Employee & Contractor Offboarding Policy

Access revocation

• Disable email and SSO accounts; revoke all OAuth tokens.
• Revoke admin role in the application database (user_roles table) and any subscriber-level entitlements.
• Revoke API keys, personal access tokens, deploy keys, and CI/CD credentials issued to the Departing Person.
• Remove from third-party services: Stripe, email provider, cloud-provider console, source-control, project-management tools, support tooling, password manager.
• Rotate any shared secrets the Departing Person had access to (DB passwords, webhook secrets, API keys for connected services).
• Revoke physical access (office key, building badge) where applicable.

Asset recovery

• Inventory of all company-issued hardware (laptop, phone, hardware MFA key, external drives) — recovered and wiped.
• Inventory of any printed or downloaded materials containing Gear Wave Data — returned or certified destroyed.
• Source code, designs, customer lists, financial data, and other work product copied off company systems — confirmed deleted, with attestation in writing.
• Personal devices used under any BYOD arrangement — Gear Wave data wiped via MDM or attested-destroyed.

IP & confidentiality confirmation

• Re-affirm IP assignment of all work product to Gear Wave (per the IP Policy and the Departing Person's underlying agreement).
• Re-affirm continuing confidentiality obligations.
• Confirm no Gear Wave Data, trade secrets, or customer data will be retained or used after departure.
• Reminder of any non-solicitation obligations (where lawful in the applicable jurisdiction).

Knowledge transfer

• Documentation of in-flight work, open tickets, vendor relationships, and tribal knowledge.
• Reassignment of ownership for any systems, repos, or accounts where the Departing Person was the sole owner.

Recordkeeping

• The completed checklist is signed by the Incident Commander (or founder) and the Departing Person where possible, and retained for at least 7 years.
• An entry is written to the admin audit log noting role revocation and the date.

For terminations for cause, suspected misconduct, or any case where the Departing Person may have an incentive to misuse access, all access-revocation steps are executed before notice is delivered. Forensic preservation of the Departing Person's account activity is initiated immediately.

Within 7 days of departure, a post-offboarding audit confirms (a) no active sessions or tokens remain for the Departing Person, (b) all listed systems show access removed, and (c) all assets are accounted for. Any gaps trigger immediate remediation.

This checklist is reviewed at least annually and updated when Gear Wave adopts new systems or vendors.