Box Trust Center

Our data encryption strategy is based on requirements from standards such as HIPAA/HITECH Act, PCI DSS, and ISO 27001 requirements and adherence to NIST- recommended algorithms and methods, among others.

Box uses TLS 1.3 as the standard protocol to encrypt content uploaded to Box in transit. If a user’s browser does not support the TLS 1.3 protocol, Box will use TLS 1.2. We use an Advanced Encryption Standard (AES) algorithm with a key size of 256 bits to encrypt data at rest.

Box has an established incident management process driven by our dedicated Security Incident Response Team to provide a consistent and organized approach for handling security (including confidentiality) and availability incidents. In the event of a confirmed incident involving their data, we will notify the customer (specifically the Box Administrator listed within the customer's account) within the timeframe required under applicable law or in accordance with the agreement between Box and its customers.

Box implements various procedures to minimize the risk of unauthorized access to data. Access is granted based on the principle of "least privilege," which means access to Box systems is provisioned to a minimum level necessary for an individual to perform their job duties. Additionally, two-factor authentication over VPN is required to access the systems that support the Box service.

Box performs authenticated and unauthenticated network vulnerability scans of our production environment, which is inclusive of network, OS, and database scans, at least monthly or upon any significant changes. Box also performs authenticated Web Application vulnerability scans at least monthly or upon any significant changes. We remediate our high-severity findings within 3–30 days based on their security impact.

Box engages various independent security service companies to perform Penetration Tests of our services. Testing is performed on Box's Web Application, network, and other services annually. A penetration test executive summary report can be provided under NDA. Please contact your account team to request a copy.

Physical access to Box's server rooms and data centers is restricted to authorized personnel with business justification and must be approved by Box Technical Operations management. Mechanisms such as RFID badge, personal identification numbers (PINs), bio-metric scanning, and 24/7 security cameras are in place to further ensure only authorized personnel can access the facilities.

Box has a formal Vendor Review process that evaluates vendors doing business with Box. Each vendor is risk-ranked based on our data classification standard and vendor reviews are conducted based on their risk rank.

Secure software development is of utmost importance to the Software Development Lifecycle (SDLC) at Box. Box performs the following to ensure code is being developed securely:

• Secure software development training for developers (e.g., training on OWASP top 10)
• Threat modeling
• Dynamic code analysis
• Static code analysis
• Web application penetration testing
• Security, legal and compliance reviews for critical products and services

Box maintains the following security compliance certifications, standards, and reports:

• Cloud Computing Compliance Controls Catalogue (C5)
• Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level 4 Authorization
• FedRAMP (Moderate)
• FINRA/SEC 17a-4
• FIPS 140-2
• G-Cloud Framework
• GxP Validation
• HIPAA and HITECH
• International Traffic and Arms Regulations (ITAR) and Export Administration Regulations (EAR)
• ISMAP
• IRS-1075
• ISO 27001
• ISO 27017
• ISO 27018
• ISO 27701
• NIST 800-53
• NIST 800-171
• PCI Data Security Standard
• SOC 1 (SSAE 18) Type II
• SOC 2 Type II
• SOC 3

Box has established an information security management system program primarily based on ISO 27001 and NIST 800-53. As part of this program, Box has developed policies and procedures that define the information security rules and requirements for maintaining security and compliance, and for safeguarding our customers’ data. Policies and procedures are communicated to Box employees and third-parties with access to Box systems. Policies and procedures are reviewed, updated as necessary, and approved by management at least annually. For more information about Box’s information security policies, our Information Security Policy Overview knowledge paper can be provided under NDA — please contact your account team for more information.

Box has a Global Training and Awareness Program and requires all employees to complete a security and privacy training as part of new hire orientation and annually thereafter. Additionally, various role-based trainings are conducted at least annually.

Box has established procedures around logging and monitoring security events and activities in the Box production environment. Alerts are configured to notify the appropriate teams to take action as necessary. Production environment logs are retained for at least one year.

Customers with Box Business accounts and higher can monitor activity and view data about their Box accounts and the content owned by their accounts by generating on-demand reports in their Admin Console. Click here to learn more.

