Offboarding Policy
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This policy defines what happens when a workforce member leaves Glassbreak — voluntarily or involuntarily. It ensures that access is revoked promptly, credentials with shared blast radius are rotated, assets are returned, knowledge is transferred, and post-termination obligations are clearly understood by both sides.
2. Scope
This policy applies to every workforce member departure regardless of employment classification (employee, contractor, advisor, intern) and reason for departure (resignation, redundancy, end of contract, dismissal). It applies equally to planned departures with notice and to immediate departures.
3. Notice period
- Voluntary departures follow the notice period set in the individual's contract.
- Immediate departures (dismissal for gross misconduct, safeguarding concerns, or business necessity) follow the expedited revocation procedure in section 5 below.
- Notice is acknowledged in writing by the line manager within 1 business day of receipt.
4. Planning
On notification of a planned departure, the line manager and the Security Officer:
- Agree the last working date and any handover plan.
- Identify every system the departing member has access to, using the access register.
- Identify every shared secret, signing key, or other credential whose blast radius includes the departing member.
- Identify knowledge that must be transferred and to whom.
- Identify physical assets (laptop, hardware keys, badges, documents) for return.
- Schedule the exit interview.
5. Access revocation
5.1 Standard departure
On the last working day, before the member leaves the building or signs off:
- Sessions revoked across every Glassbreak system.
- SSO / IdP account suspended (where applicable).
- MFA devices unbound and disabled.
- Application accounts disabled (not deleted — disabling preserves the audit trail). Account deletion follows the standard data-retention schedule.
- API keys, personal access tokens, and developer credentials revoked.
- Source-code repository access removed (GitHub team membership revoked; outstanding pull-requests reassigned).
- Cloud-provider IAM roles, console access, and operator accounts removed (AWS, Scaleway, Fastly, Neon, Grafana Cloud, sub-processor admin consoles).
- Hardware keys retrieved and decommissioned.
- Workstation collected (or remote-wipe initiated for distributed teams) and the device wiped per the standard decommissioning procedure.
- Email forwarding rules removed; out-of-office message set redirecting to the relevant team alias.
5.2 Expedited departure
For dismissal for cause, suspected insider threat, or any other situation requiring immediate revocation, the Security Officer may authorise expedited revocation before the formal exit conversation:
- All sessions revoked immediately.
- All credentials disabled within 1 hour of authorisation.
- Workstation access disabled remotely.
- The departing member is informed in person or by direct contact as soon as access has been revoked.
- An incident record is opened under the Incident Response Policy if there is any suspicion of policy violation.
6. Credential rotation
Any shared credential, signing key, or sub-processor admin credential that the departing member had access to is rotated regardless of the reason for departure. This includes (where applicable):
- Production-vertical EdDSA JWT signing keys (per the rotation runbook in docs/operator-jwt-per-vertical.md).
- Cross-vertical sync HMAC keys.
- Database administrator credentials.
- Object-storage bucket access keys.
- Sub-processor admin accounts (Stripe, Postmark/SES, Twilio, Grafana Cloud, GitHub Organisation Owner, etc.).
- Refresh-token pepper / password pepper if the member had operational access to it.
- Domain registrar accounts (Porkbun, Gandi, DNSimple).
- DNS authority accounts (Route 53, Gandi LiveDNS, deSEC, Porkbun DNS).
- Any cryptographic material the member helped generate.
The Security Officer maintains a checklist of rotatable credentials reviewed at every departure.
7. Asset return
- Laptop, mobile devices, hardware keys, badges, and any physical documentation must be returned by the last working day.
- Returned devices are wiped per the standard decommissioning procedure (factory reset, secure erase, re-imaging).
- For remote workers, devices are shipped to the office or a designated address; tracked shipping is required.
- Failure to return assets is logged and may result in deduction from final payments where contractually permitted.
8. Knowledge transfer
- The departing member produces a written handover document covering: current responsibilities, in-flight work, pending decisions, and the people / systems that depend on their work.
- Handover sessions are scheduled with successors and with the wider team for knowledge that has organisational value.
- The Security Officer reviews handover for any operational runbook, key-rotation procedure, or sub-processor relationship that needs an explicit successor.
9. Exit interview
- Conducted by the line manager and, where appropriate, by the Security Officer.
- Covers reason for departure, feedback on Glassbreak as an employer, any concerns about security or compliance, and a reminder of post-termination obligations.
- Records are retained in the workforce file.
10. Post-termination obligations
The following obligations survive termination and are explicitly reaffirmed at the exit interview:
- Confidentiality. All Glassbreak information and customer data accessed during employment remains confidential indefinitely.
- Intellectual property. All IP created in the course of work remains Glassbreak property.
- Non-disclosure. Disclosure or use of Glassbreak information outside Glassbreak business is prohibited.
- Return of materials. No copies of Glassbreak materials may be retained on personal devices or in personal accounts. The departing member confirms in writing that no such copies are retained.
- Cooperation. The departing member agrees to cooperate reasonably with any subsequent investigation of incidents that occurred during their employment.
11. Communication
- Internal: the departure is announced to the team in a timely manner appropriate to the circumstances.
- External: customers with whom the departing member had a named relationship are informed and introduced to their new point of contact.
- Suspended accounts continue to redirect to the relevant team alias for at least 90 days.
12. Records
- The offboarding checklist (access revocation, asset return, credential rotation, knowledge transfer, exit interview) is completed and retained in the workforce file for at least 5 years post-termination.
- The access register is updated to reflect every revocation with the date and the executor.
- The credential-rotation log is updated for every key, secret, and account rotated.
13. Audit and assurance
- Every completed offboarding is reviewed by the Security Officer within 30 days of the last working date to confirm the checklist was completed in full.
- A sample of offboarding records is reviewed annually as part of the ISMS internal audit.
- Discrepancies (missed revocations, un-returned assets, un-rotated credentials) are tracked as corrective actions until closed.
14. Review
This policy is reviewed at least annually and after every material change to offboarding practices. The next scheduled review is 27 May 2027.
15. Related documents
- Onboarding Policy
- Information Security Policy
- Incident Response Policy
- Sanctions and Disciplinary Policy
- docs/operator-jwt-per-vertical.md: JWT rotation runbook
Counter-signed PDF copy available on request to compliance@glassbreak.io.