Employee Offboarding Checklist

People ops records the last working day and whether the departure is voluntary, involuntary, or end-of-contract. Involuntary terminations skip the standard two-week wind-down — access is cut on the termination date, not at end of business.

Engineers with prod AWS console, kubectl, or DB write access need a tighter offboarding path — break-glass credential rotation, IAM role review, and SOC 2 access-review evidence. Mark the level so downstream steps branch correctly.

Bulk-reassign in-flight tickets to the tech lead or named owners. Open PRs either get merged, closed, or handed off with a comment naming the new driver. Don't leave a draft PR sitting on a deactivated account — it becomes invisible.

Remove from CODEOWNERS in every repo where they appear (a quick org-wide grep), update PagerDuty/Opsgenie schedules, and reassign Backstage service ownership. A departing on-call who's still in the rotation is a 3am page nobody answers.

For any service where this engineer was the primary owner, capture: deploy quirks, known flaky tests, vendor contacts, and the runbook for the most common alerts. Drop into the service's Confluence/Notion page or the repo README.

Any shared secret the engineer could have viewed in 1Password/Vault gets rotated: prod DB passwords, third-party API keys (Stripe, Twilio, SendGrid), webhook signing secrets, break-glass IAM user credentials. Individual SSO sessions don't need rotation — those die with deprovisioning.

Suspend the user in Okta/Google Workspace/Azure AD on the last working day. SCIM should propagate to most SaaS apps within 15 minutes — verify in the SSO logs. For apps not behind SCIM (always a few), use the manual list maintained in the offboarding wiki.

Remove from the GitHub/GitLab org and audit their personal access tokens, SSH keys, and OAuth grants. Transfer ownership of any personal repos containing org code. Check if they authored any GitHub Actions workflows that use a PAT — those need a service account replacement.

AWS console + CLI access keys, GCP/Azure equivalents, Datadog, PagerDuty, Sentry, Vercel, Cloudflare, the registry (ECR/Docker Hub), and Terraform Cloud. Each has its own admin path; the offboarding wiki maintains the canonical list.

For remote employees, send a prepaid return box (most MDM vendors offer this) before the last day. For in-office, schedule a 15-minute desk handoff with IT. Include peripherals, YubiKeys, and any loaned monitors.

Trigger remote wipe through Jamf/Kandji/Intune the moment the device checks in. FileVault/BitLocker keys should already be escrowed; if not, you have an incident. Confirm wipe completion in the MDM audit log before reissuing.

State law dictates timing — California requires final pay on the termination day for involuntary departures. Include unused PTO per state policy; check the state's specific rules before assuming.

Federal COBRA notice must be sent within 14 days of the qualifying event. Most PEOs (Gusto, Rippling, Justworks) handle this automatically — verify the notice actually went out, don't assume.

Manager posts the announcement in #engineering and emails any external partners or customers who had a direct relationship. Keep it factual; for involuntary departures, follow the HR-approved language exactly.

People ops (not the direct manager) runs a 30-minute exit conversation. Standard prompts: what worked, what didn't, why now, would you boomerang. Aggregate themes quarterly — single data points are noise, patterns are signal.

HRIS, the public-facing about page (if applicable), and Backstage component owners. Stale ownership in Backstage is a leading cause of unanswered service questions six months later.