From time to time we may need to request access to your third-party online accounts. Whether it's to facilitate setup for your new website during onboarding or to help troubleshoot integrations within the limits of Novi, there are a few different reasons we might need this access.
QuickBooks access for connecting to Novi and for ongoing Novi-related support
MailChimp or Constant Contact access for troubleshooting group email syncs
When this type of access is required, we want to ensure that this information is shared with us safely and securely.
Whenever possible, we should be given "admin" or "delegate" access to the account - NOT given the actual login.
Why We Don't Accept Login Shares
Why won't we accept the username/password in Email/Asana/Intercom, you may ask?
There are several reasons - namely for security and your protection, even if sending the login seems more convenient at the time.
We are strongly customer-focused here at Novi - and by going with the approach described above, the power is always in your hands. You can revoke our access at any time if needed, as well as see what we've been up to in your account. Typically, we already have our own account with the third-party service, so having the actual login to your account isn't necessary anyway.
Accidental Loss of Access
If we simply have your login instead of access, and something happens to that login - like someone on your team requesting a password reset - we've lost our access and now need to contact you to access the account again.
Shared Logins = Limited Transparency
If Novi uses a login with a username/password that is shared amongst your staff, there is no real traceability in the third party's audit log in case that is ever needed. For example, let's say that a new staff member you bring on to your team doesn't quite understand MailChimp or Constant Contact and accidentally deletes all of your lists. If everyone is sharing the same login, there's no way to pinpoint what happened.
Last but certainly not least, tools like email/Asana/Intercom are (for the most part) "unencrypted storage."
What this means is that in the rare event someone were to gain access to information in those platforms, it would be stored as readable plain text (in other words, not encrypted), and they would immediately have access to a wealth of client information.
While these platforms do take security precautions to keep data private, their primary uses are communication and project management, and they simply aren't built to the level of security necessary to protect your important login information.
How to Correctly Give Novi Access
Preferred Method: Admin Access
Many of our common third-party providers have a delegate access feature that will allow you to give us access appropriately.
Click on the third-party name below for instructions on how to provide this type of access for common platforms, as well as the type of access that should be given to Novi.
Please contact us via Intercom for the specific email address that this access should be given to.
QuickBooks - Accountant Access
Stripe - Please see the linked article for instructions on setting up Stripe with Novi
*If you use QuickBooks Payments, having access to your QuickBooks account will automatically give us access.
Secondary Method: Create New Login for Novi Within Existing Account
If delegate access is not an option for the third-party provider involved, the next method to try is creating a new username/password specifically for the Novi team. Ideally, this new login would be shared via phone call.
While this method is less preferable than above due to the need to maintain multiple logins outside of the norm, this is a good secondary option because:
Our access is fully controlled by you - you can revoke or adjust our permissions at any time if needed.
Any actions performed by the team are logged in the third party as happening via the Novi team.
If Providing Your Original Login is the Only Option...
If the preferred approaches above are not possible because of restrictions on the third-party provider, then we may need to resort to the fallback method of exchanging your login. Of course, this fallback method should be avoided if at all possible.
For example, perhaps a situation arises where you have an older third-party DNS provider that does not allow more than one login per domain account. That would be an extenuating circumstance where this fallback would be acceptable.
In those situations, these steps should be taken:
Username/Password exchanged via phone call
At the time of the phone call, the Novi AMS team member will add the username/password to our secure password storage tool & verify that the login works correctly.
A phone call adds security to this process as it is less easily intercepted than email or other third-party services, and the password is directly entered into a secure storage location.