DATABASE//OPERATIONS-SECURITY//EMPLOYEE OFFBOARDING: SAFELY REVOKING KEY ACCESS

Module Execution // OPERATIONS & SECURITY / HR & RISK

Employee Offboarding: Safely Revoking Key Access

REF_ID: LSSN_EMPLOYEE

LAST_AUDIT: January 6, 2026

EST_TIME: 11 Minutes

REFERENCE_NOTE

The Executive Verdict

What to do with crypto access when an employee leaves? The procedure depends on your architecture: • Shared Seed Phrases (Hardware Wallets): CRITICAL EMERGENCY. You must Sweep All Funds to a new wallet immediately. The old wallet is burned. • Multi-Sig/MPC: Key Rotation. Remove the signer via an on-chain transaction or admin console. Funds stay put. The Rule: You can fire an employee, but you cannot fire a memory. If they know the seed, they own the money.

SECTION_HEADER

Introduction: The "Ghost" in the Machine

In Web2, disabling email works. In Web3, access is based on possession of a secret. If Bob knows the seed phrase, he can access funds forever. You cannot "un-know" a seed.

SECTION_HEADER

1. Scenario A: The Nightmare (Shared Seed Phrases)

If you share a Ledger: STOP. Secure assets before the meeting. Procedure: 1. Create clean wallet. 2. Sweep 100% of assets. 3. Gas Check (leave enough ETH for fees). 4. Abandon old wallet.

SECTION_HEADER

2. Scenario B: The Standard (Multi-Sig / MPC)

Multi-Sig: 1. Identify signer (0xBob). 2. Remaining signers propose removal. 3. Execute on-chain. MPC: 1. Admin logs in. 2. Revoke user. 3. Server kills key shard.

VISUAL_RECON

A Split Screen. Left: "The Sweep" showing money moving from Box A to Box B. Right: "The Rotation" showing the Lock changing on Box A, but money staying inside.

Architectural Wireframe // CW-V-001

SECTION_HEADER

3. The "Shadow Access" Checklist

Stop Reading, Start Building

Theory is dangerous without execution.

The Secure Setup: Ledger + Gnosis Safe Tutorial. Watch the step-by-step video guide in the The Ops & Security Course ($49).

ID_01API Keys: Specific to developers. Rotate Infura/Alchemy keys.

ID_02Exchange Accounts: Reset 2FA if set up on personal device.

ID_03Discord/Socials: Revoke permissions immediately to prevent scam links.

ID_04Dead Man's Switch: If employee dies, rotate signer immediately to restore redundancy.

SECTION_HEADER

4. HR & Legal Coordination (The Paper Layer)

Tech solves access, Law solves liability. Offboarding agreement must include a "Digital Asset Attestation" confirming destruction of all keys/passwords.

SECTION_HEADER

5. Emergency Protocol: The "Hostile Offboarding"

If theft is suspected: Front-Run Them. Move funds to Cold Storage BEFORE the meeting. Trigger "Pause" on smart contracts if available.

SECTION_HEADER

Conclusion: You Are Not Firing a User; You Are Rotating a Key

Every former employee with a retained seed phrase is a "Silent Risk." Treat key revocation like changing physical locks.

REFERENCE_NOTE

Offboarding Incident Response Checklist

1. Identify Wallet Type (Seed vs. MPC). 2. If Seed: SWEEP IMMEDIATELY. 3. If MPC: ROTATE SIGNER. 4. Rotate API Keys. 5. Reset Exchange 2FA. 6. Revoke Socials. 7. Sign Attestation.

F.A.Q // Logical Clarification

Can I just ask them to delete the seed?

"No. "Trust but Verify." You cannot verify deletion. You must assume they have it."

Does rotating a signer cost gas?

"Yes ($20-$50). Small price for security."

What if they refuse to sign?

"In 2-of-3, you don't need them. In 2-of-2, you are stuck. Always use 2-of-3."

What about vesting tokens?

"Use smart contract "Clawback" or stop the stream. Don't rely on manual return."

Official Training Material

Master The Process

You've read the theory. Now master the execution. Get the complete The Ops & Security Course tailored for this exact framework.

INCLUDES: VIDEO TUTORIALS • TEMPLATES • SOP CHECKLISTS

Module ActionsCW-MA-2026

Institutional Context

"This module has been cross-referenced with Operations & Security / HR & Risk standards for maximum operational reliability."

VECTOR: OPERATIONS-SECURITY

STATUS: DEPLOYED

REVISION: 1.0.4