Case file AE-2026 · Prepared for your auditor
A dossier in six exhibits
Offboarding that survives the audit.
When someone leaves, their access rarely leaves with them. AccessExit turns each departure into a tracked case — owners, due dates, captured evidence — and closes it with a timestamped receipt an auditor can hold. This page is laid out like the record it produces; the first exhibit is the receipt itself.
Free plan · no credit card · CSV import · Google Workspace sync
ACME WORKSPACE
OFFBOARDING RECEIPT
CASE 2026-014 · J. MARSH · CONTRACTOR
- EXIT
- 2026-06-30
- CLOSED
- 2026-07-02
- APPS
- 8
- TASKS
- 14
- OWNER
- A. OKAFOR
- EVIDENCE
- 9 ON FILE
- Google Workspace — suspend account[VERIFIED]
- Drive — transfer ownership[TRANSFERRED]
- GitHub — remove from org[VERIFIED]
- Slack — deactivate account[REVOKED]
- 1Password — rotate shared vaults[VERIFIED]
- Notion — remove from workspace[VERIFIED]
- Vercel — remove team member[VERIFIED]
- Figma — remove seat[RISK ACCEPTED]
································
PROVABLY CLOSED
Exhibit A — a sample receipt from a closed case. Fictional workspace; the format is the product’s real output.
Contents
File AE-2026
Exhibit 01 · The problem
Filed: the unprovable departure
Remedy: see Exhibit 02
The departure you can’t prove happened.
Most offboarding ends the same way: a message in Slack, a stale checklist, and a quiet hope that nothing was missed. Then — months later — an auditor, a client security review, or a cyber-insurance renewal asks the only question that matters: prove it. And there is nothing on file.
“can someone remove Jordan from everything?”
Index — items commonly left open
Status
- iOAuth grantsOPEN
- iiGitHub org accessOPEN
- iiiDrive ownershipOPEN
- ivbilling-owned SaaSOPEN
- vshared passwordsOPEN
- viAPI tokensOPEN
- viiSlack accountsOPEN
- viiidomains & socialOPEN
- ixAI tool seatsOPEN
- xdeploy keysOPEN
- xiadmin consolesOPEN
- xiiautomationsOPEN
Most of these sit outside SSO’s reach — which is exactly where an auditor looks. None of them close themselves.
Exhibit 02 · The method
Procedure — three steps
Output: Exhibit A, above
The procedure is three steps long.
No rollout project, no agents, no six-month integration plan. The whole method fits on one ruled page.
Step 01
Import people & apps
Pull your directory from Google Workspace or a CSV. Build an app inventory from templates — owner, criticality, how access gets revoked.
Step 02
Run the offboarding case
Start a case for the person leaving. AccessExit generates the checklist; your team revokes, transfers, verifies, or accepts risk — with evidence.
Step 03
Export the receipt
Close the case and get a timestamped receipt with owners, evidence, and unresolved risks. Hand it to your auditor, insurer, or future self.
Ref: Exhibit A — sample receipt, above
Exhibit 03 · The record
Categories 3.1 – 3.9
Plan gates noted
What goes on file.
Every feature exists to put something on the record. Nine categories of evidence, one file per departure.
3.1
Offboarding cases
One case per departure. A generated checklist covers identity, files, code, billing, AI tools, and devices — owned, dated, and tracked.
3.2
The access map
Map who actually holds an account in each tool. Coverage gaps and access still held by people who already left surface before an auditor finds them.
3.3
Deprovisioning SLAs
Every task gets a criticality-aware due date from the exit date. Overdue revocations flag on the board and the receipt — before they become audit findings.
3.4
Evidence, not vibes
Every task records who did what, when, and how it was verified — screenshots, links, notes, or API checks.
3.5
Receipts for auditors
When a case closes you get an immutable receipt: timestamps, owners, evidence, and any risks you explicitly accepted.
3.6
TeamQuarterly access reviews
Send owners a list of who has access to what. Collect confirm / revoke / unsure attestations with timestamps, exportable as CSV.
3.7
TeamCompliance reporting
Median time-to-revoke, within-SLA %, and app exposure by month — the audit-and-ROI evidence an auditor or insurer asks for, exportable as CSV.
3.8
Integrations where they help
Google Workspace directory sync and API verification. Manual tasks with evidence stay first-class — no SSO tax required.
3.9
Built for 5–100 people
Not enterprise IAM. No agents, no SCIM mandates, no six-month rollout. Import a CSV and run your first case today.
