Feature: Vault Transfer

Simplify employee offboarding

Keeper's Vault Transfer feature allows administrators to securely transfer user vaults when employees leave an organization, ensuring a smooth transition of access without exposing data.

Start Free Trial

UI of Keeper’s admin console showing the User Actions menu for vault transfer, with options to transfer account, disable 2FA, expire master password, lock account or delete user, as part of the account recovery and offboarding workflow.

How Vault Transfer works

UI of Keeper’s Transfer Account feature enabled, with the Delegated Administrator role selected as eligible for vault transfer actions during account recovery or offboarding.

1. Complete initial setup

Enable Transfer Account and user role policies during Keeper deployment.

UI of Keeper’s permission settings showing enabled admin capabilities, including team management, record type control, share admin, compliance reporting, and vault transfer rights.

2. Assign permissions

The administrator must have the Transfer Account permission. Role changes will re-trigger the consent prompt for all users.

UI of Keeper’s User Actions menu displaying administrative options, including editing a user, disabling 2FA, transferring an account, and expiring a master password for account lifecycle management.

3. Transfer the vault

Lock the account, and click Transfer Account to select a recipient. The vault transfers and the original account is deleted.

Take control over credentials when employees leave

UI of Keeper’s vault transfer interface where an admin selects an eligible user to receive vault ownership, with a search bar and radio button options for managed users.

Don’t get locked out of critical accounts

Retain access to essential systems by transferring credentials from deactivated users to active employees.

Keep operations running smoothly

Ensure business continuity by maintaining access to sensitive credentials even after an employee’s departure.

UI of Keeper’s user detail view showing account status, 2FA activation, accepted transfer policy, assigned node, and security tags highlighting a poor security score and active BreachWatch alert.

Meet internal security and compliance standards

Securely transfer vault data with full auditing to align with organizational policies and regulatory requirements.

Streamline IT and HR offboarding processes

By integrating Keeper’s Vault Transfer feature into employee offboarding, IT and HR staff can save time and minimize security risks.

Frequently asked questions

What happens to the original vault after transferring its contents?

After a vault transfer, the original user’s vault is permanently deleted. All records and folders are transferred to the recipient’s vault and placed inside a folder labeled with the original user’s email address.

Can vault transfers be reversed?

No, vault transfers cannot be reversed. Once transferred, the original user’s vault is deleted forever. If necessary, the recipient can manually re-share the transferred records, but the original vault and its structure cannot be restored.

Do administrators have direct access to vaults?

No, Keeper is built on a zero-knowledge architecture, meaning administrators cannot view or access user vault contents. They can initiate a transfer only after the user’s account has been locked, and only if key exchange (via consent) has already occurred.

What if a user doesn’t accept the consent acknowledgement?

If a user does not accept the Account Transfer consent prompt, their vault cannot be transferred. Consent is required to facilitate the secure exchange of encryption keys. Without it, the contents of the user’s vault remain inaccessible, even to administrators.

What if I don't want a vault transfer policy in my tenant?

Keeper provides organizations with the flexibility to control the Vault Transfer feature. If you prefer not to enable Vault Transfer within your tenant, you can request to disable this policy by opening a support ticket. Once submitted, the Keeper team will apply the appropriate configuration to prevent Vault Transfer.