Nemu Inc.
🚪 Employee Separation Handling


1. Purpose

This document describes Nemu Inc.’s procedures for handling voluntary and involuntary separations to minimize security risks.


2. Scope

Applies to:

  • All employees and long-term contractors.
  • Any user with access to internal systems, customer data, or CSP consoles.

3. Separation Procedures

3.1 Notification and Coordination

  • HR or the manager notifies the Security/Engineering lead of a planned or immediate separation.
  • An effective date and time for access removal is agreed upon.

3.2 Access Revocation

On or before the separation effective time:

  • Accounts in Google Workspace, Supabase, Render, and other production services are disabled or removed.
  • Administrative roles or group memberships are revoked.
  • Shared secrets, credentials, or tokens accessible to the departing individual are rotated when applicable.

3.3 Asset Return

  • All company-owned devices and security tokens must be returned.
  • Access to internal repositories (GitHub), project management tools, and messaging platforms is removed.

3.4 Post-Separation Review

  • The Security Lead may review access logs for unusual activity before or immediately after separation.
  • All records of access removal or outstanding items (e.g., device return) are tracked to completion.

4. Audit Evidence

  • Separation checklist or runbook.
  • Example ticket or record showing timely access revocation.
  • Documentation of credential rotation after sensitive-role departures.

5. 24-Hour Access Removal Requirement

5.1 Mandatory Timeline for Logical & Physical Access Removal

Nemu Inc.’s Human Resources and Security policies require that all physical and logical access to systems containing scoped data be removed within 24 hours of a termination (voluntary or involuntary).

This includes:

  • Google Workspace account deactivation
  • Revocation of Supabase, Render, and GitHub access
  • Removal from Slack and internal tools
  • Endpoint device lockout and retrieval
  • Rotation of any shared credentials previously accessible

5.2 Enforcement Mechanism

  • HR triggers the separation workflow immediately after termination notice.
  • The Engineering/Security Lead confirms revocation within the 24-hour window.
  • Audit records are kept to demonstrate compliance.

6. Compliance Mapping

  • SOC 2: CC6.2
  • ISO 27001: A.7.3.1, A.9.2.6

Contact: support@mynemu.com © 2025 Nemu Inc.
