Complete Software Handover Checklist
This guide explains what a complete software handover includes, what questions to ask your software agency, and the red flags that indicate poor handover practice.
| Item | What It Is | Why It Matters | ClickMasters Standard |
|---|---|---|---|
| Source code repository | GitHub/GitLab/Bitbucket repository with full commit history | Without the code, you cannot modify the software or hire another agency | Client has admin access from Day 1 — not at handover |
| Architecture documentation | System design: cloud infrastructure, database design, API design, integration architecture | New developers cannot understand the system without it | Architecture document delivered at Sprint 1, updated at each sprint |
| Deployment runbooks | Step-by-step instructions for: deploying new versions, rolling back, restarting services | Without this, any engineer can deploy — with it, any competent engineer can | Runbooks written during development, verified in final sprint |
| Infrastructure access | AWS/Azure/GCP console access, DNS management, domain registrar access | Cannot manage infrastructure without access | Client added as account admin before final payment |
| Third-party API credentials | API keys, OAuth credentials, service accounts for all integrations | Cannot operate the system without API credentials | Credentials migrated to client accounts — not ClickMasters accounts |
| Environment variables and secrets | All production configuration (not hardcoded in source code) | Missing env vars = system does not run | AWS Secrets Manager / environment variables document delivered |
| Database documentation | Entity relationship diagram, data dictionary, migration history | Cannot query or modify database structure without it | Database docs generated automatically from schema + delivered |
| UK GDPR documentation | Privacy Notice, DPIA, Article 28 DPA, Article 30 ROPA entries | GDPR compliance documentation is legally required | All GDPR documentation delivered as part of compliance pack |
| Knowledge transfer sessions | 2 sessions: architecture walkthrough + operational walkthrough | Documentation alone is not enough — engineers must ask questions | 2× 90-minute sessions included in all ClickMasters projects |
| IP transfer schedule | Written document confirming all IP assigned to client | Clarifies exactly what IP has been transferred | IP Transfer Schedule signed at final invoice settlement |
Red Flags — Poor Handover Practice
Code in agency repository only — client cannot access without the agency's permission.
No documentation — "the code is self-documenting" is a red flag. Code is not operational documentation.
API credentials in agency accounts — you cannot operate the service without the agency.
No knowledge transfer sessions — a document without context is useless.
IP transfer only on final payment — should be contractual, not conditional on full payment (partial IP exposure).
"Maintenance contract required" for basic operation — sign of deliberate vendor lock-in design.
These indicate an agency is not prepared to hand over properly:
UK GDPR Handover Obligations
Article 28 DPA: if you are taking over data processing responsibility, a new DPA with your hosting provider is required.
Article 30 ROPA: the Record of Processing Activities must be updated to reflect the new controller/processor arrangements.
DPO notification: if a DPO is appointed, they should review the handover for new processing activities.
Data migration: if data is migrated to a new system, this may be a new processing activity requiring DPIA assessment.
If your software processes personal data, the handover has specific UK GDPR implications: