Credential & access charter
For this buyer, a €200 deposit is really a credentials decision. So here is every credential the kickoff checklist requests — its exact scope, why it is needed, where it lives, and the date it is revoked. Published before you pay, so the decision is an informed one. Nothing on this page is aspirational: each line is enforced mechanically (vault scoping, human-only deploy paths, a day-37 revocation cron).
| Credential | Exact scope | Why it is needed | Where it lives | Revoked |
|---|---|---|---|---|
| Scoped Envato API token | You create it yourself in your own Envato account, with read scopes for your item and sales data only. We never see or ask for your Envato password, and no automation ever logs into your Envato account. | Pull item and sales data; validate purchase codes for the redemption bridge. | Per-client vault collection, encrypted at rest, on an EU server. | Day 37: token deleted; you also revoke it on your side (instructions included). Confirmation posted to your status page. |
| Plugin zip or repository access | Read access to the plugin codebase — the one being migrated, nothing else. | Integrate the Freemius SDK and the update mechanism; run the PHP × WP × Woo sandbox matrix. | Per-client vault collection; working copies in an isolated sandbox. | Day 37: access removed, local copies deleted per the DPA. |
| Freemius team invite | A team invite you send, to one named address, at a role you choose. You can revoke it yourself at any moment. | Set up the product, deploy Freemius's free license-data import, wire the redemption bridge. | Held as an account invite inside your own Freemius account — never a shared password. | Day 37: access removed; the revocation checklist confirms it. |
| Email addresses you already hold | Only addresses you already lawfully hold. Migration emails go out under your sender identity; you approve every email before send. | Draft and sequence the migration emails to your existing buyers. | Encrypted at rest, processed under a GDPR Art. 28 data-processing agreement (you stay the controller). | Day 37: buyer data deleted per the DPA. 72-hour breach notice is in the DPA. |
| Target domain / hosting access | The minimum needed to put the new store and bridge live. Client production deploy keys exist only on the operator's machine — never on a server the automation can read. | Deploy the store and the redemption bridge; point DNS. | Production keys: operator's machine only. Everything else: per-client vault collection. | Day 37: access removed and confirmed. |
What we never ask for
- Never your Envato password. You create a scoped API token yourself — step-by-step instructions included.
- Never your Stripe login (or any payment-processor login). Your money rails stay yours.
- Never your wp.org credentials. Anything involving wp.org is done by you, with prepared materials.
- Never buyer payment data. Card numbers, PayPal accounts, billing details — the bridge captures an email with an explicit consent checkbox, nothing more.
If anyone claiming to be PluginExit asks for any of the four above, treat it as fraud and say no.
Enforcement, not promises
These rules hold because the system is built so breaking them is structurally hard, not because a policy document says so: automation cannot deploy to client production (the keys are not where the automation runs), cannot send email to new recipients without a logged human decision, and cannot touch Stripe at all. The day-37 revocation is a scheduled job whose output — the revocation checklist, completed — lands on your status page.
security.txt and a PGP key will be published at this domain at launch (placeholder until then). Related: verify the operator against third-party registries · hard questions