Understanding the Recovery Group in Password Boss

A step-by-step guide for admins to recover organizational backup data using the Recovery Group

Written by Chris Liles

Updated at May 19th, 2026

Table of Contents

  • Overview
  • How organizational backups work
  • How to use the Recovery Group to restore a user
    • Phase 1 — Admin (Partner Portal)
    • Phase 2 — End user (Web App)
    • Phase 3 — Admin cleanup (Partner Portal)
  • Recovery without a Recovery Key PDF
  • Post-deletion recovery
  • Troubleshooting
  • Security notes

Overview


This runbook is intended for Password Boss administrators. It covers how the Recovery Group works, when to use it, and the exact steps required to restore organizational backup data for a user who has lost account access.

The Recovery Group is a built-in group in the Partner Portal that enables authorized users to decrypt and restore organizational backup files. Because Password Boss uses zero-knowledge encryption — meaning Master Passwords are never stored — losing access to an account can render business data inaccessible without a proper recovery workflow.

Membership in the Recovery Group is temporary and intentional. Users should be added only to perform a specific recovery operation, then removed immediately afterward.

 

How organizational backups work


A separate backup of each user's business profile items is created automatically when the Back up all business profile items policy is enabled. These backups are encrypted using the organization's Recovery Group keys — a public/private key pair tied to the group itself.

For a backup to generate successfully, all of the following conditions must be met:

  • Internet connectivity is available
  • The backup policy is enabled and synced
  • The Recovery Group exists and is synced
  • The Recovery Group has members with synced entries
  • Both public and private keys are present for the Recovery Group
  • The upload server is reachable

You can verify all of these conditions at any time from Settings → Troubleshoot → Organizational Backup in the Web App. This screen runs a live validation check and displays each condition as a pass/fail. A downloadable diagnostic report is also available from this screen.

 

How to use the Recovery Group to restore a user


Recovery is a three-phase process — admin steps in the Partner Portal, end-user steps in the Web App, and admin cleanup when complete.

Phase 1 — Admin (Partner Portal)

  1. Locate and download the user's organizational backup file from the Partner Portal under Backups.
  2. If the user has lost account access entirely, navigate to their account and use Reset Master Password. This wipes their encrypted data — confirm the backup file is in hand before proceeding.
  3. Go to Groups → Recovery and add the affected user to the Recovery Group.
  4. Identify an existing Recovery Group member who is confirmed to already have their key pair. Have that member log in to the Password Boss Web App. This step is required — without an existing key-holding member actively logged in, the key pair cannot be shared with the newly added user.
  5. Have the newly added user also log in to the Web App. The key exchange happens automatically once both users are connected. Do not proceed to Phase 2 until the new user has successfully received the key pair.
     

The Recovery Group must always have at least one valid key-holding member.

A user can only be removed from the Recovery Group after a replacement member has been added, logged in, and confirmed to have received the key pair. Both the outgoing and incoming members must connect to the Web App for the exchange to complete. Only after that exchange is confirmed can the outgoing member be safely removed.

The app will block removing the last valid Recovery Group member unless the action is forced. This must never be forced. Doing so will make all existing organizational backups permanently unrecoverable.

 

 

Phase 2 — End user (Web App)

This phase can only proceed once the user has successfully received the Recovery Group key pair in Phase 1.

  1. Log in to the Password Boss Web App at app.passwordboss.com.
  2. Go to Settings → Import and upload the organizational backup file provided by the admin.
  3. The Web App decrypts the backup using the Recovery Group key pair now associated with the account.
  4. Confirm that organizational credentials and vault items are restored correctly.
     

Phase 3 — Admin cleanup (Partner Portal)

  1. Return to Groups → Recovery and remove the user from the Recovery Group once restoration is confirmed complete.
  2. Before removing, confirm that at least one other Recovery Group member remains, is actively logged in to the Web App, and has their key pair intact. Never remove a member if they are the last valid key holder.
     

Recovery without a Recovery Key PDF


If the user does not have their Recovery Key PDF (the self-service recovery option), the only path is:

  1. Admin resets the account (this wipes existing encrypted data)
  2. Recovery is performed using a backup file via the Recovery Group workflow above

This is why users should be encouraged to download their Recovery Key PDF from Settings → Security → Get Recovery Codes as part of initial account setup. The Recovery Key PDF allows users to regain access on their own without admin involvement.

 

Post-deletion recovery


Organizational backups may still be recoverable after an account is deleted, provided the backup file still exists and falls within the backup retention period. If you need to recover data for a deleted account, contact support to confirm backup availability before proceeding.

 

Troubleshooting


| Symptom | Likely cause | Resolution |
|---|---|---|
| Backup file won't import | User is not in the Recovery Group | Verify Recovery Group membership in the Partner Portal |
| Backup file won't import | File is invalid or corrupted | Confirm the correct file was used; re-download from Partner Portal if needed |
| Backup file won't import | Data is outside the retention window | Confirm backup availability with support |
| Data missing after restore | Backup was incomplete or only partial | Validate backup scope; confirm the Organizational Backup Policy was active at time of backup |
| Decryption fails | Recovery Group keys not present | Check Settings → Troubleshoot → Organizational Backup to confirm public/private keys are set |
| Decryption fails | Wrong user performing the import | Re-add the correct user to the Recovery Group and retry |
| Cannot delete account | Account is in a Recovery Group | Remove the account from the Recovery Group first; if the group belongs to a different organization, escalate to support |

 

Security notes


  • Keep Recovery Group membership to the minimum necessary. Add users only during an active recovery operation and remove them immediately after.
  • Backup files contain encrypted organizational data, and you should treat them as sensitive information. Handle securely during transfer and do not store them in shared or public locations.
  • All recovery activity should be tracked through your administrative processes. Recovery Group membership changes and backup file downloads are auditable events.
  • Password Boss never stores Master Passwords. Resetting a Master Password permanently removes access to data encrypted with the old password. Always confirm a backup exists before resetting.
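
The notes above call Recovery Group membership changes and backup file downloads auditable events. As an added example (not Password Boss code), this sketch reviews a constructed event list for two conditions this runbook warns about: a Master Password reset with no earlier backup download, and a temporary member left in the Recovery Group. The event types, field names, the `standing` set of permanent key holders and the 24-hour window are assumptions; the product's real audit export format is not shown on this page.

```python
from datetime import datetime, timedelta

# Constructed sample events. Event types and field names are assumptions,
# not the product's real audit export format.
EVENTS = [
    {"ts": "2026-01-10T08:00", "type": "recovery_group_add", "target": "carol"},
    {"ts": "2026-05-01T09:00", "type": "backup_downloaded", "target": "alice"},
    {"ts": "2026-05-01T09:05", "type": "master_password_reset", "target": "alice"},
    {"ts": "2026-05-01T09:10", "type": "recovery_group_add", "target": "alice"},
    {"ts": "2026-05-01T11:00", "type": "recovery_group_remove", "target": "alice"},
    {"ts": "2026-05-02T14:00", "type": "master_password_reset", "target": "bob"},
    {"ts": "2026-05-02T14:05", "type": "recovery_group_add", "target": "bob"},
]

def review(events, now, standing=frozenset(), window=timedelta(hours=24)):
    """Return (account, finding) pairs for events that break the runbook's rules.

    standing: accounts kept in the group on purpose so that at least one
              key-holding member always exists (never flagged as stale).
    window:   how long a temporary recovery membership may last (assumed value).
    """
    findings = []
    downloaded = set()    # accounts whose backup file has been downloaded
    member_since = {}     # account -> time it was added and not yet removed
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, kind, who = datetime.fromisoformat(e["ts"]), e["type"], e["target"]
        if kind == "backup_downloaded":
            downloaded.add(who)
        elif kind == "master_password_reset":
            # A reset wipes encrypted data, so a backup must be in hand first.
            if who not in downloaded:
                findings.append((who, "reset_without_backup_download"))
        elif kind == "recovery_group_add":
            member_since[who] = ts
        elif kind == "recovery_group_remove":
            member_since.pop(who, None)
    # Anyone still in the group past the window, other than standing key holders.
    for who, since in member_since.items():
        if who not in standing and now - since > window:
            findings.append((who, "membership_past_window"))
    return findings

if __name__ == "__main__":
    for who, finding in review(EVENTS, datetime(2026, 5, 5), standing={"carol"}):
        print(f"{who}: {finding}")
```
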

 

 
