Supplier Offboarding

Supplier offboarding is the orderly process for terminating a supplier relationship, covering data deletion, access revocation and regulatory compliance.

Supplier offboarding is the last step in the TPRM lifecycle and is frequently underestimated: incomplete offboarding leaves active access credentials, undeleted data and unfulfilled regulatory obligations.

Supplier offboarding checklist

A complete offboarding includes:

1. Access revocation: immediately revoke all system access, VPN access and API keys.
2. Data migration: reclaim your own data from the supplier.
3. Data deletion: obtain confirmation that all company data has been deleted.
4. Contract completion: settle outstanding services, warranties and NDA obligations.
5. Knowledge transfer: secure documentation and know-how.
6. Regulatory notifications: notify where the change is reportable under DORA.

Zombie accounts are a security risk

Studies show 20-30% of all data breaches arise from active credentials of former employees or suppliers. Offboarding must be immediate and complete.
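The access-revocation step of the checklist and the zombie-account risk above both come down to one verifiable question: does any credential still belong to a supplier whose relationship has ended? The following added example (not 360TPRM code) reconciles a constructed supplier register against a constructed export of active credentials, flags each leftover credential, measures how far past an assumed four-hour revocation SLA it is, and marks any credential used after the offboarding date as an incident indicator rather than mere hygiene.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample data: the offboarding date per terminated supplier
# (supplier IDs and dates are invented for this example).
OFFBOARDED_SUPPLIERS = {
    "sup-001": datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
    "sup-002": datetime(2024, 3, 3, 14, 0, tzinfo=UTC),
}

# Constructed sample data: credentials still active in IAM, VPN and API gateways,
# each tagged with the supplier it was issued to. "sup-003" is still an active supplier.
ACTIVE_CREDENTIALS = [
    {"id": "vpn-ext-17", "type": "vpn", "supplier": "sup-001",
     "last_used": datetime(2024, 3, 2, 8, 30, tzinfo=UTC)},
    {"id": "api-key-9f3", "type": "api_key", "supplier": "sup-001",
     "last_used": datetime(2024, 2, 20, 11, 0, tzinfo=UTC)},
    {"id": "db-ro-sup002", "type": "db_account", "supplier": "sup-002"},
    {"id": "sso-acme-ops", "type": "sso", "supplier": "sup-003"},
]

# Assumed SLA; the page only says revocation should happen "within hours".
REVOCATION_SLA = timedelta(hours=4)


def find_zombie_credentials(offboarded, active, now, sla=REVOCATION_SLA):
    """Return one finding per credential that belongs to an offboarded supplier."""
    findings = []
    for cred in active:
        end = offboarded.get(cred["supplier"])
        if end is None:
            continue  # supplier relationship still active; nothing to revoke
        overdue = now - (end + sla)
        last_used = cred.get("last_used")
        findings.append({
            "credential": cred["id"],
            "type": cred["type"],
            "supplier": cred["supplier"],
            "sla_breached": overdue > timedelta(0),
            "hours_overdue": max(0.0, overdue.total_seconds() / 3600),
            # Use after the offboarding date points at possible misuse, not just a missed ticket.
            "used_after_offboarding": last_used is not None and last_used > end,
        })
    return findings


if __name__ == "__main__":
    for f in find_zombie_credentials(OFFBOARDED_SUPPLIERS, ACTIVE_CREDENTIALS,
                                     datetime.now(UTC)):
        print(f)
```

Run it against real exports as a recurring control: any finding with `sla_breached` is evidence of incomplete offboarding, and `used_after_offboarding` should open an incident, not a ticket.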

Offboarding under DORA

DORA Art. 28(7) requires documented exit strategies that also govern offboarding. For critical ICT service providers, a change may be reportable. Supervisory authorities can request evidence of complete offboarding of ICT third-party providers.

Automated offboarding

360TPRM maintains a complete offboarding checklist and documents each step in an audit-ready manner, for supervisory authorities and internal control.

FAQ

What happens if offboarding is incomplete?

Security risks from active access, GDPR violations from undeleted data, and regulatory violations under DORA/NIS2 from missing documentation.

How long does a complete offboarding take?

Access revocations should happen within hours. Data migration and deletion take 1-4 weeks depending on volume, and contractual completion takes 1-3 months.

Design offboarding securely

See in a 45-minute demo how 360TPRM specifically meets your requirements.
