When You Fire Someone Today: The 30-Minute SaaS Access Revocation Protocol for Startups
Step-by-step protocol for revoking SaaS access the same day you terminate an employee — built for startups with no IT team.
You've made the decision. The conversation is happening at 10am. By 10:31am, that person should have zero live access to your Slack, GitHub, HubSpot, Figma, Notion, and every other tool they touched — regardless of whether you have an IT department (you don't). This is the revocation protocol for startups doing involuntary terminations without a playbook.
Why Involuntary Terminations Are the Highest-Risk Moment in the Employee Lifecycle
66% of fired employees retain access to former employer cloud accounts after leaving. Of those, 70% with continued access admit to using it to cause intentional harm — deleted files, forwarded customer lists, poisoned repos. An IT specialist is involved in offboarding at only 9% of companies. At a 20-person startup, there is no IT specialist. There's you, a Notion doc, and 40 SaaS subscriptions. The planned offboarding articles help. This one is for the day the plan goes out the window.
Before You Say the Words
If you have any lead time — even a few hours — run these three steps before the conversation happens.
1. Pull an access inventory. Open every major tool and check what this person has access to. If you've run a who-has-access audit before, pull it up. If you haven't, open Slack, GitHub, Figma, Google Workspace admin, and your CRM in separate tabs right now.
2. Draft your revocation order. Tier your tools: identity layer first (SSO or Google Workspace), then communication, then code, then revenue-touching tools, then everything else. The order matters: the identity layer is what most other apps trust for login, so suspending it blocks new sign-ins to everything behind it in one action. It does not end sessions those apps have already issued, which is why the per-app steps still follow.
3. Coordinate silently. If someone else will be in the termination meeting, assign them the revocation task. The moment the conversation starts, they start revoking. You should not be context-switching between "this is your last day" and "let me log into your GitHub admin."
The Revocation Order (Do This in Sequence)
Order matters. Kill the identity layer first and many downstream revocations happen automatically. Start at the bottom and you waste 20 minutes logging into individual apps while the person still has email access.
Step 1 — SSO / Identity Provider (if you have one). If your company uses Google Workspace, Microsoft Entra, or Okta as an SSO layer, suspend the account here first. Every app that authenticates through it rejects new logins from that moment. This is the highest-leverage step: one action, many revocations. It is not a complete one: a browser tab that is already signed in or a mobile app holding a refresh token stays live until the app's session expires or you revoke it in that app, so Steps 2 to 7 still matter. Suspend rather than delete; deleting can take the mailbox and audit logs with it.
Step 2 — Primary email account. Google Workspace or Microsoft 365 admin console. Suspend the account, force sign-out of all active sessions. Set an auto-reply if appropriate. Do not delete the account yet — forward mail to a manager for 30 days.
Step 3 — Slack (or Teams). Deactivate the account; removing someone from channels leaves their login and DM access intact. Deactivating a Slack account also signs the person out on every device. Check whether they hold an owner or admin role first: Slack will not let you deactivate the Primary Owner, so transfer that role before you try. Teams rides on the Microsoft account, so the Entra block and session revocation from Steps 1 and 2 cover it, though cached tokens can keep a client working for a short while afterwards.
Step 4 — Code and product tools. GitHub: remove from the org (not just the repo), and check the outside collaborators list too, since a personal GitHub account can hold repo access without ever being an org member. Figma: remove from the team. Linear or Jira: deactivate. AWS: if they had an IAM user, deactivate its access keys and delete its console password, then delete the user; if you use IAM Identity Center, disable the user there. GCP: remove their principal from every project IAM policy. Vercel: remove from the team. Long-lived keys that lived in shared config or a service account they created are not tied to their identity, so rotate those as well. This tier takes the longest; budget 10–15 minutes if you're doing it manually.
Step 5 — Revenue-touching tools. HubSpot, Salesforce, Stripe, Intercom — anything touching customer data or payment flows. Deactivate the user account in each. For Stripe: remove them from the team, then roll any secret key they could have seen; Stripe lets you keep the old key valid for a short grace window so integrations don't break mid-rotation. For HubSpot: transfer ownership of any contacts or deals.
Step 6 — Shared credentials. 1Password, Bitwarden, or whatever your team uses: remove the person from the vault. If they knew any credentials that were shared outside the vault (written down, pasted in chat, stored in personal notes), rotate those passwords now. This is also where you check Notion: if your "passwords" page is a Notion doc that was ever published to the web or shared by public link, that link keeps working after you remove the person from the workspace. Unpublish it and rotate every credential on it.
Step 7 — Everything else. Notion workspaces, Loom, Canva, Miro, Zoom admin, domain registrar, billing portals. If they touched it, remove them. Check your SaaS billing dashboard — most list every active user. This is your fastest enumeration tool if you don't have a formal access inventory. The full picture of why SaaS access sprawl makes this hard is worth reading before the next hire starts.
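The seven steps above, turned into an ordered, dry-run-by-default plan. This is an added example written for this article, not Optserv's or any vendor's code. The Google Admin SDK and GitHub REST paths are the real public endpoints; Slack, Stripe, 1Password and the billing sweep have no safe cross-tenant API for this, so the plan prints them as manual console steps. The company domain, org name, logins and tokens are constructed for the example.

```python
"""Ordered SaaS revocation plan for one departing employee (added example)."""
from dataclasses import dataclass
from typing import Optional
import json
import urllib.error
import urllib.request

# Tiers follow the article's order: identity layer first, catch-all last.
IDENTITY, EMAIL, CHAT, CODE, REVENUE, SECRETS, REST = range(7)


@dataclass(frozen=True)
class Action:
    tier: int
    system: str
    note: str
    method: str = "MANUAL"        # HTTP verb, or MANUAL for a console-only step
    url: str = ""
    body: Optional[dict] = None


def build_plan(email: str, gh_login: str, gh_org: str) -> list:
    """Every revocation step for one person, sorted so the identity layer goes first."""
    gws = f"https://admin.googleapis.com/admin/directory/v1/users/{email}"
    gh = f"https://api.github.com/orgs/{gh_org}"
    plan = [
        # Suspend rather than delete: mailbox, Drive and audit logs stay intact.
        Action(IDENTITY, "google-workspace", "suspend account",
               "PATCH", gws, {"suspended": True}),
        # Suspension blocks new logins only; issued cookies and refresh tokens need this.
        Action(IDENTITY, "google-workspace", "sign out of all sessions",
               "POST", gws + "/signOut", {}),
        # Third-party OAuth grants held by the work account. Review the list, then
        # revoke each one with DELETE {gws}/tokens/{clientId}.
        Action(EMAIL, "google-workspace", "list third-party OAuth grants",
               "GET", gws + "/tokens"),
        Action(CHAT, "slack", "Manage members: deactivate (transfer primary "
                              "ownership first if they hold it)"),
        # Needs an org-owner token. 404 here just means they were never a member.
        Action(CODE, "github", "remove from organization",
               "DELETE", f"{gh}/members/{gh_login}"),
        # Covers repo access held without org membership. 422 means they are a member.
        Action(CODE, "github", "remove as outside collaborator",
               "DELETE", f"{gh}/outside_collaborators/{gh_login}"),
        Action(REVENUE, "stripe", "Team: remove member; roll secret keys with a grace window"),
        Action(SECRETS, "1password", "remove from vaults; rotate anything shared outside them"),
        Action(REST, "billing", "walk every vendor's user list for leftover seats"),
    ]
    return sorted(plan, key=lambda a: a.tier)   # stable sort keeps within-tier order


def _send(req: urllib.request.Request) -> int:
    """Issue one request and return its HTTP status; an error status is data, not a crash."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def execute(plan, token_for, send=_send, dry_run=True):
    """Run the plan in order and return (system, status, note) per action.

    token_for(system) supplies the bearer token for each API. A failed call is
    recorded and the sweep continues: a stalled revocation is worse than a noisy one.
    """
    report = []
    for a in plan:
        if a.method == "MANUAL":
            report.append((a.system, "MANUAL", a.note))
            continue
        data = json.dumps(a.body).encode() if a.body is not None else None
        req = urllib.request.Request(
            a.url, data=data, method=a.method,
            headers={"Authorization": f"Bearer {token_for(a.system)}",
                     "Content-Type": "application/json",
                     "Accept": "application/json"})
        status = "DRY-RUN" if dry_run else send(req)
        report.append((a.system, status, a.note))
    return report


if __name__ == "__main__":
    # Constructed inputs: neither the domain nor the logins are real accounts.
    plan = build_plan("jdoe@acme.example", "jdoe-acme", "acme-example")
    for system, status, note in execute(plan, lambda system: "REDACTED"):
        print(f"{str(status):8} {system:17} {note}")
```

Run it once in dry-run mode to read the order back before you hand it a real token; the one design point worth copying even if you never script this is that the identity suspension and the forced sign-out are two separate actions, and both sit at tier zero.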
The Hidden Gaps That Survive a Thorough Revocation
You followed all seven steps. Here's what still might be live:
OAuth grants on personal accounts. If the employee authenticated any work tool ("Continue with Google") from a personal Gmail, the app's user record is keyed to that personal Google identity, and the OAuth token lives in their personal Google account, not your Google Workspace instance. Your admin console suspension doesn't touch it. You need to go into the specific app, find the account under the personal address, and remove it there.
Personal sign-ins to company tools. Figma, Linear, GitHub, Notion — many let users sign in with a personal email. If this person used their personal email on any company-paid tool, your SSO suspension did nothing to that session. Check each admin panel for accounts that don't match your company domain.
API keys and tokens that are not tied to the person. A GitHub personal access token only carries its owner's permissions, so removing the user from the org takes org repos out of its reach; org owners can also review and revoke fine-grained tokens that target the org under the organization's Third-party Access settings. What does survive is anything the person created that your company now runs rather than their identity: a token pasted into a CI secret, a deploy key, a Zapier connection set up under their personal Zapier account, a Postman environment with embedded credentials, a service-account key on their laptop. Deactivating the human account does nothing to these. Rotate each one, and replace any CI/CD pipeline where they were the authenticated user with a machine identity.
Shared accounts. If five people shared one Figma seat or one HubSpot login, suspending the person's email does nothing — the shared login is still live, with credentials the former employee knows. Rotate the password immediately. Shared account offboarding is a separate problem worth a separate protocol.
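The gap check the four paragraphs above describe, as an added example that is not part of the original article or Optserv's product. It sweeps the member-list CSVs you export from each admin panel and flags the departing person still showing as active under any address or login, sign-ins from outside the company domain that an SSO suspension cannot reach, and role-named logins that are probably shared. The exports, domain and addresses are constructed; real vendor CSVs use varying column names, which is why the parser accepts several.

```python
"""Sweep admin-panel user exports for access that survives SSO suspension (added example)."""
import csv
import io

# Role-style local parts that usually mean one login shared by several people.
SHARED_LOCAL_PARTS = {"design", "ops", "admin", "marketing", "support", "billing", "dev", "team"}

# Constructed exports standing in for the CSVs each admin panel lets you download.
EXPORTS = {
    "figma": """Email,Status
jdoe@acme.example,Deactivated
jdoe.personal@gmail.example,Active
design@acme.example,Active
mia@acme.example,Active
""",
    "github": """login,role,state
jdoe-acme,member,active
mia-acme,admin,active
contractor-x,outside collaborator,active
""",
    "notion": """Email,Role,Status
jdoe@acme.example,Member,Removed
freelancer@outlook.example,Guest,Active
mia@acme.example,Admin,Active
""",
    "hubspot": """User,Status
jdoe@acme.example,Deactivated
ops@acme.example,Active
mia@acme.example,Active
""",
}

# Every identity the departing person is known to have used, work and personal.
DEPARTING = {"jdoe@acme.example", "jdoe.personal@gmail.example", "jdoe-acme"}

INACTIVE = {"deactivated", "suspended", "removed", "disabled", "inactive"}
URGENCY = {"departing user still active": 0,
           "non-company sign-in: SSO suspension cannot reach it": 1,
           "shared role account: rotate the password": 2}


def parse_export(text):
    """Rows of {id, status} from one CSV export; header names differ per vendor."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        norm = {k.strip().lower(): (v or "").strip() for k, v in row.items() if k}
        ident = (norm.get("email") or norm.get("user") or norm.get("login") or "").lower()
        status = (norm.get("status") or norm.get("state") or "active").lower()
        if ident:
            rows.append({"id": ident, "status": status})
    return rows


def audit(exports, company_domain, departing):
    """Return (tool, identity, reason) findings across all exports, most urgent first."""
    departing = {d.lower() for d in departing}
    findings = []
    for tool, text in exports.items():
        for row in parse_export(text):
            ident, status = row["id"], row["status"]
            local, at, domain = ident.rpartition("@")
            if ident in departing:
                if status not in INACTIVE:
                    findings.append((tool, ident, "departing user still active"))
                continue
            # Bare logins (no "@") cannot be domain-checked; match those by name above.
            if at and domain != company_domain:
                findings.append((tool, ident, "non-company sign-in: SSO suspension cannot reach it"))
            elif at and local in SHARED_LOCAL_PARTS:
                findings.append((tool, ident, "shared role account: rotate the password"))
    findings.sort(key=lambda f: URGENCY[f[2]])   # stable: keeps export order within a class
    return findings


if __name__ == "__main__":
    for tool, ident, reason in audit(EXPORTS, "acme.example", DEPARTING):
        print(f"{tool:8} {ident:30} {reason}")
```

The departing set deliberately includes the personal Gmail and the bare GitHub login: the seat that survives is almost never the one under the work address, so the check is only as good as the list of identities you feed it.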
When You Had Absolutely Zero Warning
Sometimes there's no lead time. The conversation happens because they said something in a meeting and it's over in 20 minutes. Same protocol — just compressed.
Start with the SSO kill switch while the conversation is still going, or the second it ends. If you're the only person in the room, have the Workspace admin console open on your phone. A suspended email account plus a forced sign-out plus a Slack deactivation handles most of the risk in under two minutes. Do the full seven-step sweep in the 30 minutes after they physically leave.
The one thing you cannot skip in a zero-warning scenario: change any credential they may have known verbally. If they set up a service and you asked them for the password on Slack, that password is compromised regardless of account deactivation status.
Building a System So Next Time Takes Five Minutes
The reason this feels chaotic is that the access inventory doesn't exist until someone leaves. The HR-IT gap — HR knowing someone is being terminated but having no connection to the tools that person uses — is what turns a 30-minute protocol into a two-hour fire drill.
Optserv connects the HR record to the tool-access layer. When a termination is logged, every SaaS connection tied to that employee is flagged for revocation in one flow — not seven admin consoles. You can trial the workflow before the next termination happens at app.optserv.ai.
Revocation Priority at a Glance
| Layer | Tools | Why this position |
|---|---|---|
| Identity (SSO) | Google Workspace, Okta, Microsoft Entra | Blocks new logins to every SSO-connected app in one action |
| Email | Gmail (Google Workspace), Outlook (Microsoft 365) | Blocks password resets and mail-based data exfiltration |
| Communications | Slack, Teams, Zoom | Ends messaging, channel and file access |
| Code / Product | GitHub, Figma, Linear, AWS | Source code and infrastructure exposure |
| Revenue tools | HubSpot, Stripe, Intercom | Customer data and payment exposure |
| Shared credentials | 1Password, Bitwarden, Notion | Known passwords survive SSO suspension; rotate them |
| Everything else | Notion, Canva, Loom, billing portals | Catch-all sweep from the billing dashboard |
FAQ
How quickly do I legally need to revoke access after terminating an employee? There's no universal statutory deadline. SOC 2 sets no fixed window either; auditors test against whatever your own offboarding control promises, and a commitment of one business day (often stated as 24 hours) is the common one. Practically, the risk window for intentional harm is highest in the first 2–4 hours, and that is the window this protocol closes.
What if I don't have an SSO system? Start with email (Google or Microsoft admin console), then Slack. These two, done in sequence, handle the highest-risk channels and take about three minutes. Build the rest of the list from your SaaS billing dashboard.
Should I warn the IT department before the termination meeting? If you have someone who handles IT (even a part-time consultant), yes — brief them an hour before. They should be ready to execute Steps 1–3 the moment the meeting starts. Synchronizing the revocation with the conversation is the professional and secure approach.
What happens to data in the terminated employee's accounts? Suspend, don't delete immediately. You may need their email history or Slack messages for reference. Google Workspace keeps a suspended account's data until you delete it, but the suspended user still occupies a paid seat, so don't leave it forever. When you do delete, use the transfer option Google offers for Drive files and calendars, export anything else you need, then delete after 30–90 days.
Sources
- LeadingIT: 1 in 4 Ex-Employees Still Has Access to Company Data
- Directive: 66% of Fired Employees Able to Access Former Company's Cloud Data
- Beyond Identity: Former Employees Admit to Using Continued Account Access to Harm Employers
- AccountableHQ: Terminated Employee Access Checklist
Byline: Optserv Team