Spotlight on data protection

Meet the highest bar in Europe

gdpr

Get in-region data protection with the Content Cloud

At Box, securing our customers’ content is our top priority. Whether you're looking to process and/or transfer your data from the European Economic Area (EEA) or the United Kingdom (U.K.), we're here to help you with your data protection obligations. We pair our seamless end-user experience with an unmatched level of frictionless security, enhanced visibility, and meticulous control.

The global impact of Europe's data protection laws

The European Union GDPR and U.K. Data Protection Act harmonizes data privacy laws and regulations across the region, enhances data protection for E.U. and U.K. data subjects, and reshapes the way organizations approach data privacy. If you do business in E.U. or U.K., you'll need to comply with these data protection laws. Below we've outlined the recent evolution of data privacy regulations and guidance, as well as the steps we've taken to ensure we offer the privacy, security, and compliance you need.

 

eu data protection july 2020

In July 2020, the Court of Justice of the European Union (CJEU) invalided the E.U.-U.S./Swiss-U.S. Privacy Shield Framework in the landmark "Schrems II" decision. The CJEU also confirmed that Standard Contractual Clauses (SCCs) remain a valid data transfer mechanism. Read more in our blog post.

eu data protection nov2020

In November 2020, data protection authorities in the EEA issued draft guidance, and the European Commission released a draft version of its updated SCCs. The European Commission also deliberated on a potential adequacy decision for the U.K. Find out more in our blog post.

eu data protection june2021

In June 2021, The European Data Protection Board (EDPB) published its guidance on Supplementary Measures and Guarantees. Additionally, the European Commission adopted a new set of SCCs for data transfers. To learn more, check out our blog post.

Sign your dpa

Request to Sign your DPA 

 

Box is committed to protecting the privacy of personal data. No matter the changing landscape, including the CJEU's Schrems II decision to invalidate Privacy Shield, the United Kingdom’s departure from the European Union (Brexit) or the issuance of updated SCCs by the European Commission, we’ve made it easy for our customers to maintain a lawful data transfer mechanism.

To offer the most flexible options to customers when it comes to transfers of personal data, our updated Data Processing Addendum (DPA) now includes the recently updated EEA SCCs published on 4 June 2021 by the European Commission and references the forthcoming new U.K. SCCs. To review Box’s DPA click here. To execute a DPA, please submit your request via the link below.  We’ll communicate with you in the event of any issues.  

 

Request to sign your DPA

data privacy

Our commitment to data privacy

 

Customer and end-user privacy rights are fundamental to Box. That’s why we committed early on to provide a cloud-based content management platform and product portfolio that not only met, but surpassed industry standards.

Following the issuance of the European Data Protection Board's (EDPB) guidance, we understand that our customers may have additional questions about how Box safeguards customer personal data. To support our customers in meeting their due diligence obligations as controllers and to comply with our own Article 28 obligations as a processor, we’ve created a Due Diligence and Supplementary Measures Report (Report), which will be made available upon request. To request for the Report, please contact privacy@box.com.

View an update below on what we’ve done since the EDPB published its guidance on Supplementary Measures and Essential Guarantees for cross-boarded data transfers.

See the update

Content cloud

How our products help you maintain seamless compliance

keysafe
Box KeySafe

Enhance your encryption key management strategy.

governance
Box Governance

Meet data retention obligations.

box shield
Box Shield

Detect and protect against malware attacks.

Data protection beyond Europe

California Consumer Privacy Act (CCPA)

At Box, we understand that CCPA readiness can be a challenge. By providing one platform to secure content management, collaboration, and workflow, Box bridges the gap in CCPA readiness by making it easier to control where your data is stored and how it's accessed, along with data minimization, enhanced security measures, and the timely response to California consumer requests. To learn more about how Box can support your CCPA-readiness journey, click here.

Asian Pacific Economic Cooperation (APEC)

Box is proud to be certified under the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, the gold standard in regional data privacy compliance. Maintaining compliance with the APEC, CBPR, and PRP systems ensures personal data is protected as it's transferred among the participating APEC economies. To learn more about Box's APEC CBPR and PRP certifications, please visit our regional information page.

To learn more about Box's ongoing commitment to privacy, security, and compliance, please visit our Trust Center.

FAQ

Does Box maintain privacy and information security certifications?
What is Box KeySafe?
What proactive steps has Box taken to further establish technical and organizational safeguards in response to the supplementary measures and essential guarantees guidance issued by the European Data Protection Board (EDPB)?
How does Box safeguard my personal data?
What steps has Box taken to protect personal information following the Court of Justice of the European Union (CJEU) July 2020 decision to invalidate the adequacy of Privacy Shield in the "Schrems II" case?
Does Box use subprocessors?