Secure Access Setup for Your Virtual Assistant: Step-by-Step
Setting up access for a new virtual assistant is a high-stakes moment. Done correctly, your VA has exactly what they need to work effectively. Done carelessly, you've created security vulnerabilities that are expensive to fix later.
This guide walks through a systematic approach to setting up VA access securely from day one.
See also: password management for VAs, 2FA setup for VA accounts, data security best practices.
The Least-Privilege Principle
Every secure access setup starts here: grant your VA the minimum access required to do their job - nothing more. This limits damage if their account is compromised and makes offboarding clean and complete.
Ask for each tool: What specific tasks will my VA perform in this system? Then grant only the permissions required for those tasks.
Pre-Access Checklist: Before You Set Anything Up
Before creating any accounts, complete this checklist:
- Contractor agreement signed and on file
- NDA signed and on file
- Data handling policy acknowledged
- VA confirmed they have a secure, encrypted device
- VA confirmed they have a password manager
- VA confirmed they have 2FA set up for their email and password manager
- You have a record of which accounts you're granting access to
Step-by-Step: Setting Up Each System
Email Access
Option A: Create a domain email (recommended). Create a dedicated mailbox for the VA on your own domain in your Google Workspace or Microsoft 365 account. This gives you full control and a professional appearance.
Option B: Add as a delegate. If the VA will manage your inbox, use Gmail's "Delegate Access" feature (Settings → Accounts → Grant access to your account). This lets them read and respond to email without having your password.
Option C: Share specific email aliases. Use a tool like Front, Gorgias, or Help Scout to create shared inboxes the VA can access through their own account.
CRM and Customer Database
- Create a named user account with a role appropriate to their function:
  - Sales VA: opportunity view + edit; no admin access
  - Customer service VA: contact view; no ability to delete records
  - Admin VA: read-only access to relevant reports; no financial data
- Enable activity logging so all CRM actions are attributed to their account
Project Management (Asana, ClickUp, Notion, Trello)
Invite with the appropriate role:
- Member/Editor: Standard for most VA tasks
- Commenter: If they only need to review and comment
- Admin: Only if they're managing your workspace (rare)
Grant access to specific projects they're working on. Don't add them to everything.
File Storage (Google Drive, Dropbox, OneDrive)
Share specific folders, not your entire Drive:
- Create a "VA Work" folder or project-specific folders
- Share with "Editor" access for collaboration, "Viewer" for reference materials
- Do not share the root of your Drive
- Enable "Notify activity" so you see changes
Social Media Management
Use a social media management tool (Buffer, Hootsuite, Later, Sprout Social) rather than sharing account credentials directly. Most support multiple users with different permission levels. The VA gets access through the management tool, not through your personal Instagram/LinkedIn/Facebook login.
If direct account access is required:
- Use a password manager to share credentials without revealing the password
- Enable 2FA on the account so the VA needs both the password and the code (you control the 2FA device)
Communication Tools (Slack, Teams)
Invite to your workspace with member permissions. Create or assign them to only the channels relevant to their work. Do not add them to private strategy or finance channels.
E-commerce Platforms
Shopify: Settings → Users and Permissions → Add Staff. Select only the permissions needed (orders, products, customers - not billing, store settings, or apps).
WooCommerce: Users → Add New → Assign "Shop Manager" role (or a custom role with reduced permissions if you use a plugin like User Role Editor).
Amazon Seller Central: Settings → User Permissions → Invite a New User. Limit to their function (inventory, listings, or customer service - not bank account or business information).
Tracking What You've Given Access To
Maintain an access log - a simple spreadsheet works:
| System | VA Name | Access Level | Date Granted | Review Date |
|---|---|---|---|---|
| Google Workspace | Jane Smith | User account | 2025-01-15 | 2025-04-15 |
| Shopify | Jane Smith | Staff (Orders + Products) | 2025-01-15 | 2025-04-15 |
| HubSpot | Jane Smith | Sales Member | 2025-01-15 | 2025-04-15 |
Review this log quarterly and at offboarding.
Offboarding: Revoking Access Completely
When the VA engagement ends, work through your access log systematically:
- Deactivate their email account or remove delegate access
- Remove or deactivate their CRM user account
- Remove from project management tools
- Unshare Drive folders
- Remove from social media management tools
- Revoke their access in the password manager vault
- Change any shared passwords you're aware of
- Verify that 2FA codes linked to their device have been removed from your accounts
Do this on the last day of the engagement, before or immediately after the final handoff.
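The access log and the offboarding pass described above can be checked mechanically once the spreadsheet is exported as CSV. The following is an added example, not part of the original guide: the sample rows are constructed, and the function names and the list of "broad access" terms are assumptions to adapt to your own tools.

```python
import csv
import io
from datetime import date

# Constructed sample log using the column layout from the table above.
SAMPLE_LOG = """System,VA Name,Access Level,Date Granted,Review Date
Google Workspace,Jane Smith,User account,2025-01-15,2025-04-15
Shopify,Jane Smith,Staff (Orders + Products),2025-01-15,2025-04-15
HubSpot,Jane Smith,Sales Member,2025-01-15,2025-07-15
Asana,Sam Lee,Admin,2025-02-01,2025-05-01
"""

# Assumption: access-level words that deserve a second look under least privilege.
BROAD_ACCESS_TERMS = ("admin", "owner", "billing", "full access")


def load_log(text):
    """Parse the access log CSV into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {k.strip(): v.strip() for k, v in row.items()}
        for col in ("Date Granted", "Review Date"):
            row[col] = date.fromisoformat(row[col])
        rows.append(row)
    return rows


def reviews_due(rows, today):
    """Entries whose review date has arrived or passed (the quarterly review)."""
    return [r for r in rows if r["Review Date"] <= today]


def broad_access(rows):
    """Entries whose access level suggests more than task-level permissions."""
    return [r for r in rows
            if any(t in r["Access Level"].lower() for t in BROAD_ACCESS_TERMS)]


def offboarding_checklist(rows, va_name):
    """Every system to revoke for one VA, so nothing is missed on the last day."""
    return sorted({r["System"] for r in rows
                   if r["VA Name"].casefold() == va_name.casefold()})


if __name__ == "__main__":
    log = load_log(SAMPLE_LOG)
    for r in reviews_due(log, date(2025, 4, 20)):
        print("REVIEW DUE:", r["VA Name"], "-", r["System"])
    for r in broad_access(log):
        print("BROAD ACCESS:", r["VA Name"], "-", r["System"], "-", r["Access Level"])
    print("OFFBOARD Jane Smith:", ", ".join(offboarding_checklist(log, "Jane Smith")))
```

The checklist only covers what the log records, so shared passwords and 2FA enrolments from the offboarding list still need a manual pass.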
Frequently Asked Questions
How long does secure access setup take?
For a well-organized setup, plan for 1–2 hours. Rushing this process creates errors that take much longer to fix.
Should I set up all accounts before the VA's first day?
Yes - have accounts ready and waiting on day one. First-day friction wastes time and leaves a poor impression. Send credentials and access links the evening before or morning of their start date.
What if I'm not sure what access a VA needs?
Start minimal and add access as specific needs arise. It's far easier to grant access you withheld than to revoke access after a problem occurs.