Offboarding Process
Offboarding is initiated via the Employee Offboarding form in Linear Asks (IT Ops team). The form creates a Linear issue with a full deprovisioning checklist. The CTO suspends the Google Workspace account immediately (90-day retention, scheduled for full deletion), triggers the access-provision.yml workflow for automated deprovisioning (GitHub, Supabase, Doppler), and completes manual steps. Manual steps remain for 1Password, Slack, Cloudflare, CrowdStrike, Backblaze, and GCP IAM.
Workflow: The access-provision.yml workflow is triggered via workflow_dispatch from the Linear issue checklist for the 6 automated systems.
The Linear issue is the audit record. 90-day Google account deletion is tracked via the issue’s due date (set to 90 days from suspension), with the issue moved to Waiting state until deletion.
SLA: Access revoked within 24 hours of departure. Involuntary terminations: within 1 hour.
Access Revocation
If the access-provision.yml workflow was used, automated deprovisioning has already handled GitHub, Supabase, and Doppler. Use the table below to verify automated steps completed and to complete the remaining manual systems (Google Workspace, 1Password, Slack, Cloudflare, CrowdStrike, Backblaze, GCP IAM).
Automated (via access-provision.yml)
| # | System | Action | Responsible |
|---|---|---|---|
| 1 | GitHub | Remove from Meridian7-io organization | CTO |
| 2 | Supabase | Remove from organization | CTO |
| 3 | Doppler | Remove from workplace | CTO |
Manual
| # | System | Action | Responsible |
|---|---|---|---|
| 4 | Google Workspace | Suspend account (do NOT delete — 90-day data retention). CTO suspends manually per Linear issue checklist. | CTO |
| 5 | GCP IAM | Revoke all IAM role bindings (Cloud Run, Cloud Monitoring) via GCP Console → IAM | CTO |
| 6 | Slack | Deactivate account | CTO |
| 7 | 1Password | Suspend account and remove from all vaults | CTO |
| 8 | Cloudflare | Remove from account (if applicable) | CTO |
| 9 | CrowdStrike | Remove host from console (after device recovery) | CTO |
| 10 | Backblaze | Revoke application keys associated with user (if applicable) | CTO |
| 11 | GitHub Project | Remove from all boards | CTO |
Credential Rotation
| # | Action | Responsible |
|---|---|---|
| 14 | Identify all Doppler secrets the user had access to | CISO |
| 15 | Rotate identified secrets in Doppler (all affected environments) | CTO |
| 16 | Rotate any shared credentials the user had knowledge of | CTO |
| 17 | Verify rotated credentials are deployed and services are healthy | CTO |
BYOD Device Offboarding
| # | Action | Responsible |
|---|---|---|
| 18 | Verify CrowdStrike sensor removed from departing employee’s device (or initiate remote uninstall via Falcon Console) | CTO |
| 19 | Confirm employee signed out of all company accounts | CTO |
| 20 | Confirm employee removed company data from local storage | CTO |
| 21 | Remove device from CrowdStrike host inventory | CTO |
Post-Offboarding Verification
The verify runner confirms the departed user no longer appears in any system’s user list. Results are recorded in the Linear issue before it is moved to Done.
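An added sketch of the kind of check a verify runner performs, written for this page and not Meridian Seven's own runner: it assumes each system's user list has been exported into the `snapshots` structure shown, and every function name, field name and sample value is hypothetical. It treats Google Workspace as suspend-only, because that account is retained for 90 days, and applies the SLA figures stated above.

```python
from datetime import datetime, timedelta

# SLA values are from the page; everything else here is a constructed assumption.
SLA = {"voluntary": timedelta(hours=24), "involuntary": timedelta(hours=1)}
# Google Workspace accounts are suspended, not deleted, for 90 days, so the
# check there is "suspended", not "absent from the user list".
SUSPEND_ONLY = {"Google Workspace"}


def normalize(identity: str) -> str:
    """Lower-case, trim, and drop a GCP-style 'user:' member prefix."""
    return identity.strip().lower().removeprefix("user:")


def verify_offboarding(identities, snapshots):
    """Return {system: reason} for every system where access still exists.
    identities: all names the person is known by (email, GitHub handle, ...).
    snapshots:  {system: [{"id": str, "suspended": bool}, ...]} user-list exports.
    """
    wanted = {normalize(i) for i in identities}
    findings = {}
    for system, users in snapshots.items():
        for user in users:
            if normalize(user["id"]) not in wanted:
                continue
            if system in SUSPEND_ONLY:
                if not user.get("suspended", False):
                    findings[system] = "account still active"
            else:
                findings[system] = "user still listed"
    return findings


def sla_met(departed_at: datetime, revoked_at: datetime, kind: str) -> bool:
    """True if revocation finished inside the SLA for this departure type."""
    return revoked_at - departed_at <= SLA[kind]


# Constructed sample exports (not real data).
SAMPLE = {
    "GitHub": [{"id": "alice-dev"}, {"id": "bob-dev"}],
    "Supabase": [{"id": "alice@example.com"}],
    "Doppler": [{"id": "Bob@Example.com"}],
    "GCP IAM": [{"id": "user:alice@example.com"}],
    "Google Workspace": [{"id": "bob@example.com", "suspended": True}],
}

if __name__ == "__main__":
    print(verify_offboarding(["bob@example.com", "bob-dev"], SAMPLE))
```

An empty result is what gets recorded in the Linear issue as a pass; any finding names the system that still needs a revocation step.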
Related Documents
- Access Control Policy
- Onboarding Process
- Monthly Access Review
- Information Security Policy
- BYOD Endpoint Security Policy
Meridian Seven — Confidential