Administrative Controls

  1. Frequency of Backups: Upon upload of Content to Box, the files are encrypted and stored in a primary and backup facility. If an adverse event occurs, files can be restored on demand from the primary or backup storage facility. Because backups of files occur upon upload, there is no periodic (e.g., daily) backup process for Content. Data backups are not client-based.
  2. Location of Backups: Customer content is backed up to our cloud storage providers upon upload. Box has a multi-cloud strategy with AWS and GCP. Customer backups are located in the US.
  3. Least Privilege Access: Box upholds a least-privilege approach to access provisioning, limiting access to the minimum privileges necessary for employees to perform their job functions. Access to Box's corporate and production environments requires creation of an access request ticket and approval from management prior to provisioning by the IT team. Standard access to the systems supporting the Box Service is based on role membership within the corporate LDAP. Non-standard production access or access modifications require additional levels of approval.
  4. Monitoring Access: Box monitors user and network activities and security events for suspicious activities. Alerting is in place, and if actions are necessary, the appropriate teams will take action on such alerts. Due to the sensitivity of the monitoring performed, Box is unable to provide the specific details of the security technologies used.

    Box has Box Shield implemented internally, which allows us to monitor and alert on a user accessing their Box account from suspicious locations.
  5. Return or Destruction of Data: Box has a Data Handling and Destruction Policy which covers the handling and destruction of data based on the type and category of data. When required, data can be securely returned or destroyed in compliance with applicable regulations. Please see the attached knowledge papers and instructions at the bottom of the page: Deleting Files Stored in Box and Leaving Box - What Happens to All of Your Files.
  6. Regarding the number of persons who will have access to backup files: We have fewer than 10 employees - all US nationals - who serve as Key Custodians. Key Custodians are responsible for the encryption key necessary for Box to gain access to customer content. Such access is done with customer knowledge and permission or if required by law, such as to comply with a government subpoena; it requires participation of two Key Custodians and is highly monitored by Box. Moreover, access controls and permissions for these individuals are reviewed and renewed quarterly.

The reports below were created for the University of Nebraska Medical Center:

- Leaving Box - What Happens to All of Your Files (September 2022) - University of Nebraska Medical Center

- Deleting Files Stored in Box (September 2022) - University of Nebraska Medical Center