1. Document Control

• Document Title: Employee Offboarding Procedure

• Document Identifier: PRC-HR-002

• Version Number: v1.0

• Approval Date: <24 June 2025>

• Effective Date: <24 June 2025>

• Review Date: <24 June 2026>

• Document Owner: <Human Resources Director>

• Approved By: <Chief Operating Officer>

2. Purpose

The purpose of this procedure is to ensure a consistent, secure, and comprehensive offboarding process for all departing employees at . A standardized offboarding process mitigates the risk of unauthorized access, data leakage, and operational disruptions by ensuring that all access is revoked, assets are recovered, and critical knowledge is transferred in a timely manner.

This procedure also supports compliance with SOC 2 controls CC5.1 (Integrity and Ethical Values) and CC5.2 (Board and Management Oversight), which require organizations to establish structures and accountability for the protection of system resources and confidential data. The offboarding process addresses both voluntary and involuntary terminations, including resignations, retirements, layoffs, and contract completions.

3. Scope

This procedure applies to all employees, contractors, and temporary workers exiting , regardless of location, employment type, or reason for departure. It applies across all business units and functions and includes both planned and unplanned exits.

This document also covers responsibilities across departments, including Human Resources, IT, Security, Facilities, and departmental supervisors. Activities include access termination, equipment recovery, exit interviews, knowledge transition, and compliance documentation. Any exceptions must be approved by the HR Director and the CISO or delegate.

4. Policy Statement

shall implement a structured offboarding procedure to ensure that all system access, facility access, credentials, and corporate assets are properly revoked or retrieved, and that departing personnel understand and fulfill post-employment obligations. This procedure shall begin immediately upon confirmation of an employee’s departure and be completed within five (5) business days after their final working day.

The offboarding process shall include:

• Timely revocation of access to all systems, applications, and third-party services

• Retrieval of all company-owned equipment, ID badges, and credentials

• Termination of remote access and VPN rights

• Deletion or deactivation of user accounts in accordance with IT security policies

• Exit interview to discuss final benefits, responsibilities, and non-disclosure obligations

• Documentation of all actions taken and retention in the personnel file

5. Safeguards

The following safeguards support and enforce this procedure:

These controls are tracked in a centralized HR/IT offboarding checklist system and audited quarterly.

6. Roles and Responsibilities

• Human Resources (HR): Manages the offboarding workflow, schedules the exit interview, ensures completion of final documentation, and coordinates notifications to IT, Legal, and Facilities.

• IT Department: Terminates all digital access, decommissions accounts, retrieves or remotely wipes devices, and documents all revocations.

• Security Team: Manages physical access removal (badges, door codes) and reviews any security implications of the departure.

• Hiring/Department Manager: Assists with knowledge transition, ensures that work in progress is reassigned, and that intellectual property and materials are returned.

• Legal Department: Ensures reaffirmation of NDAs and other contractual obligations.

• Exiting Employee: Returns all property, participates in the exit process, and signs final acknowledgments.

7. Compliance and Exceptions

Compliance is enforced via quarterly audits by the HR Compliance and Internal Audit teams. These reviews verify completion of all required offboarding steps, including access revocations, device return confirmations, and documented exit interviews.

Any deviations must be pre-approved in writing by the HR Director and Information Security team. All exceptions will be logged, justified, and reviewed annually to assess risk exposure and identify trends for process improvement.

8. Enforcement

Violations of this procedure—such as failure to revoke access, retain assets, or record documentation—pose significant security and compliance risks. Accordingly, the following enforcement measures apply:

• HR and Management Staff: Repeated failures to initiate or complete offboarding tasks may lead to disciplinary actions, performance reviews, or formal escalation to executive leadership.

• IT or Security Team Members: Failure to act within timeframes may be escalated to the CISO or CIO for remediation and corrective measures.

• Departing Employees: Any failure to return assets or comply with final obligations may result in legal action, withholding of final compensation (where lawful), or notification to external regulators.

• All enforcement actions are logged and subject to review by the HR and Legal departments.

9. Related Policies/Documents

• PRC-HR-001: Employee Onboarding Procedure (CC5.1, CC5.2)

• POL-HR-001: Employee Onboarding and Offboarding Policy

• PRC-IT-001: User Access Provisioning and Deprovisioning Procedure

• POL-ALL-015: Confidentiality Policy

• POL-HR-002: Security Awareness and Training Policy

• ISO 27001:2022 A.5.4, A.6.2, A.7.2.2, A.8.1.4

• SOC 2 CC5.1, CC5.2

10. Review and Maintenance

This procedure shall be reviewed annually, or upon any major organizational change (e.g., new HRIS system, changes in legal requirements, or new remote access technology). The HR Director is accountable for initiating the review and updating this procedure as necessary, with input from IT, Security, and Legal departments.

All changes will be version-controlled and archived according to 's document retention policy. Updates will be communicated via HR compliance bulletins.