Product
Platform
Platform API
Onna + Reveal Hold
Onna + Logikcull
Connectors
Slack
Google
Microsoft 365
Jira
Confluence
Google Gemini
ChatGPT
Miro
Zendesk
Zoom
All Connectors
Solutions
Solutions by Use Case
Preservation
Collections
Early Case Assement
Internal Investigations
Data Archiving
Data Activity Monitor
Solutions by Role
Legal
Information Technology
Information Security
Human Resources
Resources
Content Library
Blog
Webinars & Events
Reveal Academy
Developer Hub
Company
About Us
Careers
Newsroom
Partnerships
Trust Center
Pricing
Login
Get a Demo
eDiscovery
Data Management

Internal Investigations Software for Offboarding

Flutura Ahmetxhekaj
Demand Generation Manager
July 2, 2026

Employee Offboarding and Internal Investigations: Preserving Critical Evidence

Most employee exits are administrative. A handful are evidentiary. Organizations rarely know, at the moment an employee resigns or is terminated, which category applies. By the time it becomes clear that a departure is tied to a harassment complaint, a data theft concern, or a regulatory inquiry, the standard offboarding checklist has often already run its course: accounts deactivated, devices wiped, mailboxes archived or deleted. The evidence an investigation needs may be gone before anyone realizes an investigation is required.

This is the tension underneath most conversations about internal investigations software: offboarding and evidence preservation run on different clocks, owned by different teams, with different definitions of “done.” IT wants access revoked quickly. HR wants a low-friction transition while legal and compliance need custodian data preserved exactly as it existed on the day the issue arose. When these clocks aren’t synchronized, the organization loses the one thing it cannot recreate later: an intact record.

Defining Internal Investigations Software

Internal investigations software is a category of legal technology that helps organizations identify, preserve, collect, and review electronically stored information (ESI) tied to workplace complaints, compliance concerns, or suspected misconduct, independent of standard IT offboarding timelines. It typically combines custodian and legal hold management with connectors to collaboration platforms, email, chat, and cloud storage, so relevant data can be locked down before it is altered, moved, or deleted.

In practice, an organization can flag an employee as a custodian, apply a legal hold across their Slack messages, email, shared drives, and Teams chats, and keep preserving that content even after the account would otherwise be deactivated on their last day.

Where Offboarding and Investigations Collide

The scale of the problem is well documented. Cyberhaven’s 2024 analysis of workplace data movement found that risky data exfiltration activity spikes 720% in the period immediately before layoffs are announced, a window when employees have both access and motive to move data before it disappears. Separately, Ponemon Institute’s 2025 Cost of Insider Risks research found that the average total cost of an insider threat incident climbed from $15.4 million in 2022 to $17.4 million in 2024, a trend tied closely to departures where access and data handling weren’t tightly controlled. IBM’s 2024 data breach research adds a related point: breaches identified internally cost meaningfully less than those disclosed by an attacker, reinforcing that speed of detection and preservation directly affects financial exposure.

None of this is a story about malicious employees alone; it is a story about process gaps. A departing employee’s data footprint, mailbox, chat history, shared files, collaboration threads, is exactly what a legal or compliance team needs in a harassment claim, a whistleblower complaint, or a trade secrets dispute. If IT offboarding runs on autopilot and legal hold isn’t triggered before deactivation, that footprint can be lost with no bad intent required.

Where the Two Timelines Collide

The Standard Offboarding Sequence

A typical IT-led offboarding workflow moves fast, often within 24 to 48 hours of a confirmed departure:

  • Revoke SSO and application access
  • Forward or archive email
  • Reassign or delete shared drive permissions
  • Wipe or reissue company devices
  • Close collaboration tool accounts (Slack, Teams, Zoom)

Each step is reasonable from a security standpoint, and each is a potential point of evidence loss if a legal hold has not already been applied.

The Legal Hold Sequence

Legal hold obligations follow different logic entirely. Once litigation, regulatory inquiry, or a credible internal complaint is reasonably anticipated, the organization has a duty to preserve relevant data, regardless of IT’s offboarding calendar. That duty does not pause for a two-week notice period or accelerate to match a layoff announcement; it is triggered by the facts of the matter.

The organizations that manage this well treat custodian offboarding as a checkpoint, not an afterthought. Before any account is deactivated or device wiped, someone confirms whether that employee is, or might become, a custodian in an open or reasonably anticipated matter. If HR and legal platforms for HR investigations and data management are connected to this workflow, that check happens automatically rather than relying on someone remembering to ask.

Building a Defensible Offboarding-to-Investigation Handoff

A defensible process generally includes:

  1. A shared trigger list. HR, legal, and IT agree in advance on which departure types require a legal hold check: performance terminations, harassment or discrimination complaints, data security incidents, regulatory exposure, and departures to competitors.
  1. A pause point before deactivation. Before final account closure, a documented step confirms whether the departing employee is subject to a hold.
  1. Preservation independent of the account. Data collection for internal investigations shouldn’t depend on the employee’s account staying active; content needs to be copied, indexed, and preserved in a system that survives offboarding.
  1. A single source of custodian data. Consolidating email, chat, and file data from multiple platforms removes the need to reconstruct a timeline from scattered exports after the fact.
  1. Chain of custody documentation. Every preservation and collection action should be logged, timestamped, and auditable, so the process can withstand scrutiny in litigation or a regulatory review.

Platforms that unify eDiscovery workflows, such as the Onna and Logikcull integration, are built around this idea: preservation and collection happen in a connected system, so legal teams are not dependent on IT support tickets or manual exports once an employee’s last day has passed.

The Practical Takeaway for Legal Operations and IT Leaders

The organizations most exposed to preservation failures are not the ones without a security process; they are the ones running two separate processes, security-driven offboarding and legal-driven preservation, that were never designed to talk to each other. Closing that gap doesn’t require slowing IT’s offboarding timeline. It requires one governed checkpoint before deactivation, backed by software that can apply a hold and collect data without needing the employee’s account to remain live.

For legal operations leaders and information governance teams, the practical next step is auditing how offboarding and legal hold currently interact: who owns the trigger decision, how quickly a hold can be applied relative to IT’s deactivation timeline, and whether custodian data is captured somewhere that survives the account itself. Those answers reveal whether an organization is prepared for the next internal investigation, or simply hoping it won’t need to be.

Onna works with legal, compliance, and IT teams to close that gap, connecting the systems where employee data lives to the legal hold and collection processes that protect it. To see how this fits your offboarding and investigation workflow, get in touch with Onna.

Subscribe to our newsletter

Get Complete Visibility into Your Unstructured Data, Today

Complete initial setup and first collection in one business day. No lengthy implementations. No IT backlog. Just full visibility into your collaboration data when you need it most.

Product
PlatformPlatform APIOnna + Reveal HoldOnna + Logikcull
Comparisons
Onna vs. EverlawOnna vs. ExterroOnna vs. HanzoOnna vs. Microsoft PurviewOnna vs. Theta Lake
Connectors
All ConnectorsSlackGoogleMicrosoft 365JiraConfluenceMiroZendeskZoom
Solutions by Use Case
PreservationCollectionsEarly Case AssessmentInternal InvestigationsData ArchivingData Activity Monitor
Solutions by Role
LegalInformation TechnologyInformation SecurityHuman Resources
Resources
Content LibraryBlogWebinars & Events
Reveal Academy
Developer Hub
Documentation
Company
About Us
Careers
Newsroom
Partnerships
Trust CenterContact Us
© Copyright 2026 Onna
Privacy PolicySAAS Terms of ServiceModern Slavery Statement