before something breaks
A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. You want a procurement record that a new operator could understand without calling the person who bought the asset. You want a procurement record that a new operator could understand without calling the person who bought the asset. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers.
- Define a reporting baseline with named metrics and definitions.
- Limit a change log for credentials, roles, and payment method updates.
- Test handoff notes that a new buyer can execute without guesswork.
- Align admin vs operator access for the TikTok TikTok account.
- Map a cadence for weekly audits and monthly deep checks.
- Verify a change log for credentials, roles, and payment method updates.
- Verify handoff notes that a new buyer can execute without guesswork.
You want a procurement record that a new operator could understand without calling the person who bought the asset. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week.
What does “compliant” look like in day-to-day account operations? (governance focus)
Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing. A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers.
Document ownership and roles like you would for a production system
Example: a mobile app media buying team uses a scorecard to gate onboarding and avoids emergency resets during a seasonal push. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week.
Build a decision tree that makes go/no-go obvious (governance focus)
Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. Prefer transparent, documented authorization over informal arrangements that collapse under review or dispute. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception.
Use a scorecard so the team argues about evidence, not opinions
If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. You want a procurement record that a new operator could understand without calling the person who bought the asset. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law.
| Check | What to look for | Evidence to store | Decision |
|---|---|---|---|
| Access roles | clear admin/operator split | role export + internal roster | proceed only if rotation is possible |
| Billing owner | documented payer responsibility | invoice/receipt + change log | avoid ambiguous payers |
| Recovery path | known recovery contacts/process | steps + timestamps | pause if recovery is unclear |
| Tracking baseline | events fire consistently | test log + screenshots | isolate if incomplete |
| Change management | one owner for edits | change log | escalate if multiple people edit |
| Creative QA | approval process defined | QA checklist | tighten claims before scaling |
| Reporting spec | metrics definitions stable | dashboard spec | lock spec before expanding team |
A stable asset has clear ownership, predictable permissions, and a path to rotate roles without breaking tracking or billing. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. If you cannot explain how the asset will be managed in a month, you should not plan to scale it next week.
Separate onboarding checks from optimization work
Example: a SaaS team documents roles and billing responsibility so a client handoff doesn’t turn into downtime. You want a procurement record that a new operator could understand without calling the person who bought the asset. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law. When you touch policies, focus on prevention: minimize violations by controlling what you run, how you message, and how you track consent. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. Keep your team’s behavior boring: consistent logins, consistent roles, and no shortcuts that look like evasion. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers. Risk is rarely one thing; it is usually a pile-up of small ambiguities: unclear roles, undocumented billing, and ad hoc transfers.
Final operating rules that keep the account layer calm
Keep the workflow simple: one owner, one checklist, one evidence folder, and one escalation path. Build guardrails that reduce the blast radius: separate test spend from core budgets until the asset proves stable. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. If a platform’s terms restrict transfers, treat that as a risk variable and choose conservative operational boundaries. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. Start by writing down who needs admin-level control, who needs day-to-day access, and what you will do if that access is revoked unexpectedly. When multiple clients share attention, governance needs to be explicit, or every urgent request becomes a policy exception. Avoid practices that misrepresent identity or ownership; keep your operations aligned with platform policies and applicable law.
You want a procurement record that a new operator could understand without calling the person who bought the asset. You want a procurement record that a new operator could understand without calling the person who bought the asset. Don’t confuse short-term deliverability with long-term stability; the latter comes from repeatable processes. You want a procurement record that a new operator could understand without calling the person who bought the asset. Treat every new asset as an onboarding project: collect evidence, store it, and only then attach campaign-critical dependencies. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. You want a procurement record that a new operator could understand without calling the person who bought the asset. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked. The simplest way to prevent chaos is to enforce one naming convention, one handoff note, and one place where credentials are tracked.
