Skip to main content

Use least-privilege access

Give each staff member the access needed for their role and no more. Review membership when responsibilities change, and reassign active cases, tasks, and reminders before removing a departing user. A shared login makes ownership and auditability weaker; use individual accounts for every team member.

Keep staff and client surfaces separate

Use dashboard features such as internal notes, working drafts, and staff tasks for team-only work. Use the client portal, questionnaire invitations, document shares, and payment requests only for information the firm has intentionally made client-facing. Review visibility before you send a link.

Protect portal and external credentials

Staff sign in to government portals themselves before using a supported extension workflow. Do not store, send, or ask clients to send government portal passwords through VisaFlo chat, notes, or support messages. The same rule applies to API keys, access tokens, and private signing links.

Configure branding deliberately

The VisaFlo white-label settings screen for firm branding and custom-domain configuration. White-label settings can affect client-facing names, sender identity, and links where the workspace supports them. Configure DNS and branded sender settings with the domain owner, then test in a private browser before sharing a new client link. See Email & DNS setup.

Formal due diligence

For a security questionnaire, data-processing agreement, data residency request, or custom compliance requirement, contact VisaFlo support and ask for the current formal documentation. Do not treat a help article as a substitute for a signed security or legal commitment.