Box Security

Protect the flow of information

A safer place for all your content

The flow of content isn’t slowing down anytime soon, and that means heightened security risks for your business. More collaboration, coupled with ever-evolving regulatory requirements, calls for a solution that keeps your teams productive — and your sensitive content safe and compliant.

Box Shield

Intelligent, frictionless security

With work happening faster than ever, you need a way to prevent data leaks that doesn't slow down your business. Box Shield does just that, bringing you precise, classification-based controls that prevent accidental data leaks. Plus, intelligent, ML-powered alerts help you quickly detect potential threats. With Box Shield, you reduce risk and protect the flow of information without impacting how you work.

Total visibility and control

With Box, you can easily manage file access and sharing policies, as well as effectively govern your corporate data. At the same time, you can reduce the risk of data loss with full visibility and a centralized way to manage your content, security, policy and provisioning.


Explore IT & Admin Controls and Box Governance to see how we help you take control of your content security. Plus, you'll learn how Box helps you place legal holds, apply security classifications and manage the entire lifecycle of your documents with retention policies — all without impacting productivity.

Security backed by hardened infrastructure

We offer the Box service from multiple data centers with strong security practices that are independently validated by third-party auditors. Every file you store with Box is maintained and encrypted using AES 256-bit encryption in geographically diverse areas, leveraging both the Box data centers as well as the redundant facilities managed by Box partners.


With Box Zones, you can choose exactly where you store your encrypted files around the globe. By leveraging data centers operated by Box partners such as AWS, Google, Microsoft and IBM, Box Zones enables you to easily and securely store your data in one location or in multiple regions. Using Box Zones is completely invisible to end users and addresses your organization's data residency needs.

Privacy that fits your needs

Box effectuates EU personal data transfers pursuant to our Processor Global Binding Corporate Rules and Controller Global Binding Corporate Rules (BCRs), approved by the European Data Protection Authorities in August 2016. Check out our BCRs FAQs to learn more. We're also certified under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System, the United Kingdom's G-Cloud Framework and Germany's TÜV Rheinland Certified Cloud Services standards. Plus, we help our customers meet new global privacy obligations, such as the General Data Protection Regulation. Review our privacy policy for more information.


Box KeySafe makes it easy to secure your sensitive content in the cloud, providing you with unchangeable audit logs and a cost-effective way to manage your own encryption keys.


“Security is key in everyone's business. We have the ability to downgrade sovereign nations, so it’s an imperative for us. We have to be really thoughtful about putting the right controls in place and ensuring that information is not accessible where it shouldn’t be.”

Seth Fox, Global Head of Workplace Services, S&P Global

Availability for all

We deliver a secure, resilient and highly available service at scale to organizations in all industries, with more than one billion files processed every single day. Box uses multiple data centers with reliable power sources and backup systems to offer 99.9% SLAs and redundancy.

Seamless security integrations

Our seamless integrations with trusted security partners extend your security controls in the cloud. The Box Trust Ecosystem brings you identity and authentication, network controls, Security Information and Event Management (SIEM) and analytics, as well as specific solutions for eDiscovery, mobile security and Data Loss Prevention (DLP).

Compliance across the board

Box is dedicated to providing best-in-class security, compliance and data protection for our customers. Whether you need to meet specific industry regulations or international security and data privacy standards, Box has all of your compliance bases covered.

SOC 1, SOC 2 and SOC 3

Box maintains a SOC 1 report based on the SSAE 18 standard, SOC 2 report based on the ISAE 3000 standard, and SOC 3 report based on TSP Section 100a from an independent third party.

ISO 27001/27018

Box is ISO 27001 and ISO 27018 certified for its Information Security Management System and privacy protection as a PII processor.

DoD Cloud SRG

Box is accredited at Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level 4 Authorization.


Box has been granted an Authority to Operate and is listed as a FedRAMP compliant system at the moderate impact level.


Box Governance enables organizations in highly regulated industries, such as financial services, to comply with write once read many (WORM) retention requirements like SEC 17a-4.


Box is compliant with HIPAA and HITECH, and customers can configure their Box accounts to comply with HIPAA requirements.


Our GxP offering lets life sciences companies show the FDA they're in full control of their processes and can safely work with regulated content in Box.


Box is GDPR-ready, so you can use Box as the Cloud Content Management platform to facilitate your GDPR compliance program. Box meets the highest bar for data privacy while fulfilling your global data privacy obligations.

Key features

Granular user permissions, with 7 user-friendly sharing roles

Organization-wide controls on sharing and collaboration permissions

Robust device and access controls, both natively in Box and with EMM partners such as AirWatch and Intune

User-friendly information rights management for secure external sharing, including custom watermarking

Native content security policies and available integration with leading CASB and DLP vendors

In-depth audit logs, easy end user and admin reporting, and integration with popular SIEM tools

Native information governance and eDiscovery capabilities

FIPS 140-2 certified, AES 256-bit encryption at rest and in transit, with the option of customer-managed encryption keys

SSO support with all major portals, native password controls, as well as two-factor authentication for internal and external users

Achieve digital transformation with good governance

Learn and see in a demo how Box Governance provides the guardrails your organization needs to effectively govern content in the cloud.

Governance webinar

Learn how Coalfire Systems uses Box Governance and Box KeySafe to meet their data protection needs.

Securing business information in the cloud

Learn how to secure your business information in the cloud.

Rethink how you secure your business content