Protect your most valuable content with event-based retention

Event-based retention

What is your organization's most valuable content? ? Is it your contracts, your employee files, your customer proposals or your secret formula? No matter what, all of this content needs to be protected from accidental or malicious deletion and must be retained to meet business and regulatory obligations. But only some of it needs to be retained indefinitely. Most content will reach a point where the risk and cost associated with retaining it outweighs its value, and that’s where event-based retention comes in. 

Why disposition matters

Keeping content indefinitely has long been the default. Not making decisions on disposition and keeping content “just in case” is, unfortunately, the status quo. In the past, the primary motivation to delete content was the cost savings associated with storage reduction (or at least reducing the rate of storage growth).  And now, with unlimited cloud storage, even that motivation has been eliminated. Not disposing of content as outlined by policies is problematic and increases risk for several reasons:

  • Increased eDiscovery cost - From identification and preservation all the way through production and presentation, the eDiscovery lifecycle is a funnel. In order to produce relevant content, all of the identified content needs to be culled and analyzed. Processing content that should have been disposed of is both costly and time consuming.
  • Increased burden for Data Subject Requests - With legislation like GDPR, CCPA and a host of other privacy regulations that have been passed or are pending, over retention of data introduces additional cost and risk. Organizations are required to dispose of customer, and in some cases employee data, when it is no longer needed.  Failing to do so can result in fines and, at a minimum, searching, producing and remediating the excess content results in increased response time, staff burden and potential customer ill-will.
  • Loss of productivity - Remember that time you were searching for last year's proposal to that big steel company and instead found the 2005 pictures of Larry in accounting dressed as Superman? While sometimes results can be amusing, oftentimes, the process of sifting through obsolete, valueless content is time consuming and frustrating. 
  • Failed compliance - Having retention policies, but not automating them, essentially results in documenting your failure to comply. Policies indicate what your organization has determined is the correct way to dispose of content based on regulatory and business requirements. Not automating these policies, not disposing of content, or leaving it up to the initiative or whim of employees, introduces inconsistencies and can raise questions during the litigation process.

What is event-based retention?

Over 50% or more, depending on your industry, of your retention policies are triggered from some event. These policies, outlined by industry or corporate regulations, provide guidance on how to safeguard business critical content and keep you compliant.

With event-based retention, the retention period is linked to the existence of a particular trigger event, such as an account closure or employee separation, rather than just the time since creation.

Simply put, it uses the value of a metadata date field to trigger the start of the retention period. The value of this date corresponds to when a business event occurred (e.g. when contracts renew, employees leave, and sometimes come back, assets retire). These events, many of which will occur in the future, signal the start of the retention period. 

How Box meets your needs

Box allows retention policies to be applied in several different ways. Policies can be applied globally to all new content, to all content in a specified folder or via the application of metadata. Now, with the release of event-based retention you can choose either the Box create/upload date or a specific metadata field as the start date. 

By applying a template, you can associate metadata to a file or to a folder and cascade the metadata to the folder contents. Once the metadata requirements are met the content is held indefinitely. Once the metadata start date field is populated, the retention period is calculated. As an example, you may have a project folder where all the content needs to be retained and protected against deletion for the duration of the project. Once the project ends, all content, regardless of when it was created, is retained for 5 years, then disposed of.


In the same manner, event-based retention pertains to employee departures, contract expirations, asset retirements, etc. For a full explanation of how to configure retention policies, please refer to our knowledge base article.

What else is new?

We have also recently made enhancements to our trash policies. Determining who can empty trash helps you achieve the right balance of loss prevention and content cleanliness. Box Governance customers have been able to choose between four options for who can empty the trash:

  • Everyone
  • No one (including policies)
  • Admin
  • Admins and Co-Admins

Our latest option “Policy Only” allows you to set policies to automatically dispose of content while preventing emptying the trash by any user. Soon, we will be adding an option to restrict the emptying of trash to an Allow list of users.

Box is constantly working to help you achieve compliance in a straightforward, frictionless manner. For a deep dive, be sure to check out the Box Governance Deployment Kit. So, set your policies, live by them and increase your productivity and compliance!