Mirror Mirror | Your data, your systems, your sovereignty.
Cycle: Capture >> Organize >> Protect >> Ship
Why Tiers Exist
Every person who touches your systems is a potential point of failure. Not because people are malicious -- because access sprawl is invisible until something breaks. Tiers give you deliberate control over who sees what, who changes what, and who can burn it all down.
Sovereignty means knowing exactly who has the keys at all times.
The Four Tiers
Tier 1: SOVEREIGN (Full Access)
Who: You. Your co-founder. No one else unless your operation requires it.
| Access Level | Details |
| --- | --- |
| Systems | All infrastructure, hosting, DNS, servers, databases |
| Credentials | Master password vault, root accounts, API keys |
| Financial | Bank accounts, payment processors, billing dashboards |
| Legal | Contracts, licensing agreements, corporate documents |
| Data | Full read/write/delete on all folders including /99_Archive |
Rule: Maximum 2 people at this tier. If you are a solo operator, this is you and only you. A trusted partner or spouse gets a sealed emergency envelope (see Emergency Access below).
Tier 2: OPERATIONAL (Role-Specific Systems)
Who: Your operations manager, project manager, VA, bookkeeper.
| Access Level | Details |
| --- | --- |
| Systems | Project management tools, CRM, email marketing, scheduling |
| Credentials | Shared vault folder for their specific tools only |
| Financial | Invoice tools, expense tracking (not bank accounts) |
| Legal | None |
| Data | /01_Active, /02_Projects, /03_Deliverables, /08_Comms |
Rule: Operational users get access to the tools they use daily. Nothing more. They never see /04_Licensing, /07_Finance root, or /06_Systems/credentials.
Tier 3: CREATIVE (Assets Only)
Who: Designers, photographers, videographers, freelance creatives, content writers.
| Access Level | Details |
| --- | --- |
| Systems | Design tools, asset libraries, content platforms |
| Credentials | Individual logins to creative tools only |
| Financial | None |
| Legal | None |
| Data | /05_Media, /03_Deliverables (upload only), project-specific subfolders |
Rule: Creatives upload to designated folders. They do not reorganize, rename, or delete. They work in their tools and deliver to your structure.
Tier 4: GUEST (View Only)
Who: Clients reviewing work, external auditors, advisory board, investors.
| Access Level | Details |
| --- | --- |
| Systems | None (shared links only) |
| Credentials | None (time-limited share links) |
| Financial | Reports only (if applicable) |
| Legal | Their own contracts only |
| Data | Specific shared folders or files via expiring links |
Rule: Guests never get logins to your systems. They get links that expire. Use Google Drive sharing, Dropbox shared links, or a client portal with view permissions.
Password Manager Setup Guide
A password manager is not optional. It is the foundation of access control.
Recommended Tools
- 1Password (Teams/Business): Best for teams. Vault sharing by group. $7.99/user/mo.
- Bitwarden: Open-source, self-hostable. Best sovereignty option. Free or $3/user/mo for teams.
- KeePassXC: Fully offline, local database file. Maximum sovereignty, manual sync required.
Vault Structure (Maps to Tiers)
Vault: Sovereign (Tier 1 only)
- Hosting / DNS / Registrars
- Bank accounts / Payment processors
- Root email accounts
- API keys / secrets
- Recovery codes
Vault: Operations (Tier 1 + Tier 2)
- Project management (Notion, Asana, etc.)
- CRM logins
- Email marketing (MailerLite, MailerSend)
- Scheduling tools
- Communication tools (Slack, Discord)
Vault: Creative (Tier 1 + Tier 3)
- Design tools (Figma, Adobe CC)
- Stock asset accounts
- Content platforms (YouTube Studio, social media)
- Media storage logins
Vault: Shared/Guest (Controlled distribution)
- Client portal credentials
- Shared Wi-Fi passwords
- Temp access tokens
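The four tiers and the four vaults are really one policy table: who may be invited to which vault, and which folders each tier may read, upload to, change or delete. Writing that table down as data lets you refuse a grant that breaks the rules (a Tier 2 bookkeeper asking for /07_Finance, a creative asking to delete in /05_Media) before anyone clicks "share". The script below is an added example, not part of the template or of any tool it names. Tier numbers, vault names and folder names are taken from the document; the action vocabulary (read, upload, write, delete, reorganize), the rule that Tier 2 does not delete, and the function names are this example's own assumptions.

```python
"""Access-tier policy as data: which vaults and which folders each tier may touch.

Added example, not part of the template. Tier numbers, vault names and folder
names come from the document; the action vocabulary, the Tier 2 "no delete"
rule and the function names are assumptions made here.
"""

ACTIONS = {"read", "upload", "write", "delete", "reorganize"}

# Vault membership from "Vault Structure (Maps to Tiers)". Shared/Guest is
# "controlled distribution": Tier 1 holds it and hands items out one at a time.
VAULTS = {
    "Sovereign": {1},
    "Operations": {1, 2},
    "Creative": {1, 3},
    "Shared/Guest": {1},
}

# Folder permissions per tier. "*" means every folder. A folder that is not
# listed (and not under a listed prefix) is invisible to that tier.
FOLDER_PERMS = {
    1: {"*": ACTIONS},                                   # full read/write/delete, /99_Archive included
    2: {f: {"read", "upload", "write"}                   # delete reserved for Tier 1 (assumption)
        for f in ("/01_Active", "/02_Projects", "/03_Deliverables", "/08_Comms")},
    3: {"/05_Media": {"read", "upload"},                 # no reorganize, rename or delete
        "/03_Deliverables": {"upload"}},                 # upload only
    4: {},                                               # guests get expiring links, never folder access
}


def _under(folder, base):
    """True if `folder` is `base` itself or lives somewhere below it."""
    return folder == base or folder.startswith(base.rstrip("/") + "/")


def vaults_for(tier):
    """Vaults a person at this tier may be invited to."""
    return sorted(v for v, tiers in VAULTS.items() if tier in tiers)


def can(tier, folder, action, project_folders=()):
    """True if the tier may perform `action` on `folder`.

    `project_folders` models the Tier 3 "project-specific subfolders": extra
    prefixes granted to one creative for one engagement, read and upload only.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    perms = FOLDER_PERMS[tier]
    if "*" in perms:
        return action in perms["*"]
    # Longest matching prefix wins: /03_Deliverables/client-a inherits the
    # /03_Deliverables rule unless a more specific rule has been written for it.
    matches = [base for base in perms if _under(folder, base)]
    if matches:
        return action in perms[max(matches, key=len)]
    if tier == 3 and any(_under(folder, p) for p in project_folders):
        return action in {"read", "upload"}
    return False


def check_grants(grants):
    """Compare a proposed grant list against the tier policy.

    Each grant is (name, tier, folder, actions). Returns the parts of each grant
    the policy forbids, so a bad grant can be refused before it is made.
    """
    violations = []
    for name, tier, folder, actions in grants:
        denied = sorted(a for a in actions if not can(tier, folder, a))
        if denied:
            violations.append((name, folder, denied))
    return violations


if __name__ == "__main__":
    # Constructed grants: two are fine, two break the tier rules.
    proposed = [
        ("ops manager", 2, "/01_Active", {"read", "write"}),
        ("designer", 3, "/03_Deliverables/client-a", {"upload"}),
        ("bookkeeper", 2, "/07_Finance", {"read"}),              # Tier 2 never sees /07_Finance
        ("designer", 3, "/05_Media", {"delete", "reorganize"}),  # creatives do not delete or reorganize
    ]
    for violation in check_grants(proposed):
        print("REFUSE:", violation)
```

Run `check_grants` over every access request before it is actioned and keep the refused ones with the access register; the same table doubles as the answer key for the quarterly audit.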
Setup Steps
- Choose your password manager (Bitwarden for sovereignty, 1Password for team ease)
- Create the four vaults above
- Migrate all existing passwords into the correct vault
- Generate new passwords for anything currently weak or reused (20+ characters, random)
- Share vault access based on tier assignments
- Delete passwords from browsers, sticky notes, text files, and email drafts
- Store the master password recovery kit in a physical safe or safety deposit box
Two-Factor Authentication (2FA)
Every account that supports 2FA gets 2FA. No exceptions.
2FA Method Ranking (Best to Worst)
| Method | Security | Recommendation |
| --- | --- | --- |
| Hardware key (YubiKey) | Highest | Use for Sovereign tier accounts (email, hosting, bank) |
| TOTP authenticator app | High | Use for everything else (Authy, Egnyte, or built into your password manager) |
| SMS codes | Low | Acceptable only when nothing else is available. SIM-swap vulnerable. |
| Email codes | Low | Backup method only |
Recommended Setup
- YubiKey 5 NFC ($50) -- Buy two. One for daily use, one locked in your safe as backup.
- Authy -- Cloud-synced TOTP codes across devices. Encrypted backup.
- Password manager TOTP -- 1Password and Bitwarden both support storing TOTP codes alongside passwords. Convenient but puts both factors in one place.
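The trade-off in the last bullet is easier to weigh once you see what a TOTP code is: a pure function of the shared seed and the clock, nothing more. Whoever holds the seed can produce every future code, so a seed stored next to the password in the same vault collapses two factors into one. The script below is an added example, not code from the template or from any of the tools it names; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library and exercises them with the RFC's published test secret. Function names are this example's own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with nothing but the standard library.

Added example, not code from the template. It shows what an authenticator app
computes: each code is derived from the shared seed and the current 30-second
interval, so the seed is the second factor. The test secret is the one in
RFC 6238 Appendix B; function names are assumptions made here.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                        # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP over the number of `step`-second intervals since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def seed_from_base32(text):
    """Setup QR codes and strings carry the seed as base32, often unpadded and
    with spaces for readability; normalise before decoding."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_totp(secret, code, at=None, step=30, window=1):
    """Server-side check: accept the current interval plus `window` intervals on
    each side to absorb clock skew, and compare in constant time."""
    now = int(time.time()) if at is None else at
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 Appendix B secret: the ASCII digits "12345678901234567890" in base32.
    seed = seed_from_base32("GEZDGNBVGY3TQOJQ GEZDGNBVGY3TQOJQ")
    print(totp(seed, at=59))   # the RFC's 94287082, truncated to the usual 6 digits: 287082
    print(totp(seed))          # whatever the clock says right now
```

The point for the setup above: `seed_from_base32` is exactly what a password manager stores when it "holds your TOTP codes". Keep that seed in the Sovereign vault only for accounts that are not already protected by a hardware key, and treat a vault export as an export of both factors.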
Priority Accounts for Hardware Keys
- Primary email (this is the master key to everything)
- Password manager itself
- Domain registrar / DNS
- Hosting provider
- Bank / financial accounts
Onboarding Checklist (Adding Someone)
When you bring someone onto your team at any tier:
- [ ] Determine their tier -- What do they need access to and nothing more?
- [ ] Create their password manager account -- Invite to the correct vault(s) only
- [ ] Generate unique credentials -- Never share your login. Create theirs.
- [ ] Enable 2FA on their accounts -- Require it before they start work
- [ ] Document access granted -- Log in your access register: Name, Tier, Systems, Date Granted
- [ ] Brief them on the rules -- No password sharing, no saving credentials in browsers, no screenshots of sensitive data
- [ ] Set a review date -- When does this access get re-evaluated? (90 days max)
Offboarding Checklist (Removing Someone)
When someone leaves or a contract ends:
- [ ] Revoke password manager access -- Remove from shared vaults immediately
- [ ] Change shared credentials -- If they had access to any shared login, rotate that password now
- [ ] Deactivate their accounts -- Remove from all tools (project management, email, CRM, etc.)
- [ ] Revoke API keys -- If they had access to any integrations or automations
- [ ] Remove from shared drives/folders -- Revoke Google Drive, Dropbox, NAS permissions
- [ ] Audit recent activity -- Check logs for any unusual downloads or changes in their last 7 days
- [ ] Update access register -- Log: Name, Date Revoked, Systems Removed
- [ ] Confirm with them -- Acknowledge the transition professionally. No ambiguity.
Rule: Offboarding happens the same day access ends. Not tomorrow. Not next week. Today.
Quarterly Access Audit (20 Minutes)
- [ ] Pull your access register -- Who has access to what right now?
- [ ] Verify every person still needs their current tier -- Roles change. Projects end.
- [ ] Check for orphaned accounts -- Old freelancer logins still active? Deactivate.
- [ ] Review shared links -- Any client review links still live? Expire them.
- [ ] Rotate sensitive credentials -- Change API keys and shared passwords quarterly minimum
- [ ] Confirm 2FA is active -- Spot-check 5 critical accounts for active 2FA
- [ ] Update this document -- Add new systems, remove deprecated ones
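The onboarding checklist tells you to log every grant with a review date, the offboarding checklist tells you to log every revocation, and the quarterly audit tells you to read that register back. If the register is kept as structured data rather than a paragraph in a document, the twenty-minute audit becomes a script that applies the rules from this template (90-day review maximum, quarterly rotation, at most two people at Tier 1, no guest logins, no live links past their expiry) and prints only the rows that need a decision. The script below is an added example, not part of the template; the thresholds are the document's, while the register layout, field names and every sample entry are constructed here.

```python
"""Quarterly access audit over the access register the checklists tell you to keep.

Added example, not part of the template. Thresholds (90-day review, quarterly
rotation, two people at Tier 1, no guest logins) come from the document; the
register layout, field names and all sample rows are constructed here.
"""
from datetime import date, timedelta

REVIEW_MAX_DAYS = 90     # onboarding: "Set a review date (90 days max)"
ROTATION_MAX_DAYS = 90   # audit: "Change API keys and shared passwords quarterly minimum"
TIER1_MAX_PEOPLE = 2     # Tier 1 rule: "Maximum 2 people at this tier"

# Constructed sample register: one row per person, columns as the checklists
# ask for them (Name, Tier, Systems, Date Granted, next review, Date Revoked).
REGISTER = [
    dict(name="You (owner)", tier=1, systems=["all"], granted=date(2022, 1, 1), next_review=date(2024, 6, 15), revoked=None),
    dict(name="Riley (co-founder)", tier=1, systems=["all"], granted=date(2022, 1, 1), next_review=date(2024, 6, 15), revoked=None),
    dict(name="Morgan (spouse)", tier=1, systems=["all"], granted=date(2023, 3, 1), next_review=date(2024, 5, 1), revoked=None),
    dict(name="Avery (ops manager)", tier=2, systems=["Notion", "CRM"], granted=date(2024, 1, 15), next_review=date(2024, 4, 10), revoked=None),
    dict(name="Dana (bookkeeper)", tier=2, systems=["invoicing"], granted=date(2024, 3, 1), next_review=date(2024, 9, 1), revoked=None),
    dict(name="Jordan (freelance designer)", tier=3, systems=["Figma", "/05_Media"], granted=date(2023, 9, 1),
         next_review=date(2023, 11, 30), revoked=None, contract_end=date(2024, 2, 28)),
    dict(name="Sam (photographer)", tier=3, systems=["/05_Media"], granted=date(2023, 6, 1), next_review=date(2023, 8, 30), revoked=date(2023, 9, 15)),
    dict(name="Casey (client)", tier=4, systems=["client portal login"], granted=date(2024, 3, 20), next_review=date(2024, 4, 20), revoked=None),
]

# Constructed share links: expires=None means the link never expires.
SHARE_LINKS = [
    dict(target="/03_Deliverables/client-a/review", expires=None, active=True),
    dict(target="/03_Deliverables/client-b/final", expires=date(2024, 3, 1), active=True),
    dict(target="/05_Media/brand-kit", expires=date(2024, 5, 1), active=True),
    dict(target="/03_Deliverables/client-c/v1", expires=date(2023, 12, 1), active=False),
]

# Constructed shared credentials with their last rotation date.
CREDENTIALS = [
    dict(name="payment processor API key", last_rotated=date(2023, 11, 1)),
    dict(name="shared Wi-Fi password", last_rotated=date(2024, 2, 1)),
]


def audit(register, share_links, credentials, today):
    """Return (finding, subject) pairs for everything that needs action today."""
    findings = []
    active = [row for row in register if row["revoked"] is None]

    for row in active:
        if row["next_review"] < today:
            findings.append(("review overdue", row["name"]))
        elif row["next_review"] > today + timedelta(days=REVIEW_MAX_DAYS):
            findings.append(("review date beyond 90-day max", row["name"]))
        if row.get("contract_end") and row["contract_end"] < today:
            findings.append(("orphaned account (contract ended)", row["name"]))
        if row["tier"] == 4 and row["systems"]:
            findings.append(("guest holds a login", row["name"]))

    tier1 = [row["name"] for row in active if row["tier"] == 1]
    if len(tier1) > TIER1_MAX_PEOPLE:
        findings.append(("too many people at Tier 1", ", ".join(tier1)))

    for link in share_links:
        if not link["active"]:
            continue
        if link["expires"] is None:
            findings.append(("share link never expires", link["target"]))
        elif link["expires"] < today:
            findings.append(("expired share link still live", link["target"]))

    for cred in credentials:
        if (today - cred["last_rotated"]).days > ROTATION_MAX_DAYS:
            findings.append(("rotation overdue", cred["name"]))

    return findings


if __name__ == "__main__":
    for finding, subject in audit(REGISTER, SHARE_LINKS, CREDENTIALS, date(2024, 4, 1)):
        print(f"{finding:35} {subject}")
```

Each line the script prints maps to one checkbox above: overdue reviews and orphaned accounts to "verify every person still needs their current tier" and "check for orphaned accounts", live links to "review shared links", stale rotations to "rotate sensitive credentials". The third Tier 1 row is deliberate: a spouse who needs emergency access belongs in the sealed envelope described below, not in the register as a live login.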
Emergency Access Protocol
If you are incapacitated, someone trusted needs to access Tier 1.
- Emergency Kit: Your password manager generates a recovery PDF. Print it.
- Sealed Envelope: Place the recovery PDF in a sealed, signed envelope.
- Trusted Person: Give the envelope to one trusted person (spouse, attorney, business partner). They open it only if you are unable to operate.
- Safe Deposit Box (Optional): Second copy in a bank safe deposit box.
- Annual Verification: Confirm the emergency kit is still current once per year. Changing your master password (or the account recovery key your password manager issues) invalidates old recovery kits, so reprint and reseal after any such change.
Mirror Mirror Data Sovereignty Course | Template 4 of 9