Spotlight on data protection

Meet the highest bar in Europe

GDPR

Get in-region data protection with Intelligent Content Management

At Box, securing our customers’ content is our top priority. Whether you're looking to process and/or transfer your data from the European Economic Area (EEA) or the United Kingdom (U.K.), we're here to help you with your data protection obligations. We pair our seamless end-user experience with an unmatched level of frictionless security, enhanced visibility, and meticulous control.

The global impact of Europe's data protection laws

The European Union GDPR and U.K. Data Protection Act harmonize data privacy laws and regulations across the region, enhance data protection for E.U. and U.K. data subjects, and reshape the way organizations approach data privacy. If you do business in the E.U. or U.K., you'll need to comply with these data protection laws. Below we've outlined the recent evolution of data privacy regulations and guidance, as well as the steps we've taken to ensure we offer the privacy, security, and compliance you need.

 


The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. companies like Box with reliable mechanisms for personal data transfers. To view our certifications, click here.


Box was among the first cloud content management platforms to have its Processor and Controller Binding Corporate Rules (BCRs) approved by European regulators in 2016. Today, we maintain Processor and Controller BCRs for both the EU and UK — the platinum standard in regional data protection. Learn more on our Regional Information Page.


The EU AI Act and GDPR set the benchmark for building AI that is safe, transparent and respectful of personal data. At Box, we’ve built privacy, security and AI Governance into Box AI. To learn more, visit our Box AI Trust webpage.


Strong AI governance is the key to unlocking innovation while managing risk. It’s about setting clear policies, oversight, and safeguards so AI works as intended. At Box, we see governance not as a hurdle, but as the foundation for building AI our customers can trust. To learn how you can set up your own AI governance program, click here.

Request to Sign your DPA

 

Box is committed to protecting the privacy of personal data. No matter the changing landscape, including the CJEU's Schrems II decision to invalidate Privacy Shield, the United Kingdom’s departure from the European Union (Brexit) or the issuance of updated SCCs by the European Commission, we’ve made it easy for our customers to maintain a lawful data transfer mechanism.

To offer the most flexible options to customers when it comes to transfers of personal data, our Data Processing Addendum (DPA) includes the updated EU SCCs issued on June 27, 2021 by the European Commission and the UKSCCs issued by the UK's Information Commissioner's Office (ICO) on March 21, 2022. To review Box's DPA, click here. To begin the DPA signature process, please submit your request via the link below and our team will respond promptly with any additional information required.

Request to sign your DPA


Our commitment to data privacy in the AI-first era

At Box, ensuring the privacy and security of our customers’ content is a foundational principle at the heart of our intelligent content management platform. We believe that Box AI unlocks powerful new ways for customers to engage with their content – and recognize that adopting generative AI technology introduces new responsibilities and risks that must be addressed thoughtfully and transparently.

As AI regulations continue to take shape globally, we know you may have questions about how Box fits into the evolving regulatory landscape – especially under frameworks like the European Union’s Artificial Intelligence Act (EU AI Act). That's why we've published a new knowledge paper: “The EU AI Act & Box AI: Building Privacy, Compliance, and Trust”. To request the knowledge paper, please contact us at privacy@box.com.

How our products help you maintain seamless compliance

Box KeySafe

Enhance your encryption key management strategy.

Box Governance

Meet data retention obligations.

Box Shield

Detect and protect against malware attacks.

Data protection beyond Europe

US State Privacy Laws

At Box, we understand that compliance with U.S. state privacy laws can be a challenge. Our platform provides secure content management, collaboration, and workflow capabilities that help us maintain our own compliance with various state privacy regulations, including the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and Utah Consumer Privacy Act. Our updated US Data Processing Addendum includes specific provisions relevant to these evolving state privacy laws, reflecting our commitment to protecting customer data and maintaining transparency as privacy regulations continue to advance at both federal and state levels. To learn more about Box's US state privacy compliance efforts, click here.

 

Asia-Pacific Economic Cooperation (APEC) & Beyond

Box is proud to be certified under the APEC and Global Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, the gold standard in regional data privacy compliance. Maintaining compliance with these frameworks ensures personal data is protected as it's transferred among the participating countries. To learn more about Box's APEC and Global CBPR/PRP certifications, please visit our regional information page.

To learn more about Box's ongoing commitment to privacy, security, and compliance, please visit our Trust Center.

 

FAQ