The 'Kill Switch': What Happens When an Employee Leaves Your Team?

Ask any security engineer what keeps them up at night, and "offboarding" will be near the top of the list. New employees get welcome packages, badges, and onboarding checklists. Departing employees get a Slack farewell and, if you're lucky, a half-remembered list of accounts to revoke. The asymmetry is dangerous. It's why former employees retain access to production systems for months — sometimes years — after they walk out the door.

The traditional offboarding nightmare

Most teams "offboard" by removing a user from a shared vault and rotating any passwords that the person knew. This is correct in theory and disastrous in practice. The departing employee may have copied passwords into local notes, browser autofill, password manager exports, or — most often — their own memory. Removing their seat from the SaaS dashboard does nothing about any of that. Until every credential they touched is rotated, they still hold valid keys.

What the Pwdly Kill Switch actually does

When an admin clicks Kill Switch on a member, four things happen in sequence — all within a few hundred milliseconds:

1. Session termination. All active session tokens for that user are invalidated server-side. Any open browser tab attempting to refresh is logged out instantly.
2. Project key rotation. For every project the user had access to, a new symmetric project key is generated client-side by the next admin to log in (or by a designated rotation worker on their device). Every secret in the project is re-encrypted under the new key.
3. Sealed-envelope re-issuance. New sealed boxes containing the new project key are generated for every remaining member, exactly the way the original invites worked. The departed user receives no envelope.
4. Rotation queue. Every secret that user could have viewed in the last 90 days is flagged for password rotation, with one-click rotation links to supported services and a checklist for the rest.

Why client-side key rotation matters

A naive system would rotate keys on the server, which would require the server to briefly hold the old project key in memory to re-encrypt everything. We refused. Instead, key rotation happens entirely on a remaining admin's device. The old project key is decrypted in the admin's browser, the new key is generated locally, and the re-encrypted ciphertext is uploaded. Our servers see ciphertext-in, ciphertext-out — never the keys themselves.

Forward secrecy for shared vaults

Even if the departed employee somehow saved a copy of the old project key, it's now useless. The new ciphertext on our servers is encrypted under a key they've never seen. Any future changes — new credentials added by the team, password updates, item edits — are mathematically inaccessible to them. This is forward secrecy applied to a team vault, and it's the property that makes "revoking access" mean what people think it means.

The audit trail

Every Kill Switch event generates a signed audit log entry: who pulled the switch, who was removed, which projects were affected, when the rotation completed, and which credentials were flagged for follow-up. The log is append-only and exportable for compliance. When auditors ask "how do you handle offboarding," you don't have to write a process document — you hand them a timestamped record.

The human side

We deliberately made the Kill Switch a single, weighty button. There's a confirmation dialog that summarizes exactly what's about to happen, including the number of projects, secrets, and members affected. We don't believe security tooling should be casual at the moments that matter most. Pulling the switch should feel like locking a door — definitive, immediate, and slightly dramatic.

Closing the gap

Offboarding is the moment where most security postures quietly collapse, because it's the moment where humans are tired, distracted, and emotionally complicated. The right answer isn't a better checklist. It's a system where the cryptographic guarantee snaps into place the instant the button is pressed, with no follow-up required to make "revoked" actually mean revoked. That's what the Kill Switch is for.