Box and Privacy Readiness: Keeping up with the US state privacy laws

At Box, we are committed to protecting the privacy of our customers’ data, and we care deeply
about maintaining transparency and the trust of our customers. Last year, we updated you on
Box’s compliance with the California Consumer Privacy Act (CCPA) (as amended by the
California Privacy Rights Act) and the Virginia Consumer Data Protection Act.


Today, we want to update you on new state privacy laws coming into effect July 1, 2023, the
Colorado Privacy Act and the Connecticut Data Privacy Act, as well as the Utah Consumer
Privacy Act, effective December 31, 2023. We’ve implemented initiatives to ensure our
customers can continue to utilize Box’s product offerings in a manner that is compliant with these
new privacy laws. These evolving laws indicate a rising emphasis on safeguarding personal data,
and we anticipate further advancements in privacy regulations at the federal and state levels in
the future.


We appreciate that you - our customers - may have questions about how service providers like
Box are securing your personal data and adhering to the applicable privacy obligations. To
support you in meeting your due diligence obligations, we’ve outlined the measures we’ve
taken below to ensure our customers can continue using the Box Service in compliance with the
growing number of U.S. state privacy laws.


New U.S. state privacy laws: Our commitment to securing your data.


We’ve updated our US Data Processing Addendum: Our US Data Processing Agreement (US
DPA) has been revised to include specific privacy provisions relevant to state privacy laws in
Colorado, Connecticut, and Utah. It provides information about Box’s personal data processing,
the security measures we have in place, and how we handle consumer rights requests, among
other aspects. To start the US DPA signature process, submit your request form here. Our team
will promptly provide additional information if required. For queries regarding this process or
the request form, please email [email protected].

We've updated our Privacy Notice: We remain committed to ensuring transparency about how we may collect, process, store, share and safeguard personal data. We've revised our Privacy Notice to incorporate the new privacy requirements in Colorado, Connecticut, and Utah. While a recent California court order has delayed enforcement of the CPRA regulations until March 29, 2024, we have updated the California section of the Privacy Notice to reflect the current guidance issued by the California Privacy Protection Agency (CPPA). To view the updated Privacy Notice and to learn more about how consumers may exercise their privacy rights in applicable jurisdictions, please review our Regional Information Notice. 


We’ve maintained best-in-class compliance certifications: We approach security uniquely at
Box, combining a seamless user experience with unparalleled protection, advanced visibility,
and meticulous control. Our commitment to privacy and security means achieving and
maintaining top-tier security and privacy compliance certifications, including:


• ISO 27001
• ISO 27018
• ISO 27017
• PCI-DSS
• Cloud Computing Compliance Control Catalogue (C5)
• Trusted Cloud Data Protection Profile (TCDP)
• FedRAMP Moderate
• HIPAA/HITECH Act
• FINRA - SEC 17a-4
• SOC 1 - SSAE18 Type II
• SOC 2 / SOC 3 - AT-C 205 Type II
• DoD Cloud SRG - Impact Level 4


By maintaining these compliance certifications, we assure our customers that Box can support
them in meeting their due diligence obligations. To learn more about Box’s certifications, visit
the Trust Center.


We continue to enforce data protection obligations with service providers and contractors:
Service providers and contractors that process personal data are required to undergo a
stringent review and due diligence process. Box's third-party risk management team evaluates
each provider's adherence to security, privacy, and regulatory compliance. We enforce strict
compliance with data protection laws, security measures, confidentiality, and international data
transfer requirements through written agreements. Box expressly prohibits subprocessors that
support the Box Service from selling or sharing personal information, from retaining or using
personal information outside of the direct relationship with Box, and from combining personal
information received from Box with data obtained from other sources.


What’s Ahead:
As the privacy landscape in the U.S. continues to shift, you can rest assured Box will stay ahead
of the curve and remain committed to supporting our customers’ data privacy and protection
needs.


Despite our unwavering commitment to delivering products and services with top-tier privacy
protection, security, and compliance, the information provided above should not be construed
as legal advice. We strongly encourage customers to perform their own due diligence when
assessing compliance with relevant privacy and data security laws.


Should you have any questions, please contact [email protected].