How to Terminate a VA and Revoke Access Safely
Ending a virtual assistant engagement is a routine business event - but how you handle it determines whether you walk away clean or spend weeks cleaning up after a security gap. This guide covers offboarding a VA professionally and revoking access completely.
See also: secure access setup for virtual assistants, audit VA access permissions quarterly, data security best practices.
Why Offboarding Requires a Formal Process
Most security incidents involving former contractors happen because offboarding was rushed, incomplete, or skipped entirely. The pattern is consistent: the engagement ends, the business owner moves on, and weeks later discovers the former VA's account still has access to the CRM, the Gmail inbox, or the Shopify store.
A systematic offboarding process, run on the last day of the engagement, eliminates these gaps.
Types of Termination: How Each Affects Your Approach
Planned termination (mutual agreement): The VA knows their last day in advance. You can plan a structured knowledge transfer, gather deliverables, and time access revocation for end of day on their final date.
Immediate termination (performance or conduct issue): Revoke access first, then communicate. If there's any reason to believe the departure is contentious, prioritize account security over a smooth conversation.
VA-initiated resignation: Same as planned termination - request adequate notice (1–2 weeks), complete knowledge transfer, then revoke access on the last day.
Reduced scope (not full termination): If you're reducing hours or scope, audit which access the VA still needs for their revised role and remove what's no longer relevant.
The Offboarding Checklist: What to Do on the Last Day
Communication and Knowledge Transfer (Before Revoking Access)
- Receive final deliverables and verify completion
- Confirm handoff of any active tasks to you or a replacement
- Collect any SOPs, templates, or documentation the VA created
- Get status on all in-progress projects
- Confirm any client or vendor introductions that need to be transitioned
- Retrieve physical items (if applicable - branded materials, equipment)
Access Revocation (On Final Day - Before End of Business)
Email and Communication:
- Deactivate Google Workspace or Microsoft 365 account (this kills email access and Drive)
- Remove email delegation if you used it instead of a named account
- Remove from Slack/Teams workspace
- Remove from any client communication threads or groups
File Storage:
- Remove sharing from all Google Drive, Dropbox, or OneDrive folders
- Verify they have no shared folder access remaining
- Confirm no business files remain on their personal devices (covered in your policy)
Business Platforms:
- Deactivate Shopify staff account
- Deactivate/remove CRM user account
- Remove from project management tools (Asana, ClickUp, Notion, Trello)
- Remove from social media management tools (Buffer, Hootsuite, Later)
- Revoke access to any e-commerce marketplace accounts (Amazon Seller Central, Etsy, etc.)
- Remove from advertising platforms (Google Ads, Facebook Business Manager)
Password and Credentials:
- Remove from password manager shared vault/collection
- Change any passwords they had direct access to
- Regenerate API keys or tokens they may have used
- Remove their device from any Authy or shared 2FA setups
Financial Systems (High Priority):
- Remove from accounting software (QuickBooks, Xero)
- Revoke any payment gateway access (Stripe, PayPal business account)
- Remove from banking portals if they had view/limited access
Post-Termination (Within 48 Hours)
- Monitor business email for any forwarding rules they may have set
- Review access logs in key systems for any anomalous activity around the termination date
- Send final payment per your contract terms
- File signed contractor agreement and NDA for record retention
Handling Contentious Terminations
If you're terminating for cause, or if you have any reason to believe the VA might react negatively:
- Revoke access before the conversation (or simultaneously) - not after
- Document your reasons in writing before the termination conversation
- Do not give advance notice of the termination date - revoke on the day
- Review your audit logs immediately after for unusual activity
- Change passwords on all shared accounts, even if you believe they've been removed from your password manager
- Consult your contract regarding any outstanding payment obligations and notice requirements
What to Do If You Discover Lingering Access
If you discover a former VA still has access to your systems:
- Revoke immediately - don't wait
- Review access logs for that account to see what was accessed after termination
- Change relevant passwords
- If any sensitive data was accessed without authorization, assess your notification obligations
- Document what you discovered, when, and what you did about it
Frequently Asked Questions
How much notice should I give a VA before terminating?
Your contractor agreement should specify this. Typically, either party can terminate with 2 weeks' notice. Immediate termination for cause is usually permitted. For long-term VA relationships, more notice is professionally appropriate.
Should I give a departing VA a reference?
If the departure is on good terms and they performed well, yes. A reference is a professional courtesy that costs you nothing and maintains goodwill. Keep it focused on work quality and reliability, not personal information.
Can I reactivate a former VA?
Yes - and it's common. If you let someone go due to budget and they were excellent, re-engaging them later is a good option. Start with a fresh contractor agreement and go through the access setup process from scratch.
Ready to Hire Your Next VA?
Virtual Assistant VA matches you with vetted, professional VAs. Get matched today.