Get in-region data protection with the Content Cloud
At Box, securing our customers’ content is our top priority. Whether you're looking to process and/or transfer your data from the European Economic Area (EEA) or the United Kingdom (U.K.), we're here to help you with your data protection obligations. We pair our seamless end-user experience with an unmatched level of frictionless security, enhanced visibility, and meticulous control.
The global impact of Europe's data protection laws
The European Union GDPR and U.K. Data Protection Act harmonize data privacy laws and regulations across the region, enhance data protection for E.U. and U.K. data subjects, and reshape the way organizations approach data privacy. If you do business in the E.U. or U.K., you'll need to comply with these data protection laws. Below we've outlined the recent evolution of data privacy regulations and guidance, as well as the steps we've taken to ensure we offer the privacy, security, and compliance you need.
On July 11, 2023, we welcomed the European Commission’s adequacy decision for the E.U.-U.S. Data Privacy Framework (“E.U.-U.S. DPF”). As part of our continued commitment to providing our customers with multiple means to lawfully transfer data, we’re excited to announce that Box will certify to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) by the 10 October 2023 deadline, as well as to the UK-U.S. DPF and Swiss-U.S. DPF. Read more in our blog post.
In November 2020, data protection authorities in the EEA issued draft guidance, and the European Commission released a draft version of its updated SCCs. The European Commission also deliberated on a potential adequacy decision for the U.K. Find out more in our blog post.
To ensure Box and our customers comply with our shared legal obligations in the EEA, some customers will need to transition to the EU SCCs by December 27, 2022. On March 21, 2022, the United Kingdom's Information Commissioner's Office (ICO) issued the UK SCCs as a data transfer mechanism for cross-border data transfers to third countries with an effective date of September 21, 2022 for new customers and March 21, 2024 for existing customers. To learn more, check out our blog post, or to sign the updated DPA that now includes the UK Addendum, see below.
Request to Sign your DPA
Box is committed to protecting the privacy of personal data. No matter the changing landscape, including the CJEU's Schrems II decision to invalidate Privacy Shield, the United Kingdom’s departure from the European Union (Brexit) or the issuance of updated SCCs by the European Commission, we’ve made it easy for our customers to maintain a lawful data transfer mechanism.
To offer the most flexible options to customers when it comes to transfers of personal data, our Data Processing Addendum (DPA) includes the updated EU SCCs issued on June 27, 2021 by the European Commission and the UK SCCs issued by the UK's Information Commissioner's Office (ICO) on March 21, 2022. To ensure Box and our customers comply with our shared legal obligations in the EEA, some customers with existing Box agreements will need to transition to the EU SCCs by December 27, 2022. For customers doing business in the UK, the UK SCCs have an effective date of September 21, 2022 for new customers, and March 21, 2024 for existing customers. To review Box's DPA, click here. To begin the DPA signature process, please submit your request via the link below and our team will respond promptly with any additional information required.
Our commitment to data privacy
Customer and end-user privacy rights are fundamental to Box. That’s why we committed early on to provide a cloud-based content management platform and product portfolio that not only met, but surpassed industry standards.
Following the issuance of the European Data Protection Board's (EDPB) guidance, we understand that our customers may have additional questions about how Box safeguards customer personal data. To support our customers in meeting their due diligence obligations as controllers and to comply with our own Article 28 obligations as a processor, we’ve created a Due Diligence and Supplementary Measures Report (Report), which will be made available upon request. To request the Report, please contact email@example.com.
View an update below on what we’ve done since the EDPB published its guidance on Supplementary Measures and Essential Guarantees for cross-border data transfers.
Data protection beyond Europe
California Consumer Privacy Act (CCPA)
At Box, we understand that CCPA readiness can be a challenge. By providing one platform to secure content management, collaboration, and workflow, Box bridges the gap in CCPA readiness by making it easier to control where your data is stored and how it's accessed, along with data minimization, enhanced security measures, and the timely response to California consumer requests. To learn more about how Box can support your CCPA-readiness journey, click here.
Asia-Pacific Economic Cooperation (APEC)
Box is proud to be certified under the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, the gold standard in regional data privacy compliance. Maintaining compliance with the APEC CBPR and PRP systems ensures personal data is protected as it's transferred among the participating APEC economies. To learn more about Box's APEC CBPR and PRP certifications, please visit our regional information page.
To learn more about Box's ongoing commitment to privacy, security, and compliance, please visit our Trust Center.
Does Box maintain privacy and information security certifications?
Box maintains an array of certifications that supports customers in the European Economic Area (EEA), United Kingdom (U.K.) and elsewhere. We proudly adhere to many of the most comprehensive privacy and information security certifications, like Germany’s Cloud Computing Compliance Controls Catalogue (C5), the Trust Cloud Data Protection Profile (TCDP), and Binding Corporate Rules (BCRs). To learn more, please visit our compliance page.
What is Box KeySafe?
At Box, we understand that encryption key management is fundamental to your company’s data privacy and security program. In addition to the industry-leading privacy and security controls provided as part of core Box functionalities, you may choose to adopt the add-on product offering, Box KeySafe. Box KeySafe builds on strong encryption and security capabilities to offer you complete, independent control over your encryption keys. All key usage is unchangeable and includes a detailed, auditable record of key usage so you can track exactly why the keys are being accessed. With KeySafe, you can immediately revoke access to content with no impact on the Box platform’s usability, mobility, security, or governance.
What proactive steps has Box taken to further establish technical and organizational safeguards in response to the supplementary measures and essential guarantees guidance issued by the European Data Protection Board (EDPB)?
Following the issuance of the finalized European Data Protection Board (EDPB) guidance on June 21, 2021, we recognize that our customers may have additional questions about how Box safeguards customer personal data.
To support our customers in meeting their due diligence obligations as controllers under General Data Protection Regulation (GDPR), and to comply with our own Article 28 obligations as a processor, we've issued a Due Diligence and Supplementary Measures Report that is available upon request. This report includes detailed information regarding the technical and organizational safeguards Box currently has in place, the lawful data transfer mechanisms Box utilizes, and how we handle public authority requests while maintaining compliance with GDPR.
To request the report, please contact firstname.lastname@example.org.
How does Box safeguard my personal data?
We respect the privacy rights of users and recognize the importance of protecting your information. To learn more about how information is collected, retained, used, disclosed, and transferred by Box, take a look at our privacy notice.
What steps has Box taken to protect personal information following the Court of Justice of the European Union (CJEU) July 2020 decision to invalidate the adequacy of Privacy Shield in the "Schrems II" case?
Early on, we made a commitment to offer customers a cloud content management platform and product offering that not only met, but surpassed, industry standards. We've also historically offered customers an overlapping set of legal mechanisms and frameworks for data transfers outside of the EEA. These mechanisms include (1) Controller and Processor Binding Corporate Rules (BCRs), and (2) SCCs. And, while the CJEU invalidated Privacy Shield as a valid data transfer mechanism, we will continue to adhere to the Privacy Shield principles and the annual independent assessment performed to ensure compliance. To learn more about our continued dedication to safeguarding your data and our ongoing commitment to data privacy protection, check out our blog post.
Does Box use subprocessors?
Box uses the subprocessors identified on our subprocessors page to assist with data processing activities. This page outlines the services each subprocessor provides and the location of service, along with the due diligence procedures we perform prior to engaging any subprocessor. Subprocessors are strictly prohibited from using customer data, content, or personal data for any purpose other than to support Box in providing the service to its customers.