Contractor Offboarding Checklist

Offboarding checklist for departing Maelstrom AI contractors covering compliance and security

Classification: Public

Purpose: This checklist supports secure, compliant offboarding for contractors leaving Maelstrom AI, protecting company assets while respecting contractor privacy rights under the HR Privacy Notice.

Responsible Party: Security Lead (unless otherwise specified)

Document Integration: This checklist implements requirements from:

  • HR Privacy Notice - Data retention (1 year work product, 7 years financial), deletion after retention periods
  • Access Control Policy - Access revocation procedures
  • Information Security Policy - Security during departures
  • Australian Privacy Act - Data protection and retention compliance

Pre-Departure Notification

Timeline: Upon notice of termination or contract expiration

Termination Notification

  • Notify contractor of termination (or receive contractor’s resignation)

  • Responsible. Security Lead

  • Timeline. Per contract notice period (typically 2-4 weeks)

  • Method. Written notice (email or formal letter)

  • Documentation. Store termination notice with contractor file

  • Outcome. Clear departure timeline established

  • Schedule final day and handover

  • Responsible. Security Lead and contractor

  • Timeline. Immediately upon termination notice

  • Activities. Knowledge transfer, handover of responsibilities, final deliverables

  • Duration. Based on role complexity and notice period

  • Outcome. Smooth transition plan

  • Document final payment details

  • Responsible. Security Lead

  • Timeline. Before final day

  • Information. Final invoice amount, payment date, outstanding expenses

  • Outcome. Clear financial settlement plan


Knowledge Transfer and Handover

Timeline: During notice period, before final day

Work Product Handover

  • Complete handover of all work in progress

  • Responsible. Contractor completes, Security Lead verifies

  • Timeline. During notice period

  • Activities. Finish or document incomplete work, transfer project ownership

  • Outcome. No orphaned projects

  • Document tribal knowledge and context

  • Responsible. Contractor documents, Security Lead reviews

  • Timeline. During notice period

  • Method. Written documentation, knowledge base updates, architecture decision records

  • Outcome. Critical knowledge preserved

  • Transfer ownership of active GitHub issues and pull requests

  • Responsible. Contractor reassigns, ISMS Owner approves

  • Timeline. Before final day

  • Outcome. Ongoing work assigned to remaining team members

  • Conduct exit interview (optional, if contractor willing)

  • Responsible. ISMS Owner conducts

  • Timeline. Final week or final day

  • Topics. Reasons for leaving, feedback on processes, suggestions for improvement, experiences with security policies

  • Documentation. Exit interview notes (stored securely, anonymized if used for analysis)

  • Outcome. Lessons learned for future improvements

  • Note. Optional - contractor may decline


Access Revocation (IMMEDIATE on Final Day)

Timeline: Immediately on final day (or immediately upon termination for cause)

Critical: Per Access Control Policy Section “Access Revocation”, all access must be revoked within 1 hour of departure.

GitHub Access Revocation

  • Remove contractor from our GitHub organisation

  • Responsible. Security Lead (GitHub admin)

  • Timeline. Final day (within 1 hour of departure)

  • Method. GitHub organisation settings → Members → Remove

  • Verification. Confirm user no longer appears in member list

  • Outcome. All repository access revoked

  • Verify no active GitHub sessions remain

  • Responsible. Security Lead

  • Timeline. Final day (immediately after removal)

  • Method. Check GitHub audit log for any post-removal activity

  • Outcome. No unauthorised post-departure access

  • Rotate any shared GitHub Personal Access Tokens (if applicable)

  • Responsible. Security Lead or ISMS Owner

  • Timeline. Final day (if contractor had access to shared tokens)

  • Method. Generate new tokens, update CI/CD secrets

  • Outcome. Shared credentials secured

Google Workspace Access Revocation

  • Suspend Google Workspace account

  • Responsible. Security Lead (Google Workspace admin)

  • Timeline. Final day (within 1 hour of departure)

  • Method. Google Admin Console → Users → Suspend user

  • Outcome. Email, calendar, and drive access revoked

  • Note. Suspend (not delete) to preserve data for transfer

  • Transfer Google Drive ownership to Security Lead

  • Responsible. Security Lead

  • Timeline. Final day or within 24 hours

  • Method. Google Admin Console → Data Transfer

  • Contents. Work-related documents, project files

  • Outcome. Work product preserved for business continuity

  • Note. Per HR Privacy Notice Section 6.2, work product retained 1 year post-termination

  • Forward email to Security Lead or designated person (if needed)

  • Responsible. Security Lead

  • Timeline. Final day

  • Duration. 30 days (or as needed for transition)

  • Method. Gmail forwarding rules

  • Outcome. Business continuity during transition

  • Privacy Note. Auto-responder informs senders of new contact

  • Delete Google Workspace account after data transfer

  • Responsible. Security Lead

  • Timeline. After data transfer complete (typically 7-30 days post-departure)

  • Verification. Confirm all work data transferred

  • Outcome. Account fully removed

Cloudflare Access Revocation

  • Revoke Cloudflare access (if contractor had infrastructure access)

  • Responsible. Security Lead (Cloudflare admin)

  • Timeline. Final day (within 1 hour of departure)

  • Method. Cloudflare dashboard → Account → Members → Remove

  • Outcome. Production infrastructure access revoked

  • Rotate Cloudflare API tokens (if contractor had API access)

  • Responsible. Security Lead or ISMS Owner

  • Timeline. Final day (immediately)

  • Method. Generate new tokens, update CI/CD secrets

  • Outcome. API access secured

Communication and Collaboration Tools

  • Remove from Slack workspace (if used)

  • Responsible. Security Lead

  • Timeline. Final day

  • Method. Slack admin console → Deactivate user

  • Outcome. Team communication access revoked

  • Revoke password manager access (if company-provided licence)

  • Responsible. Security Lead

  • Timeline. Final day

  • Outcome. Shared credentials no longer accessible

System Access Verification

  • Revoke ALL system access (check)

  • Responsible. Security Lead

  • Timeline. Final day (within 1 hour)

  • Systems to Check. GitHub, Google Workspace, Cloudflare, Slack, any other services

  • Method. Review access control lists for each system

  • Outcome. Complete access revocation verified

  • Verify no active sessions remain on any system

  • Responsible. Security Lead or ISMS Owner

  • Timeline. Within 24 hours of final day

  • Method. Check audit logs for GitHub, Google Workspace, Cloudflare

  • Outcome. No post-departure activity detected


Physical Assets (If Applicable)

Timeline: Final day or as arranged

  • Collect company property (if any provided)

  • Responsible. Security Lead arranges collection

  • Timeline. Final day or within 7 days

  • Items. Laptops, monitors, hardware security keys, mobile devices

  • Method. Return shipping or in-person collection

  • Outcome. All company property recovered

  • Wipe company data from returned devices

  • Responsible. Security Lead or ISMS Owner

  • Timeline. Upon device receipt

  • Method. Factory reset, secure wipe, verification

  • Outcome. No company data remains on device

  • Verify no company data on personal devices (if BYOD)

  • Responsible. Security Lead requests confirmation, contractor self-certifies

  • Timeline. Final day

  • Method. Contractor confirms deletion of work repositories, documents, credentials

  • Outcome. Company data removed from personal devices

  • Note. Rely on contractor good faith (no remote wipe on personal devices)


Financial Settlement

Timeline: Per contract terms (typically 7-30 days after final day)

  • Process final payment

  • Responsible. ISMS Owner (or Finance if outsourced)

  • Timeline. Per contract terms (typically within 14-30 days)

  • Amount. Final invoice or prorated payment + outstanding expenses

  • Method. Bank transfer using previously provided bank details

  • Outcome. Final payment completed

  • Generate final payment summary and tax statement

  • Responsible. ISMS Owner or accountant

  • Timeline. By end of financial year (or immediately if requested)

  • Document. Payment summary for tax purposes

  • Outcome. Contractor can complete tax return

  • Confirm no outstanding financial obligations

  • Responsible. Security Lead

  • Timeline. Within 30 days of final day

  • Verification. Review invoices, expense claims, payment records

  • Outcome. Financial relationship closed


Confidentiality and IP Obligations

Timeline: Final day

  • Remind contractor of ongoing confidentiality obligations

  • Responsible. Security Lead

  • Timeline. Final day (in writing)

  • Method. Email or formal letter

  • Content. Confidentiality obligations survive termination, NDA still in effect

  • Reference. Contractor agreement and NDA

  • Outcome. Contractor reminded of post-termination obligations

  • Remind contractor of IP assignment obligations

  • Responsible. Security Lead

  • Timeline. Final day (in writing)

  • Content. All work product belongs to Maelstrom AI, no use of company IP for other purposes

  • Reference. Contractor agreement IP assignment clause

  • Outcome. IP ownership clarified

  • Request confirmation of data deletion from personal devices

  • Responsible. Security Lead

  • Timeline. Final day

  • Method. Written request and contractor confirmation

  • Content. Delete all work repositories, documents, credentials, proprietary information

  • Outcome. Contractor confirms deletion (self-certification)


Data Retention and Deletion

Timeline: Per HR Privacy Notice retention schedules

Legal Basis: HR Privacy Notice Section 6 defines retention periods for former contractors.

Immediate Archival (Final Day)

  • Archive work product for retention

  • Responsible. Security Lead

  • Timeline. Final day or within 7 days

  • Retention Period. 1 year post-termination (per HR Privacy Notice Section 6.2)

  • Storage. Encrypted archive, limited access

  • Contents. Code contributions (Git history preserved), documents, project files

  • Purpose. Business continuity, knowledge retention, IP protection

  • Outcome. Work product preserved for legal retention period

  • Archive financial records for retention

  • Responsible. ISMS Owner or Finance

  • Timeline. Final day or within 30 days

  • Retention Period. 7 years post-termination (Australian Taxation Office requirement)

  • Storage. Encrypted archive, secure location

  • Contents. Invoices, payment records, tax information (TFN/ABN), payment summaries

  • Legal Basis. Legal obligation (Taxation Administration Act 1953)

  • Outcome. Financial records preserved for ATO compliance

  • Archive contract and legal documents

  • Responsible. Security Lead

  • Timeline. Final day or within 30 days

  • Retention Period. 7 years post-termination (contract disputes, legal compliance)

  • Storage. Encrypted archive, legal hold if needed

  • Contents. Signed contracts, amendments, NDAs, IP assignments, HR Privacy Notice acknowledgment

  • Legal Basis. Legal obligation (Corporations Act, contract law)

  • Outcome. Legal documents preserved for statutory retention

Retention Period Management

  • Retain contact information for 1 year (for contract renewal opportunities, references)

  • Responsible. Security Lead

  • Timeline. 1 year post-termination

  • Information. Email, phone, LinkedIn (if provided)

  • Purpose. Legitimate interests (potential re-engagement, reference requests)

  • Legal Basis. Legitimate interests (GDPR Article 6(1)(f)) - contractor may object

  • Deletion. Automatic deletion after 1 year unless consent for longer retention

  • Retain performance information for 1 year (for references with consent)

  • Responsible. Security Lead

  • Timeline. 1 year post-termination

  • Information. Performance reviews, feedback, skills assessments

  • Purpose. Provide references if requested by contractor

  • Legal Basis. Legitimate interests + consent (for reference provision)

  • Deletion. Automatic deletion after 1 year

  • Retain communications (email, Slack) for 1 year (business continuity)

  • Responsible. Security Lead

  • Timeline. 1 year post-termination

  • Information. Work-related emails, Slack messages (work channels only)

  • Purpose. Business continuity, knowledge retention

  • Legal Basis. Legitimate interests (contractor may object)

  • Deletion. Automatic deletion after 1 year unless legal hold

Scheduled Deletion (1 Year Post-Termination)

  • Delete contact information after 1 year

  • Responsible. Security Lead (automated process)

  • Timeline. 1 year + 1 month post-termination (grace period for execution)

  • Method. Secure deletion (cryptographic erasure, multi-pass overwrite)

  • Verification. Deletion confirmed and logged

  • Exception. Retain if contractor consented to talent pool retention

  • Outcome. Personal contact information deleted

  • Delete performance information after 1 year

  • Responsible. Security Lead (automated process)

  • Timeline. 1 year + 1 month post-termination

  • Method. Secure deletion

  • Exception. Retain if ongoing reference requests with contractor consent

  • Outcome. Performance data deleted

  • Delete work communications after 1 year

  • Responsible. Security Lead (automated process)

  • Timeline. 1 year + 1 month post-termination

  • Method. Email archival deletion, Slack export deletion

  • Exception. Retain if subject to legal hold

  • Outcome. Communications deleted

  • Anonymize or delete work product after 1 year

  • Responsible. Security Lead or ISMS Owner

  • Timeline. 1 year + 1 month post-termination

  • Method. Anonymize Git history (if feasible) or delete attribution metadata

  • Exception. Work product incorporated into production may be retained with attribution (contractor may object)

  • Legal Basis. Legitimate interests (IP protection, business continuity)

  • Outcome. Work product anonymized or deleted per contractor preference

Scheduled Deletion (7 Years Post-Termination)

  • Delete financial records after 7 years

  • Responsible. ISMS Owner or Finance (automated process)

  • Timeline. 7 years + 1 month post-termination

  • Method. Secure deletion (cryptographic erasure)

  • Verification. Deletion confirmed and logged

  • Legal Note. 7-year retention satisfies ATO requirements

  • Outcome. Financial records deleted

  • Delete contract and legal documents after 7 years

  • Responsible. Security Lead (automated process)

  • Timeline. 7 years + 1 month post-termination

  • Method. Secure deletion

  • Exception. Retain if subject to ongoing legal proceedings

  • Outcome. Contracts deleted (absent legal hold)

Deletion Upon Request (Erasure Rights)

  • Process contractor erasure request (if received)
  • Responsible. Security Lead
  • Timeline. 30 days from request (GDPR requirement)
  • Legal Basis. GDPR Article 17 (Right to Erasure), Australian Privacy Act APP 13
  • Process:
  1. Verify contractor identity
  2. Determine legal basis for retention (if any)
  3. Delete data if no legal basis for retention
  4. Inform contractor of any data retained (with legal justification)
  • Exceptions. Cannot delete data subject to legal retention (financial records for 7 years, contracts for 7 years)
  • Outcome. Contractor’s personal data deleted (except legally required retention)

Code and Repository Management

Timeline: Final day to Week 1 post-departure

  • Update CODEOWNERS files (remove contractor from all repositories)

  • Responsible. Security Lead or ISMS Owner

  • Timeline. Final day or within 7 days

  • Method. Remove contractor’s GitHub username from all CODEOWNERS files

  • Verification. Search repositories for contractor username in CODEOWNERS

  • Outcome. Contractor no longer assigned as code reviewer

  • Reassign open pull requests

  • Responsible. Security Lead

  • Timeline. Final day or within 7 days

  • Method. Assign to other team members for review or completion

  • Outcome. No orphaned PRs

  • Preserve Git commit history

  • Responsible. Automatic (Git history immutable)

  • Timeline. Permanent (unless contractor requests anonymization)

  • Note. Git commits contain contractor name and email

  • Contractor Right. Contractor may request anonymization per HR Privacy Notice Section 9.3

  • Outcome. Commit history preserved for IP tracking and provenance
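The CODEOWNERS update and its verification step ("search repositories for contractor username in CODEOWNERS") are easy to get wrong when the contractor was a rule's only owner. The script below is an added example for this checklist, not Maelstrom AI tooling; it assumes standard CODEOWNERS syntax and a constructed sample file, and flags rules that would be left without any owner so a replacement reviewer is assigned before the change is committed.

```python
"""Remove a departed contractor's handle from CODEOWNERS and flag orphaned rules.

Added example for this checklist, not the project's own tooling. It assumes the
standard CODEOWNERS syntax (a path pattern followed by one or more owner handles,
'#' starting a comment line). Team handles such as @org/team are left untouched.
"""

# Constructed sample CODEOWNERS, as found in a repository's .github/ directory.
SAMPLE_CODEOWNERS = """\
# Constructed sample
*        @alice @contractor-jdoe
/infra/  @contractor-jdoe
/docs/   @maelstrom/docs-team
"""


def strip_owner(text, username):
    """Return (new_text, orphaned_patterns, changed).

    Every rule naming @username loses that owner. Rules where the contractor
    was the only owner are commented out and reported, because a pattern with
    no owners would silently change review requirements for that path.
    """
    handle = "@" + username.lstrip("@").lower()
    out, orphaned, changed = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        pattern, *owners = stripped.split()
        kept = [o for o in owners if o.lower() != handle]
        if len(kept) == len(owners):
            out.append(line)  # rule does not mention the contractor
            continue
        changed = True
        if kept:
            out.append(f"{pattern} {' '.join(kept)}")
        else:
            orphaned.append(pattern)
            out.append(f"# TODO reassign owner: {pattern}")
    return "\n".join(out) + "\n", orphaned, changed


def scan_repos(files, username):
    """files maps a repo name to its CODEOWNERS text. Returns, for every repo
    that still referenced the contractor, the cleaned text and orphaned rules;
    an empty result is the verification outcome the checklist asks for."""
    results = {}
    for repo, text in files.items():
        new_text, orphaned, changed = strip_owner(text, username)
        if changed:
            results[repo] = {"text": new_text, "orphaned": orphaned}
    return results


if __name__ == "__main__":
    changed = scan_repos({"maelstrom/api": SAMPLE_CODEOWNERS}, "contractor-jdoe")
    for repo, info in changed.items():
        print(f"{repo}: rules needing a new owner: {info['orphaned']}")
        print(info["text"])
```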


Audit and Documentation

Timeline: Within 30 days of final day

  • Document offboarding completion

  • Responsible. Security Lead

  • Timeline. Within 7 days of final day

  • Method. Complete this checklist, store with contractor file

  • Outcome. Offboarding process documented

  • Update contractor tracking template

  • Responsible. Security Lead

  • Timeline. Final day

  • File. Contractor Tracking Template (maintained internally; available to auditors and enterprise customers on request)

  • Update. Status changed to “Inactive”, final day recorded, access revocation confirmed

  • Outcome. Contractor status tracked

  • Review audit logs for post-departure activity

  • Responsible. Security Lead or ISMS Owner

  • Timeline. 7 days post-departure

  • Logs. GitHub audit log, Google Workspace audit log, Cloudflare audit log

  • Purpose. Detect any unauthorised post-departure access

  • Outcome. No unauthorised activity confirmed

  • Document lessons learned

  • Responsible. Security Lead

  • Timeline. Within 30 days of final day

  • Topics. Offboarding process effectiveness, improvements needed, exit interview insights

  • Storage. Internal knowledge base or management review records

  • Outcome. Continuous improvement of offboarding process

  • Trigger quarterly access review (if not already scheduled)

  • Responsible. Security Lead

  • Timeline. Next quarterly access review (or immediate if significant access changes)

  • Purpose. Verify no residual access remains

  • Outcome. Access review validates complete revocation
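Both the 24-hour session check in System Access Verification and the 7-day audit-log review above come down to the same question: was the removal logged within the 1-hour window, and did the contractor's account act on anything afterwards? The script below is an added example for this checklist, not Maelstrom AI tooling; it assumes a simplified, constructed export format (one JSON object per line with "timestamp", "actor" and "action") rather than the exact GitHub, Google Workspace or Cloudflare schemas, which would need mapping first.

```python
"""Flag audit-log activity by a departed contractor after the departure time.

Added example for this checklist, not the project's own tooling. It assumes a
simplified, constructed export format: one JSON object per line with
"timestamp" (ISO 8601, UTC), "actor" and "action" fields, plus "user" on the
org.remove_member event. Real GitHub, Google Workspace and Cloudflare audit
exports use their own field names, so map them to these before calling review().
"""
import json
from datetime import datetime

# Constructed sample export: the removal event, then two events that need follow-up.
SAMPLE_LOG = """\
{"timestamp": "2025-11-08T16:55:00Z", "actor": "security-lead", "action": "org.remove_member", "user": "contractor-jdoe"}
{"timestamp": "2025-11-08T17:02:13Z", "actor": "contractor-jdoe", "action": "git.clone", "repo": "maelstrom/api"}
{"timestamp": "2025-11-08T17:03:40Z", "actor": "alice", "action": "pull_request.merge", "repo": "maelstrom/api"}
{"timestamp": "2025-11-09T09:15:00Z", "actor": "contractor-jdoe", "action": "personal_access_token.access", "repo": "maelstrom/infra"}
"""


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; 'Z' is normalised for fromisoformat()."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["timestamp"] = parse_ts(ev["timestamp"])
            events.append(ev)
    return events


def removal_time(events, username):
    """When the organisation removal for `username` was logged, or None if never."""
    for ev in events:
        if ev["action"] == "org.remove_member" and ev.get("user") == username:
            return ev["timestamp"]
    return None


def post_departure_events(events, username, departure):
    """Events where the departed contractor is the actor, strictly after departure."""
    return [ev for ev in events if ev["actor"] == username and ev["timestamp"] > departure]


def review(text, username, departure_iso):
    """Summarise the checklist's checks: removal logged within 1 hour of departure,
    and no activity by the contractor's account after the departure time."""
    events = parse_log(text)
    departure = parse_ts(departure_iso)
    removed_at = removal_time(events, username)
    late = post_departure_events(events, username, departure)
    return {
        "removal_logged": removed_at is not None,
        "removal_within_1h": removed_at is not None
        and (removed_at - departure).total_seconds() <= 3600,
        "post_departure_events": late,
        "clean": removed_at is not None and not late,
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, "contractor-jdoe", "2025-11-08T16:00:00Z")
    for ev in result["post_departure_events"]:
        print("FOLLOW UP:", ev["timestamp"].isoformat(), ev["actor"], ev["action"])
    print("clean:", result["clean"])
```

Any event in the follow-up list (here a clone and a token use after removal) points at a lingering session or credential and should feed the token-rotation and incident steps of this checklist rather than be dismissed.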


Post-Departure Follow-Up

Timeline: 1-7 days post-departure

  • Confirm contractor received final payment

  • Responsible. Security Lead

  • Timeline. Within 7 days of payment date

  • Method. Email confirmation or payment receipt

  • Outcome. Payment confirmed received

  • Send offboarding completion notification to contractor

  • Responsible. Security Lead

  • Timeline. Within 7 days of offboarding completion

  • Content:

  • Thank you for contributions

  • Reminder of ongoing confidentiality obligations

  • Data retention and deletion schedule (per HR Privacy Notice)

  • Contact for future reference requests

  • Privacy rights information (access, erasure, objection)

  • Outcome. Professional closure, contractor informed of data handling

  • Provide reference information (if applicable and with consent)

  • Responsible. Security Lead

  • Timeline. As requested by contractor or prospective employer

  • Consent. Contractor must consent to reference provision

  • Retention. Reference records retained per performance information retention (1 year)

  • Outcome. Support contractor’s future opportunities (with consent)


Privacy Rights After Departure

Information for Contractor (to be provided in offboarding notification):

Per the HR Privacy Notice, departed contractors retain the following rights:

  1. Right to Access (GDPR Article 15, Australian Privacy Act APP 12):
  2. Right to Erasure (GDPR Article 17, Australian Privacy Act APP 13):
  • Request deletion of personal data (subject to legal retention requirements)
  • Financial records and contracts must be retained 7 years (legal obligation)
  • Work product and contact info can be deleted earlier upon request
  3. Right to Object (GDPR Article 21):
  • Object to retention of work product beyond 1 year
  • Object to retention of contact information beyond 1 year
  4. Right to Complain:
  • Australia: Office of the Australian Information Commissioner (OAIC)
  • EU/UK: Local Data Protection Authority
  • California: California Attorney General or Privacy Protection Agency

Contact: privacy@maelstrom.au for any privacy-related requests.


Offboarding Completion Sign-Off

Timeline: Within 7 days of final day

  • ISMS Owner confirms all offboarding items complete

  • Responsible. Security Lead

  • Timeline. Within 7 days of final day

  • Method. Review this checklist, verify all critical items completed

  • Documentation. Store completed checklist with contractor file

  • ISMS Owner verifies access revocation (if separate role)

  • Responsible. Security Lead

  • Timeline. Within 7 days of final day

  • Method. Audit log review, access list verification

  • Outcome. Independent verification of access revocation

  • Archive offboarding documentation

  • Responsible. Security Lead

  • Timeline. Within 30 days

  • Contents. Completed checklist, exit interview notes, lessons learned

  • Storage. Encrypted archive with contractor file

  • Retention. 7 years (with contract documents)

  • Outcome. Offboarding records preserved


HR Privacy Notice Compliance Summary

Data Retention and Deletion - MANDATORY

This offboarding checklist is designed to support HR Privacy Notice compliance by:

  1. Immediate Access Revocation (Final Day):
  • All system access revoked within 1 hour per Access Control Policy
  • Protects company assets and data security
  2. Structured Retention (Per HR Privacy Notice Section 6.2):
  • 7 years. Financial records (TFN, ABN, payment history), contracts, legal documents
  • 1 year. Work product, contact information, performance data, communications
  • Legal Basis. Legal obligation (7-year), Legitimate interests (1-year with right to object)
  3. Scheduled Deletion:
  • 1 year post-termination. Contact info, performance data, communications, work product
  • 7 years post-termination. Financial records, contracts
  • Automated deletion. Scheduled jobs are designed to support timely deletion
  4. Contractor Rights Respected:
  • Erasure requests. Processed within 30 days (GDPR, Australian Privacy Act)
  • Objection rights. Contractor may object to 1-year retention of work product
  • Access rights. Contractor may request copy of retained data
  5. Transparency:
  • Contractor informed of retention schedules in offboarding notification
  • Privacy rights explained
  • Contact information provided for privacy requests

HR Privacy Notice Status: Aligned to data retention and deletion obligations


Emergency Offboarding (Termination for Cause)

Use this expedited process for immediate termination (security incidents, policy violations, etc.).

Immediate Actions (Within 1 Hour)

  1. Revoke ALL access immediately:
  • GitHub, Google Workspace, Cloudflare, Slack, all systems
  • Change any shared passwords or API keys contractor had access to
  • Verify no active sessions remain
  2. Notify Security Lead (if separate role):
  • Investigate for security incidents
  • Review audit logs for unauthorised activity
  • Assess data breach risk
  3. Secure physical assets (if applicable):
  • Request immediate return of company property
  • Remote wipe company devices if not returned
  4. Document incident:
  • Reason for termination
  • Access revocation actions taken
  • Any security concerns or incidents

Follow-Up Actions (Within 24 Hours)

  1. Complete standard offboarding checklist (except knowledge transfer)
  2. Legal review (if termination involves legal issues)
  3. Incident report (if security incident involved)
  4. Post-incident review (lessons learned)

Note: Even for termination for cause, data retention follows standard HR Privacy Notice schedules (7 years financial, 1 year work product). Legal holds may extend retention if litigation expected.


Document Information

Document Title: Contractor Offboarding Checklist
Document Owner: ISMS Owner
Effective Date: November 8, 2025
Version: 1.0
Classification: Public
Review Frequency: Annually or when policies updated
Next Review: November 8, 2026

Related Documents:

  • HR Privacy Notice: /trust/legal/hr-privacy-notice.md
  • Access Control Policy: /trust/security/access-control.mdx
  • Information Security Policy: /trust/security/information-security-policy.mdx
  • Contractor Onboarding Checklist: /trust/operations/contractor-onboarding-checklist.md
  • Contractor Tracking Template: maintained internally; available to auditors and enterprise customers on request

Acknowledgment: This checklist is designed to support secure, compliant offboarding while respecting contractor privacy rights and maintaining business continuity.