Box Trust Center

Putting our customers and their content first

A longstanding commitment to security and compliance

At Box, security and compliance are part of our DNA. We're dedicated to earning and keeping our customers' trust — every day. The Box Trust Center connects you to the latest information on how we prioritize security, compliance, data privacy, and reliability for our products.

Our approach to reliability

You've put your trust in Box as a valued service provider and partner. To keep your trust, we’re committed to updating you on what's happening with and within the Box Services, whether it’s planned maintenance or an unexpected service disruption.

Exceed global compliance requirements

The Content Cloud enables advanced privacy and compliance in today’s global, digital-first world. We’re committed to delivering a secure content platform that helps you meet and exceed your regulatory and compliance needs and obligations.

Protecting US government agencies' critical information

Digitize your agency services and drive government cloud security while maintaining industry compliance. Within the United States Federal and Department of Defense community, Box has achieved a number of certifications that demonstrate our capabilities and commitment to security.

How we approach security and compliance

Cloud Computing Controls Compliance Catalogue (C5)

Provided under NDA — please contact your account team

Consensus Assessments Initiative Questionnaire (CAIQ) 3.1
FedRAMP Moderate Authorization
FINRA Report

Provided under NDA — please contact your account team

GxP Validation
HECVAT Full 3.02

Provided under NDA — please contact your account team

HIPAA Assessment Letter

Provided under NDA — please contact your account team

HIPAA Compliance
ISMAP Certification
ISO 27001, 27017, & 27018 Certification
ITAR

Provided under NDA — please contact your account team

Payment Card Industry Data Security Standard (PCI DSS)

Provided under NDA — please contact your account team

SIG Lite

Provided under NDA — please contact your account team

SOC 1 & 2 - Type II

Provided under NDA — please contact your account team

StateRAMP
Web Content Accessibility Guidelines (WCAG) 2.0 Level AA

VPAT provided under NDA — please contact your account team

How we prioritize data privacy

CCPA

Find out how to steer clear of risk and keep your reputation intact as you meet obligations for the California Consumer Privacy Act (CCPA).

Cookie notice

Explore how and why Box utilizes cookies and how you can change your cookie preferences.
GDPR

Read about our GDPR compliance, our Data Processing Addendum (DPA), and our product offerings for data protection obligations.

Privacy notice

See what information is collected, retained, used, disclosed, and transferred by Box and how to exercise your data subject rights.

Regional information

Discover how we comply with region-specific data privacy regulations.

Schrems II and Brexit

Take a look at our continued commitment to safeguarding your data and how we process formal government requests.
Subprocessors

Find out about Box's subprocessors and the services they provide.

Explore our resources

ESG at Box

Explore Box’s environmental, social, and corporate governance commitments.

Log4J Vulnerability

Read Box’s response to the Log4J Vulnerability CVE-2021-44228.

Accessibility Improvements to the Box Web Application

Discover how we’re committed to providing a simple and compelling experience for our users.

FAQ

Find answers to frequently asked questions on security, reliability, compliance, and privacy.

Security

Do you encrypt data in motion and at rest?
What is your approach to security incidents? When and how are customers notified in the event of a confirmed incident involving their data?
What procedures does Box have in place to restrict unauthorized access to Box services and IT environment?
What vulnerability scans does Box perform and how often? When are findings identified from the scans remediated?
Does Box perform penetration tests using an independent third-party? How often?
What physical security measures are in place to restrict unauthorized access to Box's server rooms and data centers?
What is your process for reviewing key vendors for security risk?
How does Box implement secure software development practices in developing the Box application?

Compliance

What security certifications does Box have and maintain?
What information security management policies does Box have?
How does Box ensure that its personnel obtain the appropriate level of knowledge regarding compliance, security, and privacy best practices?
What procedures does Box have in place to log and monitor security activities in the Box environment?
Does Box have a risk management program?
Does Box have processes in place to ensure its continuous compliance with applicable information security requirements?

Reliability

How does Box notify and communicate with customers in case of unplanned outages?
What business continuity procedures does Box have in place to ensure the availability of its products and services and the safety and well-being of its employees?
What is your strategy to ensure core operations will continue during an adverse event?
What is Box’s recovery time objective (RTO) and recovery point objective (RPO)?
What is your process of restoring customer content if impacted by ransomware?

Privacy

How does Box safeguard my personal data?
What proactive steps has Box taken to further establish technical and organizational safeguards in response to the supplementary measures and essential guarantees guidance issued by the European Data Protection Board (EDPB)?
Does Box comply with General Data Protection Regulation?
What steps has Box taken to protect personal information following the Court of Justice of the European Union (CJEU) July 2020 decision to invalidate the adequacy of Privacy Shield in the "Schrems II" case?
Does Box use subprocessors?