If you've been through a SOC 2 audit in the last two years, you've probably noticed the questions getting sharper. Not just “do you have a vendor management policy?” but “show me what happened when you offboarded Vendor X last quarter.” Not just “do you have a data disposal process?” but “walk me through the evidence trail for a specific vendor termination.”
The shift is subtle but significant. And it's centered around a control that most organizations have on paper but almost none have in practice: CC6.5.
What CC6.5 actually says
SOC 2 is built on the Trust Services Criteria, and CC6.5 falls under the Common Criteria for Logical and Physical Access Controls. The criterion addresses the disposal, destruction, and removal of data when it's no longer needed to meet the entity's objectives.
The full criterion is broader than just vendor offboarding — it covers internal data disposal, hardware decommissioning, and media destruction. But the vendor angle is where the most significant gaps tend to surface during audits, because it involves a third party whose actions you can't directly control.
For vendor relationships, CC6.5 effectively requires you to demonstrate that when a vendor relationship ends, the data they held on your behalf is properly disposed of. “Properly” means in accordance with your data retention policies, your contractual obligations, and the sensitivity of the data involved.
Why auditors are tightening here
The supply chain risk narrative has changed. High-profile supply chain breaches over the past few years have shifted the industry conversation from “are your vendors secure?” to “what happens to your data across the full vendor lifecycle?” Auditors are reflecting this shift in their testing procedures.
Vendor sprawl is creating material risk. When a company had 15 vendors, the risk from incomplete offboarding was manageable. When a company has 150 vendors and offboards 20 to 30 per year, the cumulative exposure from undocumented offboardings becomes material. Auditors are starting to treat it accordingly.
Complementary frameworks are raising the bar. If your customers are in the EU, they're subject to GDPR. If they're in financial services, DORA and the various banking regulatory frameworks have explicit vendor lifecycle requirements. SOC 2 auditors are increasingly considering these intersecting frameworks when evaluating vendor management controls.
Evidence standards are evolving. Five years ago, having a vendor management policy that mentioned offboarding was sufficient. Today, auditors want to see the policy and the evidence that it was executed. They want to trace a specific vendor offboarding from initiation through data deletion confirmation.
What auditors are actually asking
“Show me your vendor offboarding procedure.” This is the baseline. Auditors want to see a documented, repeatable process — not a policy statement, but an operational procedure. It should cover who initiates offboarding, what steps are required, what evidence is collected, and how completion is verified.
“Give me a list of vendors offboarded in the audit period.” This is where it gets real. The auditor wants to select specific vendor offboardings and test them against your procedure. If you offboarded eight vendors this year and your process was followed for two of them, that's a finding.
“Show me the evidence for Vendor X's offboarding.” For selected vendors, auditors want to see the full evidence package: the offboarding initiation record, the data inventory, the deletion request, the vendor's response, the deletion certification, and the access revocation confirmation. They want timestamps. They want specifics.
“How do you verify that the vendor actually deleted the data?” This is the question that trips up most organizations. Sending a deletion request is one thing. Verifying that the deletion occurred is another. Auditors are increasingly unsatisfied with “we sent an email and they said they did it.”
“What happens with backups and sub-processors?” Sophisticated auditors know that production data deletion doesn't mean complete deletion. They'll ask whether your deletion requests address backup systems, disaster recovery environments, analytics databases, and sub-processors.
The control exists on paper at most companies. The evidence does not.
The gap between policy and evidence
Here's the uncomfortable truth: most companies that have a vendor offboarding policy don't have vendor offboarding evidence. The policy says the right things. The practice is an email thread, a verbal confirmation, and a line item moved to “inactive” in a spreadsheet.
This is the gap that creates audit findings. CC6.5 isn't satisfied by having the right policy. It's satisfied by demonstrating that the policy was consistently executed and that evidence exists to prove it.
The root cause isn't negligence — it's infrastructure. Most organizations don't have a dedicated system for managing vendor offboardings. The process is distributed across email, Slack, spreadsheets, and ticket systems. There's no single source of truth, no structured evidence collection, and no standardized output format.
How Fimi closes the evidence gap
This is the exact problem we built Fimi to solve. Not by replacing your GRC platform — OneTrust, Vanta, and Drata are great at what they do. But by giving you a purpose-built system for the part of the vendor lifecycle they don't cover: what happens after the relationship ends.
Here's what a vendor offboarding looks like in Fimi:
Structured offboarding initiation. When a vendor relationship is flagged for termination — whether by procurement, the business unit, or an upcoming contract expiration — Fimi creates a structured offboarding record. This becomes your single source of truth for every step that follows.
Automated data inventory. Fimi parses your DPA and vendor agreements to extract the data categories, storage locations, sub-processor relationships, and contractual deletion obligations. Instead of manually reconstructing what data the vendor had, you start with an inventory built from your own contracts.
Scoped deletion requests with tracking. Fimi generates deletion requests that reference specific data categories and systems — production, backups, analytics, sub-processors. Each request includes a deadline and specifies the deletion certification format you require. Automated follow-ups ensure nothing slips through the cracks.
Deletion certification validation. When the vendor responds, Fimi captures their certification and validates it against the original scope. Did they address all data categories? Did they cover backups and sub-processors? Did they document any retention exceptions with legal basis? Gaps are flagged automatically.
Audit-ready evidence packages. Every completed offboarding produces a structured evidence package: data inventory, deletion request, vendor correspondence, deletion certification, access revocation confirmation, and a full timeline. When the auditor asks for evidence of Vendor X's offboarding, you export the package in minutes — not hours of email archaeology.
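The certification-validation step above (checking a vendor's deletion certification against the scoped request, including backups and sub-processors, and accepting retention exceptions only with a stated legal basis) can be illustrated with a small reconciliation script. This is an added example, not Fimi's code; the vendor "ExampleCo", "SubProc-A", the data categories and the dates are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class DeletionScope:          # what the deletion request asked for (from the inventory)
    vendor: str
    data_categories: set
    systems: set              # e.g. production, backups, analytics
    sub_processors: set

@dataclass
class Certification:          # what the vendor's certification actually attests to
    vendor: str
    deleted: dict             # category -> set of systems confirmed deleted
    sub_processors: set       # sub-processors whose deletion was confirmed
    retention_exceptions: dict  # (category, system) -> legal basis text or None
    signed_on: str

def find_gaps(scope, cert):
    """Return gap findings; an empty list means the certification covers the scope."""
    gaps = []
    if cert.vendor != scope.vendor:
        gaps.append(f"certification names {cert.vendor!r}, scope is {scope.vendor!r}")
    for cat in sorted(scope.data_categories):
        confirmed = cert.deleted.get(cat, set())
        for system in sorted(scope.systems):
            if system in confirmed:
                continue
            if (cat, system) in cert.retention_exceptions:
                if cert.retention_exceptions[(cat, system)]:
                    continue  # documented exception with a legal basis is acceptable
                gaps.append(f"{cat}/{system}: retention exception lacks a legal basis")
            else:
                gaps.append(f"{cat}/{system}: not addressed in certification")
    for sp in sorted(scope.sub_processors - cert.sub_processors):
        gaps.append(f"sub-processor {sp}: deletion not confirmed")
    return gaps

# Constructed sample: hypothetical vendor "ExampleCo" whose certification skips the
# customer_pii backups (exception with no legal basis) and a sub-processor.
SCOPE = DeletionScope("ExampleCo", {"customer_pii", "support_tickets"},
                      {"production", "backups", "analytics"}, {"SubProc-A"})
CERT = Certification("ExampleCo",
    deleted={"customer_pii": {"production", "analytics"},
             "support_tickets": {"production", "backups", "analytics"}},
    sub_processors=set(),
    retention_exceptions={("customer_pii", "backups"): None},
    signed_on="2024-03-01")

if __name__ == "__main__":
    print("\n".join(find_gaps(SCOPE, CERT)) or "certification covers full scope")
```

Each flagged line is exactly the kind of gap an auditor will probe when asking about backups and sub-processors, so the list doubles as the follow-up request to the vendor.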
Beyond CC6.5: the broader control environment
Vendor offboarding evidence doesn't just satisfy CC6.5. It supports multiple Trust Services Criteria:
CC3.2 (risk assessment) is strengthened when you can demonstrate that vendor termination risks are identified and managed. CC6.1 (logical access) is supported by evidence that vendor access was revoked at offboarding. CC9.2 (risk mitigation) benefits from documentation showing that vendor-related risks are addressed through the full lifecycle, including termination.
A strong vendor offboarding process also supports your broader compliance narrative. When an auditor sees that you manage the end of vendor relationships with the same rigor as the beginning, it signals a mature control environment.
Fimi customers tell us that the audit conversation around vendor offboarding goes from their most stressful topic to their strongest evidence. That's the difference between scrambling for email threads and handing over a structured evidence package.
The trajectory
SOC 2 has always been a moving target. The Trust Services Criteria provide a framework, but the practical expectations — what auditors actually test and what constitutes sufficient evidence — evolve with the threat landscape and regulatory environment.
Vendor offboarding is moving from “nice to have” to “table stakes.” The organizations that invest in a structured, evidence-driven offboarding process now will be ahead of the curve when audit expectations tighten further.
The control exists on paper at most companies. The evidence doesn't. Fimi closes that gap.