
Executive Assistant Confidentiality: What Serious Buyers Should Lock In
Confidentiality is the top buying criterion when U.S. executives hire an EA. This guide gives the legal language, operational controls, vetting steps, and procurement questions you need, plus sample NDA/BAA excerpts, platform how‑tos, incident‑response SLAs, and realistic state and cross‑border caveats.
Key takeaways
- Treat confidentiality as layered: enforceable contracts (NDA/BAA) + least‑privilege access + monitoring and onboarding discipline; NDAs alone aren’t enough.
- Verify technical and operational signals (SSO/MFA, password vaults, mailbox delegation, audit logs) and insist on vendor evidence: signed NDAs, background checks, incident response, cyber insurance, and audit rights.
- Ask practical questions before signing: who will access what, how access is provisioned and logged, what breach SLA and insurance exist, and obtain counsel for HIPAA, privilege, or cross‑border scenarios.
Reviewed by Aurora
Aurora publishes these guides for founders and executives across the US evaluating dedicated assistant support. We refresh articles against current public sources and Aurora's operating experience so they stay grounded in how buyers actually make decisions.
Last reviewed May 2, 2026
8 public sources referenced
Why confidentiality is the purchase‑decider for executive assistants
Hiring an EA is different from hiring a task worker: you’re granting proximity to deals, communications, schedules, and personal data. For U.S. executives, the risks are reputational, regulatory (HIPAA, consumer financial laws), and commercial. Buyers should evaluate confidentiality across contract, operations, hiring, and onboarding, not as an afterthought.
What “confidentiality” means for an EA
For an EA, confidentiality includes three domains: the information itself (documents, PHI, privileged communications), systems access (email, calendar, payroll, CRM), and observed/spoken knowledge (meetings, introductions, informal conversations). Define these domains and examples in your contract so there’s no ambiguity.
- Trade secrets, transaction terms, fundraising and M&A details.
- Privileged legal communications and attorney work product.
- Regulated data (PHI under HIPAA; consumer financial data under Gramm‑Leach‑Bliley/CFPB rules).
- Personal information (addresses, family schedules, compensation).
- Operational plans (staffing changes, disciplinary records, unreleased products).
Minimum legal & contractual protections buyers should expect
Contracts must do more than say “keep confidential.” Expect clear definitions, duration and survival, permitted disclosures, remedies, audit rights, and incident‑notification commitments. For vendors, ask for signed individual NDAs for the people who will access your data and for vendor‑wide policies you can inspect.
Sample NDA excerpt (start here, have counsel adapt)
“Confidential Information” means non‑public business, technical, financial, regulatory, personal, and legal information disclosed orally, visually, or in writing, including but not limited to transaction terms, PHI, client lists, and privileged communications. Recipient shall: (a) use Confidential Information solely to perform services for Discloser; (b) restrict access to employees and contractors who need access and who are bound by written confidentiality obligations; (c) implement reasonable administrative, technical, and physical safeguards; (d) notify Discloser within 72 hours of any unauthorized disclosure and cooperate in mitigation. Confidentiality obligations survive termination for [3] years, except for trade secrets and privilege which survive indefinitely. Injunctive relief shall be available; parties agree to choice‑of‑law of [State] and exclusive venue in [County, State].
Sample BAA excerpt (for PHI handling)
This is illustrative only: obtain counsel. Sample BAA language: “Vendor is a Business Associate. Vendor will: (a) only use and disclose PHI as required to perform services and as permitted by the HIPAA Privacy Rule; (b) implement safeguards required by the HIPAA Security Rule, including encryption in transit and at rest where feasible; (c) report to Covered Entity any use or disclosure of PHI not permitted by the BAA within 72 hours of discovery, including a description of mitigation; (d) permit Covered Entity to conduct reasonable audits; (e) require any subcontractors to implement equivalent safeguards and execute BAAs. Upon termination, Vendor will return or destroy PHI and certify such action to Covered Entity. Indemnification limited to breaches resulting from Vendor’s material breach.”
State and cross‑border enforceability: what to include
Include choice‑of‑law and venue clauses (many U.S. buyers select a state where they have operations or favorable enforcement). For cross‑border vendors, add service‑of‑process instructions, arbitration or court clauses, audit rights, and data‑transfer mechanisms (Standard Contractual Clauses or documented safeguards). Be realistic: enforcement against foreign defendants can be slow and expensive, so favor contractual remedies, insurance, and technical controls that reduce reliance on litigation.
Attorney‑client privilege: how an EA can affect it
Including an EA on lawyer communications can unintentionally waive privilege in some circumstances. Treat EAs as non‑privileged by default. If an EA must be part of privileged communications, document the reason and have counsel add privilege‑preservation language such as: “The inclusion of [EA name/role] is necessary for representation; communications including them are intended to remain privileged.” Always confirm with outside or in‑house counsel and set narrow access for privileged files.
Operational controls: design access to reduce risk
- Least‑privilege access: grant read‑only or delegated access unless send‑as/full access is justified and logged.
- Separate accounts: use business role accounts and avoid sharing personal credentials.
- MFA and enterprise SSO: require SSO with enforced MFA for vendor staff.
- Password vaults: use team password managers with role‑based sharing (not spreadsheets).
- Device security: require disk encryption, endpoint management, and up‑to‑date patching.
- Encrypted file sharing: enterprise file sharing with link expiration and DLP controls.
- Logging and retention: enable mailbox audit logs, calendar change logs, and retain access logs per your retention policy.
Quick platform how‑tos (practical start):
- Google Workspace: use Gmail delegated access (Settings > Accounts and Import > Grant access) for read/delegate and ‘Send mail as’ for compose; enable Vault for retention and Admin audit logs for mailbox activity.
- Microsoft 365: use Exchange mailbox delegation (Full Access, Send As, Send On Behalf) via Exchange Admin Center; enable mailbox audit logging and set retention in Security & Compliance.
- Logging/retention: keep audit logs for at least 90 days for low‑risk roles and 1–3 years for highly sensitive roles; set alerts for unusual access patterns.
Examples (not endorsements): SSO providers: Okta, Azure AD, Google Workspace SSO. Team password managers: 1Password Business, Bitwarden (Enterprise), LastPass Enterprise. Use enterprise plans that provide role controls, logs, and exportable reports.
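The alerting and retention points above are easiest to reason about against concrete log lines. The following is an added example, not Aurora's code and not a Google Workspace or Microsoft 365 tool: it reviews a handful of constructed mailbox audit events against the delegation a buyer actually approved (delegate, granted actions, restricted folders, known egress IPs, business hours, retention window) and reports each deviation. The event field names, the policy dataclass, and every address, folder name, IP and timestamp are this example's own assumptions; a real Admin audit log or Exchange mailbox audit export would need to be mapped onto these fields first.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of mailbox audit events. The field names are this example's own
# simplified shape (an assumption), not the Google Workspace admin audit or Microsoft 365
# mailbox audit export schema; map a real export onto these fields before running.
SAMPLE_EVENTS = [
    {"ts": "2026-05-01T09:12:00Z", "actor": "ea.jordan@example.com", "mailbox": "ceo@example.com",
     "action": "MailItemsAccessed", "folder": "Inbox", "ip": "203.0.113.10"},
    {"ts": "2026-05-01T09:40:00Z", "actor": "ea.jordan@example.com", "mailbox": "ceo@example.com",
     "action": "SendAs", "folder": None, "ip": "203.0.113.10"},
    {"ts": "2026-05-01T23:55:00Z", "actor": "ea.jordan@example.com", "mailbox": "ceo@example.com",
     "action": "MailItemsAccessed", "folder": "Legal-Privileged", "ip": "198.51.100.77"},
    {"ts": "2026-01-15T10:00:00Z", "actor": "ea.jordan@example.com", "mailbox": "ceo@example.com",
     "action": "MailItemsAccessed", "folder": "Inbox", "ip": "203.0.113.10"},
]


@dataclass
class DelegationPolicy:
    """What the buyer approved for one executive mailbox (values below are constructed)."""
    mailbox: str
    approved_delegates: dict          # delegate address -> set of actions they were granted
    restricted_folders: set           # folders/labels an EA must never open (privileged, board)
    known_ips: set                    # egress IPs of the vendor's managed endpoints
    business_hours: tuple = (7, 20)   # [start, end) hour in UTC
    retention_days: int = 90          # minimum log retention for this role's risk tier


SAMPLE_POLICY = DelegationPolicy(
    mailbox="ceo@example.com",
    approved_delegates={"ea.jordan@example.com": {"MailItemsAccessed", "SendOnBehalf"}},
    restricted_folders={"Legal-Privileged", "Board"},
    known_ips={"203.0.113.10"},
)
NOW = datetime(2026, 5, 2, 12, 0, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_retention_window(event: dict, now: datetime, retention_days: int) -> bool:
    return now - parse_ts(event["ts"]) <= timedelta(days=retention_days)


def review_event(event: dict, policy: DelegationPolicy) -> list:
    """Return the reasons this event deviates from the approved delegation pattern."""
    reasons = []
    granted = policy.approved_delegates.get(event["actor"])
    if granted is None:
        reasons.append("actor is not an approved delegate")
    elif event["action"] not in granted:
        reasons.append(f"action {event['action']} not granted to this delegate")
    if event.get("folder") in policy.restricted_folders:
        reasons.append(f"access to restricted folder {event['folder']}")
    if event["ip"] not in policy.known_ips:
        reasons.append(f"access from unrecognized IP {event['ip']}")
    hour = parse_ts(event["ts"]).hour
    start, end = policy.business_hours
    if not start <= hour < end:
        reasons.append(f"access outside business hours ({hour:02d}:00 UTC)")
    return reasons


def review_log(events: list, policy: DelegationPolicy, now: datetime):
    """Return (alerts, older): alerts for in-window events with findings, plus a count of
    events older than the retention window (evidence that retention is actually enforced
    rather than logs being silently trimmed or never kept)."""
    alerts, older = [], 0
    for event in events:
        if event["mailbox"] != policy.mailbox:
            continue
        if not in_retention_window(event, now, policy.retention_days):
            older += 1
            continue
        reasons = review_event(event, policy)
        if reasons:
            alerts.append({"ts": event["ts"], "actor": event["actor"],
                           "action": event["action"], "reasons": reasons})
    return alerts, older


if __name__ == "__main__":
    found, older = review_log(SAMPLE_EVENTS, SAMPLE_POLICY, NOW)
    for alert in found:
        print(alert["ts"], alert["actor"], alert["action"], "->", "; ".join(alert["reasons"]))
    print(f"{older} event(s) fall outside the {SAMPLE_POLICY.retention_days}-day retention window")
```

On the constructed sample, the morning Inbox read is clean, the `SendAs` event is flagged because only `SendOnBehalf` was granted, and the late‑night read of the privileged folder from an unfamiliar IP produces three reasons at once, which is the kind of event a buyer would want paged rather than buried in a monthly report. The January event is counted as outside the 90‑day window; for a highly sensitive role the page's 1–3 year retention would simply raise `retention_days`.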
| Service model | Confidentiality signal (what to verify) | Recommended contract & operational controls | Typical red flags |
|---|---|---|---|
| In‑house EA (employee) | Employment contract with confidentiality clause; local supervision; background checks | Employment NDA, device policy, employee handbook, onboarding training, audit procedures | Informal policies, mixed personal/business accounts, no documented offboarding |
| Remote/outsourced EA (vendor‑managed, U.S. or cross‑border) | Vendor confidentiality policy, signed individual NDAs, background‑check program | Vendor BAA if PHI; SLAs for incident notification; cyber insurance; audit rights; SSO & managed endpoints | Vendor refuses audits, vague indemnities, anonymous/rotating workers |
| Gig/marketplace assistants | Platform TOS + ad hoc NDAs; variable continuity | Tight account segregation, short‑term access tokens, written identity of assigned worker | Changing assistants with no continuity, no background checks, inability to enforce NDA |
Hiring & vetting: what actually reduces risk
Background checks and references are more predictive when paired with onboarding, role training, and contractual obligations. For vendors, require documented processes for vetting and rechecks.
- Typical consumer‑reporting agency (CRA) searches: SSN trace, county criminal records, national criminal database, global watchlists, employment verification, education verification, and motor vehicle records where relevant.
- FCRA compliance: if you use a CRA, obtain written candidate consent, provide adverse‑action notices if you rely on the report to disqualify, and follow notice requirements. Vendors should confirm FCRA‑compliant processes when they run checks.
- What to ask vendors for: scope of checks, redaction policy, summary results (not full reports unless necessary), identity verification evidence, and cadence for rechecks (annually for higher risk).
- Social media checks for public behavior; professional references focused on discretion and tenure; identity and right‑to‑work documentation appropriate to jurisdiction.
Incident response and insurance: contractual and practical expectations
Require a clear incident response plan, notification SLA, and cyber liability insurance limits. These reduce practical loss and speed remediation when breaches occur.
- Sample notification SLA: Vendor will notify Buyer of confirmed or reasonably suspected unauthorized access within 24 hours of discovery and provide a full written incident report within 72 hours, plus immediate containment steps and ongoing remediation updates.
- Insurance benchmark: require vendor cyber liability insurance with a minimum of $1M per occurrence for routine engagements; consider $2M+ for high‑sensitivity roles (PHI, privileged materials). Check policy coverages (breach response, regulatory fines, defense costs).
- Sample contractual breach remedies: injunctive relief, indemnity for losses caused by the vendor’s breach, and a liquidated‑damages floor for failure to meet notification SLA (draft with counsel: liquidated damages must be reasonable under applicable state law).
- Include audit rights and remediation timelines; require vendor cooperation with forensic investigations and third‑party auditors.
Service‑model signals that indicate a trustworthy EA provider
Prioritize documented evidence over marketing language. Useful signals: written confidentiality policies, signed NDAs for individuals, sample BAA, background‑check program details, cyber insurance certificate, incident‑response runbooks, SSO and password‑vault evidence, and vendor references from comparable U.S. executives.
Example provider checklist (illustrative)
Ask the vendor to provide: (1) a redacted employee roster and confirmation that each worker on your account will sign an individual NDA; (2) background‑check scope and recheck cadence; (3) a sample BAA and incident response playbook; (4) proof of cyber insurance; (5) SSO and password‑vault configuration overview; and (6) willingness to accept choice‑of‑law and audit clauses. Treat these as procurement gates, not optional extras.
Red flags and deal‑breakers
- Vendor or candidate refuses individual NDAs or only points to platform TOS.
- No audit rights or refusal to provide references who can vouch for discretion.
- Anonymous/rotating assistants on gig platforms with no identity guarantees.
- No incident response plan or no cyber insurance for vendor engagements.
- Requests for blanket access to personal banking or accounts without a clear business need.
- Inability to explain PHI handling or privilege‑preservation processes, or refusal to provide a sample BAA.
Quick checklist: what to ask before you sign
1. Can you provide a signed NDA for the individual(s) who will work on my account? May I review it in advance?
2. Do you run background checks (scope) and can you provide summary evidence and identity verification for the assigned EA?
3. Exactly what access will the EA have (email role, calendar visibility, file shares)? Can we limit it to least privilege?
4. What technical controls protect my data (SSO/MFA, password vaults, encryption at rest/in transit)?
5. Do you maintain mailbox and access logs and can I request periodic access reports?
6. Do you have cyber insurance (minimum limits) and an incident response plan? What is your notification SLA?
7. If PHI or privileged communications are involved, can you provide a BAA or privilege‑preservation protocol and share it for counsel review?
8. Where will data be stored or processed? If outside the U.S., what data‑transfer and enforcement protections do you offer (SCCs, audit rights)?
Onboarding and internal policies to adopt when you bring an EA on board
- Establish account patterns: role‑based mailboxes and shared folders; do not share executive personal credentials.
- Set calendar defaults: start with busy/free and expand only as workflows prove necessary.
- Device & software whitelist: require approved, managed devices and endpoint protections for any device accessing business systems.
- Schedule 30‑, 90‑day and annual access reviews to confirm privilege still matches job needs.
- Document handling procedures for sensitive categories (PHI, privileged, payroll) and store the procedure in an internal policy repository.
- Offboarding checklist: revoke access, rotate shared credentials, confirm return/destruction of files, and certify the steps in writing.
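The 30‑, 90‑day and annual access reviews and the offboarding checklist above both reduce to the same comparison: what the systems grant today versus what was approved and who is still on the roster. The following added example (not Aurora's code, not any admin console's export format) makes that comparison over constructed data. It ranks privilege levels so a `send-as` grant where only `read` was approved is reported as over‑privileged, reports any grant still held by an offboarded person, lists resources nobody approved, and builds the offboarding actions for a leaver, including rotation of shared vault items they could have seen. All addresses, resource names, levels and vault item names are assumptions made for the example.

```python
from datetime import date

# Privilege levels from least to most access. A grant above the approved level is
# over-privileged and a candidate for revocation at the next review.
LEVELS = {"none": 0, "free-busy": 1, "read": 2, "send-on-behalf": 3, "send-as": 4, "full": 5}

# Constructed inputs in this example's own shape (an assumption, not an admin-console export).
ROSTER = {
    "ea.jordan@example.com": {"status": "active", "offboarded": None},
    "ea.sam@example.com": {"status": "offboarded", "offboarded": date(2026, 4, 20)},
}
# (delegate, resource) -> maximum level approved at onboarding or the last review
APPROVED = {
    ("ea.jordan@example.com", "ceo@example.com:mailbox"): "read",
    ("ea.jordan@example.com", "ceo@example.com:calendar"): "free-busy",
    ("ea.jordan@example.com", "share:travel"): "read",
}
# What the systems actually grant today
ACTUAL = [
    {"delegate": "ea.jordan@example.com", "resource": "ceo@example.com:mailbox", "level": "send-as"},
    {"delegate": "ea.jordan@example.com", "resource": "ceo@example.com:calendar", "level": "free-busy"},
    {"delegate": "ea.jordan@example.com", "resource": "share:payroll", "level": "read"},
    {"delegate": "ea.sam@example.com", "resource": "ceo@example.com:mailbox", "level": "read"},
    {"delegate": "ea.sam@example.com", "resource": "share:travel", "level": "read"},
]
# Vault items anyone with access to a resource could have seen; rotate them when such a
# person leaves rather than relying on revocation alone
SHARED_CREDENTIALS = {"share:travel": ["travel-portal login (vault item)"]}


def review_access(actual, approved, roster):
    """Compare live grants against the approved matrix and roster; return drift by category."""
    findings = {"offboarded": [], "over_privileged": [], "unapproved": [], "missing": []}
    seen = set()
    for grant in actual:
        key = (grant["delegate"], grant["resource"])
        seen.add(key)
        person = roster.get(key[0])
        if person is None or person["status"] != "active":
            findings["offboarded"].append(grant)       # access that survived departure
            continue
        cap = approved.get(key)
        if cap is None:
            findings["unapproved"].append(grant)       # nobody signed off on this resource
        elif LEVELS[grant["level"]] > LEVELS[cap]:
            findings["over_privileged"].append({**grant, "approved": cap})
    for key, cap in approved.items():
        if key not in seen:                            # approved but never provisioned (informational)
            findings["missing"].append({"delegate": key[0], "resource": key[1], "approved": cap})
    return findings


def offboarding_actions(delegate, actual, shared_credentials):
    """Revocations, shared-credential rotations, and the written certification step."""
    actions = []
    for grant in actual:
        if grant["delegate"] != delegate:
            continue
        actions.append(f"revoke {grant['level']} on {grant['resource']}")
        for item in shared_credentials.get(grant["resource"], []):
            actions.append(f"rotate {item}")
    actions.append("confirm return/destruction of files and certify the steps in writing")
    return actions


if __name__ == "__main__":
    for category, items in review_access(ACTUAL, APPROVED, ROSTER).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
    print("\n".join(offboarding_actions("ea.sam@example.com", ACTUAL, SHARED_CREDENTIALS)))
```

Run against the constructed data, the review finds two grants still held by the offboarded assistant (the clearest sign an offboarding checklist was never executed), one over‑privileged mailbox grant, one unapproved payroll share, and one approved travel share that was never provisioned. The same functions serve the 30‑day review (catch provisioning that exceeded the request), the 90‑day and annual reviews (catch drift), and offboarding (revoke, rotate, certify), which is why the checklist above treats them as one recurring control rather than separate chores.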
Two anonymized case studies (what can go wrong and how controls help)
Case 1: The leaked term sheet. An EA left an in‑house role to join a competing firm. Because the company used a shared executive inbox and had minimal device controls, a draft term sheet surfaced externally. The company mitigated impact by proving in the vendor contract that the EA had signed an NDA, quickly securing injunctive relief, and replacing compromised credentials. Lessons: favor role‑based mailboxes, endpoint controls, and rapid offboarding checklists.
Case 2: PHI exposure avoided by BAA. A healthcare executive explored remote support and required a vendor BAA before sharing schedule details for patient‑related meetings. When the vendor’s initial configuration exposed calendar details via a public link, the incident response process and contractual SLA forced immediate containment, reconfiguration, and a written remediation report with forensic evidence. Lessons: insist on a BAA, test vendor configurations before sharing PHI, and demand clear notification SLAs.
How this guide connects to practical hiring steps
Use this confidentiality checklist alongside role design resources: What Does an Executive Assistant Do? The Complete 2026 Guide, How to Hire an Executive Assistant Who Actually Frees Up Your Time, and Remote Executive Assistant: How It Works and Why It Often Works Better. For pricing/control tradeoffs, see Executive Assistant Pricing Guide: What You Are Really Paying For, and for operational delegation patterns consult Inbox Management for Executives: How an EA Takes Control and Calendar Management for Executives: What to Delegate.
Final notes: templates and external guidance are starting points. For BAA language, HIPAA basics, and enforcement guidance see HHS HIPAA resources (https://www.hhs.gov/hipaa), Practical Law or your state bar templates for NDAs, and the FTC guidance on data security. Always have counsel review contracts and state‑specific issues (California and New York have additional privacy and employment nuances; FCRA governs consumer reports).
Frequently asked questions
Is an NDA enough to protect sensitive information when I hire an executive assistant?
No. An NDA is a necessary contractual baseline that establishes obligations and remedies, but it does not prevent accidental disclosure or a malicious insider. Treat an NDA as one layer and combine it with least‑privilege account design, SSO/MFA, password vaults, device protections, background checks, vendor cyber insurance, audit rights, and monitoring. For HIPAA or privilege concerns, include a Business Associate Agreement or privilege‑preservation protocol and consult counsel; templates are starting points, not a substitute for legal review.
Can I safely use a remote or offshore executive assistant for confidential work?
Yes, but evaluate controls and contract terms rather than assuming location decides risk. Offshore providers can be secure if they offer enforceable individual NDAs, documented policies, background checks, encryption, SSO/MFA, auditable access, clear data‑transfer terms (e.g., SCCs), and choice‑of‑law/service provisions. Cross‑border enforcement is harder in practice, so require audit rights, indemnity, and counsel review of data‑transfer mechanics.
What specific mailbox and calendar access patterns should I prefer for an EA?
Prefer delegated or role-based access over shared credentials. For email: use read‑only delegation where the EA needs visibility; use send‑as/send‑on‑behalf only when composing or replying is required; reserve full mailbox credentials only for rare cases with endpoint controls and strict logging. For calendar: start with busy/free visibility and expand to full details only when necessary; consider shared inboxes or assistant role accounts for meeting logistics. Always enable mailbox auditing, retention for logs (90–365 days depending on risk), and MFA/SSO for any privileged access.
Sources consulted
Aurora reviews current source material while building and refreshing these articles so the guidance stays grounded in the market executives are actually buying in.
- https://www.execservicecorps.org/confidential-policy (execservicecorps.org)
- https://www.genieai.co/en-us/template/executive-assistant-confidentiality-agreement (genieai.co)
- https://execassistants.org/code-of-ethics/ (execassistants.org)
- https://www.sec.gov/Archives/edgar/data/821130/000082113018000023/usmexhibit10_1.htm (sec.gov)
- https://www.shesagiven.com/privacy (shesagiven.com)
- https://www.uslegalforms.com/forms-kit/us-509em-15/executive-assistant-confidentiality-agreement-with-employee (uslegalforms.com)
- https://www.workmate.com/blog/what-to-expect-from-a-us-based-executive-assistant-service (workmate.com)
- https://executiveassistantinstitute.com/executive-assistant-job-interview-questions-to-prepare/ (executiveassistantinstitute.com)