Developer Offboarding Guide

Project: {{PROJECT_NAME}}
Version: {{VERSION}}
Date: {{DATE}}
Author: {{AUTHOR}}
Status: Draft | In Review | Approved
Reviewers: {{REVIEWERS}}

Document History

Version | Date | Author | Changes
0.1 | {{DATE}} | {{AUTHOR}} | Initial draft

1. Offboarding Overview

Developer: {{DEVELOPER_NAME}}
Last Day: {{LAST_DAY}}
Manager: {{MANAGER}}
Offboarding Coordinator: {{COORDINATOR}}
Security Review: {{SECURITY_REVIEWER}}

Departure type: Voluntary / Involuntary

Handoff started: {{HANDOFF_START}}
Access revocation deadline: {{LAST_DAY}} by {{REVOCATION_TIME}}


2. Access Revocation Checklist

Code & Version Control

  • GitHub / GitLab — remove from organization and all repositories
  • SSH keys — remove from all servers and deployment systems
    • ~/.ssh/authorized_keys on servers
    • GitHub SSH keys: Settings > SSH and GPG keys
  • GPG signing keys — revoke from keyserver if used for commit signing
  • Personal access tokens — revoke all tokens in GitHub/GitLab settings
  • Webhooks using a personal token — identify and update to use a service account
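
Added example, not part of the original guide: a shell function for the SSH key items here and under Cloud Infrastructure that removes a leaver's key from an authorized_keys file by matching the key material rather than the comment, so renamed or option-prefixed copies are also caught. The function names, file paths and key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). All key material is constructed.

# revoke_key PUBKEY_FILE AUTHORIZED_KEYS
# Deletes every entry whose key material equals the key in PUBKEY_FILE and
# prints how many entries were removed. Matching is on the base64 blob, so an
# entry is found even if its comment was edited or options were prepended.
revoke_key() {
    pub=$1; auth=$2
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub")   # .pub layout: type blob [comment]
    [ -n "$blob" ] || { echo "no key material in $pub" >&2; return 2; }
    tmp=$(mktemp) || return 2
    removed=$(awk -v b="$blob" -v out="$tmp" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == b) hit = 1 }
        hit { n++; next }
        { print > out }
        END { print n + 0 }' "$auth")
    if [ "$removed" -gt 0 ]; then
        cp -p "$auth" "$auth.bak"      # keep a copy for the offboarding record
        cat "$tmp" > "$auth"           # overwrite in place: owner and mode unchanged
    fi
    rm -f "$tmp"
    echo "$removed"
}

# Demo on a constructed authorized_keys file: the leaver's key appears twice,
# once under a renamed comment and once behind a from= option.
demo_revoke() {
    d=$(mktemp -d) || return 1
    leaver="AAAAC3NzaC1lZDI1NTE5AAAAIExampleLeaverKeyConstructed0000000000000000"
    other="AAAAC3NzaC1lZDI1NTE5AAAAIExampleOtherKeyConstructed00000000000000000"
    echo "ssh-ed25519 $leaver dev@laptop" > "$d/leaver.pub"
    {
        echo "ssh-ed25519 $other ops@bastion"
        echo "ssh-ed25519 $leaver backup-job"
        echo "from=\"10.0.0.5\" ssh-ed25519 $leaver dev@laptop"
    } > "$d/authorized_keys"
    revoke_key "$d/leaver.pub" "$d/authorized_keys"
    cat "$d/authorized_keys"
    rm -rf "$d"
}
demo_revoke
```

A second run against the same file prints 0, which is a quick independent check for the security sign-off.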

Cloud Infrastructure

  • {{CLOUD_PROVIDER}} IAM — remove user from all IAM groups and roles
  • {{CLOUD_PROVIDER}} console access — deactivate user account
  • SSH keys on cloud instances — remove from all EC2/GCE/VM authorized_keys
  • Cloud access keys / credentials — deactivate and delete

CI/CD & DevOps

  • {{CI_PLATFORM}} — remove from organization (GitHub Actions / GitLab CI / CircleCI)
  • Container registry — remove push/pull credentials
  • {{ARTIFACT_REGISTRY}} — remove user access
  • Kubernetes — remove kubeconfig entries, remove from RBAC

Secrets & Credentials

  • {{VAULT_TOOL}} (HashiCorp Vault / 1Password / Vaultwarden) — remove user, rotate any shared secrets they had access to
  • All shared secrets/passwords known to the developer — rotate immediately (DB passwords, API keys, etc.)
    • Database passwords: {{DB_CREDS}}
    • API keys accessed: {{API_KEYS}}
    • Any others: {{OTHER_CREDS}}
  • Environment variables / .env files — confirm no secrets taken/copied

VPN & Network

  • VPN — revoke VPN certificate / remove user account
  • Bastion host — remove from authorized users
  • IP allowlists — remove their IP if personal device was allowlisted

Third-Party Services

  • {{SERVICE_1}} (e.g., Sentry, Datadog, PagerDuty) — remove user
  • {{SERVICE_2}} (e.g., Slack, Jira, Confluence) — deactivate account
  • {{SERVICE_3}} (e.g., Stripe, AWS Marketplace) — remove user
  • Email / Google Workspace — deactivate account, set out-of-office, forward to manager
  • Password manager (shared vaults) — remove from shared vaults

Access revocation completion signed off by: {{SECURITY_REVIEWER}} on {{DATE}}


3. Knowledge Transfer

Active Projects & Ownership Transfer

Project / Area | Current Status | New Owner | Handoff Complete
{{PROJECT_1}} | {{STATUS}} | {{NEW_OWNER}} | Yes / No
{{PROJECT_2}} | {{STATUS}} | {{NEW_OWNER}} | Yes / No
{{PROJECT_3}} | {{STATUS}} | {{NEW_OWNER}} | Yes / No

Ongoing Work Documentation

Work Item | Ticket | Status | Documentation | New Owner
{{WORK_1}} | {{TICKET}} | {{STATUS}} | {{LINK}} | {{OWNER}}
{{WORK_2}} | {{TICKET}} | {{STATUS}} | {{LINK}} | {{OWNER}}

Documentation written during knowledge transfer:

  • All in-progress PRs reviewed and commented
  • Active branches documented and either merged or closed
  • Ongoing investigations/research notes written up
  • Architecture decisions currently being made: documented as ADRs
  • Pending operational tasks documented in runbooks

Key Contacts & Relationships

Contact | Company / Role | Relationship | Transferred To
{{CONTACT_1}} | {{ORG}} | {{RELATIONSHIP}} | {{NEW_OWNER}}
{{CONTACT_2}} | {{ORG}} | {{RELATIONSHIP}} | {{NEW_OWNER}}

Undocumented Tribal Knowledge Capture

Knowledge transfer sessions scheduled:

Topic | Date | Format | Notes Doc
{{TOPIC_1}} | {{DATE}} | 1:1 recording + notes | {{LINK}}
{{TOPIC_2}} | {{DATE}} | Pair programming | {{LINK}}

Capture questions to ask:

  1. What breaks in production that only you know how to fix?
  2. What shortcuts or workarounds exist in the codebase that aren't documented?
  3. What external services have non-obvious quirks?
  4. What technical debt exists that you've been meaning to address?
  5. Are there any upcoming risks or time bombs in the codebase?
  6. Are there any informal agreements or commitments with stakeholders?

4. Code Ownership Transfer

CODEOWNERS File Update

# Review current CODEOWNERS entries for the departing developer
grep -n "{{DEVELOPER_HANDLE}}" CODEOWNERS

# Replace with new owner(s)
# CODEOWNERS update PR: {{PR_LINK}}

  • CODEOWNERS file updated and PR merged
  • New owners briefed on their additional responsibilities
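
Added example, not part of the original guide: the grep check in this section matches substrings, so a handle such as alice also hits alice-bot. The function below reassigns ownership by whole-token match in a working copy of CODEOWNERS, ready to commit as the update PR. The function names and sample handles are constructed, and it assumes handles are passed without the leading @ and compared case-insensitively.

```shell
#!/bin/sh
# Added example (not from the original guide). Handles and rules are constructed.

# reassign_owner OLD NEW FILE
# Replaces owner @OLD with @NEW on every rule in FILE and prints the number of
# rules changed. Only exact owner tokens match; changed rules are re-joined
# with single spaces, untouched lines are written back byte for byte.
reassign_owner() {
    old=$1; new=$2; file=$3
    tmp=$(mktemp) || return 2
    changed=$(awk -v old="@$old" -v new="@$new" -v out="$tmp" '
        BEGIN { lo = tolower(old); ln = tolower(new) }
        /^[ \t]*(#|$)/ { print > out; next }        # comments and blank lines pass through
        {
            line = $1; hit = 0; has_new = 0
            for (i = 2; i <= NF; i++) if (tolower($i) == ln) has_new = 1
            for (i = 2; i <= NF; i++) {
                if (tolower($i) == lo) {            # whole-token match only
                    hit = 1
                    if (has_new) continue           # new owner already listed: drop old
                    $i = new; has_new = 1
                }
                line = line " " $i
            }
            if (hit) { n++; print line > out } else print $0 > out
        }
        END { print n + 0 }' "$file")
    if [ "$changed" -gt 0 ]; then cat "$tmp" > "$file"; fi
    rm -f "$tmp"
    echo "$changed"
}

# Demo on a constructed CODEOWNERS file.
demo_reassign() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample
*           @alice
/infra/     @alice @bob
/bots/      @alice-bot
/docs/      @carol
EOF
    reassign_owner alice bob "$f"
    cat "$f"; rm -f "$f"
}
demo_reassign
```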

PR Review Reassignment

  • Open PRs awaiting their review: reassigned to {{REVIEWER_REPLACEMENT}}
  • In-progress PR review responsibilities communicated to team

On-Call Rotation

  • Removed from on-call rotation in {{ONCALL_TOOL}}
  • On-call schedule updated and communicated
  • On-call runbooks updated to remove their contact information

5. Asset Return

Asset | Serial / ID | Return By | Returned | Condition
Laptop | {{SERIAL}} | {{LAST_DAY}} | Yes / No |
Monitor | {{SERIAL}} | {{LAST_DAY}} | Yes / No |
Access card / badge | | {{LAST_DAY}} | Yes / No |
{{OTHER_ASSET}} | | {{LAST_DAY}} | Yes / No |

IT returns coordinator: {{IT_CONTACT}}


6. Exit Interview Topics

Exit interview conducted by: {{INTERVIEWER}}
Date: {{DATE}}
Format: {{FORMAT}}

Topics to cover:

  • What did you enjoy most about working here?
  • What could we improve for future developers?
  • Were there any blockers or frustrations that weren't addressed?
  • What did you learn? What skills did you develop?
  • Would you recommend working here to others? Why / why not?
  • Any concerns about the team or codebase you want to flag before leaving?

Exit interview notes: {{NOTES_LINK}} (confidential — manager access only)


7. Final Checklist Sign-Off

Manager Sign-Off

  • All access revocation items completed
  • Knowledge transfer sessions completed
  • Code ownership transferred
  • All projects handed off with documentation
  • Assets returned
  • Exit interview conducted
  • Payroll and HR notified

Manager: {{MANAGER}} | Date: {{DATE}} | Signature: ___________

Developer Sign-Off

  • All work documented and handed off
  • All personal assets retrieved (personal items, any personal accounts)
  • No company data retained on personal devices
  • Exit interview completed

Developer: {{DEVELOPER_NAME}} | Date: {{DATE}} | Signature: ___________

Security Sign-Off

  • All access revocation items verified independently
  • Shared secrets rotated
  • Audit log reviewed for last 30 days — no anomalies

Security Reviewer: {{SECURITY_REVIEWER}} | Date: {{DATE}} | Signature: ___________



Approval

Role | Name | Date | Signature
Author | | |
Reviewer | | |
Approver | | |