Client Offboarding Compliance SOP
Version 1.0 - Effective 2026-07-12 - Change log
Template document: review by a qualified data-protection lawyer or DPO before commercial reliance. Not legal advice.
This is the standard operating procedure Amaigo follows when a Whistle engagement ends, whether by expiry, notice, or termination. It is published so that a client's DPO can see that exit is handled with the same rigour as onboarding, and it is the same document our team works from internally. As with onboarding, every step is mirrored by a generated, client-specific offboarding pack, so the exit compliance record is produced by the same process that decommissions the deployment.
The offboarding pack
Each decommissioning generates a pack of three documents, produced by the same tooling as the onboarding pack:
- Offboarding checklist (
offboarding-checklist.md): the working checklist for the steps below. - Third-party revocation checklist (
third-party-revocation.md): the client-specific list of external grants to revoke, listing only the integrations this deployment actually used. - Certificate of data deletion (
deletion-certificate.md): the signed confirmation of deletion, with per-category record counts, that satisfies clause 9.2 of the DPA.
Procedure
1. Notice and data choice
Termination or expiry is confirmed in writing and the effective date recorded. Per clause 9.2 of the DPA, the client (as controller) chooses whether Amaigo deletes all personal data, or returns then deletes it. Their choice is recorded on the checklist.
2. Data return (if chosen)
If the client asks for their data back, we export the complete set of lead records for the deployment as a structured bundle and deliver it to the registered contact. Return always precedes deletion; it is never a substitute for it.
3. Deletion within 30 days
We run the decommissioning tool, which permanently deletes every record Amaigo holds for the client: lead records (including any stored transcripts), booking references, SMS and WhatsApp conversation threads, portal access tokens, and the client's audit-log records. Deletion is a hard delete, not a soft flag. Backups age out under the provider's rolling window and are not restored except for disaster recovery, after which the same deletion is re-applied.
4. Written confirmation
The generated certificate of data deletion records what was deleted, when, by whom, and in what quantity. It is sent to the client's registered contact and filed as the exit compliance record, evidencing the deletion obligation under clause 9.2.
5. Third-party access revocation
The calendar events themselves live in the client's own Microsoft 365 or Google Workspace tenancy and are theirs to keep or remove. What must be revoked is Amaigo's access:
- Amaigo purges, from the tenant configuration, any CRM token, outbound webhook URL and secret, Slack/Teams incoming-webhook URLs, and SMS/WhatsApp settings, so no dormant credential survives.
- The client revokes, in their own admin console, the calendar grant they issued at onboarding: for Microsoft 365, the enterprise-app admin consent (and any application access policy); for Google Workspace, Amaigo's service-account client id under domain-wide delegation.
The revocation checklist lists only the items this specific deployment used, and both sides sign it off.
6. Decommission
The tenant is set inactive and marked closed, so the widget stops serving immediately. The client removes the embed snippet from their site. The complete pack (checklist, revocation list, certificate) is filed as the offboarding compliance record.
A note on audit records
During normal operation, audit-log rows are retained for accountability and hold no message content or contact details. On full offboarding, at the controller's instruction, the client's audit records are deleted along with everything else, so nothing personal to the engagement remains. A client who needs the AI-decision log retained for their own regulatory reasons can ask us to return it before deletion.
Records retained
| Artifact | Where it lives |
|---|---|
| Certificate of data deletion (counts, date, operator) | Engagement file |
| Signed third-party revocation checklist | Engagement file |
| Written deletion confirmation to the controller | Sent to the registered contact, copy filed |
| Data-return bundle receipt (if return was chosen) | Engagement file |
This document is a GDPR-aligned template and must be reviewed by a qualified data-protection lawyer or DPO before commercial reliance. It is not legal advice.