Replace the ownership question with an asset register

“Do we own the website?” is too broad to produce a safe handoff. A business may control the domain but lack the platform account, possess exported HTML but not the editable project, own original copy but only license the photography, or receive analytics reports without administrative access. A good website design handoff identifies every asset and states what the business can do with it after the project. The register belongs with business continuity records, not only in an agency's project tool.

TermWhat to verify
OwnershipA legal right in a specific asset under applicable law and agreementWho created it, contract language, assignments, employment status, and third-party rights
LicensePermission to use an asset under stated conditionsWho is licensed, uses allowed, term, territory, seats, transfer, attribution, and renewal
Account controlAbility to administer a service, users, settings, billing, and recoveryBusiness administrator, recovery methods, MFA, support identity, and role limits
PossessionHaving a copy of a file, credential, or exportWhether the copy is complete, current, editable, licensed, and restorable
Contract rightA promised deliverable, service, access, or transfer under the agreementConditions, timing, payment, format, exclusions, and dispute process

Secure the domain and DNS first

Domain and DNS ownership record

ItemRecordHandoff evidence
Domain registrarProvider, domain, account ID, registrant arrangement, expiration, renewal, lock, and transfer statusBusiness can sign in, receive notices, renew, recover, and obtain transfer information
RecoveryRecovery email and phone, MFA methods, backup codes, authorized contactsMethods are current, securely stored, and not controlled by one departing person
Authoritative DNSProvider, nameservers, zone ID, administrators, DNSSEC status if usedBusiness has access and a current export or complete record inventory
DNS recordsWeb, email, verification, security, and service records with values and purposeEvery critical record has an owner and can be recreated without guessing
BillingPayer, payment method, renewal term, invoice destination, reimbursement arrangementRenewal does not depend on a contractor's expired card or abandoned inbox

ICANN publishes registrant information about renewal, expiration, and transfer processes for applicable generic top-level domains. Those resources help owners understand the registrar layer, but they do not replace the specific registrar agreement or decide a contract dispute. Keep the domain record separate from website hosting. The domain and hosting explainer shows why a website move can change a few web records while leaving registration, DNS authority, and email in place.

Map the platform, hosting, and billing relationship

  • Record the hosting or platform company, workspace or organization, site ID, production domains, current plans, add-ons, capacity, billing term, and support tier.
  • Identify business administrators, designers, developers, editors, billing managers, API users, and service accounts with the least privileges required.
  • State whether the site is inside the business's account, an agency workspace, or another managed arrangement and how transfer works under current product rules.
  • List backup scope, retention, restore authority, export formats, staging environments, deployment method, and custom-code locations.
  • Record every recurring theme, plugin, app, font, form, search, localization, commerce, scheduling, analytics, or CDN charge tied to the public site.
  • Document what happens to hosting, publishing, custom domains, features, and stored data when a plan is downgraded or canceled.

A vendor can administer a business-controlled account, or the business can have contractual rights to a site inside the vendor's account. These are different operating models. Neither should remain implicit. Confirm whether the site can transfer without rebuilding, whether a paid plan follows it, which workspace features will change, and who must accept the transfer. Save current platform documentation with the handoff because product capabilities and procedures can change.

Inventory code, design, and editable source

Technical deliverables to distinguish

AssetQuestions
Editable website projectWhere is the canonical project, who can edit and publish, and can it transfer to another account?
Source repositoryWhich organization owns it, what branches are production, who controls deploy keys, and is the history included?
Exported codeWhat does the export include or omit, is it current, and can it run independently without platform features?
Design sourceAre Figma or other source files included, and do component libraries, fonts, images, and linked assets travel with them?
Custom scriptsWho authored them, where are they documented, what APIs and secrets do they depend on, and what rights are granted?
Build and deploymentWhich services, environment variables, domains, commands, and credentials are needed to produce and publish the site?

An export is not automatically a portable website. A hosted CMS, forms, search, user accounts, commerce, localization, animations, image processing, or server functions may not appear in an ordinary file export. A repository is not sufficient if the deployment account and environment configuration are missing. Ask the provider to demonstrate a clean build, export, restore, or transfer appropriate to the platform. Record known dependencies and what would need replacement outside the current service.

VISUAL CHECKPOINT · TechnologyAdministrator access is not proof of copyright ownership

A login lets someone operate an account. It does not by itself transfer rights in code, writing, photographs, video, fonts, a theme, or another creative work. Review the actual agreements and licenses; obtain legal advice for disputed or high-value rights.

