Get in-region data protection with the Content Cloud
At Box, securing our customers’ content is our top priority. Whether you're looking to process and/or transfer your data from the European Economic Area (EEA) or the United Kingdom (U.K.), we're here to help you with your data protection obligations. We pair our seamless end-user experience with an unmatched level of frictionless security, enhanced visibility, and meticulous control.
The global impact of Europe's data protection laws
The European Union GDPR and U.K. Data Protection Act harmonizes data privacy laws and regulations across the region, enhances data protection for E.U. and U.K. data subjects, and reshapes the way organizations approach data privacy. If you do business in E.U. or U.K., you'll need to comply with these data protection laws. Below we've outlined the recent evolution of data privacy regulations and guidance, as well as the steps we've taken to ensure we offer the privacy, security, and compliance you need.
On July 11, 2023, we welcomed the European Commission’s adequacy decision for the E.U.-U.S. Data Privacy Framework (“E.U.-U.S. DPF”). As part of our continued commitment to providing our customers with multiple means to lawfully transfer data, we’re excited to announce that Box will certify to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) by the 10 October 2023 deadline, as well as to the UK-U.S. DPF and Swiss-U.S. DPF. Read more in our blog post.
In November 2020, data protection authorities in the EEA issued draft guidance, and the European Commission released a draft version of its updated SCCs. The European Commission also deliberated on a potential adequacy decision for the U.K. Find out more in our blog post.
To ensure Box and our customers comply with our shared legal obligations in the EEA, some customers will need to transition to the EU SCCs by December 27, 2022. On March 21, 2022, the United Kingdom's Information Commissioner's Office (ICO) issued the UK SCCs as a data transfer mechanism for cross-border data transfers to third countries with an effective date of September21, 2022 for new customers and March 21, 2024 for existing customers. To learn more, check out our blog post, or to sign the updated DPA that now includes the UK Addendum, see below.
Request to Sign your DPA
Box is committed to protecting the privacy of personal data. No matter the changing landscape, including the CJEU's Schrems II decision to invalidate Privacy Shield, the United Kingdom’s departure from the European Union (Brexit) or the issuance of updated SCCs by the European Commission, we’ve made it easy for our customers to maintain a lawful data transfer mechanism.
To offer the most flexible options to customers when it comes to transfers of personal data, our Data Processing Addendum (DPA) includes the updated EU SCCs issued on June 27, 2021 by the European Commission and the UKSCCs issued by the UK's Information Commissioner's Office (ICO) on March 21, 2022.To ensure Box and our customers comply with our shared legal obligations in the EEA, some customers with existing Box agreements will need to transition to the EU SCCs by December 27, 2022. For customers doing business in the UK, the UK SCCs have an effective date of September 21, 2022 for new customers, and March 21, 2024 for existing customers. To review Box's DPA, click here. To begin the DPA signature process, please submit your request via the link below and our team will respond promptly with any additional information required.
Our commitment to data privacy
Customer and end-user privacy rights are fundamental to Box. That’s why we committed early on to provide a cloud-based content management platform and product portfolio that not only met, but surpassed industry standards.
Following the issuance of the European Data Protection Board's (EDPB) guidance, we understand that our customers may have additional questions about how Box safeguards customer personal data. To support our customers in meeting their due diligence obligations as controllers and to comply with our own Article 28 obligations as a processor, we’ve created a Due Diligence and Supplementary Measures Report (Report), which will be made available upon request. To request for the Report, please contact email@example.com.
View an update below on what we’ve done since the EDPB published its guidance on Supplementary Measures and Essential Guarantees for cross-boarded data transfers.
Data protection beyond Europe
California Consumer Privacy Act (CCPA)
At Box, we understand that CCPA readiness can be a challenge. By providing one platform to secure content management, collaboration, and workflow, Box bridges the gap in CCPA readiness by making it easier to control where your data is stored and how it's accessed, along with data minimization, enhanced security measures, and the timely response to California consumer requests. To learn more about how Box can support your CCPA-readiness journey, click here.
Asian Pacific Economic Cooperation (APEC)
Box is proud to be certified under the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, the gold standard in regional data privacy compliance. Maintaining compliance with the APEC, CBPR, and PRP systems ensures personal data is protected as it's transferred among the participating APEC economies. To learn more about Box's APEC CBPR and PRP certifications, please visit our regional information page.
To learn more about Box's ongoing commitment to privacy, security, and compliance, please visit our Trust Center.