Box Trust Center

Box implements procedures to minimize the risk of unauthorized access to data. Access is granted based on the principle of "least privilege," which means access to Box systems is provisioned to a minimum level necessary for an individual to perform their job duties. Additionally, multi-factor authentication over VPN is required to access the systems that support the Box service.

Box’s data encryption strategy is based on requirements from standards including HIPAA/HITECH Act, PCI DSS, and ISO 27001 requirements and adherence to NIST- recommended algorithms and methods. Box uses TLS 1.3 as the standard protocol to encrypt content uploaded to Box in transit. If a user’s browser does not support the TLS 1.3 protocol, Box will use TLS 1.2. We use an Advanced Encryption Standard (AES) algorithm with a key size of 256 bits to encrypt data at rest.

Box has an established incident management process driven by our Security team to provide a consistent and organized approach for handling security incidents. In the event of a confirmed incident impacting the confidentiality, integrity and/or availability of customer data, we will notify within the timeframe required under applicable law or in accordance with the agreement between Box and the customer.

Box performs authenticated and unauthenticated network vulnerability scans of our production environment, which is inclusive of network, OS, and database scans, at least monthly or upon any significant changes. Box also performs authenticated Web Application and API vulnerability scans at least monthly or upon any significant changes. We remediate our critical-severity findings within 48 hours and high-severity findings between 3 to 30 days, based on their security impact. 

Box engages various independent security service companies to perform Penetration Tests of our services. Annual penetration testing is performed on Box’s Web Application, Mobile Application, APIs, network, and other services. A penetration test executive summary report can be provided under NDA. Please contact your account team to request a copy.

The Box service, including the Box application and encrypted customer content, is hosted within Google Cloud Platform (GCP) infrastructure. Box relies on GCP for the physical security of the data centers they own and manage on behalf of Box and others. Box performs an annual review of GCP as a critical third party, during which we review the operational effectiveness of their physical security controls.

In addition, Customers may choose to utilize Box Zones, a product offering that provides the option to store their content in specific regions or countries. Box follows a consistent approach to physical security, regardless of the Cloud Service Provider (CSP) used to support Box Zones. To learn more about Box Zones, please visit our website at https://www.box.com/zones.

Box has a formal Vendor Review process that evaluates vendors doing business with Box. Each vendor is risk-ranked based on our data classification standard and vendor reviews are conducted based on their risk rank. 

Secure software development is of utmost importance to the Software Development Lifecycle (SDLC) at Box. Box performs the following to ensure code is being developed securely:

• Secure software development training for developers (including training on OWASP top 10)
• Threat modeling
• Dynamic code analysis
• Static code analysis
• Peer code review
• Web and mobile application penetration testing
• Security, legal and compliance reviews for critical products and services

Box maintains the following security compliance certifications, standards, and reports:

• Cloud Computing Compliance Controls Catalogue (C5)
• Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level 4 Authorization
• FedRAMP (Moderate)
• FINRA/SEC 17a-4
• FIPS 140-2
• G-Cloud Framework
• GxP Validation
• Hébergeurs de Données de Santé (HDS)
• HIPAA and HITECH
• International Traffic and Arms Regulations (ITAR) and Export Administration Regulations (EAR)
• ISMAP
• IRS-1075
• ISO 27001
• ISO 27017
• ISO 27018
• ISO 27701
• NIST 800-53
• NIST 800-171
• PCI Data Security Standard
• SOC 1 (SSAE 18) Type II
• SOC 2 Type II
• SOC 3

Box has established an information security management system program primarily based on ISO 27001 and NIST 800-53. As part of this program, Box has developed policies and procedures that define the information security rules and requirements for maintaining security and compliance, and for safeguarding our customers’ data. Policies and procedures are communicated to Box employees and third-parties with access to Box systems. Policies and procedures are reviewed, updated as necessary, and approved by management at least annually. For more information about Box’s information security policies, our Information Security Policy Overview knowledge paper can be provided under NDA — please contact your account team for more information.

Box has a Global Training and Awareness Program and requires all employees to complete security and privacy training as part of new hire orientation and annually thereafter. Additionally, necessary role-based and contingent worker training is conducted at least annually.

Box has established procedures supporting logging and monitoring security events and activities in the Box production environment. Alerts are configured to notify the appropriate teams to take action as necessary. Production environment logs are retained for at least one year. Customers with Box Business accounts and higher can monitor activity and view data related to their Box accounts and the content owned by their accounts by generating on-demand reports in their Admin Console. Click here to learn more.

Box has an established Enterprise Risk and Resiliency program to identify, assess, quantify, respond to, and monitor risks that could have a material impact on Box’s ability to achieve its business objectives. Box's risk management methodology is adapted from ISO 31000:2018, COSO 2017 Enterprise Risk Management Framework, ISO 27001/27005, NIST 800-30, and HIPAA/HITECH standards. Box's Enterprise Risk and Resiliency team performs strategic and operational risk assessments annually across the enterprise. The results of these assessments are reviewed with the Audit Committee or Board of Directors. Mitigation strategies are designed and implemented as needed.

Our AI governance team regularly reviews legal, regulatory, technical, compliance, and security considerations as well as requirements specific to industry, sector, and business purposes. Representatives from our security, legal, compliance and product departments work closely with our engineering team focused on AI to support efforts to meet our customers’ needs. Our AI governance program incorporates standards such as the National Institute of Standards and Technology AI Risk Management Framework (NIST AI RMF) and the Organization for Economic Co-operation and Development (OECD) AI Principles.

For more information on Box's approach to AI, including a separate AI FAQ, refer to our AI Trust page at https://www.box.com/ai/trust.

