All encryption is performed client side within the Admin Console, and at no time does Keeper have the ability to decrypt the information being shared or transferred. Additionally, at no time is a user's client Data Key shared. Therefore, the data cached on a user’s device cannot be decrypted without the user’s master password. A user who is removed from a team, shared folder, or direct share will not receive new data from the team, shared folder, or record. Although the record, folder and team keys are compromised to the admin during the transaction, the keys are not usable for gaining access to the underlying record or folder data.