Box has an established enterprise risk management program to identify, assess, quantify, respond to, and monitor risks that could have a material impact on Box's ability to achieve its business objectives. Box's risk management methodology is adapted from ISO 31000:2018, COSO 2017 Enterprise Risk Management Framework, ISO 27001/27005, NIST 800-30, and HIPAA/HITECH standards. Box's Enterprise Risk Management team performs strategic and operational risk assessments annually across the enterprise. The results of these assessments are reviewed with the Audit Committee or Board of Directors. Mitigation strategies are designed and implemented as needed.

Box engages independent third parties on a periodic basis to perform audits required for the security compliance certifications we have and maintain. Box also has an internal audit function that is responsible for evaluating Box's internal controls. Additionally, Box's Legal Team regularly reviews applicable rules and regulations and will notify the Governance, Risk, and Compliance team of legislative or regulatory changes which necessitate an update to information security policies and procedures.

Customers can visit status.box.com for communications on the availability of Box services. From the Box status page, customers can also subscribe to email notification for whenever Box creates, updates, or resolves an incident.

Our Enterprise Resiliency team has established business continuity, disaster recovery, emergency response, and crisis management plans which include strategies, procedures, and contact information to be used in the case of a disruption due to an adverse event. These plans are tested annually to ensure recovery preparedness and any significant changes to plan processes or environment are documented. Box’s most recent disaster recovery exercise report can be provided under NDA. Please contact your account team for more information.

We employ an active-active data center model, which serves content concurrently out of multiple data centers. In the event of an adverse event that affects a specific data center, the unaffected data center is able to support the Box service. In the event of an adverse event that affects the geographic region and impacts our primary data centers, the Box service will be operated from an alternate location.

Box's RTO to restore critical services is 8 hours, and RPO is 4 hours. However, we employ an active-active data center model, which serves content concurrently out of multiple data centers. In the event of an adverse event that affects a specific data center, the unaffected data center is able to support the Box service. In the event of an adverse event that affects the geographic region and impacts our primary data centers, the Box service will be operated from an alternate location.

If ransomware affects Box content, customers can contact Box Support for help in remediating the issue. Box has an additional backup copy stored of all content and an active-active data center model which allows Box to rollback to the last known uncorrupted version of a customer's file. Also, Box may restore the original file from the trash and remove a corrupted file if ransomware has deleted an original file and uploaded a new malicious file. Click here to learn more.

We respect the privacy rights of users and recognize the importance of protecting your information. To learn more about how information is collected, retained, used, disclosed, and transferred by Box, take a look at our privacy notice.

Following the issuance of the finalized European Data Protection Board (EDPB) guidance on June 21, 2021, we recognize that our customers may have additional questions about how Box safeguards customers personal data.

To support our customers in meeting their due diligence obligations as controllers under General Data protection Regulation (GDPR), and to comply with our own Article 28 obligations as a processor, we’ve issued a Due Diligence and Supplementary Measures Report that is available upon request. This report includes detailed information regarding the technical and organizational safeguards Box currently has in place, the lawful data transfer mechanisms that Box utilizes, and how we handle public authority requests while maintaining compliance with GDPR.

To request the report, please contact privacy@box.com

We comply with region-specific data privacy regulations such as the General Data Protection Regulation (GDPR), Asia-Pacific Economic Cooperation (APEC), Cross Border Privacy Rules (CBPR), Privacy Recognition for Processors (PRP), and the California Consumer Privacy Act (CCPA). To learn more, take a look at our regional information notice.

Early on, we made a commitment to offer customers a cloud-based content management platform and product offering that not only met, but surpassed, industry standards. We've also historically offered customers an overlapping set of legal mechanisms and frameworks for data transfers outside of the EEA. These mechanisms include (1) Controller and Processor Binding Corporate Rules (BCRs), and (2) SCCs. And, while the CJEU invalidated Privacy Shield as a valid data transfer mechanism, we will continue to adhere to the Privacy Shield principles and the annual independent assessment performed to ensure compliance. To learn more about our continued dedication to safeguarding your data and our ongoing commitment to data privacy protection, check out our blog post.

Box uses the subprocessors identified on our subprocessors page to assist with data processing activities. This page outlines the services each subprocessor provides and the location of service, along with the due diligence procedures we perform prior to engaging any subprocessor. Subprocessors are strictly prohibited from using customer data, content, or personal data for any purpose other than to support Box in providing the service to its customers.