Case file AE-2026 · Prepared for your auditor

A dossier in six exhibits

Offboarding that survives the audit.

When someone leaves, their access rarely leaves with them. AccessExit turns each departure into a tracked case — owners, due dates, captured evidence — and closes it with a timestamped receipt an auditor can hold. This page is laid out like the record it produces; the first exhibit is the receipt itself.

Free plan · no credit card · CSV import · Google Workspace sync

EXHIBIT A

ACME WORKSPACE

OFFBOARDING RECEIPT

CASE 2026-014 · J. MARSH · CONTRACTOR

EXIT
2026-06-30
CLOSED
2026-07-02
APPS
8
TASKS
14
OWNER
A. OKAFOR
EVIDENCE
9 ON FILE
  • Google Workspace — suspend account[VERIFIED]
  • Drive — transfer ownership[TRANSFERRED]
  • GitHub — remove from org[VERIFIED]
  • Slack — deactivate account[REVOKED]
  • 1Password — rotate shared vaults[VERIFIED]
  • Notion — remove from workspace[VERIFIED]
  • Vercel — remove team member[VERIFIED]
  • Figma — remove seat[RISK ACCEPTED]
UNRESOLVED RISKS1 — DOCUMENTED

································

PROVABLY CLOSED

PROVABLY CLOSEDACCESS · EXIT

Exhibit A — a sample receipt from a closed case. Fictional workspace; the format is the product’s real output.

Exhibit 01 · The problem

Filed: the unprovable departure

Remedy: see Exhibit 02

The departure you can’t prove happened.

Most offboarding ends the same way: a message in Slack, a stale checklist, and a quiet hope that nothing was missed. Then — months later — an auditor, a client security review, or a cyber-insurance renewal asks the only question that matters: prove it. And there is nothing on file.

“can someone remove Jordan from everything?”
Posted in #ops, the day after a departure — the entire process, on the record

Index — items commonly left open

  • iOAuth grantsOPEN
  • iiGitHub org accessOPEN
  • iiiDrive ownershipOPEN
  • ivbilling-owned SaaSOPEN
  • vshared passwordsOPEN
  • viAPI tokensOPEN
  • viiSlack accountsOPEN
  • viiidomains & socialOPEN
  • ixAI tool seatsOPEN
  • xdeploy keysOPEN
  • xiadmin consolesOPEN
  • xiiautomationsOPEN

Most of these sit outside SSO’s reach — which is exactly where an auditor looks. None of them close themselves.

Exhibit 02 · The method

Procedure — three steps

Output: Exhibit A, above

The procedure is three steps long.

No rollout project, no agents, no six-month integration plan. The whole method fits on one ruled page.

Step 01

Import people & apps

Pull your directory from Google Workspace or a CSV. Build an app inventory from templates — owner, criticality, how access gets revoked.

Step 02

Run the offboarding case

Start a case for the person leaving. AccessExit generates the checklist; your team revokes, transfers, verifies, or accepts risk — with evidence.

Step 03

Export the receipt

Close the case and get a timestamped receipt with owners, evidence, and unresolved risks. Hand it to your auditor, insurer, or future self.

Ref: Exhibit A — sample receipt, above

Exhibit 03 · The record

Categories 3.1 – 3.9

Plan gates noted

What goes on file.

Every feature exists to put something on the record. Nine categories of evidence, one file per departure.

3.1

Offboarding cases

One case per departure. A generated checklist covers identity, files, code, billing, AI tools, and devices — owned, dated, and tracked.

3.2

The access map

Map who actually holds an account in each tool. Coverage gaps and access still held by people who already left surface before an auditor finds them.

3.3

Deprovisioning SLAs

Every task gets a criticality-aware due date from the exit date. Overdue revocations flag on the board and the receipt — before they become audit findings.

3.4

Evidence, not vibes

Every task records who did what, when, and how it was verified — screenshots, links, notes, or API checks.

3.5

Receipts for auditors

When a case closes you get an immutable receipt: timestamps, owners, evidence, and any risks you explicitly accepted.

3.6

Team

Quarterly access reviews

Send owners a list of who has access to what. Collect confirm / revoke / unsure attestations with timestamps, exportable as CSV.

3.7

Team

Compliance reporting

Median time-to-revoke, within-SLA %, and app exposure by month — the audit-and-ROI evidence an auditor or insurer asks for, exportable as CSV.

3.8

Integrations where they help

Google Workspace directory sync and API verification. Manual tasks with evidence stay first-class — no SSO tax required.

