Plain-language notes on how StackRefit handles access, credentials, client data, production safety, NDA/DPA expectations, and AI-assisted work.
StackRefit works on systems that may run bookings, orders, operations, customer portals, admin workflows, or revenue-critical websites. Access has to be handled carefully.
| Area | Examples |
|---|---|
| Application code | PHP, Laravel, WordPress themes/plugins, WooCommerce customizations, Symfony, CodeIgniter, custom modules. |
| Dependency files | composer.json, composer.lock, package.json, lockfiles, plugin lists, framework versions. |
| Hosting/server setup | Linux version, PHP runtime, web server, database version, control panel, cron jobs, queues. |
| CMS/admin configuration | WordPress/WooCommerce settings, plugin state, user roles, update posture, critical configuration. |
| Database metadata | Engine/version, schema overview, table structure, migrations, size, backup approach. |
| Deployment process | Repository, staging, CI/CD, manual deploy process, rollback notes, release habits. |
| Logs and monitoring | Error visibility, uptime monitoring, application logs, hosting logs, alerting tools. |
| Documentation | README files, handover notes, hosting notes, runbooks, client instructions. |
| Integrations | Payment, email, CRM, booking, analytics, webhooks, APIs, search, automation tools. |
Please do not paste or upload passwords, SSH keys, API keys, .env files, source code, screenshots containing sensitive data, database dumps, customer exports, production logs, payment details, private client documents, or personal data that is not needed for scoping.
Avoid shared admin accounts where possible. If a shared account is unavoidable, confirm who owns it, why it is being used, and when access will be rotated or revoked.
Temporary named accounts, role-based access, read-only audit access, password-manager sharing, key-based SSH, 2FA where supported, and documented revocation.
Unrestricted root access is usually unnecessary for audits. Broader access may be needed for upgrade or rescue work, but production changes still need approval and rollback thinking.
Schema-only export, read-only database user, hosting dashboard metadata, guided walkthrough, redacted examples, or sanitized staging database are preferred over production dumps.
AI tools may help with internal structure, checklists, note organization, documentation drafting, risk classification, and sanitized technical analysis.
StackRefit does not send client code, logs, credentials, personal data, customer data, or confidential system details to external AI tools without explicit written permission.
If AI processing is useful for a specific engagement, the scope should clarify what data may be processed, what is excluded, whether redaction is required, which providers are allowed, and whether the client or agency has internal AI policies.
Urgent fixes still need approval. Speed is useful, but uncontrolled production access creates avoidable risk.
Do backups include files and database?
Where are backups stored?
Who controls the backup account?
When was the last successful backup?
Has restore been tested?
How long would restore take?
Is there a staging copy?
Can changes be rolled back through Git, snapshots, database restore, or deployment tooling?
Contractual terms should be agreed in the relevant proposal, SOW, NDA, or DPA.
NDA before sensitive access
DPA where personal data processing is involved
Written statement of work
White-label agency arrangement
Client-approved named specialist arrangement
Internal-only technical review
For white-label work, the agency remains the client-facing owner unless agreed otherwise. StackRefit does not contact the end client without approval.
When sharing logs or screenshots, redact email addresses, tokens, customer names, order IDs, session identifiers, private URLs, payment details, authentication screens, and account-management screens where possible.
Document the issue clearly.
Notify the agreed agency or client contact.
Avoid public disclosure.
Avoid unilateral production changes unless emergency authority has been agreed.
Recommend a contained next step.
Separate immediate risk reduction from broader modernization work.
Most legacy-system risk is ordinary operational uncertainty: old versions, unclear ownership, missing documentation, untested backups, manual deploys, and people relying on memory.