TPRM | Vendor Offboarding | Data Security

How to Securely Offboard a Vendor: A Step-by-Step Checklist

Author: Jerisaliant

Why Secure Offboarding Matters

The end of a vendor relationship is a high-risk period. Your data may remain in the vendor's systems (and in its backups and with its sub-processors), credentials and network allow-list entries may never be revoked, and transition gaps can leave nobody watching an integration that is still live. A poorly managed offboarding leaves your data in the hands of a party with which you no longer have a business relationship, and over which you therefore have far less contractual leverage.

The Offboarding Checklist

Phase 1: Preparation (4-8 Weeks Before Termination)

  • Review contract terms: Understand termination clauses, notice periods, data return obligations, and transition assistance requirements.
  • Notify the vendor: Provide formal written notice of termination per contract terms.
  • Plan data migration: If transitioning to a new vendor, plan the data migration process, timelines, and testing.
  • Identify all data and access: Catalog all data held by the vendor and every access path in both directions: vendor accounts and service accounts in your identity provider, SSO and OAuth grants, API keys, SSH keys, VPN accounts and client certificates, firewall allow-list entries, webhooks, and system integrations. Build the list from your own identity provider, secrets manager and firewall configuration rather than from what the vendor reports, and note separately any secret of yours the vendor holds (a database password, a signing key, a webhook secret), since those must be rotated rather than revoked.

Phase 2: Data Return and Migration (2-4 Weeks Before Termination)

  • Request data export: Have the vendor export all your data in a standard, usable format (CSV, JSON, SQL dump, etc.), delivered over an encrypted channel, together with a manifest that lists each file, its checksum (for example SHA-256) and its record count.
  • Verify completeness: Check every file's checksum and record count against the manifest and against your own expectations (invoices, ticket counts, earlier reports), confirm that related records were exported together rather than silently dropped, and spot-check key records by hand.
  • Test data in new environment: If migrating, import the data into the new system and verify integrity.
  • Document the handover: Record what data was returned, in what format, and on what date.
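As an added example (not Jerisaliant's code and not part of the original checklist), the following Python script verifies a delivered export against a vendor-supplied manifest: file presence in both directions, SHA-256, row counts, primary-key uniqueness and cross-file referential integrity. The manifest layout, file names and sample rows are all constructed for illustration; agree the real manifest format with the vendor during Phase 1.

```python
"""Verify a vendor's data export against a manifest before accepting the handover.

Added example, not Jerisaliant's code. The manifest layout (per-file SHA-256,
expected row count, primary key, foreign keys) is an assumption for
illustration; agree the real format with the vendor during Phase 1.
"""
import csv
import hashlib
import io
from collections import Counter

# Constructed sample delivery: what a vendor might hand over.
EXPORT_FILES: dict[str, bytes] = {
    "customers.csv": (
        b"id,email,created_at\n"
        b"1,a@example.com,2023-01-05\n"
        b"2,b@example.com,2023-02-11\n"
        b"3,c@example.com,2023-03-19\n"
    ),
    "orders.csv": (
        b"order_id,customer_id,total\n"
        b"100,1,19.99\n"
        b"101,2,5.00\n"
        b"101,7,7.50\n"   # duplicate order_id; customer 7 was never exported
    ),
    "README.txt": b"exported by vendor\n",   # delivered but not listed in the manifest
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest, as if the vendor supplied it alongside the files. The
# orders.csv row count is deliberately wrong and audit_log.csv was never delivered.
MANIFEST = {
    "files": [
        {"name": "customers.csv", "sha256": sha256_hex(EXPORT_FILES["customers.csv"]),
         "rows": 3, "key": "id", "foreign_keys": {}},
        {"name": "orders.csv", "sha256": sha256_hex(EXPORT_FILES["orders.csv"]),
         "rows": 4, "key": "order_id",
         "foreign_keys": {"customer_id": ["customers.csv", "id"]}},
        {"name": "audit_log.csv", "sha256": "0" * 64, "rows": 10, "key": "event_id",
         "foreign_keys": {}},
    ]
}


def _read_csv(data: bytes) -> list[dict]:
    return list(csv.DictReader(io.StringIO(data.decode("utf-8"))))


def verify_export(manifest: dict, files: dict[str, bytes]) -> list[str]:
    """Return a list of findings; an empty list means the export can be accepted."""
    findings: list[str] = []
    listed = {e["name"] for e in manifest["files"]}
    for extra in sorted(set(files) - listed):
        findings.append(f"{extra}: delivered but not listed in manifest")

    tables: dict[str, list[dict]] = {}
    for entry in manifest["files"]:
        name = entry["name"]
        if name not in files:
            findings.append(f"{name}: listed in manifest but not delivered")
            continue
        data = files[name]
        if sha256_hex(data) != entry["sha256"]:
            findings.append(f"{name}: SHA-256 mismatch (altered or truncated in transit)")
        rows = _read_csv(data)
        tables[name] = rows
        if len(rows) != entry["rows"]:
            findings.append(f"{name}: manifest says {entry['rows']} rows, file has {len(rows)}")
        key = entry["key"]
        if rows and key not in rows[0]:
            findings.append(f"{name}: primary key column {key!r} missing")
            continue
        dupes = sorted(k for k, n in Counter(r[key] for r in rows).items() if n > 1)
        if dupes:
            findings.append(f"{name}: duplicate {key} values {dupes}")

    # Referential integrity across files: a partial export tends to drop the
    # related rows silently, which a per-file row count does not reveal.
    for entry in manifest["files"]:
        name = entry["name"]
        if name not in tables:
            continue
        for col, (parent, parent_key) in entry["foreign_keys"].items():
            if parent not in tables:
                findings.append(f"{name}.{col}: cannot check, {parent} not delivered")
                continue
            parent_ids = {r[parent_key] for r in tables[parent]}
            orphans = sorted({r[col] for r in tables[name] if r[col] not in parent_ids})
            if orphans:
                findings.append(f"{name}.{col}: {len(orphans)} value(s) with no matching "
                                f"{parent}.{parent_key}: {orphans}")
    return findings


if __name__ == "__main__":
    for finding in verify_export(MANIFEST, EXPORT_FILES):
        print("FINDING:", finding)
```

Run against the constructed delivery it reports five problems (an unlisted file, a missing file, a wrong row count, a duplicate key and an orphaned foreign key); record the findings in the handover document and have the vendor re-export before sign-off rather than patching the data yourself.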

Phase 3: Access Revocation (On or Before Termination Date)

  • Revoke all credentials: Disable all vendor accounts, API keys, SSH keys, VPN certificates, OAuth grants and application access. Disabling only works for credentials you issued; any secret of yours that the vendor held (a shared database password, a signing key, a webhook secret) must be rotated, because a copy cannot be taken back.
  • Remove system integrations: Disconnect or disable all automated integrations between your systems and the vendor's.
  • Update firewall rules: Remove vendor IP ranges from firewall allow lists and cloud security groups, and revoke any vendor mTLS client certificates.
  • Revoke physical access: If applicable, collect badges, keys, and disable building access.
  • Audit access logs: Review the vendor's activity over the final weeks of the relationship for bulk exports, newly created accounts or API keys, and permission changes. A credential created by a vendor account shortly before termination survives disabling that account unless you find and revoke it too. Keep reviewing after the termination date: any successful authentication by a vendor identity, or from a vendor network, after the cutoff is a revocation gap, not noise.

Phase 4: Data Deletion and Certification (Post-Termination)

  • Formal deletion request: Send a written request to the vendor to delete all copies of your data.
  • Certificate of destruction: Require a signed certificate confirming all data (including backups and archives) has been permanently deleted. Backups are usually on a rotation schedule, so the certificate should state the date on which the last backup containing your data expires, and final sign-off should wait until that date has passed.
  • Sub-processor deletion: Confirm that the vendor's sub-processors have also deleted your data.
  • Specify deletion method: For sensitive data, require specific destruction standards (e.g., NIST SP 800-88 for media sanitization).

Phase 5: Post-Termination Monitoring (30-90 Days After)

  • Monitor for data exposure: Check whether any of your data appears in breach disclosures or dark web monitoring after termination.
  • Verify access removal: Attempt to use the revoked credentials, and connect from any formerly allow-listed address you control, to confirm they are rejected. Test from a network you control and record the test in advance so your own security team does not treat it as an intrusion. This only proves that the credentials you cataloged are dead; the post-cutoff log review is what catches the ones you did not know about.
  • Update vendor inventory: Remove or reclassify the vendor in your TPRM platform.
  • Retain records: Keep offboarding documentation, deletion certificates, and communication records per your retention policy.
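As an added example covering both the Phase 3 log audit and the Phase 5 access-removal check (not Jerisaliant's code and not a feature of its TPRM module), the script below runs that review over constructed JSON log lines. The log field names, the vendor principals, the 203.0.113.0/24 range (a documentation range) and the cutoff date are all assumptions for illustration; map your SIEM or identity-provider export onto the same fields.

```python
"""Review access logs around a vendor offboarding cutoff.

Added example, not Jerisaliant's code. The log format (one JSON object per
line with ts, principal, src_ip, action, result) is an assumption; the vendor
principals, network ranges and cutoff would come from the Phase 1 catalog.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed Phase 1 catalog entries for the vendor being offboarded.
VENDOR_PRINCIPALS = {"svc-acmevendor", "acme-support@acme.example", "apikey:acme-prod-01"}
VENDOR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed, documentation range
CUTOFF = datetime(2024, 6, 30, 23, 59, 59, tzinfo=timezone.utc)   # termination date
PRE_WINDOW = timedelta(days=14)   # how far before the cutoff to look for pre-termination misuse

# Actions worth a second look when a vendor performs them just before termination:
# bulk data pulls, and creation of credentials that outlive the account being disabled.
PRE_TERMINATION_WATCH = {"export.bulk", "apikey.create", "user.create", "role.grant"}

# Constructed sample log lines.
SAMPLE_LOG = """\
{"ts": "2024-06-20T10:00:00Z", "principal": "svc-acmevendor", "src_ip": "203.0.113.10", "action": "api.read", "result": "success"}
{"ts": "2024-06-28T02:13:00Z", "principal": "svc-acmevendor", "src_ip": "203.0.113.10", "action": "export.bulk", "result": "success"}
{"ts": "2024-06-29T02:14:00Z", "principal": "svc-acmevendor", "src_ip": "203.0.113.10", "action": "apikey.create", "result": "success"}
{"ts": "2024-07-02T09:00:00Z", "principal": "apikey:acme-prod-01", "src_ip": "203.0.113.10", "action": "api.read", "result": "success"}
{"ts": "2024-07-03T09:00:00Z", "principal": "acme-support@acme.example", "src_ip": "198.51.100.5", "action": "login", "result": "failure"}
{"ts": "2024-07-05T11:00:00Z", "principal": "jsmith", "src_ip": "203.0.113.77", "action": "login", "result": "success"}
{"ts": "2024-07-05T12:00:00Z", "principal": "jsmith", "src_ip": "10.0.0.4", "action": "login", "result": "success"}
this line is not json and must be reported, not silently skipped
"""


def _in_vendor_network(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in VENDOR_NETWORKS)


def review_log(lines, principals=VENDOR_PRINCIPALS, cutoff=CUTOFF, pre_window=PRE_WINDOW):
    """Return a dict mapping finding category to a list of event descriptions."""
    findings = {"post_cutoff_success": [], "post_cutoff_attempt": [],
                "pre_termination_watch": [], "unparsable": []}
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            findings["unparsable"].append(f"line {n}: {raw[:60]}")
            continue
        if ts.tzinfo is None:          # assume UTC for naive timestamps
            ts = ts.replace(tzinfo=timezone.utc)
        is_vendor = ev.get("principal") in principals
        from_vendor_net = _in_vendor_network(ev.get("src_ip", ""))
        desc = (f"{ev['ts']} {ev.get('principal')} from {ev.get('src_ip')} "
                f"{ev.get('action')} ({ev.get('result')})")
        if ts > cutoff:
            if not (is_vendor or from_vendor_net):
                continue
            if ev.get("result") == "success":
                # A revoked credential or allow-listed address still works: revocation gap.
                findings["post_cutoff_success"].append(desc)
            else:
                # Someone still holds the credential and is trying it.
                findings["post_cutoff_attempt"].append(desc)
        elif is_vendor and ts >= cutoff - pre_window and ev.get("action") in PRE_TERMINATION_WATCH:
            findings["pre_termination_watch"].append(desc)
    return findings


if __name__ == "__main__":
    for category, events in review_log(SAMPLE_LOG.splitlines()).items():
        print(f"{category}: {len(events)}")
        for e in events:
            print("   ", e)
```

A hit in post_cutoff_success means a credential or allow-list entry you believed revoked still works, and goes straight to the revocation owner; a post-cutoff failure tells you the credential is still in someone's hands. The pre-termination watch list catches the vendor account that mints a fresh API key days before it is disabled, which is exactly the key that would otherwise show up in post_cutoff_success. Unparsable lines are reported rather than dropped so a log format change cannot silently blind the review.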

Jerisaliant's TPRM module includes offboarding workflow templates, access revocation checklists, automated deletion request generation, and certificate of destruction tracking.

Ensure DPDPA Compliance Today

Ready to make your business compliant? Run a free gap assessment or talk to our experts.