3.9

Built for 5–100 people

Not enterprise IAM. No agents, no SCIM mandates, no six-month rollout. Import a CSV and run your first case today.

Exhibit 04 · Scope

In / out, plainly stated

No claims beyond

What this is — and what it is not.

AccessExit is deliberately narrow. The honest way to earn trust is to say where it ends.

4.1 — In scope

  • Teams of 5–100 people

    Small enough to know everyone; big enough to lose track of who still holds what.

  • Your first SOC 2 or ISO 27001

    Offboarding evidence and access reviews in the shape auditors actually ask for.

  • Agencies and studios

    Contractor churn, shared accounts, client systems — the long tail of real work.

  • Teams without SSO everywhere

    Manual removal with captured evidence is a first-class outcome, not a workaround.

4.2 — Out of scope

  • An identity provider

    AccessExit complements Okta or Entra; it does not replace them.

  • BetterCloud or Zluri

    No agents, no SCIM mandate, no six-month rollout — and not their price.

  • A GRC suite or an HRIS

    It produces evidence for your audit; it does not run the audit.

  • A 1,000-seat platform

    Right-sized for 5–100 is the point, not a limitation we apologize for.

If your team is in scope, the free plan is enough to run your first case today.

Exhibit 05 · Terms

Three plans · USD · monthly

Beta note 5.4, below

Three plans, plainly priced.

Figures are monthly, in US dollars. The free plan is a real plan, not a trial.

5.1 — Plan

Free

$0

People
10
Apps
3
Cases
1 / mo
  • Core offboarding checklist
  • Evidence notes on every task

5.2 — Plan

Starter

$29 /mo

People
25
Apps
15
Cases
Unlimited
  • Google Workspace directory sync
  • File evidence — screenshots on record
  • PDF & CSV receipt export

5.3 — Plan

Team

$49 /mo

People
100
Apps
50
Cases
Unlimited
  • Everything in Starter
  • Quarterly access reviews & attestations
  • Compliance reports, exportable as CSV

NOTE 5.4 — During the beta, paid plans are activated manually — no credit card.

Exhibit 06 · Questions

Nine entries

Nothing off the record

Questions, on the record.

6.1

Is AccessExit an identity provider like Okta or Entra?

No. AccessExit isn't an IdP, an HRIS, or a GRC suite. It's an offboarding and access-review command center that produces an audit-ready receipt. It complements SSO by covering the long tail of tools SSO doesn't reach.

6.2

What happens for tools that don't have a deprovisioning API?

Manual removal with captured evidence — a screenshot, link, note, or API check — is a first-class outcome. A receipt is only marked provably closed when every task is verified or a named person explicitly accepted the risk.

6.3

How is this different from BetterCloud or Zluri?

Those tools are priced and scoped for organizations with dedicated IT and SSO budgets. AccessExit is right-sized for teams of 5–100: no agents, no SCIM mandate, and no six-month rollout.

6.4

Do I need SSO or SCIM to use it?

No. AccessExit is built for teams that can't automate deprovisioning everywhere. It treats manual removal with evidence as first-class, so you stay audit-ready without paying the SSO tax.

6.5

Which integrations are live today?

Google Workspace directory sync and account-suspension verification are live, alongside a demo directory for trials. Microsoft 365, GitHub, and Slack are on the roadmap; every other tool works as a manual task with evidence.

6.6

Does AccessExit use AI?

No. v1 is deliberately deterministic — checklists are generated by rules, not models — so every step is auditable and repeatable.

6.7

Where is my data — and my evidence — stored?

In a workspace on infrastructure we operate: PostgreSQL (Neon) for records and Vercel Blob for files. Evidence is stored private and served only through an auth-gated download route, integration tokens are encrypted at rest, and the audit trail is append-only. The Privacy Policy lists every subprocessor.

6.8

How does billing work, and what happens if I cancel?

Paid plans are billed monthly through Lemon Squeezy, our merchant of record. Cancel anytime — you keep paid features until the period ends, then move to Free with your data and past receipts intact. During the beta, paid plans are activated manually with no credit card.

6.9

Can I export or delete my data?

Yes. Receipts and access reviews export to CSV on paid plans, and any receipt can be saved as PDF from the browser. You can delete people, apps, and evidence — deletions are themselves audited — or ask us to remove your workspace entirely.

In closing

Every departure, every account, provably closed.

Start free, document your next departure properly, and keep a receipt on file for every one that follows.

AccessExit

Signed & sealed · File AE-2026 · the record closes here

PROVABLY CLOSEDACCESS · EXIT

File AE-2026 · End of dossier