NordPass – User Data Management (Deleted Members SOP)

Platform

NordPass

Applies To: HCI Organization Admins & Owners
Authority Level Required: Owner (Primary Control Recommended)


Purpose

This procedure outlines how to:

  • Transfer vault items from a deleted member

  • Permanently delete vault items

  • Maintain compliance with internal security and data governance policies


Section 1 – Transferring Items to a New Owner

⚠️ Only Organization Owners can transfer deleted members' items.

Steps:

  1. Log in to the NordPass Admin Panel as Owner.

  2. Click “Members” (left sidebar).

  3. Select the “Deleted” tab.

  4. Locate the deleted member.

  5. Click the three-dots menu next to their email.

  6. Select “Transfer.”

  7. Choose the new owner from the list.

  8. Click Transfer to confirm.

What Happens After Transfer:

  • A folder named:
    “Transferred, [Date]”
    is created in the new owner’s vault.

  • All transferred items are stored inside that folder.

  • Shared folders transfer ownership automatically.

  • The new owner receives a vault notification.

  • Items previously in Trash will appear in the new owner’s Trash.


Section 2 – Deleting Items of a Deleted Member

⚠️ Only Organization Owners can permanently delete items.

Steps:

  1. Log in to the NordPass Admin Panel.

  2. Click “Members.”

  3. Select the “Deleted” tab.

  4. Locate the member.

  5. Click the three-dots menu.

  6. Select “Delete items.”

  7. Click Delete to confirm.

🚨 This action is irreversible.


Important Governance Notes

Visibility Limitations

  • Owners cannot view individual items of deleted members.

  • Owners cannot select specific items to transfer or delete.

  • Actions apply to the entire vault.


2000 Item Limitation

  • If the deleted user had more than 2000 items, transfer will not be available.


Automatic Deletion Policy

  • If no action is taken, items are automatically deleted after 180 days.

  • After 180 days, recovery is impossible.


Shared Item Behavior

  • If an item was shared:

    • Other users retain access.

    • Ownership is reassigned to the new owner.

  • Even empty shared folders will transfer (item count may display 0).


HCI Internal Control Recommendation

When an employee exits:

  1. Disable NordPass access immediately.

  2. Within 7 days:

    • Transfer or delete vault items.

  3. Document action taken in:

    • Offboarding checklist

    • IT asset log

    • Security audit record


Risk & Compliance Considerations (Nonprofit Context)

This process protects:

  • Donor system credentials

  • Payment gateway logins

  • Banking access

  • PCI-sensitive systems

  • Cloud admin accounts

Failure to transfer or delete could result in:

  • Credential orphaning

  • Unauthorized shared access

  • Compliance exposure


Good to consider:

  • A Cybersecurity Governance Controls Matrix for HCI