Offboarding Runbook

This runbook defines the minimum offboarding steps for users, seats, and tenant access in VaultCrux.

Offboarding triggers

• Employee/contractor departure.
• Role change requiring access reduction.
• Tenant closure or contract termination.
• Security incident requiring immediate revocation.

Immediate revocation steps

1. Revoke seat(s) in team management flow or API.
2. Invalidate active seat sessions.
3. Rotate affected API keys and shared credentials.
4. Confirm access denial on protected routes.

Tenant-level offboarding

1. Export required records/receipts for retention and audit.
2. Revoke remaining seats and API keys.
3. Disable automated integrations and webhooks.
4. Run data retention/deletion workflow per contract and policy.
5. Record closure evidence and approval chain.

Verification checks

• Revoked users cannot create authenticated sessions.
• Revoked users cannot access tenant-scoped routes.
• New API key issuance is blocked for closed tenants.
• Audit evidence includes actor, timestamp, and result.

Timing targets

• Critical revocations: immediate.
• Standard personnel offboarding: same business day.
• Full tenant closure package: by agreed contract timeline.

Related pages

• Compliance Summary
• DSAR Procedure
• Security Whitepaper