Separate original content from licensed assets

The U.S. Copyright Office explains that original authorship appearing on a website may include writing, artwork, photographs, and other protectable forms, and its Circular 66 discusses registration of website content. That does not mean every element on every website is owned by the business. Stock media, fonts, icons, templates, code libraries, music, video, testimonials, customer photos, and commissioned work can carry separate permissions and restrictions. This guide is operational, not a legal determination; review creation and licensing records with qualified counsel when rights matter.

Create a content and license ledger

01

Name the asset

Record the file, page, component, or collection and where the production version is stored.

02

Identify the source

State whether it came from the business, employee, contractor, customer, marketplace, stock library, open-source project, or platform.

03

Record permission

Attach the contract, assignment, license, release, terms, attribution requirement, or other basis for use.

04

Note restrictions

Capture limits involving account, client, seat, domain, media, modification, resale, geography, time, or transfer.

05

Set an owner and review date

Assign renewals and replacement decisions so a canceled subscription does not silently leave unlicensed or missing assets.

Keep analytics and marketing data in business reach

Record Google Analytics accounts and properties, tag managers, search tools, advertising accounts, call tracking, heatmaps, consent systems, dashboards, and data warehouses. Google Analytics documents account- and property-level roles and data restrictions; give the business appropriate administrators while limiting everyday access. Avoid a setup where the agency's personal login is the only administrator. Preserve property IDs, tags, linked products, filters, key-event definitions, retention settings, and change history. Access should be reviewed when employees or vendors leave.

Report accessAdministrative control
View dataCan read specified reports or dashboardsCan govern users, settings, links, and collection according to the platform role
Change measurementUsually cannot repair tags or definitionsCan approve or implement configuration changes within assigned permissions
Remove vendorMay lose access when a shared report disappearsBusiness administrators can remove the vendor while retaining the property
ContinuityPreserves a snapshot or limited viewPreserves control of the collection and account relationship

Trace forms, leads, and integrations

  • Every public form, destination, notification address, database, spam control, automation, and failure alert.
  • CRM account, objects, field mappings, workflows, owners, consent records, source rules, and duplicate handling.
  • Scheduling, payment, chat, phone, email marketing, review, map, and social integrations with administrators and billing.
  • API keys, OAuth connections, webhooks, service accounts, secrets, permitted scopes, rotation owner, and expiration behavior.
  • Privacy notices, consent controls, vendor agreements, retention, deletion, and incident contacts appropriate to the data.
  • A synthetic end-to-end test showing that a lead reaches the correct system and accountable human after handoff.

Do not place passwords or secret keys directly in the ownership spreadsheet. Store secrets in an appropriate password or secrets manager and link the register to the secure location, responsible role, and recovery process. The register can include account identifiers and roles without becoming a second unprotected credential store. Require multifactor authentication where supported, use business-managed email identities, and remove dormant users.

Run the handoff as an acceptance test

Prove the handoff works

01

Sign in as the business

Use business-controlled identities to reach registrar, DNS, platform, billing, analytics, forms, CRM, repositories, and support.

02

Perform a routine update

Edit content, replace an image, publish safely, submit a form, and verify the downstream record.

03

Recover an account

Confirm recovery addresses, MFA backups, authorized contacts, and provider support requirements without disrupting production.

04

Export or restore

Demonstrate the promised content export, code retrieval, backup preview, or recovery procedure and document omissions.

05

Remove project access

After acceptance, remove temporary users and rotate project credentials without breaking integrations or losing continuity.

Review the register quarterly and after a launch, employee departure, agency change, domain move, plan change, major integration, or security event. The article who owns your website after launch examines proposal and contract questions; this checklist turns the agreed answer into operational evidence. Use the platforms, hosting, and ownership hub for care, backups, hosting, portability, and provider-exit planning.

What website accounts should a business control?

At minimum, document the registrar, DNS, hosting or platform, billing, analytics, forms, CRM, repositories, licensed services, and recovery. The business should have appropriate access or clearly documented contractual control for each.

Does paying for a website mean I own all of it?

Not automatically. Payment, ownership, licensing, access, and deliverables depend on the agreement, creators, platform, and third-party assets. Review each category rather than relying on a broad assumption.

Is an exported website the same as source code?

Not always. An export may omit the editable project, CMS, databases, forms, commerce, user accounts, server functions, deployment configuration, or platform features. Verify what the promised format can actually reproduce.

Should an agency keep administrator access after launch?

Only when continuing work requires it and the business approves the role. Use least privilege, named identities, MFA, periodic reviews, and prompt removal when the relationship or responsibility ends.

Where should website passwords be stored?

Use an appropriate business password or secrets manager with controlled access and recovery. The ownership register should identify the secure location and role, not expose passwords or API keys in an ordinary document.