Mirror Mirror Data Sovereignty Course — Template
Purpose: Bring a new person into your ecosystem safely and deliberately. Every access grant is a trust decision. This runbook ensures nobody gets more access than they need, and nothing is forgotten when they leave.
When to use: Any time you add a team member, contractor, collaborator, intern, or service provider to any system you control.
Pre-Onboarding (Before Day 1)
- [ ] Define role clearly — What will this person do? Write it in one sentence.
  - Example: "Event photography and gallery curation for RoseCourt events"
  - Example: "Bookkeeping and invoice processing for all brands"
- [ ] Assign access tier (see access-tiers.md)
  - Sovereign: Full admin (owner only)
  - Operational: Day-to-day tools (managers, bookkeepers)
  - Creative: Content and design tools (photographers, designers)
  - Guest: View-only or single-project access (one-time contractors)
- [ ] Prepare credentials — Create accounts BEFORE their first day
  - Password manager: Create vault entry with generated password
  - 2FA: Set up if required for their tier
  - Shared drives: Create their folder or grant access
  - Tools: Invite to Airtable, n8n, Discord, etc. as needed
Day 1 Onboarding
1. Welcome + Context (15 min)
- [ ] Share the ecosystem overview (what brands exist, what tools are used)
- [ ] Explain their role and what success looks like
- [ ] Introduce the sovereignty philosophy: "We own our data. We document our systems."
2. Tools + Access (20 min)
- [ ] Walk through each tool they'll use
- [ ] Confirm they can log in to every system
- [ ] Show them where to find help (runbooks, Discord channel, contact info)
| Tool | Access Level | Credential Location | Confirmed |
|---|---|---|---|
| Airtable | [view/edit/admin] | Password manager | [ ] |
| n8n | [viewer/editor] | Password manager | [ ] |
| Discord | [member/moderator] | Invite link | [ ] |
| Google Drive | [viewer/editor] | Google account | [ ] |
| Cloudflare | [none/viewer] | N/A | [ ] |
3. Key Documents (10 min)
- [ ] Share relevant runbooks for their role
- [ ] Share naming conventions (naming-conventions.md)
- [ ] Share folder structure (folder-structure.md)
- [ ] Share weekly review ritual if they'll participate (weekly-review-ritual.md)
4. Confirm Understanding
- [ ] Can they find the files they need?
- [ ] Do they know who to contact for help?
- [ ] Do they understand the naming convention?
- [ ] Do they know what NOT to touch?
Post-Onboarding
- [ ] Log the access grant in your decision log
    Date: YYYY-MM-DD
    Person: [name]
    Role: [role description]
    Tier: [Sovereign/Operational/Creative/Guest]
    Access granted: [list of systems]
    Granted by: [your name]
    Review date: [30/60/90 days from now]
- [ ] Set a review date — Reassess access in 30-90 days
- [ ] Add to team roster — Update your team/contacts list
Offboarding Checklist
When someone leaves or a project ends:
- [ ] Revoke all tool access (Airtable, n8n, Discord, Drive, etc.)
- [ ] Remove from shared vaults in password manager
- [ ] Transfer ownership of any files they created
- [ ] Archive their work folder (don't delete — move to /99_Archive/)
- [ ] Disable or delete their accounts
- [ ] Remove from email lists and notification channels
- [ ] Update team roster
- [ ] Log the offboarding in decision log
Access is a privilege you grant deliberately and revoke promptly.