Box engages independent third parties on a periodic basis to perform audits required for the security compliance certifications we achieve and maintain. Box also has an internal audit function that is responsible for evaluating Box's internal controls. Additionally, Box’s Legal and Governance, Risk, and Compliance (GRC) teams regularly review applicable legislative or regulatory changes which could necessitate updating our information security policies and procedures.

The Box Service, including the application itself and encrypted customer content, is hosted within Google Cloud Platform (GCP) infrastructure. Upon uploading content to Box, the files are encrypted and stored in multiple locations within GCP's data centers. GCP uses a multi-region strategy which is spread across the continental US. This approach ensures that customer content is available and accessible from multiple facilities simultaneously. In case of any adverse incidents affecting one location, the content remains accessible from the unaffected locations. 

Customers may choose a location to store their content by utilizing the Box Zones product offering. Zones allows customers to store their content (at rest) in a specific region or even country. To learn more about Box Zones, please visit https://www.box.com/zones.

Customers can visit status.box.com for communications on the availability of Box services. From the Box status page, customers can also subscribe to email notification for whenever Box creates, updates, or resolves an incident. If there are any circumstances where we would have a planned outage event, Box shares updates with customers with advance notice.

Our Enterprise Resiliency team has established business continuity, disaster recovery, emergency response, and crisis management plans which include strategies, procedures, and contact information to be used in the case of a disruption due to an adverse event. These plans are tested annually to ensure recovery preparedness and any significant changes to plan processes or environment are documented. Box’s enterprise resiliency plan and most recent disaster recovery exercise report can be provided under NDA. Please contact your account team for more information.

We employ an active-active data center model, which ensures the simultaneous availability of content from multiple data centers within GCP’s infrastructure. In scenarios where a specific data center or geographic region is impacted by an adverse event, the unaffected data centers within GCP seamlessly support the Box Service. Additionally, our well-established Disaster Recovery (DR) testing process rigorously assesses the efficacy of DR processes and procedures at least annually, confirming the ability to transition production services to an alternate availability zone or cloud region effectively. 

Box’s RTO to restore critical services is 8 hours, and RPO is 1 hour. It’s important to note that we have implemented an active-active data center model using GCP. This approach entails serving content concurrently from multiple data centers (availability zones) within GCP. In the event of an adverse incident affecting a specific data center (zone), the unaffected data center within GCP steps in to support the Box service. Moreover, in scenarios where an adverse event impacts our primary data centers within a geographic region, the Box service can seamlessly transition to an alternate location within GCP.

Upon uploading content to Box, the files are encrypted and stored in both a primary and backup facility. In the event of any adverse incidents, the files can be seamlessly accessed from either the primary or backup storage facility.

It’s important to note that the backup/replication process is closely tied to the upload process. Replication occurs automatically at the time of content upload, ensuring that your data is protected and available in multiple locations from the start.

If ransomware affects Box content, customers can contact Box Support for help in remediating the issue. Box has an additional backup copy stored of all content and an active-active data center model which allows Box to rollback to the last known uncorrupted version of a customer's file. Also, Box may restore the original file from the trash and remove a corrupted file if ransomware has deleted an original file and uploaded a new malicious file. Click here to learn more.

We respect the privacy rights of users and recognize the importance of protecting your information. To learn more about how information is collected, retained, used, disclosed, and transferred by Box, take a look at our privacy notice.

Following the issuance of the finalized European Data Protection Board (EDPB) guidance on June 21, 2021, we recognize that our customers may have additional questions about how Box safeguards customers personal data.

To support our customers in meeting their due diligence obligations as controllers under General Data protection Regulation (GDPR), and to comply with our own Article 28 obligations as a processor, we’ve issued a Due Diligence and Supplementary Measures Report that is available upon request. This report includes detailed information regarding the technical and organizational safeguards Box currently has in place, the lawful data transfer mechanisms that Box utilizes, and how we handle public authority requests while maintaining compliance with GDPR.

To request the report, please contact privacy@box.com

We comply with region-specific data privacy regulations such as the General Data Protection Regulation (GDPR), Asia-Pacific Economic Cooperation (APEC), Cross Border Privacy Rules (CBPR), Privacy Recognition for Processors (PRP), and the California Consumer Privacy Act (CCPA). To learn more, take a look at our regional information notice.

Early on, we made a commitment to offer customers a cloud-based content management platform and product offering that not only met, but surpassed, industry standards. We've also historically offered customers an overlapping set of legal mechanisms and frameworks for data transfers outside of the EEA. These mechanisms include (1) Controller and Processor Binding Corporate Rules (BCRs), and (2) Standard Contractual Clauses (SCCs). On July 11, 2023, we welcomed the European Commission’s adequacy decision of the EU-U.S. DPF. The DPF enables eligible U.S. companies to facilitate cross-border transfers of personal data in compliance with EU law. Box complies with the EU-U.S. DPF for the transfer of personal data we process on behalf of Organizations in Business Accounts. Box has also certified to a similar Data Privacy Framework that will be adopted by Switzerland, known as the Swiss-U.S. DPF. For more information about Box Inc’s. Data Privacy Framework certification, please view the Box Data Privacy Framework Notice. To view our certification, please visit https://www.dataprivacyframework.gov.

Box uses the subprocessors identified on our subprocessors page to assist with data processing activities. This page outlines the services each subprocessor provides and the location of service, along with the due diligence procedures we perform prior to engaging any subprocessor. Subprocessors are strictly prohibited from using customer data, content, or personal data for any purpose other than to support Box in providing the service to its customers.