Data Management Plan resource wording: Box

This article contains details about Box security relevant to writing Data Management Plans or providing data security information about box resources used in an IRB study.


What is some wording I could use in my data management plan or IRB application about the security of Box?


Approved Content Types

Box has been approved for the following content types at

  • Attorney-Client Privileged Information
  • IT Security Information
  • Other Sensitive Institutional Data
  • Personally Identifiable Information (PII)
  • Protected Health Information (HIPAA)
  • Sensitive Identifiable Human Subject Research
  • Social Security Numbers with IA Consultation only
  • Student Education Records (FERPA)
  • Student Loan Application Information (GLBA)

See the most current listing of data types allowable.

Security Features

Box has the following security features that can be used in the DMP or other description of security for the services offered by Box:

  • Box maintains SOC 1, 2 and 3 reports — issued by an independent third-party assessor — which is based on the SSAE 16 standard.
  • Box has completed the Cloud Security Alliance (CSA) self assessment.
  • Box has not received the Cloud Security Alliance STAR certification and does not currently have a plan for this yet.
  • Box utilizes NIST 800-53 as an industry standard security framework. 
  • FedRAMP, like FISMA, is based off the NIST 800-53 standard of controls. Box is FISMA compliant. Box has been granted an Authority to Operate and is listed on as a FedRAMP Moderate compliant system.

See the Box Data Privacy Policy for more information.


All Backups remain within the United States.


  • Box's Encryption at Rest uses FIPS 140-2 validated encryption (CMVP #2583).
  • Box's encryption in transit supports up to TLS 1.2 which uses FIPS approved cipher suites.


Box logs all User and Administrator actions. Audit logs are available to the customer on demand via the Admin Console or through the Audit API. Box has integrations with Splunk and other SIEMs through our Audit API.

Media Sanitization

Box sanitizes media by destroying all decommissioned or failed digital media used in the Box production environment. Box has documented procedures on media handling. 

Privilege Separation

Box uses logical separation built into the Box application code and stores content, metadata, and encryption keys all in separate and distinct locations. This provides logical separation of content and prevents different users/enterprises from seeing one another’s information as well as prevents insider threat from Box employees. Additionally, data is backed up to Amazon servers for data redundancy. All connections made to Box (whether from the Web Browser, Mobile Application or Box Sync) are made using TLS encryption. Also, Box restricts Production access to only necessary technical personnel whose day-to-day job responsibilities require access.

Box logically separates data using built-in application logic controls. Each customer is assigned a unique Enterprise ID. All users within that enterprise are assigned a unique User ID that is tied to the Enterprise ID. When users upload content to Box, content is associated with the User ID and Enterprise ID. Users only permitted to view content that they have permission to within the enterprise and/or where granted as a collaborator.

Vulnerability Scanning

  • Box performs vulnerability scanning at least quarterly in accordance with PCI requirements.
  • Box performs both internal and external vulnerability scans.


  • Mac
  • PC
  • Web

Additional notes


Refer to the ITS-provided Vendor Assessment for full details. Only the most likely used details are above.


Article ID: 1597
Tue 5/26/20 9:31 PM
Thu 8/27/20 10:02 AM