Technically no, web.config and the database contain half of the encryption keys - put the halves together and you can decrypt the content of the database.
The ZIP contains everything in /inetpub/passwordstate
The Bak, as you pointed out, is the database. So with these two things you have everything you need.
We rotate then export our encryption keys every third upgrade and send them off site in a vault to be stored - but this isn't required.
We also ship our passwordstate generated backups to a different physical server at a different site, as well as sending to tapes which get stored at an offsite vault.
At anyone one time we have some 365 copies we can restore from (on tapes, one for each day), and then 30 copies on the passwordstate server we can restore from, as well as those same ones on the second physical server in the second site.