TL;DR
Don't let your IT contractor, web designer, or MSP register your domain, email, or cloud accounts under their name. You should own your own logins — with them as a delegate, not the admin. Do a quick audit: can you log into your domain registrar, email admin portal, and cloud dashboard yourself, right now? If not, fix it before something goes wrong.
Let me tell you about a conversation I had last month.
A business owner in Calgary called me in a panic. Their outsourced IT contractor had just gone dark — stopped responding to emails, phone disconnected. And this contractor had:
- Admin access to the company's email system
- Control of the domain name registration
- Root access to their cloud environment
- The only copy of several account passwords
The business owner couldn't reset their own passwords. Couldn't access their own website. Couldn't even prove to the registrar that they owned their own domain, because everything was in the contractor's name.
It took weeks to sort out. Legal threats. Identity verification hoops. Lost business. Damaged client relationships.
And this isn't rare. I see variations of this story constantly.
The Pattern I Keep Seeing
When you're starting a business, everything feels urgent. You need a website, email, maybe some cloud storage. Hiring a full IT team doesn't make sense, so you do one of these:
- Hire a contractor or freelancer to "set everything up"
- Use an outsourced IT provider or managed service company
- Get a web design shop to handle your domain and hosting
- Let your "tech-savvy" employee figure it out
And in the moment, it works. Things get set up. You move on to running your business.
But here's what often happens behind the scenes:
- The domain gets registered under their account, not yours
- Email gets set up with them as the admin
- Cloud services are configured with their credentials
- You never get the master passwords — you just get "your" login
At the time, it seems fine. They're handling it. You're busy.
Then the relationship changes.
What Can Go Wrong (And Does)
I've seen all of these happen to real businesses:
The Contractor Disappears
They win the lottery, they get sick, they move on to a different career, they go out of business, they retire. Nobody plans to disappear — but life happens. And when it does, you discover you can't access your own systems without them.
The Relationship Breaks Down
Maybe you want to switch providers. Maybe there's a dispute over an invoice. Maybe you've outgrown them. Suddenly, getting access to your own assets becomes a negotiation — or worse, a hostage situation.
I've seen contractors say: "Pay the outstanding balance, and then we'll transfer the domain." Even when the balance was disputed.
The Outsourced IT Company Gets Acquired
Small IT shops get bought by bigger companies all the time. Your contact leaves. The new company has different pricing, different service levels, different priorities. And you're locked in because migrating away means untangling years of poorly documented access.
Someone Malicious Gets Access
I've seen cases where a contractor — or someone at a contractor's company — copied customer data on their way out the door. Client lists. Email archives. Financial information. Sometimes it's obvious theft. Sometimes it's just "keeping a backup" that they never delete.
The Provider Gets Hacked
This one is increasingly common, and it's terrifying. Hackers have figured out that instead of targeting individual small businesses, it's more efficient to target the IT contractors and managed service providers who have access to dozens or hundreds of companies at once.
One breach at an outsourced IT company = access to every customer they manage.
If your IT provider doesn't have strong security practices, their weakness becomes your vulnerability.
The Real Risk
These scenarios aren't hypothetical. I've seen every single one happen to real Alberta businesses. The common thread? Nobody planned for the relationship to change.
The "Free Email" Trap
Let's talk about email specifically, because it's where I see the most hidden risk.
When you use certain free or ultra-cheap email providers, you're not the customer — you're the product.
Many free email services make money by:
- Scanning your inbox to serve targeted ads
- Analyzing your data for marketing insights
- Selling aggregated information about user behavior
Read the terms of service. You'll often find language that gives them broad rights to your data. They're not doing it to be evil — it's their business model. You get free email; they get to monetize your information.
For personal email, maybe that's an acceptable trade-off.
For business email — where you're discussing client information, contracts, financial details — it's a different story. Your clients expect privacy. Some industries require it legally.
The rule is simple: if you're not paying, figure out how they're making money.
Quick Check
Read your email provider's terms of service. Look for words like "scan," "analyze," "monetize," or "advertising." If you can't find clear language protecting your data, that's a red flag.
The "Website Package" Lock-In
Here's another pattern I see constantly:
A business gets their website, email, and domain bundled through a web designer or a "website package" provider. At first, it's convenient — one company handles everything.
Then the business grows. They need:
- More email accounts than the package allows
- Better collaboration tools
- Custom applications or integrations
- Cloud storage that works for their team
And they discover they can't easily migrate. Their domain is registered through the provider. Their email is tied to the hosting package. Moving means rebuilding from scratch — if they can even get access to do it.
What seemed like the path of least resistance when starting becomes a constraint that limits growth.
This Isn't About Distrust — It's About Business Continuity
I want to be clear: most contractors and IT providers are honest professionals. They're not trying to hold you hostage. They're just trying to get the work done.
The problem isn't bad intentions. It's a lack of planning for what happens when things change.
In enterprise IT, we call this business continuity planning. Big companies have documented processes for:
- Who owns what accounts and credentials
- What happens when an employee or vendor leaves
- How to recover access if someone is unavailable
- Where critical documentation is stored
Startups and small businesses need the same thinking — just scaled appropriately.
The Golden Rule: You Are the Owner, They Are Guests
Here's how I frame it for every business I work with:
Your technology environment is your house.
Partners, contractors, and vendors are invited guests.
As the owner, you should:
- Hold the master keys (admin credentials) yourself
- Be the registered owner of your domain name
- Have your own admin account on email and cloud systems
- Invite contractors with specific, limited access for their role
- Be able to revoke that access at any time
Your contractors and partners should:
- Have their own accounts with appropriate permissions
- Document what they set up and how to access it
- Use their access only for agreed-upon work
- Return or destroy any credentials when the engagement ends
This isn't about micromanaging or distrust. It's about clarity. When everyone knows who owns what, transitions are smooth. When it's unclear, transitions become crises.
