Jump to a section +
Replace the ownership question with an asset register
“Do we own the website?” is too broad to produce a safe handoff. A business may control the domain but lack the platform account, possess exported HTML but not the editable project, own original copy but only license the photography, or receive analytics reports without administrative access. A good website design handoff identifies every asset and states what the business can do with it after the project. The register belongs with business continuity records, not only in an agency's project tool.
Secure the domain and DNS first
Domain and DNS ownership record
| Item | Record | Handoff evidence |
|---|---|---|
| Domain registrar | Provider, domain, account ID, registrant arrangement, expiration, renewal, lock, and transfer status | Business can sign in, receive notices, renew, recover, and obtain transfer information |
| Recovery | Recovery email and phone, MFA methods, backup codes, authorized contacts | Methods are current, securely stored, and not controlled by one departing person |
| Authoritative DNS | Provider, nameservers, zone ID, administrators, DNSSEC status if used | Business has access and a current export or complete record inventory |
| DNS records | Web, email, verification, security, and service records with values and purpose | Every critical record has an owner and can be recreated without guessing |
| Billing | Payer, payment method, renewal term, invoice destination, reimbursement arrangement | Renewal does not depend on a contractor's expired card or abandoned inbox |
ICANN publishes registrant information about renewal, expiration, and transfer processes for applicable generic top-level domains. Those resources help owners understand the registrar layer, but they do not replace the specific registrar agreement or decide a contract dispute. Keep the domain record separate from website hosting. The domain and hosting explainer shows why a website move can change a few web records while leaving registration, DNS authority, and email in place.
Map the platform, hosting, and billing relationship
- Record the hosting or platform company, workspace or organization, site ID, production domains, current plans, add-ons, capacity, billing term, and support tier.
- Identify business administrators, designers, developers, editors, billing managers, API users, and service accounts with the least privileges required.
- State whether the site is inside the business's account, an agency workspace, or another managed arrangement and how transfer works under current product rules.
- List backup scope, retention, restore authority, export formats, staging environments, deployment method, and custom-code locations.
- Record every recurring theme, plugin, app, font, form, search, localization, commerce, scheduling, analytics, or CDN charge tied to the public site.
- Document what happens to hosting, publishing, custom domains, features, and stored data when a plan is downgraded or canceled.
A vendor can administer a business-controlled account, or the business can have contractual rights to a site inside the vendor's account. These are different operating models. Neither should remain implicit. Confirm whether the site can transfer without rebuilding, whether a paid plan follows it, which workspace features will change, and who must accept the transfer. Save current platform documentation with the handoff because product capabilities and procedures can change.
Inventory code, design, and editable source
Technical deliverables to distinguish
| Asset | Questions |
|---|---|
| Editable website project | Where is the canonical project, who can edit and publish, and can it transfer to another account? |
| Source repository | Which organization owns it, what branches are production, who controls deploy keys, and is the history included? |
| Exported code | What does the export include or omit, is it current, and can it run independently without platform features? |
| Design source | Are Figma or other source files included, and do component libraries, fonts, images, and linked assets travel with them? |
| Custom scripts | Who authored them, where are they documented, what APIs and secrets do they depend on, and what rights are granted? |
| Build and deployment | Which services, environment variables, domains, commands, and credentials are needed to produce and publish the site? |
An export is not automatically a portable website. A hosted CMS, forms, search, user accounts, commerce, localization, animations, image processing, or server functions may not appear in an ordinary file export. A repository is not sufficient if the deployment account and environment configuration are missing. Ask the provider to demonstrate a clean build, export, restore, or transfer appropriate to the platform. Record known dependencies and what would need replacement outside the current service.

A login lets someone operate an account. It does not by itself transfer rights in code, writing, photographs, video, fonts, a theme, or another creative work. Review the actual agreements and licenses; obtain legal advice for disputed or high-value rights.
Separate original content from licensed assets
The U.S. Copyright Office explains that original authorship appearing on a website may include writing, artwork, photographs, and other protectable forms, and its Circular 66 discusses registration of website content. That does not mean every element on every website is owned by the business. Stock media, fonts, icons, templates, code libraries, music, video, testimonials, customer photos, and commissioned work can carry separate permissions and restrictions. This guide is operational, not a legal determination; review creation and licensing records with qualified counsel when rights matter.
Create a content and license ledger
Name the asset
Record the file, page, component, or collection and where the production version is stored.
Identify the source
State whether it came from the business, employee, contractor, customer, marketplace, stock library, open-source project, or platform.
Record permission
Attach the contract, assignment, license, release, terms, attribution requirement, or other basis for use.
Note restrictions
Capture limits involving account, client, seat, domain, media, modification, resale, geography, time, or transfer.
Set an owner and review date
Assign renewals and replacement decisions so a canceled subscription does not silently leave unlicensed or missing assets.
Keep analytics and marketing data in business reach
Record Google Analytics accounts and properties, tag managers, search tools, advertising accounts, call tracking, heatmaps, consent systems, dashboards, and data warehouses. Google Analytics documents account- and property-level roles and data restrictions; give the business appropriate administrators while limiting everyday access. Avoid a setup where the agency's personal login is the only administrator. Preserve property IDs, tags, linked products, filters, key-event definitions, retention settings, and change history. Access should be reviewed when employees or vendors leave.
Trace forms, leads, and integrations
- Every public form, destination, notification address, database, spam control, automation, and failure alert.
- CRM account, objects, field mappings, workflows, owners, consent records, source rules, and duplicate handling.
- Scheduling, payment, chat, phone, email marketing, review, map, and social integrations with administrators and billing.
- API keys, OAuth connections, webhooks, service accounts, secrets, permitted scopes, rotation owner, and expiration behavior.
- Privacy notices, consent controls, vendor agreements, retention, deletion, and incident contacts appropriate to the data.
- A synthetic end-to-end test showing that a lead reaches the correct system and accountable human after handoff.
Do not place passwords or secret keys directly in the ownership spreadsheet. Store secrets in an appropriate password or secrets manager and link the register to the secure location, responsible role, and recovery process. The register can include account identifiers and roles without becoming a second unprotected credential store. Require multifactor authentication where supported, use business-managed email identities, and remove dormant users.
Run the handoff as an acceptance test
Prove the handoff works
Sign in as the business
Use business-controlled identities to reach registrar, DNS, platform, billing, analytics, forms, CRM, repositories, and support.
Perform a routine update
Edit content, replace an image, publish safely, submit a form, and verify the downstream record.
Recover an account
Confirm recovery addresses, MFA backups, authorized contacts, and provider support requirements without disrupting production.
Export or restore
Demonstrate the promised content export, code retrieval, backup preview, or recovery procedure and document omissions.
Remove project access
After acceptance, remove temporary users and rotate project credentials without breaking integrations or losing continuity.
Review the register quarterly and after a launch, employee departure, agency change, domain move, plan change, major integration, or security event. The article who owns your website after launch examines proposal and contract questions; this checklist turns the agreed answer into operational evidence. Use the platforms, hosting, and ownership hub for care, backups, hosting, portability, and provider-exit planning.
What website accounts should a business control?
At minimum, document the registrar, DNS, hosting or platform, billing, analytics, forms, CRM, repositories, licensed services, and recovery. The business should have appropriate access or clearly documented contractual control for each.
Does paying for a website mean I own all of it?
Not automatically. Payment, ownership, licensing, access, and deliverables depend on the agreement, creators, platform, and third-party assets. Review each category rather than relying on a broad assumption.
Is an exported website the same as source code?
Not always. An export may omit the editable project, CMS, databases, forms, commerce, user accounts, server functions, deployment configuration, or platform features. Verify what the promised format can actually reproduce.
Should an agency keep administrator access after launch?
Only when continuing work requires it and the business approves the role. Use least privilege, named identities, MFA, periodic reviews, and prompt removal when the relationship or responsibility ends.
Where should website passwords be stored?
Use an appropriate business password or secrets manager with controlled access and recovery. The ownership register should identify the secure location and role, not expose passwords or API keys in an ordinary document.
Evidence behind the guide
Sources and further reading
- Renewing Domain NamesICANN
- FAQs for Registrants: Transferring Your Domain NameICANN
- Copyright Registration of Websites and Website Content — Circular 66U.S. Copyright Office
- Access and Data-Restriction ManagementGoogle Analytics Help
Continue on Web Respawn
Pages that actually connect to this decision.
These links are selected for the subject of this guide. They are not a generic service dump.
Explore the strategy, content, design, build and launch foundation.
Open page ↗RELEVANT PAGEPremium Business DomainsReview current domain availability and the ownership-transfer process.
Open page ↗RELEVANT PAGEWebsite Care PlansKeep hosting, monitoring, updates and technical responsibility defined after launch.
Open page ↗







