What happens when you add a user to an organization?

Hey @andrepaulo I recently posted a comment similarly discussing this topic.

In short, as I understand it, the Bitwarden server will store an encrypted copy of the Organization's symmetric encryption key, which is encrypted with the public key of an RSA key pair associated with your account.
(Hence this can only be decrypted with the user's private key, maintaining the zero-knowledge architecture where only you hold your keys.)

While onboarding new users in an organization, the “confirmation” process performs an exchange of the organization’s encryption key from the organization admin to the new organization user. The organization admin user asks the server for the new user’s public key, which is then used to encrypt the organization key before being transmitted back to the server for storage.

Source (BWN-01-008)

This is particularly important and part of the reason for the account fingerprint phrase.
Hope this information helps 🙂
