The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.

Box will comply with applicable GDPR regulations as a data controller when they take effect on 25th May 2018.

Where Do We Stand?

We are committed to address EU data protection requirements applicable to us as a data controller. These efforts have been critical in our ongoing preparations for the GDPR:

Data Control: Our ability to fulfil our commitments as data controller of our customer’s personal data is part of our compliance with GDPR. Our responsibility is to contact all parties we hold personal data on and ensure agreements and procedures contain appropriate provisions for personal data we store. We shall also balance the risks and responsibilities between us as data controller and third-party data processors where we transfer customer data we control.

Third-party audits and certifications: Box undertakes independent third party audits that review its Customer Assurance Programme’ internal controls and processes. The audit covers internal governance, vendor management, production operations, change management, data backups, and product development processes. It evaluates that we have the appropriate controls and processes in place and that they are actively functioning appropriately in accordance with related standards.



The audits offer independent verification that our practices offer a recognised standard of security measures. Furthermore, assuring our system is designed to cover key elements of data processing and integrity. As all customers are concerned with their data and its security, Box has integrated its controls into its operating procedures. These procedures span the organisation, teams or functions that provide service or support to our clients on our platform.

The key components include:

  • Corporate Governance: how we provide oversight of our business and people
  • Change Management: how we make sure changes are tracked and properly reviewed
  • Access Control and Management: who has access to our platform operations and how this access is
  • Data Redundancy and Backup: how data is kept safe and stored in the event of adversity.

Data portability: The GDPR includes certain requirements on data controllers for the portability of personal data. The data our customers store in Box is theirs. We provide secure portability and are continually working to enhance the robustness of our data export capabilities.

Stay informed: Stay abreast of updated regulatory guidance as it becomes available and consider consulting a legal expert to obtain guidance applicable to you. We recommend regular review of the Information Commissioner’s website, which is the UK representative within the EU working group: Article 29.

Download GDPR Policy