Regional Information

Last Updated: July 1, 2020

Asia-Pacific Economic Cooperation (“APEC”)

APEC Cross Border Privacy Rules (“CBPR”) System: Box, Inc.’s privacy practices, described in the Privacy Notice, comply with the APEC CBPR System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Data transferred among participating APEC eco nomies. More information about the APEC framework can be found at: http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx.

APEC Privacy Recognition for Processors (“PRP”) System: Box, Inc.’s privacy practices, described in this Privacy Notice, comply with the APEC PRP System . The APEC PRP System provides a framework for data processors to demonstrate their ability to effectively implement a data controller’s privacy requirements . More information about the APEC PRP framework can be found at: https://www.apec.org/~/media/Files/Groups/ECSG/2015/APEC PRP Rules and Guidelines.pdf.

Europe

Binding Corporate Rules: Box, Inc., and the Box group of companies use Box’s Processor and Controller Global Binding Corporate Rules ("BCRs") as the basis for Box’s approach to global data privacy protection. Box’s Processor BCRs and Controller BCRs were authorized by the European data protection authorities, as will be listed at the European Commission website.

Box’s Processor BCRs ena ble Box to transfer Personal Data that Box processes on behalf of Customers from European Economic Area ("EEA") countries to non - EEA countries. Box’s Controller BCRs enable Box to transfer Personal Data within the Box group of companies globally, where Box acts as a data controller. Box’s BCRs will be available at:

• Box Processor Binding Corporate Rules
• Box Controller Binding Corporate Rules

EU - U.S. Privacy Shield and Swiss - U.S. Privacy Shield: Box, Inc. participates in and has certified its compliance with the EU - U.S. Privacy Shield Framework and the Swiss - U.S. Privacy Shield Framework. For more information about our Privacy Shield certifications, please see this Box EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Notice.

United States

California Residents: Starting January 1, 2020, under the California Consumer Privacy Act (CCPA), California Residents have the right to request the following information from Box by emailing privacy@box.com and Box will provide such information to you upon verification of your request:

• The categories of personal information Box collects about you;
• The categories of sources from which your personal information is collected;
• The business purpose for collecting your personal information;
• The categories of third parties with whom Box shares your personal information; and
• The specific pieces of personal information Box has collected about you.

In addition, you can find the following information in the corresponding Box Privacy Notice Sections:

Box uses our own and third-party cookies to enhance, customize, improve and notify you about our Services. California residents may choose to opt-out from the "sale" or sharing of their digital activity. For more information on how we use cookies or to adjust your preferences please visit our Cookie Notice.

California Residents who have an established business relationship with Box may also choose to opt out of Box’s disclosure of personal information about them to third parties for direct marketing purposes. You may change your preferences at any time by emailing privacy@box.com.

If you elect to exercise any of your rights under CCPA, Box will not deny services, provide a different price or rate for our services, or provide a different level of service to you because you exercised such rights.