Box Product Terms
These terms amend and are incorporated into any written Box Service Order between Box (or a Box authorized reseller) and your company. If you purchase our services online through Box.com, they are governed by our Terms of Service, and these Product Terms do not apply.
Box Service Agreement Definitions
“Account(s)” means the account(s) created by (a) a User for itself or (b) Customer on behalf of its Users, to access and/or use the Box Service.
“Administrator(s)” means a User designated by Customer with the authority to utilize the Administrative Console(s) to configure and manage the Box Instance, including the ability to create and manage Accounts associated with Customer.
“Administrative Console” means the functionality within the Box Service that allows Customer to configure and manage the Box Instance, including User access, security settings, and other administrative functionality.
“Agreement” means this Box Service Agreement (including any additional terms incorporated by hyperlink, referenced and/or attached hereto) together with all Orders and addenda which are entered into between Box and Customer.
“API” means the application-programming interfaces used by Customer to access certain functionality as provided by Box.
“Box Instance” means the virtual environment managed by Administrator which constitutes part of the Box Service.
“Box Personnel” means Box’s employees, agents, consultants, contractors and Subprocessors.
“Box Reseller” means an entity that has entered into an agreement with Box that, among other things, authorizes the entity to resell any Box offering and, if applicable, provide certain services.
“Box Service” means the cloud-based content collaboration software-as-a-service application provided by Box (including any Box Software) and subscribed to under an Order.
“Box Software” means optional software provided by Box for installation on a User’s device or accessed by Users from the Customer’s or User’s software, hardware or other device(s) that allows a User to use certain functionality in connection with features of the Box Service.
“Content” means the electronic file objects (excluding, for the avoidance of doubt, system data and metadata) present in Customer’s Box Instance.
“Customer Domain” means any and all domains (e.g. @acmeco.com) registered, managed, owned or controlled by either Customer and/or Customer’s corporate affiliates owned or controlled by Customer.
“Data Protection Legislation” means the laws and regulations of the United States, European Union, the European Economic Area and/or their member states, Switzerland and/or United Kingdom applicable to the Processing of Customer Personal Data under this Agreement, including the General Data Protection Regulation 2016/679. If Customer is a business entity located in Australia the laws and regulations of Australia, including the Privacy Act 1988 shall apply.
“External User(s)” means a person who is permitted to access, store, retrieve or manage Content, using an email address that is not associated with a Customer Domain.
“Fair Use Policy” means the policy that outlines the technical limitations for the Box Service and sets forth Box’s expectations for fair use of the services and systems found at https://www.box.com/legal/fairusepolicy.
“Malware” means viruses, worms, time bombs, Trojan horses and other malicious code, files, scripts, agents or programs.
“Managed User(s)” means a person who is permitted to access, store, retrieve or manage Content, and is a Customer employee or otherwise has been given access to, custody of, or control over an email address associated with a Customer Domain.
“Order” means the separate document(s), including any Statement of Work, under which Customer purchases any Box offering pursuant to this Agreement and which has been agreed to in writing by the Parties or has been agreed to between Customer and Box Reseller.
“Personal Data” means any information relating to an identified or identifiable individual.
“Process(ing)” means any operation or set of operations which is performed upon Customer’s information, including Content and Customer Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, encryption, decryption, or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Production Data” means all text and files stored in Customer's Box Instance (including all Content and metadata) that is (i) submitted electronically by a User; (ii) submitted on behalf of Customer via API; or (iii) created at the direction of a User or API. Production Data does not include data that is stored outside of Customer's Box Instance or other data that is created, compiled or otherwise collected as a result of Box's operation of and monitoring of the Box Service ("System Data"). For the avoidance of doubt, System Data shall not include Content or Production Data.
“Service Level Commitments” means the service level commitments set forth in the Support Services Terms.
“Subprocessor” means any third party engaged by Box and/or its affiliates to Process Customer information, including Content, for the purposes of providing the Box Service and any associated services to Customer and its Users.
“Subscription Period” means the duration of Customer’s subscription to the Box Service commencing on the service start date of the Order and continuing for the period up to the service renewal date or end date as specified in the applicable Order.
“Support Services” has the meaning set forth in the Support Services Terms.
“Support Services Terms” means the document describing the Support Services entitlements Customer will receive under an Order, as found in the Support Services Terms.
“Term” has the meaning set forth in Section 11.1.
“User(s)” means, collectively, any Administrator, Managed User or External User.
“User Guide” means Box’s then-current published document specifying the functionality of the Box Service that is made generally available by Box to its customers or its users accessible at Box User Guide.
Additional Product Specific Terms
Section 1. Applicability and Integration
These Additional Product Specific Terms are subject to the terms and conditions of the Agreement and are applicable only when Customer has purchased the applicable product identified below under an executed Order. All references under the Agreement to the “Box Service” shall be deemed to include the product purchased and, except as otherwise set forth in these Additional Product Specific Terms, all terms and conditions of the Agreement shall apply. These Additional Product Specific Terms constitute the entire agreement, and supersede any and all prior agreements, between the Parties with regard to the subject matter hereof. With respect to the Platform Products, these Additional Product Specific Terms shall supersede and control over any conflicting terms and conditions in the Agreement.
Section 2. Box Platform
2.1 Platform Products.
2.1(a) Definitions.
“Monthly Active User” or “MAU” means a Platform Application User that is Active. A Platform Application User is deemed to be “Active” when an application uses the Box Service to access a Platform Application User via an API call (made by or on the behalf of the Platform Application User account) at least once in a monthly calendar period.
“Monthly Platform API Calls” means the total number of all API calls made by a Platform Application to the Box Service within a monthly calendar period on behalf of: (a) a Platform Application User; (b) a User; or (c) a Platform Service Account. Except as otherwise set forth in the applicable Order, excluded from Monthly Platform API Calls are API calls made on behalf of: (i) third party software application integrations that were permitted with Customer’s purchase of the Box Service as set forth in the applicable Order; (ii) Box provided applications (e.g., the Box Web App, Box Desktop); or (iii) Box provided services (e.g. Box Shuttle), if applicable.
“Platform Application” means any application used by or on behalf of Customer that uses the API for the purposes of access to the Box Service or to access certain functionality as provided by Box.
“Platform Application User” means a user with a unique identifier that is created and provisioned by Customer and such user’s access to Content in the Box Service is governed through an external-facing Platform Application that is built by or on behalf of Customer.
“Platform Product(s)” means the Box APIs that provide programmatic access to the Box Service from a Platform Application, and any additional Platform Product features and functionalities. The Platform Products may include Platform Resources and other features of the Platform Products that permit a Platform Service Account, a User, or Platform Application User to view, annotate and comment on Content, if expressly purchased by Customer as set forth in the applicable Order.
“Platform Resource(s)” means the resources, as may be specified in the applicable Order, including but not limited to Monthly Platform Bandwidth, Monthly Platform API Calls, Platform Storage and Monthly Active Users; and any other resources set forth in the applicable Order. Also included within the definition of Platform Resource(s) are Box’s APIs, tools and services made available for development of or integration with a Platform Application with respect to the APIs under these Platform terms.
"Platform Service Account” means a backend system-to-system connection with a unique identifier that is created and provisioned by or on behalf of Customer and its access to Content in the Box Service is governed through a Platform Application.
“Platform Storage” means the total amount of Content stored by or on behalf of all Platform Application Users, Platform Service Accounts and any other users of Platform Products that may be released by Box from time to time. Platform Storage does not include the storage of Content by Managed Users.
“Platform Use Limit(s)” means, as may be specified in the applicable Order (or in accordance with the applicable subscription level set forth in the Order): (i) Monthly Platform Bandwidth, Monthly Platform API Calls, Platform Storage and number of Monthly Active Users; and (ii) any other usage limits or restrictions set forth in the Agreement, Box Fair Use Policy, or Order.
2.1(b) Platform Grant. Subject to the terms and conditions of these terms and the purchase of one or more Platform Products under an applicable Order, Customer shall have the non-exclusive right during the applicable Subscription Period to utilize the Platform Products subscribed to by Customer under the applicable Order; and incorporate the API into the Platform Applications for the sole purpose of accessing certain functionality provided by the Platform Products subscribed to by Customer, solely through the API and associated tools and services. Customer will ensure that its usage of the Platform Products is at all times in conformance with the applicable Order (including but not limited to any Platform Use Limit), these Platform terms, the Agreement and applicable law.
2.1(c) Platform Restrictions. All terms applicable to Customer’s responsibility for Content in the Agreement also include Content uploaded via Platform Application Users and Platform Service Accounts to Customer’s instance of the Box Service. Customer will not (and will not encourage or assist any third party to):
(i) modify, alter, tamper with, repair or otherwise create derivative works of the API or any software included in or used or distributed by Box to provide or access the Platform Products;
(ii) reverse engineer, disassemble or decompile the Platform Products, or attempt to discover or recreate the source code for the Platform Products;
(iii) use or affect the Platform Products in any manner that could damage, disable, overburden or impair the Platform Products or their functionality, negatively affect or interfere with users’ use and enjoyment of the Platform Products, or disrupt the normal flow of traffic on any Box website (including, but not limited to, flooding the Platform Products with an excessive amount of data or content);
(iv) use any Box trademarks, logos, or other Box marks to promote and market the Platform Products without the prior written consent of Box;
(v) Use the Platform Application or Platform Products to:
(a) Transmit Content in violation of the Agreement, including but not limited to spam, junk mail, chain letters, pyramid schemes, spyware, adware, viruses, worms, or any other malicious code;
(b) Install software (i) to harm user systems, perform hidden activities, or otherwise operate without Platform Application User consent, (ii) that may harm or alter a Platform Application User’s system without express permission from the Platform Application User, (iii) that is downloaded as a hidden component of other software, or (iv) that is automatically downloaded in whole or in part without express Platform Application User consent;
(c) Impersonate, or misrepresent an affiliation with, any person or entity;
(d) Except as otherwise authorized by a Platform Application User with respect to such Platform Application User’s Content, mine or analyze any Content transmitted to, retrieved from or stored in the Platform Products/Box Service (including, but not limited to, through spiders, robots, crawlers, data mining tools, scrapers, or other automated means, or services employing any such means);
(e) Circumvent any security measures or content filtering devices;
(f) Engage in any activity or conduct that is deceptive, unfair or harmful or that violates any law, rule, regulation, generally accepted industry standards, or the rights of Box or any third party, including but not limited to intellectual property rights, privacy and publicity.
2.1(d) Overages. During the Subscription Period, Box may provide Customer with a report identifying the number of Accounts (or other usage) that, at any time, exceeds the Platform Use Limit, and Box (or Box Reseller, if applicable) may provide Customer with an Order for the additional required purchases (“Expansion Service Order”). Customer shall promptly (but in any event within fourteen (14) days of receiving such report) either: (i) execute the Expansion Service Order; (ii) increase the Platform Use Limit through an alternate purchase method provided by Box if available; or (iii) permanently delete the excess Accounts or other applicable activity.
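The definitions in 2.1(a) and the overage mechanism in 2.1(d) together describe a metering rule: count API calls per calendar month on behalf of Platform Application Users, Users and Platform Service Accounts, exclude calls from Box-provided applications and from integrations the Order permits, treat a Platform Application User as Active in any month with at least one call on its behalf, and compare the result to the Platform Use Limits. A Customer that wants to see an overage coming before Box's report arrives can meter its own traffic the same way. The following is an added example in Python, not Box code and not a Box log format: the record fields, the application identifiers, and the limit values are all assumptions, and the sample records are constructed.

```python
"""Meter Platform usage per calendar month the way the Product Terms define it."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ApiCall:
    """One API call against the Box Service (assumed record shape, not a Box log format)."""
    ts: datetime        # time of the call (UTC)
    app_id: str         # identifier of the calling application (hypothetical values below)
    actor_type: str     # "platform_user", "managed_user" or "service_account"
    actor_id: str       # unique identifier of the account the call was made on behalf of


# Hypothetical application identifiers for the two exclusions in the definition of
# Monthly Platform API Calls: Box-provided applications and third-party integrations
# permitted under the Order. Real identifiers would come from the Order and app config.
BOX_PROVIDED_APPS = {"box_web_app", "box_desktop"}
PERMITTED_INTEGRATIONS = {"crm_connector"}

# Hypothetical Platform Use Limits as they might appear on an Order.
PLATFORM_USE_LIMITS = {"api_calls": 6, "mau": 3}


def counts_as_platform_api_call(call: ApiCall) -> bool:
    """Apply the definition: calls on behalf of a Platform Application User, a User or a
    Platform Service Account count, unless made by an excluded application."""
    if call.app_id in BOX_PROVIDED_APPS or call.app_id in PERMITTED_INTEGRATIONS:
        return False
    return call.actor_type in {"platform_user", "managed_user", "service_account"}


def monthly_usage(calls):
    """Return {(year, month): {"api_calls": n, "mau": m}}.

    MAU follows its own definition: a Platform Application User is Active in a month if
    at least one API call was made by or on behalf of that account in that month. The
    application exclusions are defined only for Monthly Platform API Calls, so they are
    not applied to MAU here.
    """
    buckets = defaultdict(lambda: {"api_calls": 0, "active": set()})
    for call in calls:
        bucket = buckets[(call.ts.year, call.ts.month)]
        if counts_as_platform_api_call(call):
            bucket["api_calls"] += 1
        if call.actor_type == "platform_user":
            bucket["active"].add(call.actor_id)
    return {month: {"api_calls": b["api_calls"], "mau": len(b["active"])}
            for month, b in buckets.items()}


def overages(usage, limits):
    """Months in which any metered resource exceeds its Platform Use Limit, mapped to
    {resource: (actual, limit)}; an empty dict means nothing exceeded a limit."""
    report = {}
    for month, metrics in usage.items():
        exceeded = {k: (metrics[k], lim) for k, lim in limits.items() if metrics[k] > lim}
        if exceeded:
            report[month] = exceeded
    return report


def _t(day, month=3):
    return datetime(2024, month, day, tzinfo=timezone.utc)


# Constructed sample records (not real traffic).
SAMPLE_CALLS = [
    ApiCall(_t(1), "portal_app", "platform_user", "u1"),
    ApiCall(_t(2), "portal_app", "platform_user", "u1"),
    ApiCall(_t(3), "portal_app", "platform_user", "u1"),
    ApiCall(_t(4), "portal_app", "platform_user", "u2"),
    ApiCall(_t(5), "batch_app", "service_account", "svc1"),
    ApiCall(_t(6), "batch_app", "service_account", "svc1"),
    ApiCall(_t(7), "portal_app", "managed_user", "m1"),
    # Excluded from Monthly Platform API Calls: Box-provided app and permitted integration.
    ApiCall(_t(8), "box_web_app", "managed_user", "m1"),
    ApiCall(_t(8), "box_web_app", "managed_user", "m1"),
    ApiCall(_t(9), "crm_connector", "managed_user", "m1"),
    # April: three distinct Platform Application Users, one reached only through a
    # Box-provided app (counts toward MAU, not toward API calls).
    ApiCall(_t(2, 4), "portal_app", "platform_user", "u1"),
    ApiCall(_t(3, 4), "portal_app", "platform_user", "u3"),
    ApiCall(_t(4, 4), "portal_app", "platform_user", "u3"),
    ApiCall(_t(5, 4), "box_web_app", "platform_user", "u4"),
]


if __name__ == "__main__":
    usage = monthly_usage(SAMPLE_CALLS)
    for month in sorted(usage):
        print(month, usage[month])
    print("overages:", overages(usage, PLATFORM_USE_LIMITS))
```

On the sample data March counts seven API calls (the Box Web App and CRM connector calls are dropped) and two active Platform Application Users, April counts three calls and three active users, and only March's API call count exceeds the assumed limit. Note that the fourteen-day clock in 2.1(d) starts when Box's report is received, so a self-check like this is for planning purchases, not a substitute for responding to the report.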
2.1(e) Support. Customer will be responsible for supporting the Platform Application and shall provide such support direct to Platform Application Users. Box will not provide Support Services to Platform Application Users and is not responsible for any Downtime, Issues or other performance issues to the extent attributable to a Platform Application.
Section 3. Box Zones
3.1 Definitions
“Box Zones” means the Box infrastructure product (either Zones or Zones-Multi) that enables storage of customer files at Locations.
“Service Provider(s)” means the Box subprocessor(s) providing the geographic storage of Content.
“Location(s)” means the primary geographic location(s) specified in the applicable Order or otherwise made available to Customer where Content will be stored.
3.2 Zones Grants. Subject to the terms and conditions of these Additional Product Specific Terms and a purchase of a Box Zones account for each User as set forth in the applicable Order, Box shall: (a) make the Locations specified in the applicable Order available to Customer as of Service Start Date; (b) store Content generated after Customer’s purchase and provisioning of Box Zones in the default Location specified in the applicable Order; (c) to the extent included in Customer’s purchased product, allow Administrator(s) to designate and manage, at any time during the Subscription Period, the Location for each Managed User and Administrator via the Administrative Console; (d) migrate all such Users’ Content to the designated Location(s) within a commercially reasonable timeframe after designation by the Administrator, provided however, that migration of Content generated prior to the Service Start Date of the initial Box Zones Order may be subject to a one-time additional fee mutually agreed by the Parties; and (e) store such Users’ Content generated after such designation in the respective Locations.
3.3. Content Location. While Content will be stored and may be partially processed in the Location(s), some processing and metadata storage may continue to be provided from the United States. Nothing herein prohibits a User from accessing the Box Service, including Content, outside of the Location(s). The terms of these Additional Product Specific Terms supersede and replace any and all provisions in the Agreement regarding the location of Content storage and related controls. Locations are subject to change upon prior written notice from Box.
3.4 Service Providers. Box agrees to provide Customer with notice pursuant to the terms of the Agreement if it is adding a new subprocessor as a potential Service Provider. Security certifications of Service Provider(s) may vary based on selected Location(s) and additional information can be made available upon request by Customer pursuant to the terms of the Agreement.
3.5 Zones Configuration. It is Customer’s responsibility to configure and properly utilize the Box Service and Box Zones to address its obligations related to data types and compliance obligations. To the extent there are multiple Locations, Customer must ensure that each Managed User and Administrator is mapped to a Location at all times during the Subscription Period. Notwithstanding the foregoing, Content storage follows ownership in folder structure.
Section 4. KeySafe KMS
4.1 KeySafe Grant. Subject to the terms and conditions of these Additional Product Specific Terms and a purchase of a Box KeySafe KMS account for each User as set forth in the applicable Order, Box hereby grants Customer the right to use the Box feature which allows Customer to connect its Box instance to a third-party data hosting partner (“Hosting Partner”) offering to enable a second level of encryption using a key not managed by Box (such Box feature, “KeySafe KMS”). For the avoidance of doubt, Customer must separately purchase a license subscription dedicated solely to KeySafe KMS from a Box approved third party Hosting Partner. Customer’s subscription with the Hosting Partner is subject to the service terms for such subscription as agreed upon by the Customer and the Hosting Partner. Box is not responsible for providing any maintenance or support in connection with the Hosting Partner’s products or services.
4.2 Customer Responsibilities. During Customer’s use of KeySafe KMS, Customer shall:
(a) comply with the then-current technical documentation applicable to KeySafe KMS;
(b) provide Box with information sufficient to enable setup and support for KeySafe KMS, which information includes, but is not limited to encryption key ID, access key and secret access key;
(c) purchase Enhanced Support Services from Box (or their equivalent) for so long as it maintains the KeySafe KMS subscription;
(d) ensure it has appropriate technical resources with KeySafe KMS experience such that Customer can provide a 24/7 technical liaison with Box with respect to Customer’s use of KeySafe KMS, and provide Box the contact information including email and phone number of such technical liaison upon the Effective Date of the Applicable Order and immediately thereafter should such information change;
(e) use appropriately detailed process design, planning, governance, support and training efforts during deployment, including the purchase of additional professional and training services from Box as required; and
(f) maintain proper rights, access methods, support and permission to any application that will be integrated with the Box Service to enable KeySafe KMS, including but not limited to the Hosting Partner, for so long as Customer subscribes to KeySafe KMS and following expiration or termination of the Agreement for any applicable post-term access rights as described in the Agreement.
4.3. Downtime. Any commitments in the Agreement to minimize Downtime or offer service level credits do not apply to any period during which the Customer is unable to access the Box Service because of Customer’s failure to adhere to one or more of the requirements set forth in the then-current technical documentation applicable to KeySafe KMS, any period of time during which KeySafe KMS is not available or experiences degradation as a result of required third-party software updates to KeySafe KMS, and/or any downtime experienced by Hosting Partner.
4.4. Functionality. Customer understands and acknowledges that certain functionality of the Box Service may be limited as a result of implementation of KeySafe KMS as described in the KeySafe KMS technical documentation.
4.5. Content Controls. Upon written notice from Box, Customer agrees to provide reasonable support and timely removal of Content that has come to Box’s knowledge as including a virus, malware or harmful code, or is illegal or in the event that Box has received a valid process. In the event that such Content is not removed within forty-eight (48) hours of written notification, Box has the right to suspend or disable the specific user account or Customer’s account.
4.6. Key Rotation. Box may assist Customer in the implementation of the initial encryption key as part of the KeySafe KMS implementation. If Customer changes the key (“Key Rotation(s)”), Customer will coordinate with Box, and Customer will be solely responsible and liable for any such Key Rotations. Customer acknowledges that if it improperly manages the Key Rotation, then: (a) Customer may not be able to decrypt or otherwise access its Content; and (b) Box will not be able to help Customer decrypt or otherwise access the Content. In no event will Box be responsible or otherwise liable for the Key Rotations or impacts of the Key Rotations.
4.7 Intellectual Property. For the avoidance of doubt, these KMS terms do not convey to Customer any rights of ownership in KeySafe KMS and Customer acknowledges Box’s intellectual property rights in KeySafe KMS. All right, title, and interest in KeySafe KMS and in any ideas, know-how, and programs which are developed by Box in the course of providing any technical services to Customer, including any enhancements or modifications made to KeySafe KMS, shall at all times remain the property of Box or its licensor.
4.8 Disclaimer of Warranties. Customer acknowledges that the Hosting Partner products are not provided by or sold by Box. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN ADDITION TO THE DISCLAIMER OF WARRANTIES SET FORTH IN THE AGREEMENT, BOX EXPRESSLY DISCLAIMS, WITHOUT LIMITATION, ANY WARRANTIES RELATING TO HOSTING PARTNER’S PROVISION OF PRODUCTS OR SERVICES, AND SPECIFICALLY DISCLAIMS LIABILITY FOR ANY DAMAGES WHATSOEVER ARISING FROM: (A) CUSTOMER’S FAILURE TO MEET ITS OBLIGATIONS WITH RESPECT TO KEYSAFE KMS AS SET FORTH IN THESE KMS TERMS; OR (B) HOSTING PARTNER’S PRODUCTS OR SERVICES, INCLUDING, WITHOUT LIMITATION, CONTENT BREACHES, CONTENT LOSS OR UNAVAILABILITY AND DOWNTIME.
4.9 Indemnification. In addition to Customer’s indemnification obligations under the Agreement, Customer will defend, indemnify and hold Box harmless from any third-party claim arising out of: (a) Customer’s failure to meet the technical requirements of the KeySafe KMS; and (b) Customer’s use of third-party products or services including, but not limited to, the products and services of the Hosting Partner.
Section 5. Box Sign
5.1 In the event Customer chooses to use Box’s electronic signature product (“Box Sign”), Customer will be solely responsible for determining whether (a) the features of Box Sign as specified in the User Guide are appropriate for Customer’s use case; (b) any particular jurisdiction’s laws, regulations or other requirements may apply to Customer’s use of Box Sign for the category of documents and transactions intended for such use; and (c) Customer’s configuration and use of Box Sign (including the use of any default disclosures) complies with such laws, regulations, or other requirements. Signed agreements and signature logs are created during the Box Sign process after a final recipient's successful completion of a signature request. Customer has the sole responsibility to ensure its signed agreements and signature logs are maintained appropriately.
Section 6. Box AI
6.1 Ownership and Control. Customer is solely responsible for the production and retention of outputs using Box AI in compliance with the Agreement, the then-current Box AI Acceptable Use Policy & Guiding Principles, and all applicable laws. All output generated by Box AI is created at the User’s direction and is stored in Content (or other Production Data) (a) at the User’s sole discretion and/or (b) as an outcome of a Customer workflow or API call. Box AI outputs are not human generated or filtered by humans and cannot be represented by Customer as human work product. Box is not responsible for the accuracy or biases of the output or Customer’s reliance on Box AI output. Box AI queries and outputs are Customer’s Confidential Information but are not Content.
6.2 Processing. A User direction to process a Box AI query qualifies as Customer consent for the modification, aggregation, deidentification or other Processing of Confidential Information for purposes of generating output. Notwithstanding the above, Box will not train Box AI using Customer queries or outputs or other Confidential Information without explicit consent.
6.3 Sensitive Information. To the extent Users enter personal data or other sensitive information subject to regulatory oversight in Box AI queries, Customer and not Box has sole responsibility for providing any legally adequate privacy notices and obtaining any necessary consents for such Processing.
6.4 Infringing Queries and Output Use. Box shall not be responsible for, and shall not have any obligation regarding, any use of Box AI which relies on queries that infringe on any proprietary right of a third party or any use of outputs in a manner which infringes on any proprietary right of a third party.
Section 7. Box Forms
7.1 Definitions
“Box Forms” means the Box product that allows Users to initiate form-driven business processes configured by Customer.
“Box Forms Data” means any text or other data (excluding files) submitted through Box Forms.
7.2. Access and Use of Box Forms
7.2(a) Box Forms Data. Box Forms Data is Customer’s Confidential Information and is stored and processed by Box in a centralized database rather than in a file stored in Customer’s instance of the Box Service. Except as otherwise noted herein or by Box in its technical documentation, Box will process Box Forms Data in a manner consistent with other similar categories of system data as stated in Box’s Information Security Management System documentation. Customer agrees that such mechanisms are sufficient safeguards for the processing of regulated information in Box Forms Data.
7.2(b) Processing. For the purposes of compliance with EU and UK GDPR, or any other privacy legislation applicable to the Parties, Box is the Processor and Customer is the Controller of any Box Forms Data. For purposes of data transfers from the European Economic Area and/or its member states, Switzerland, and/or the United Kingdom, the lawful transfer mechanism for Box Forms Data is any mutually agreed EU Standard Contractual Clauses (Controller-to-Processor; Module Two) and the UK Standard Contractual Clauses (subject to any restrictions noted in Section 7.2(a) (Box Forms Data) above) between the Parties, and/or the EU-U.S. Data Privacy Framework, including the UK Extension and the Swiss-U.S. DPF. Box Forms Data will be stored and hosted in the United States but may be Processed by Box outside of the United States.
7.2(c) Interoperability. Except as otherwise agreed in writing by Box, Box disclaims any warranties or commitments that other elements of the Box Service (e.g. Box Governance, Box Shield, Box Zones, Box Keysafe, etc.) are compatible with or perform functions on Box Forms Data, which may impact Customer’s ability to achieve compliance outcomes reliant on those service elements (e.g. CJIS or ITAR compliance, GxP, FINRA Broker-Dealer), and any Agreement provisions applicable to those compliance outcomes are inapplicable to Box Forms Data.
Box Security Practices
Section 1. Purpose. This Security Exhibit sets forth the information security program and operation policies that Box will maintain in order to protect Customer’s Production Data from unauthorized use, access or disclosure, while Box is in possession of Customer’s Production Data.
Section 2. Information Security Management System. Box will maintain throughout the Term of the Agreement a comprehensive information security management system (the “ISMS”) which includes administrative, technical and physical safeguards designed to: (a) protect and secure Production Data from unauthorized access, use or disclosure; and (b) protect against anticipated threats or hazards to the security or integrity of Customer’s Production Data. The ISMS will be documented and kept current by Box based on changes to industry standard information security practices and legal and regulatory requirements applicable to Box.
Section 3. Standards. Box’s ISMS will, at a minimum, adhere to applicable information security practices as identified in International Organization for Standardization 27001 (ISO/IEC 27001) (or a substantially equivalent or replacement standard) or other authoritative sources (e.g. SSAE 18, SOC1, SOC2).
Section 4. Independent Assessments. On an annual basis, Box has an independent, suitably qualified third-party organization conduct an independent assessment consisting of a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy (SOC2 Type II) or such other comparable assessment at its sole discretion (e.g. ISO 27001 certification), and Box will provide a copy of such assessment to Customer upon Customer’s written request to Box. Box also undergoes at least an annual penetration test from independent, suitably qualified third parties, and Box will provide Customer with an executive summary of the most recent penetration test results upon Customer’s written request to Box.
Section 5. Information Security Policies. As part of the ISMS, Box will implement, maintain, and adhere to its internal information security and privacy policies that address the roles and responsibilities of Box Personnel, including both technical and non-technical Box Personnel, who have direct or indirect access to Production Data in connection with providing the Box Service. Box’s information security policies provide for continual assessment and re-assessment of the risks to the security of the Box Service, including: (a) identification of internal and external threats that could result in a Security Breach (as defined below); (b) assessment of the likelihood and potential damage of such threats, taking into account the sensitivity of Production Data; and (c) assessment of the sufficiency of the policies, procedures and information systems of Box, and other arrangements in place, to control risks. Additionally, Box’s information security policies address appropriate protection against such risks. Box’s information security policies shall, at a minimum, include:
(i) organization of information security
(ii) asset management
(iii) human resources security
(iv) physical and environment security
(v) communications and operations management
(vi) access control
(vii) information systems acquisition
(viii) development and maintenance
(ix) information security incident management
(x) business continuity management
Section 6. Information Security Operations.
6.1 Access Controls. In accordance with the ISMS, Box shall maintain appropriate access controls (physical, technical, and administrative), which shall include the following as applicable:
6.1(a) Box Service Access Controls.
6.1(a)(i) Physical Access Controls. Box will implement the following suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment used to process Production Data:
(a) Access authorizations for Box Personnel and third parties;
(b) Keycards and passes;
(c) Restrictions on keys;
(d) Appropriate requirements for third parties;
(e) Identifying of the persons having authorized access;
(f) Protection and restriction of entrances and exits;
(g) Establishing security areas especially for deliveries and handover;
(h) Securing the building (security alarm system, supervision by guards).
6.1(a)(ii) Technical Access Controls. Box will implement the following suitable measures to prevent unauthorized reading, copying, alteration or removal of the data media, unauthorized input into memory and reading/alteration/deletion of Production Data:
(a) Access authorization requirements;
(b) Identification of workstations and/or the users accessing Box systems;
(c) Automatic disablement of user IDs after multiple erroneous passwords entered;
(d) Logging of events and activities (including monitoring of break-in attempts);
(e) Issuing and safeguarding of identification codes;
(f) Dedicated workstations for users;
(g) Authenticating authorized persons;
(h) Use of encryption where deemed appropriate by Box;
(i) Separating production and non-production environments;
(j) Automatic session log-off of users that have been inactive for a period in excess of thirty (30) minutes;
(k) Designating areas in which data media may/must be located;
(l) Designating persons in such areas for authorized handling and removal of data media;
(m) Controlling the removal of data media;
(n) Securing the areas in which data media is located;
(o) Controlled and documented destruction of data media.
6.1(a)(iii) Data Access Controls. Box commits that Box Personnel entitled to use Box’s data processing systems will only access data within the scope and to the extent covered by the respective access permission (authorization). This will be accomplished by:
(a) Securing workstations;
(b) Requirements for user authorization driven by need basis;
(c) Appropriate confidentiality obligations;
(d) Differentiated access policies based on function and scope (e.g. partial blocking);
(e) Controlling destruction of data media;
(f) Deleting remaining data before changing data media;
(g) Policies controlling the production of backup copies.
6.1(a)(iv) Transmission Controls. Box will implement the following suitable measures to secure Production Data processed through the use of the Box Service:
(a) Authenticating authorized persons;
(b) Securing confidential data media;
(c) Documentation of transfer, retrieval and transmission;
(d) Encrypting external online transmission.
6.1(a)(v) Input Control. Box will provide for the retrospective ability to review and determine the time and the point at which Production Data is entered into the Box Service by utilizing electronic recording of data processing.
6.1(a)(vi) Organizational Controls. Box will implement the following suitable measures to maintain its internal organization in a manner that meets the requirements of ISMS:
(a) Maintaining internal data processing policies and procedures, guidelines, instructions, and/or process descriptions for development, testing and release;
(b) Implementing an emergency/backup contingency plan;
(c) Implementing a formal Business Continuity and Disaster recovery plan.
6.1(a)(vii) Control of separation of data. Box will implement suitable measures to allow the separate processing of Production Data which have been collected for different purposes. Production Data shall be separated such that no third party shall have access thereto unless granted by a User. Content will be logically separated from the data of other customers.
6.2 Encryption. Box will encrypt Production Data at rest within the Box Service using an AES algorithm or another industry-recognized cipher that is at least as secure for encryption of Production Data at rest with a default value of at least 256-bit strength. For Production Data in transit to and from the Box Service, Box provides encryption that is at least as secure as TLS 1.2 unless Customer uses a method of transmission or feature which does not support encryption (such as unencrypted FTP, email, etc.).
6.3 Network and Host Security. Box has network intrusion detection in place. In accordance with its ISMS, Box uses commercially reasonable efforts to ensure that Box Service operating systems and applications that are associated with Production Data are patched or secured to mitigate the impact of security vulnerabilities in accordance with Box’s patch management processes and industry standard practices.
6.4 Data Management. In accordance with its ISMS, Box has information security infrastructure controls in place for Production Data obtained, transported, and retained by Box for the provision of the Box Service. Box will, in accordance with its security policies and processes, destroy, delete, or otherwise make irrecoverable Production Data (a) following the termination or expiration of the Agreement; and (b) upon the disposal or repurposing of storage media containing Content.
6.5 Audit Logging and Monitoring. Box shall implement the following controls for audit logging and monitoring:
6.5(a) Audit Logging. Audit logging shall be enabled on systems that contain Production Data to capture at a minimum the security-related events defined below:
(i) Account logon (both successful and unsuccessful) and logoff;
(ii) Failed access attempts;
(iii) Account lockouts;
(iv) Elevation of privileges (both successful and unsuccessful), and every use of elevated privileges or actions taken while privilege is elevated;
(v) Creation, modification and deletion (both successful and unsuccessful) of:
(a) Accounts or logon identifiers;
(b) Group memberships;
(c) Access privileges/attributes for Accounts and groups;
(d) User rights and permissions.
(vi) Changes in account or logon identifier status (both successful and unsuccessful);
(vii) Modifications to, or unauthorized attempts to modify, the security configuration, security function or authorization policy.
6.5(b) Audit Logs. Audit logs shall capture, at a minimum, the information for each security-related event defined below:
(i) User, system or process identifier that triggered the event;
(ii) Description of the event;
(iii) Date and time the event occurred (the date and time must be periodically synchronized to ensure it is accurate);
(iv) Identifier of the system generating the event (e.g. IP address);
(v) Authorization information associated with the event.
6.5(c) Audit Log Retention. Audit logs shall be retained for not less than ninety (90) days. Audit logs shall be protected from accidental or intentional modification or destruction.
6.6 Physical and Environmental Security. Box shall:
(a) Implement physical access control mechanisms (e.g. electronic access control, locks) to ensure only authorized persons can obtain physical access to facilities from which the Box Service is provided;
(b) Lock and/or have strong access controls in place to control access to all of its data centers, equipment rooms, telecommunication closets and utilities;
(c) Conduct at least annual inspections of the perimeter and all access control mechanisms to provide assurance that its hardware cannot be easily manipulated or bypassed to gain unauthorized access;
(d) Establish protocols to protect against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster at Box facilities and data centers;
(e) Require that any individuals within the facilities can be immediately identified (e.g. using identification badges, visual recognition or other means);
(f) Monitor access/egress points with security staff and/or record them with security cameras twenty-four (24) hours a day, seven (7) days a week at any facility that contains Production Data. Security camera recordings shall be stored for no less than sixty (60) days;
(g) Require unique registry for all visitors and maintain access control logs at data centers.
6.7 Equipment Security. Box shall:
(a) Protect its systems and other equipment to reduce the risk from environmental threats and hazards and opportunities for unauthorized access;
(b) Protect equipment that is power-dependent from power failures, surges and other electrical anomalies;
(c) Protect all power, telecommunication and network cabling from unauthorized access and damage;
(d) Maintain its systems and other equipment to ensure its continued availability and integrity;
(e) Implement exit procedures to control unauthorized removal of systems and other equipment.
6.8 Training. Box shall provide regular training (or require regular training to be provided) to Box Personnel on security and privacy requirements to the extent applicable to their roles. Such training shall occur at least annually and upon initial employment.
6.9 User Controls. Notwithstanding the foregoing, Customer understands and agrees that it is responsible for provisioning its Users in appropriate roles within the Box Service with the appropriate levels of access to Production Data. The Box Service shall enable Customer to configure Customer’s Box Service instance. Notwithstanding anything to the contrary in this Security Exhibit, Customer understands and acknowledges that Customer will be solely responsible for implementing and maintaining access and security controls on its own devices and systems.
Section 7. Security Breach Management.
7.1 Notice. For the purposes of this Agreement, a “Security Breach” means a confirmed incident in which an unauthorized individual or entity (i) gains unauthorized access to stored Production Data in Box production databases, file stores, or object storage and/or (ii) exfiltrates, copies, exports, or otherwise removes Production Data from Box systems without authorization by bypassing or defeating a Box-controlled authentication or access-control mechanism. A Security Breach does not include (a) unsuccessful intrusion attempts or scans that do not result in access to stored Production Data, (b) unauthorized access to non-production, test, backup or development environments, or (c) disclosures resulting from Customer’s actions or misconfiguration. Box will promptly notify Customer of any confirmed Security Breach. Box will cooperate with Customer’s reasonable requests for information regarding any such Security Breach, and Box will provide regular updates on the Security Breach and the investigative action and corrective action taken. Notification will be delivered to the Administrator(s) of Customer’s Box Service account (“Notification Email Address”). Customer is solely responsible for ensuring that the Notification Email Address associated with Customer’s account is current and valid.
7.2 Remediation. In the event Box knows of a Security Breach, Box will, at its own expense: (a) investigate the Security Breach; (b) provide Customer with a remediation plan to address the Security Breach and to mitigate the incident and reasonably prevent any further incidents, upon Customer’s written request; (c) remediate the effects of the Security Breach in accordance with such remediation plan; and (d) reasonably cooperate with Customer and any law enforcement or regulatory official investigating such Security Breach.
7.3 User Activity Breaches. Customer is advised to require multi-factor authentication (MFA) for all Users and implement least-privilege access controls consistent with Box’s security guidance. Customer acknowledges that accounts without MFA are at a higher risk of unauthorized access (e.g., phishing, credential stuffing, brute-force attacks, credential theft). Box may take necessary mitigative and remedial actions in the event of a Security Breach with respect to affected accounts, including temporary suspension and requiring immediate corrective measures (e.g., enabling MFA, applying least-privilege permissions, or resetting passwords), before restoring access to accounts which do not comply with Box's security guidance, and notice of such measures may constitute notice of a Security Breach as appropriate. Box is not liable for any security incident, Security Breach, loss, or damage to the extent caused by Customer's failure to enable or maintain MFA or least-privilege access controls.
Section 8. Business Continuity and Disaster Recovery. Box implements and maintains business continuity and disaster recovery capabilities designed to minimize disruption of providing the Box Service to Customer in the event of a disaster or similar event. Box shall review its business continuity and disaster recovery plans on at least an annual basis and update such plans, as needed in accordance with generally accepted industry standards. Further, Box will perform (or have a qualified third party perform) at least annual testing of its business continuity and disaster recovery capabilities and provide to Customer, upon written request, a summary of Box’s business continuity and disaster recovery capabilities, including related testing performed during the last year.
Section 9. Subprocessors. Box requires that, prior to engaging in any Processing, a Subprocessor must enter into a written agreement with Box agreeing to meet Box’s security and privacy standards. Subprocessors authorized to perform services on behalf of Box shall commit to an appropriate obligation of confidentiality, which shall in no event be less protective than the Agreement. Box, at its sole discretion and in accordance with its vendor management program, will perform periodic vendor assessments for security and privacy. Box will only permit Subprocessors to access what is necessary to provide the Box Service and any associated services. Box will remain liable for all responsibilities and obligations of Box under the terms and conditions of the Agreement, even if such responsibilities and obligations are performed by Box’s Subprocessors. Information regarding current Subprocessors that may Process Production Data, including Customer Personal Data, can be found on the Box Subprocessor website found here: https://www.box.com/legal/subprocessors. This Subprocessor list may be updated from time to time by Box. Customer and its Users may subscribe to updates to this list on the Subprocessor website.
Section 10. Background Checks. Where legally permitted and in accordance with local law and custom, Box shall perform the following background checks:
(a) For US-based employees, on hire, Box's background checks include: SSN Trace, Criminal County and Federal Search (7-Year Address History), Multi-State Instant Criminal Check, Nationwide Sex Offender Registry Check, OFAC Check, OIG/GSA Combined Search, and Education Verification. Box also uses E-Verify and confirms employment eligibility via the Form I-9 for all employees.
(b) For Canada-based employees, on hire, Box’s background check consists of Canada Criminal Search (CPIC).
(c) For UK-based employees, on hire, Box performs ID verification, criminal record checks in the UK, credit and address check verification (6 years for address), and employment history check (maximum of 5 years of employment history or two prior employers).
(d) For Germany, Poland and Japan-based employees, Box cannot agree to perform any types of background checks as background checks are not permitted by law in Japan.
(e) For France and Netherlands-based employees (but not based in the UK, Germany or Poland), on hire, Box performs ID verification, international criminal checks, credit and address check (up to 6 years for address), education check and employment history check (maximum of 5 years of employment history or two prior employers), where legally permitted and in accordance with local law and custom.
(f) For Australia-based employees, on hire, Box performs ID verification, international criminal checks, credit and address check (up to 5 years for address), and employment history and reference check (maximum of 5 years of employment history or two prior employers).
(g) For Subprocessors, Box’s policy is to require material Subprocessors to perform background checks for their personnel performing services for Box in accordance with applicable local laws and customs, to the extent related directly to the Box Service.
Support Services and Service Level Commitments
The following terms and conditions apply unless an Order indicates the purchase of Enhanced Services and incorporates a separate data sheet describing what Support Services are included with the Enhanced Services.
Section 1. Definitions.
Capitalized terms not otherwise defined elsewhere in this Agreement shall have the following meaning:
“Business Response Credit” means the credit that may be available to a Customer that has subscribed to the Business Services under the applicable Order and as specified under Response Times below.
“Downtime” means any period during which the Customer is unable to access the Box Service, as measured at the Box network by industry standard tools, due to an Issue which prevents the majority of Customer’s Users from accessing Content, expressly excluding Scheduled Downtime.
“Issue” means a single, reproducible issue or problem affecting the functionality of the Box Service for Customer.
“Enhanced Response Credit” means the credit that may be available to a Customer that has subscribed to one of the Enhanced Support Services under the applicable Order and as specified under Response Times below.
“Enhanced SLC Credit” means the credit that may be available to a Customer that has subscribed to one of the Enhanced Support Services under the applicable Order and as specified under Service Level Commitments below.
“Support Services” means telephone, email or web-based assistance in the resolution of Issues reported by Customer to Box. Available Support Services are:
“Standard Support Services” which is included with the Customer’s purchase of the Box Service;
“Business Services” which is purchased by the Customer and identified under the applicable Order; or
“Premier Services” or “Platinum Services” (together, “Enhanced Support Services”) which are purchased by the Customer and identified under the applicable Order. For the avoidance of doubt, Enhanced Support Services are separate from Enhanced Services as may be included in the Order.
“Scheduled Downtime” means a scheduled time period in which the Box Service is unavailable for use, and upon notice to Customer where practical.
“Uptime Percentage” means the total number of minutes in a calendar month minus the number of minutes of Downtime experienced in such calendar month, divided by the total number of minutes in such calendar month.
Section 2. Support Services.
2.1 Support Services. During the Subscription Period, Box will provide to Customer the applicable Support Services. If Customer has not purchased Business Services or one of the Enhanced Support Services, then Standard Support Services will be provided. Support Services do not include: (a) physical installation or removal of the Box Software and any User Guides; (b) visits to Customer’s site; (c) any professional services associated with the Box Service, including, without limitation, any custom development, data modeling, code review and application architecture/infrastructure design; (d) training; or (e) the set-up, configuration and use of the Box Service.
Box's obligations do not extend to any ongoing test or training instances of the Box Service provided to Customer or Downtime, Issues or errors that are caused by:
(i) Third-party hardware or software;
(ii) Use of the Box Service in violation of the terms of the Agreement;
(iii) Use of the Box Service other than in accordance with any User Guide or the express instructions of Box;
(iv) A Force Majeure Event as defined in the Agreement; or
(v) For users of Box KeySafe, failure to adhere to one or more of the requirements set forth in the then-current technical documentation applicable to KeySafe KMS, including required software updates, or any service degradation or downtime (scheduled or unscheduled) experienced by Hosting Partner.
2.2 Case Prioritization. When contacting Box for support, Customer will assign a priority to the Issue in accordance with the table below. Box will provide an acknowledgement of a reported Issue to Customer and a support agent will provide a response within the target timeframes specified for the applicable support level (“Response”). Upon review of the Issue, and following Box’s initial response to the Customer, Box may change the case prioritizations in accordance with the following descriptions:
| Priority | Description |
|---|---|
| Level 1 – Urgent | An Issue that renders the Box Service completely inoperative for all Users and no workaround is available. |
| Level 2 – High | An Issue that materially impairs substantial features of the Box Service for many Users and no reasonable workaround is available. |
| Level 3 – Normal | An Issue that impairs a feature of the Box Service for a few Users and a reasonable workaround is available. |
| Level 4 – Low | An Issue that involves an inquiry regarding a routine technical issue; information requested on application capabilities, navigation, installation or configuration; or a bug affecting a small number of Users. |
2.3 Standard Services Response Times. If Customer has Standard Support Services, Box will use commercially reasonable efforts to meet the following target Response Times during the support hours/days outlined below.
Support Hours: 6 AM – 6 PM Customer local time, Monday – Friday
Support Language: English
Support Access Method: Web/Email
Support Response Method: Web/Email
Number of Support Requests: Unlimited
Response Times:
Level 1 – Urgent: Within 4 business hours
Level 2 – High: Within 8 business hours
Level 3 – Normal: Within 1 business day
2.4 Business Services Response Times. If Customer has purchased Business Services, Box will respond in accordance with the Response Times below. If Box fails to meet the response times, Customer may be entitled to a response time credit as outlined below (“Business Response Time Credit”):
Support Response Hours: 24 hours/day, 365 days/year
Support Language: English
Support Access Method: Web/Phone/Email
Support Response Method: Web/Phone/Email
Number of Support Requests: Unlimited
Response Times:
Level 1 – Urgent: Within 2 hours
Level 2 – High: Within 4 hours
Level 3 – Normal: Within 4 hours
Level 4 – Low: Greater than 4 hours
2.5 Enhanced Support Services Response Times. If Customer has purchased one of the Enhanced Support Services, Box will respond in accordance with the Response Times below (for cases submitted in English). If Box fails to meet the response times, Customer may be entitled to a response time credit as outlined below (“Enhanced Response Time Credit”).
Support Response Hours: 24 hours/day, 365 days/year
Support Language: English or local language (based on availability)
Support Access Method: Web/Phone/Email
Support Response Method: Web/Phone/Email
Number of Support Requests: Unlimited
Response Times:
Level 1 – Urgent: Within 1 hour
Level 2 – High: Within 2 hours
Level 3 – Normal: Within 2 hours
Level 4 – Low: Greater than 2 hours
2.6 Business Services and Enhanced Support Services Response Time Credits. If Customer has purchased Business Services or one of the Enhanced Support Services and Box fails to meet the applicable Response Times associated with Business Services or Enhanced Support Services, Customer may be entitled to a response time credit as outlined below (“Response Time Credit”).
Response Time Credits: Customer will be eligible to receive a Response Time Credit, provided that:
(a) Customer has purchased Business Services or one of the Enhanced Support Services;
(b) Customer has opened a support ticket for an Issue; and
(c) Box fails to meet the response times for Level 1 and Level 2 support tickets three (3) times during the given calendar month
(collectively, a “Response Credit Event”).
In the event that Customer incurs a Response Credit Event, Customer will receive a Response Time Credit of fifteen percent (15%) of the fees paid by Customer for the applicable Business Support Service or Enhanced Support Service for the month the Response Credit Event occurred. The Response Time Credit will be calculated on a straight-line, pro-rated basis with respect to any fees paid in advance. Notwithstanding anything to the contrary, in no event will the total amount of Response Time Credits exceed the applicable Business Services or Enhanced Support Services fees paid by Customer for the corresponding month. For clarity, for the purpose of calculating Response Time Credits, calendar months are calculated based on the US Pacific Time Zone.
The Response Time Credit is Customer's sole and exclusive remedy for any failure by Box to meet any response time performance obligations pertaining to the Box Service as set out in this Exhibit A.
Customer is not eligible to receive Response Time Credits during any period of time when payments owed are past due.
For Customer Orders placed through Box, Response Time Credits will be issued by Box, as determined in its sole discretion, either by applying to future billing cycle(s) or as a refund against annual fees earlier paid. For Customer orders placed through a Box Reseller, Response Time Credits, if any, will be issued as provided in the applicable agreement between Customer and Box Reseller.
2.7 Key Rotation. If Customer is purchasing KeySafe KMS, Box may assist Customer in the implementation of the initial key. If Customer changes the key (“Key Rotation(s)”), Customer will coordinate with Box, and Customer will be solely responsible and liable for any such Key Rotations. Customer acknowledges that if it improperly manages the Key Rotation, then: (a) Customer may not be able to decrypt or otherwise access its Content; and (b) Box will not be able to help Customer decrypt or otherwise access the Content. In no event will Box be responsible or otherwise liable for the Key Rotations or impacts of the Key Rotations.
Section 3. Service Level Commitments
3.1 Standard Support Services. If Customer has Standard Support Services, Box will use commercially reasonable efforts to meet an Uptime Percentage of at least 99.9%.
3.2 Business Services. If Customer has purchased Business Services, Box will use commercially reasonable efforts to meet an Uptime Percentage of at least 99.9%.
3.3 Enhanced Support Services. If Customer has purchased one of the Enhanced Support Services, Box will use commercially reasonable efforts to meet an Uptime Percentage of at least 99.9%. If Box fails to meet the Uptime Percentage, Customer will receive Enhanced SLC Credits as follows:
| Uptime Percentage | Enhanced SLC Credit Percentage |
|---|---|
| Less than 99.9% but equal to or more than 99.8% | 5% |
| Less than 99.8% but equal to or more than 99.7% | 10% |
| Less than 99.7% but equal to or more than 99.6% | 15% |
| Less than 99.6% but equal to or more than 99.5% | 20% |
| Less than 99.5% but equal to or more than 99.4% | 25% |
| Less than 99.4% but equal to or more than 99.3% | 30% |
| Less than 99.3% but equal to or more than 99.2% | 35% |
| Less than 99.2% but equal to or more than 99.1% | 40% |
| Less than 99.1% but equal to or more than 99.0% | 45% |
| Less than 99.0% | 50% |
Customers who have purchased one of the Enhanced Support Services will be eligible to receive SLC Credits provided that:
(a) Customer has reported an Issue related to a Downtime event by filing a ticket with Box support within fifteen (15) days of the Downtime event; and
(b) once Customer receives the Uptime Percentage report provided by Box and confirms the Uptime Percentage as below 99.9% in the month the Issue was experienced, Customer has provided Box a written claim request for Enhanced SLC Credits within fifteen (15) days of the date of the Uptime Percentage report.
The Enhanced SLC Credits will be equal to the SLC Credit percentage multiplied by the fees paid by Customer for the Box Service that are attributable to the corresponding calendar month (calculated on a straight-line, pro-rated basis with respect to any fees paid in advance) and then pro-rated based on affected Users. Notwithstanding anything to the contrary, in no event will the total amount of Enhanced SLC Credits, if any, exceed the fees paid by Customer for the Box Service in the corresponding month. For clarity, for the purpose of calculating Enhanced SLC Credits, calendar months are calculated based on the US Pacific Time Zone. The Enhanced SLC Credit is Customer's sole and exclusive remedy for any failure by Box to meet any service level obligations pertaining to the Box Service as set out in this Exhibit A. Customer is not eligible to receive Enhanced SLC Credits during any period of time when payments owed are past due.
For Customer Orders placed through Box, Enhanced SLC Credits will be issued by Box, as determined in Box’s sole discretion, either by applying to future billing cycle(s) or as a refund against annual fees earlier paid. For Customer orders placed through a Box Reseller, Enhanced SLC Credits, if any, will be issued as provided in the applicable agreement between Customer and the Box Reseller.
Enhanced Services Datasheets