Software Engineer Onboarding Checklist

Pull the countersigned offer from the ATS (Greenhouse, Lever, or Ashby) and confirm the start date matches the calendar invite People Ops sent. Confirm work authorization status — H-1B transfers, OPT, and STEM extensions all have different I-9 timelines and the People Ops lead needs lead time.

The engineer's discipline drives access provisioning downstream — DevOps/SRE engineers need cloud admin and PagerDuty from day 1; product engineers usually do not. Capture the role here so later steps can branch.

Default loadout: 16" MacBook Pro for product engineers, Linux laptop on request for platform/SRE. Confirm shipping address — remote hires need 5+ business days lead time. Include monitor, dock, keyboard, and YubiKey if SSO requires hardware MFA.

Buddy is a peer engineer (not the manager) who handles informal questions for the first 30 days. Avoid assigning someone who is on-call, mid-launch, or about to take PTO during week 1. Buddy schedules a 30-min coffee on day 2.

I-9 Section 2 must be completed within 3 business days of start; remote hires use an authorized representative. People Ops handles the forms via Rippling/Gusto/Justworks — engineering manager just confirms the engineer received the email and finished the workflow.

Required for SOC 2 evidence — the auditor will sample new-hire packets and look for both signatures. Acceptable-use covers the BYOD policy (if any), production-data handling, and the no-personal-cloud rule for code.

Confirm the device shows up in Jamf or Kandji with disk encryption (FileVault), screen lock, and OS up to date. Unenrolled laptops are the #1 SOC 2 finding for engineering teams. Install 1Password or the team password manager before any other software.

Cover the named cases — production data does not leave the prod VPC, no customer PII in screenshots posted to Slack, secrets go through Vault or AWS Secrets Manager and never into git. Reference the most recent incident if there's a relevant one so the policy is concrete, not abstract.

SCIM-provision downstream apps (GitHub, AWS, Datadog, Jira, Linear) from Okta groups rather than creating accounts directly — keeps offboarding clean and prevents the dangling-account problem auditors flag every cycle.

Add to the engineer's product team in the GitHub org so CODEOWNERS routes reviews correctly. Default to least-privilege — read on archived/legacy repos, write on the team's active repos. Admin on any repo is reserved for tech leads.

Add to the appropriate AWS SSO permission set (developer-readonly for product engineers, developer-write on staging only by default). Production write access is break-glass and goes through a separate approval — do not provision it at onboarding.

Add to the team's PagerDuty schedule as shadow only for the first 30 days — paged but not primary. Confirm the engineer has installed the mobile app and tested an alert. Share the runbook repo and on-call expectations doc before any shadow rotation begins.

Add to the team's project board, the #engineering and #incidents channels, and the team-specific channel. Confirm the engineer can see the active sprint and has a default assignee identity in the issue tracker.

Cover branch protection rules, the PR template, required status checks, and CODEOWNERS. Point out the architectural decision records (ADRs) folder so the engineer knows where the team's design history lives.

Buddy pairs through the README — Docker Compose stack up, seed data loaded, test suite green, IDE configured with the team's linter and formatter. Track time-to-first-green-test as a leading indicator of onboarding friction; anything over 4 hours is a docs bug.

Goal is to exercise the full pipeline — clone, branch, commit signed, push, open PR, get review, pass CI, merge, see deploy. Pick a docs typo, a test improvement, or a small refactor. The point is the round trip, not the line count.

Pair with the release captain through a full release — canary at 5%, watch error-rate dashboard, gradual rollout, post-deploy smoke test. Reference the rollback runbook in case the deploy goes sideways during the shadow.

Weekly 30-min 1:1 with the manager, biweekly 30-min with the tech lead for the first quarter. Share the team's 1:1 doc template so the engineer knows the format. Skip-level with the director is scheduled for week 4, not week 1.

Cover SEV definitions, the IC/comms/scribe roles, the status-page update flow, and the blameless PIR expectation. Confirm the engineer has shadowed at least one on-call week before being added to the primary rotation.

Cover what's working, what's blocking, and whether the buddy assignment is productive. Common 30-day blockers: missing access to a downstream system, unclear team priorities, or a local dev environment that still doesn't work end-to-end.

Triggered when the 30-day check-in flagged concerns. Document specific blockers, owner, and target resolution date in the engineer's 1:1 doc. Loop in skip-level if the blocker is structural (team scope, role mismatch, missing access that IT can't resolve).

Triggered for engineers hired into on-call-eligible roles. Confirm shadow rotation is complete, runbooks have been exercised in at least one real or game-day incident, and the engineer is comfortable being paged primary. Add to the rotation only after this gate.

Formal review against the role rubric — code quality, code review participation, project ownership, collaboration. Confirm the engineer has shipped meaningful work as primary owner of at least one ticket, not just paired contributions. Document the conversion-to-tenured-employee decision in the HRIS.