This is a Controlled Document
Inline with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
These standards specify requirements related to the offboarding of GitLab team members from all GitLab related computing resources and data assets so as to protect our customers, team members, contractors, company, and other partners from harm caused by both deliberate and inadvertent misuse. Our intention in publishing these standards is to outline information security standards intended to protect GitLab assets.
These standards apply to all GitLab team-members, contractors, advisors, and contracted parties interacting with GitLab computing resources and accessing company or customer data.
|GitLab Team Members||Responsible for following the requirements in this document|
|PeopleOps||Responsible for implementing and executing this document|
|PeopleOps (Code Owners)||Responsible for approving significant changes and exceptions to this document|
Once the termination process has been approved and completed in Workday either by the departing team members Direct Manager (Voluntary) or by Team Member Relations (Involuntary) either a People Connect (Voluntary) or Team Member Relations (Involuntary) team member will submit an Offboarding Workflow Form. In the instance of a Voluntary Termination this process will follow the resignation process intiated by the team member directly in Workday.
This will populate the tracker through which various offboarding automations are triggered in addition to notifying IT Operations; Payroll and other Stakeholders of the team members temination particulars such as the effective date, information about garden leave if applicable and the time at which access to GitLab systems should be terminated in the #offboarding channel.
In alignment with the needs of both People Connect and IT Operations, offboardings will kick off at 16:00pm in the team members regional timezone (EMEA, JAPAC, and NORAM) and 12:00pm in their regional timezone on Friday at which point de-provisioning will commence.
Note: In instances where team members require de-provisioning initiated at outside of those documented above they should reach out to People Connect via direct message or firstname.lastname@example.org to arrange an alternate time.
Should the effective date fall on a day which People Connect is unable to support e.g. a Family and Friends Day or Global Holiday, People Connect will reach out to the People Business Partner to discuss alternate offboarding options.
Per the People Connect Rotation the offboarding will be assigned directly in the offboarding tracker.
Offboarding issues are created automatically using the data that is populated by the offboarding form. It is essential that the date and time inserted in the tracker is accurate as this will be the time at which the employment bot will open the offboarding issue
The assigned People Connect member will be automatically added to the list of assignees once the offboarding issue is created.
Many teams work to deprovision access including the IT Operations, this should be regarded as urgent and all tasks expected to be completed in 5 working days with the exception of laptop returns, which can take 2 - 4 weeks.
Note: If the team member is temporarily transitioning to a contractor or consultant role, please proceed with the full offboarding process and create a separate onboarding issue to grant only specific temporary access for what they would need to fulfill their contractual obligations.
In the event that the offboarding issue is not automatically opened or an urgent issue is needed to be opened, the People Connect member can open the offboarding issue manually, by following the steps below:
/pops run offboarding <EMPLOYEE_NUMBER>.
IT Ops will follow the below steps to set up an auto-response that notifies the sender that the team member they are trying to reach is no longer with GitLab and who to contact.
Customize rejection notice
The Out of Office message will stay on the account for 90 days, aftewards ITOPs will follow up and archive the account in the G-Suite vault.
IT Ops check if the team member has created any bots before disabling the account. Go to Slack or on your admin Slack profile click Menu » Configure Apps » Custom Integrations » Bots and search through the bots' list for the team member. If a bot exists, please DM the manager to confirm if the bot should be removed.
As per the automation in place, a merge request is automatically created to remove the team member from the team page. This will update the following:
The People Connect Team member will need to complete:
The People Connect Team member in the relevant rotation will complete a weekly audit of all offboarding issues opened within that specific week and check that all tasks have been completed by all Team Member and/or Departments. In the event that tasks are still outstanding, the People Connect Team member will ping the relevant Departments within the offboarding issue to call for tasks to be completed.
Once all tasks have been completed, the People Connect Team member will close the offboarding issue and mark as completed in the offboarding tracker.
All offboarding tasks by all Departments need to be completed within 5 days of the offboarding date. For systems that are more critical and time sensitive, these will be completed within the first 24 hours (example 1Password, Slack) by the relevant Departments. Information about application & system deprovisioners can be found on the Tech Stack Applications handbook page.
To ensure a successful completion of the offboarding issue, it is important that all tasks are checked off, whether the system/tool is applicable to the offboarding team member or not. Checking the box indicates one of the following:
Exceptions to this policy must be approved by PeopleOps.