
Vendor Offboarding & Access Revocation Checklist

Build an internal tool that runs a tiered offboarding checklist when a vendor relationship ends — revoke access, recover or destroy data, settle final invoices, retrieve assets, and capture a data-deletion attestation — with a hard approval gate before closure.

Level: Beginner. Time: An afternoon. Builds on: Next.js (App Router) on Vercel; Supabase (Postgres, Storage, Auth + RLS); Resend (email).

What you'll build

A login-protected app where you trigger offboarding for a departing vendor, the tool generates the right checklist by vendor tier, each item owner confirms completion, you capture the data-deletion attestation, the vendor-risk owner approves closure only when access revocation and data deletion are confirmed, Resend sends a confirmation, and you export a completed-checklist evidence CSV.


Before you start

  • A free Supabase account
  • A free Vercel account
  • A free Resend account (or skip email at first)
  • Your vendor list and offboarding checklist items in a Google Sheet or CSV

The problem this kills

When a vendor relationship ends, the work doesn't end with it. Someone has to revoke their logins, recover or destroy the data they held, settle the last invoice, get your laptops and badges back, and confirm in writing that they deleted your information. In real life this lives in a forwarded email thread and a half-finished spreadsheet — and six months later nobody can prove the access was ever actually revoked.

That gap is exactly how a departed vendor leaves an open door. An auditor asks "show me the offboarding evidence for Acme" and you're scrolling through inboxes. Worse, the account that should have been killed is still active.

This tool closes the door, every time, and keeps the receipt.

What you'll build

A small, login-protected web app for your vendor-risk, IT-security, and procurement teams:

  • Trigger offboarding for a vendor when the relationship ends.
  • Auto-generate the checklist based on the vendor's type and tier (a high-risk data processor gets more items than a one-off supplier).
  • Each item has an owner who confirms when it's done — access revocation, data recovery/destruction, final invoice, asset retrieval, and the data-deletion attestation.
  • Mandatory, non-skippable items: access revocation and data deletion cannot be checked off without confirmation, and exceptions must be logged with a reason.
  • A hard approval gate: the vendor-risk owner can only approve closure when every required item is confirmed.
  • A confirmation email via Resend, and a completed-checklist evidence CSV you can hand to any auditor.

What's inside the Implementation Plan

The plan is a single file you paste into an AI coding agent (Claude Code), and it builds the tool with you step by step — in plain language, for a non-coder.

It starts by interviewing you about your business. Before it writes a line of code, the plan has the agent ask about your vendor tiers, the systems you revoke access in, how you name vendors and offboarding events, your real checklist items, who owns each one, and your messy edge cases (the vendor who disputes the final invoice, the one who can't produce a deletion attestation). It reads back a short tailored spec, you give a thumbs-up, and only then does it build — so you get a tool shaped to how you actually offboard vendors, not a generic template.

From there it walks through the database, the login, the trigger-and-generate flow, the owner confirmations, the deletion attestation, the approval gate, the email, and the evidence export — each step ending with a ready-to-paste prompt.

The governance it includes (this is the point)

  • Login so only your team can use the tool.
  • Row-level security so people only ever see their own organization's data.
  • A complete audit trail — who confirmed what, who approved closure, and when.
  • A human-in-the-loop approval gate — the AI never closes an offboarding on its own; the vendor-risk owner reviews and approves, and only then is closure committed.
  • Duplicate guards so the same vendor-plus-offboarding-event can't be processed twice.
  • Kept evidence — the data-deletion attestation and the completed checklist are retained and exportable.
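
A sketch of how the duplicate guard, the mandatory items and the approval gate listed above fit together, added here as an illustration and not taken from the Implementation Plan. The field names, the `vendor_risk_owner` role string, the item kinds and the in-memory `Map` registry are assumptions; in the real app the same rules would sit behind Supabase tables and RLS.

```javascript
// Added example: field names, roles and item kinds are assumptions, not the plan's schema.
const MANDATORY_KINDS = ["access_revocation", "data_deletion"];
// Duplicate guard: one offboarding per vendor-plus-event pair.
function startOffboarding(registry, vendorId, eventId, items) {
  const key = `${vendorId}::${eventId}`;
  if (registry.has(key)) throw new Error(`duplicate offboarding: ${key}`);
  const record = { key, status: "open", items, audit: [] };
  registry.set(key, record);
  return record;
}
// Returns the reasons closure must be refused; an empty list means the gate is open.
function closureBlockers(record) {
  const blockers = [];
  const isConfirmed = (i) => Boolean(i.confirmedBy && i.confirmedAt);
  for (const kind of MANDATORY_KINDS) {
    // Mandatory items must exist on every tier's checklist and be confirmed.
    const matches = record.items.filter((i) => i.kind === kind);
    if (matches.length === 0) blockers.push(`${kind}: missing from checklist`);
    else if (!matches.every(isConfirmed)) blockers.push(`${kind}: not confirmed`);
  }
  for (const item of record.items) {
    if (MANDATORY_KINDS.includes(item.kind)) continue;
    if (item.required && !isConfirmed(item)) blockers.push(`${item.kind}: not confirmed`);
    if (item.exception && !String(item.exception.reason || "").trim())
      blockers.push(`${item.kind}: exception logged without a reason`);
  }
  return blockers;
}
// Only the vendor-risk owner can close, and only when nothing blocks.
function approveClosure(record, approver, now = new Date()) {
  if (approver.role !== "vendor_risk_owner") throw new Error("approver is not the vendor-risk owner");
  if (record.status === "closed") throw new Error("already closed");
  const blockers = closureBlockers(record);
  const entry = {
    at: now.toISOString(), actor: approver.id,
    action: blockers.length ? "closure_refused" : "closure_approved",
    blockers,
  };
  record.audit.push(entry); // refused attempts go into the audit trail too
  if (blockers.length === 0) record.status = "closed";
  return entry;
}
// Constructed sample: data deletion is still unconfirmed, so closure is refused.
const demo = startOffboarding(new Map(), "acme", "2024-termination", [
  { kind: "access_revocation", required: true, confirmedBy: "it-sec", confirmedAt: "2024-05-01T09:00:00Z" },
  { kind: "data_deletion", required: true }]);
console.log(approveClosure(demo, { id: "u-risk", role: "vendor_risk_owner" }).blockers);
```

Recording refused attempts alongside approvals means the audit trail shows when someone tried to close an offboarding early, not only when closure succeeded.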

Who it's for

Vendor-risk, IT-security, and procurement teams who need to end vendor relationships cleanly and prove they did it — without a developer and without buying another platform.

You've got this — paste the first prompt and let the agent interview you.
