Ownership Checklist: what an SMB must be able to walk away with at agency separation

The practical deliverable from Research brief: Owning your stack — why agency-managed platforms cost more than they save (piece 4 of 15). At agency separation, an SMB should be able to walk away with all of the following, with no agency cooperation required:

Domain & DNS

• Registrar account login under the business's own credentials (not agency master account)
• Registrant listed as the business or business owner — not the agency (see ICANN: listed Registrant is the legal owner of a domain — admin/technical contact is NOT ownership)
• Auto-renew enabled with billing card under the business's name
• DNS provider login under business credentials (if separate from registrar)
• Documented list of all DNS records (A, AAAA, MX, CNAME, TXT, CAA)

Email

• Google Workspace / Microsoft 365 tenant owned by the business (super admin = business email, not agency email)
• At least two super admins in the business
• Mailbox export procedure documented (Workspace Takeout / Microsoft Compliance Export)
• See Google Workspace: cannot transfer file ownership to external accounts; client separation requires IMAP+DNS migration for why this is hard to fix after the fact

Code

• Git repository hosted under business's own account (GitHub Org, GitLab Group) — not agency's
• Business has owner-level access to the repo
• README documents build/deploy steps
• No private/proprietary agency npm or Composer dependencies without source access
• License terms for any agency-developed code clearly assign IP to the business

Content

• Database export procedure documented AND tested (see RULE: Require a working database export on Day 1 of any engagement. Test it. Re-test quarterly.)
• Media library export (full-resolution, not optimized thumbnails) accessible
• Content stored in standard formats (Markdown, HTML, JSON) or a documented schema
• No page-builder shortcodes / proprietary JSON in critical content (or a clean export path exists)

Infrastructure

• Hosting account billed to the business (not the agency)
• SSH / admin credentials transferable
• Backup procedure runs to a location the business controls (S3 with business's keys, not agency's)

Analytics & Search

• GA4 property under business's Google account (with agency as delegated user, not the other way around)
• Google Search Console verified by DNS TXT or HTML file controlled by the business — owner = business
• Google Business Profile owned by the business email, not the agency
• Meta Business Manager assets (pixel, ad account) owned by the business

Customer relationships

• CRM / email-list / customer database export under business control
• Payment processor (Stripe, Shopify Payments, etc.) account in business's name
• Reviews on platforms tied to a business-controlled email

Red flags — you're already hostage if:

• Your domain WHOIS shows the agency name as Registrant
• You can't log into Google Search Console without the agency
• Your hosting bill is paid by the agency
• Your site uses an agency-proprietary CMS with no documented export
• You can't get a database dump on request
• Your email is on the agency's Workspace tenant