Exhibit 04 · Scope
In / out, plainly stated
No claims beyond
What this is — and what it is not.
AccessExit is deliberately narrow. The honest way to earn trust is to say where it ends.
4.1 — In scope
Teams of 5–100 people
Small enough to know everyone; big enough to lose track of who still holds what.
Your first SOC 2 or ISO 27001
Offboarding evidence and access reviews in the shape auditors actually ask for.
Agencies and studios
Contractor churn, shared accounts, client systems — the long tail of real work.
Teams without SSO everywhere
Manual removal with captured evidence is a first-class outcome, not a workaround.
4.2 — Out of scope
An identity provider
AccessExit complements Okta or Entra; it does not replace them.
BetterCloud or Zluri
No agents, no SCIM mandate, no six-month rollout — and not their price.
A GRC suite or an HRIS
It produces evidence for your audit; it does not run the audit.
A 1,000-seat platform
Right-sized for 5–100 is the point, not a limitation we apologize for.
If your team is in scope, the free plan is enough to run your first case today.
Exhibit 05 · Terms
Three plans · USD · monthly
Beta note 5.4, below
Three plans, plainly priced.
Figures are monthly, in US dollars. The free plan is a real plan, not a trial.
5.1 — Plan
Free
$0
- People
- 10
- Apps
- 3
- Cases
- 1 / mo
- Core offboarding checklist
- Evidence notes on every task
5.2 — Plan
Starter
$29 /mo
- People
- 25
- Apps
- 15
- Cases
- Unlimited
- Google Workspace directory sync
- File evidence — screenshots on record
- PDF & CSV receipt export
5.3 — Plan
Team
$49 /mo
- People
- 100
- Apps
- 50
- Cases
- Unlimited
- Everything in Starter
- Quarterly access reviews & attestations
- Compliance reports, exportable as CSV
NOTE 5.4 — During the beta, paid plans are activated manually — no credit card.
Exhibit 06 · Questions
Nine entries
Nothing off the record
Questions, on the record.
6.1
Is AccessExit an identity provider like Okta or Entra?
No. AccessExit isn't an IdP, an HRIS, or a GRC suite. It's an offboarding and access-review command center that produces an audit-ready receipt. It complements SSO by covering the long tail of tools SSO doesn't reach.
6.2
What happens for tools that don't have a deprovisioning API?
Manual removal with captured evidence — a screenshot, link, note, or API check — is a first-class outcome. A receipt is only marked provably closed when every task is verified or a named person explicitly accepted the risk.
6.3
How is this different from BetterCloud or Zluri?
Those tools are priced and scoped for organizations with dedicated IT and SSO budgets. AccessExit is right-sized for teams of 5–100: no agents, no SCIM mandate, and no six-month rollout.
6.4
Do I need SSO or SCIM to use it?
No. AccessExit is built for teams that can't automate deprovisioning everywhere. It treats manual removal with evidence as first-class, so you stay audit-ready without paying the SSO tax.
6.5
Which integrations are live today?
Google Workspace directory sync and account-suspension verification are live, alongside a demo directory for trials. Microsoft 365, GitHub, and Slack are on the roadmap; every other tool works as a manual task with evidence.
6.6
Does AccessExit use AI?
No. v1 is deliberately deterministic — checklists are generated by rules, not models — so every step is auditable and repeatable.
6.7
Where is my data — and my evidence — stored?
In a workspace on infrastructure we operate: PostgreSQL (Neon) for records and Vercel Blob for files. Evidence is stored private and served only through an auth-gated download route, integration tokens are encrypted at rest, and the audit trail is append-only. The Privacy Policy lists every subprocessor.
6.8
How does billing work, and what happens if I cancel?
Paid plans are billed monthly through Lemon Squeezy, our merchant of record. Cancel anytime — you keep paid features until the period ends, then move to Free with your data and past receipts intact. During the beta, paid plans are activated manually with no credit card.
6.9
Can I export or delete my data?
Yes. Receipts and access reviews export to CSV on paid plans, and any receipt can be saved as PDF from the browser. You can delete people, apps, and evidence — deletions are themselves audited — or ask us to remove your workspace entirely.
In closing
Every departure, every account, provably closed.
Start free, document your next departure properly, and keep a receipt on file for every one that follows.
AccessExit
Signed & sealed · File AE-2026 · the record closes here
File AE-2026 · End of dossier