Practical Steps to Take Control
1. Audit What You Have
Start by answering these questions:
Your Ownership Audit
- Who is listed as the owner of your domain name? (Check at your registrar)
- Who is the admin of your email system?
- Who has admin access to your cloud services?
- Where are all your passwords stored? Who can access them?
- If your main IT contact disappeared tomorrow, could you still operate?
If you can't answer these confidently, that's your first priority.
2. Register Your Domain Under Your Own Account
Your domain name is your identity. It should be registered:
- Under your business name or your personal name
- With an email address you control (not your IT provider's email)
- With payment information you manage
If it's currently in someone else's name, get this fixed now — before you need to.
3. Own Your Email Admin Account
Whoever is the admin of your email system can:
- Read any email in your company
- Reset anyone's password
- Delete accounts or data
- Lock out other admins
You — or a trusted principal of your company — should have an admin account with full access. Your IT provider can have a separate admin account with appropriate permissions.
4. Use Proper Business Email
Pay for business email from an established provider with clear terms that protect your data, don't scan for advertising, and don't use your content to train AI models without consent.
The cost is typically $6-20 per user per month. That's a small price for:
- Clear data ownership
- Professional appearance ([email protected])
- Business-grade security and compliance
- The ability to migrate or grow later
5. Document Everything
Keep a secure record of:
- All accounts and services your business uses
- Admin credentials (in a password manager)
- Billing information and renewal dates
- Contact information for each provider
- What contractors have access to what
Store this somewhere safe that you control — not just in the contractor's documentation.
6. Put It In The Contract
When you engage IT contractors or vendors, your contract should include:
- Ownership clause: All accounts, credentials, and configurations created for you are your property
- Access requirements: You maintain admin/owner access at all times
- Transition obligations: They will provide documentation and assist with handoff when the engagement ends
- Data handling: What they can and can't do with your data
- Security standards: Minimum security practices they must follow (password management, two-factor authentication, encryption)
- Breach notification: They must notify you immediately if their systems are compromised
Don't assume any of this is implied. Put it in writing.
7. Review Your Outsourced IT Provider's Security
If you're using an outsourced IT company or managed service provider, ask them:
- How do you secure access to customer environments?
- Do you use multi-factor authentication for admin accounts?
- How do you vet employees who will have access to our systems?
- What happens when one of your employees leaves?
- Have you had any security incidents? How did you handle them?
- Do you carry cyber liability insurance?
Reputable providers will have clear answers. If they're vague or defensive, that's a red flag.
The Conversation I Have Over and Over
Here's how these situations usually unfold:
PHASE 1 Starting out: "We just need someone to set this up. Don't have time to learn all the technical stuff."
PHASE 2 Things are working: "It's fine, they manage everything. One less thing to worry about."
PHASE 3 Something changes: "Wait, we don't have access to our own domain? They're the only admin?"
PHASE 4 Crisis: "We need to switch providers, but we can't get our stuff. Our email is down."
The tragedy is that Phase 3 and 4 are entirely preventable. It just requires thinking about ownership from the beginning — or fixing it now, before something goes wrong.
This Isn't About Doing It All Yourself
I want to be clear: you don't need to become a tech expert. You don't need to manage everything yourself. Working with contractors, outsourced IT, and managed service providers is completely reasonable — often it's the smart choice for a growing business.
The point is to do it with eyes open:
- Maintain ownership of critical accounts
- Understand what access you're granting
- Have a plan for transitions
- Document enough to be resilient
- Choose partners with good security practices
You can delegate the work while keeping control of the assets.
The Quick Checklist
Business Technology Ownership Checklist
- ☐ Domain name is registered under my business/personal name
- ☐ I can log into the registrar myself and manage the domain
- ☐ I have an admin account on our email system
- ☐ I know where all business passwords are stored
- ☐ I could revoke contractor access today if needed
- ☐ Someone besides my IT provider knows how to access critical systems
- ☐ Our email is with a paid provider with clear data policies
- ☐ Contractor security expectations are in writing
- ☐ I know what happens to our access if our IT provider closes or is acquired
- ☐ We have documentation that doesn't live only with the contractor
If you can't check all of these boxes, you have work to do. The good news: it's all fixable, and it's much easier to fix now than after a crisis.
When to Get Help
Some of this is straightforward — you can audit your accounts and start documenting today.
But some situations need guidance:
- You don't know where to start or what questions to ask
- The current setup is complicated and undocumented
- You need to negotiate a transition away from a provider who isn't cooperating
- You want to set things up right from the beginning
- You work in a regulated industry with compliance requirements
This is one of the things a fractional CTO can help with. Not to take over your technology — but to help you establish ownership, document what exists, and set up the right structure so you're never locked out of your own business.
The goal is simple: you stay in control, and you can work with whatever partners make sense for your business, with clear boundaries and easy transitions.
The Bottom Line
Your domain is your identity. Your email is your communication. Your cloud environment is your operations. These aren't things to hand over casually.
Work with good partners. Delegate the technical work. But maintain ownership.
The time to think about this is now — when everything is working fine. Not the day your contractor stops returning calls.
About Code to Cloud
We're based in Alberta and work with startups and small businesses across Western Canada. If you're trying to figure out who owns what in your current setup, or you want to set things up right from the start — we can help.
We'll help you establish proper ownership, document what you have, and make sure you're never locked out of your own business. No jargon, no long-term contracts, just practical guidance.
Disclaimer: This article provides general information only and does not constitute legal, financial, or professional advice. Every business situation is different. Consult with qualified professionals for advice specific to your circumstances. Code to Cloud is not liable for any actions taken based on this content.