Box & CPRA Readiness: Preparing for what’s ahead in US state privacy laws

At Box, securing our customers’ content and protecting their privacy rights is at the heart of our cloud content management platform and product offerings. That is why, early on, we made a commitment to offer customers a cloud content management platform and product offering that not only met, but surpassed industry standards and privacy requirements. In 2020, California voters overwhelmingly supported Proposition 24, more commonly known as the California Privacy Rights Act (CPRA). The CPRA makes significant amendments to California’s existing privacy law, the California Consumer Privacy Act of 2018 (CCPA).

With the CPRA’s provisions coming into effect January 1, 2023, we understand that you - our customers - may have additional questions on how service providers like Box safeguard your personal data. To support you in meeting your due diligence obligations, we’ve highlighted below the efforts we’ve made to ensure our customers can continue to utilize Box’s product offerings in a manner that is compliant with California’s privacy laws.

CPRA and our commitment to securing your personal data

We’ve updated our US Data Processing Addendum.Box now offers a US-specific Data Processing Agreement (US DPA), which includes a specific set of privacy provisions relevant to California’s amended privacy law. The US DPA includes information relating to Box’s processing of customer personal information, the security controls we implement to protect customer personal information, and how we handle consumer rights requests, amongst other provisions. To begin the US DPA signature process, please submit your request form here and our team will respond promptly with any additional information required. For questions regarding this process and request form, please email

We’ve updated our Privacy Notice. We are committed to protecting the privacy of customer data and we care deeply about maintaining transparency and the trust of our customers. As part of this commitment, we’ve updated our privacy notice to further explain how we collect, use and share your personal information. Specifically, we've updated the California section of ourRegional Information Notice to include an updated list of the categories of personal information Box may have collected, along with how consumers in CA may exercise their privacy rights.

Maintaining best-in-class compliance certifications. At Box, we approach security with a unique perspective, matching our seamless end-user experience with an unmatched level of frictionless security, enhanced visibility, and meticulous control. We make the security of our customers’ data our number one priority, and we reflect that goal at every point in our solution. We rigorously manage data in a manner that meets business, legal, security, and regulatory needs. Our commitment to protecting the privacy and security of our corporate and customer data has resulted in Box leading the pack in security and privacy compliance certifications. By maintaining the compliance certifications below, our customers can rely on Box to support them in meeting their due diligence obligations. To learn more about Box’s certifications, visit theTrust Center.

  • ISO 27001
  • ISO 27018
  • ISO 27017
  • Cloud Computing Compliance Control Catalogue (C5)
  • Trusted Cloud Data Protection Profile (TCDP)
  • FedRAMP Moderate

Enforcing data protection obligations with our service providers and contractors. We require all service providers and contractors to go through a rigorous review and due diligence process. Box’s third-party risk management team assesses each service provider and contractor on its adherence with security, privacy, and compliance regulations and industry standards. Box requires all service providers and contractors to maintain contractual, organizational and technical safeguards for the duration of their engagement with Box. Our written agreements enforce compliance with applicable data protection laws, security controls, confidentiality and international data transfer requirements. Box’s subprocessors that support the Box Service are expressly prohibited from:

  • Selling or sharing personal information
  • Retaining, using, or disclosing personal information for any purpose other than the business purpose specified in the contract
  • Retaining, using, or disclosing personal information outside of the direct relationship between the service provider/contractor and Box
  • Combining personal information received from Box with personal information received from other sources.

What's Ahead

With the start of the 118th U.S. Congress, all eyes are on Washington to pass a federal privacy law. Until then, companies will continue to prepare for an array of recently passed privacy laws in Virginia, Colorado, Utah and Connecticut. As the privacy landscape in the United States continues to evolve, we remain vigilant in our commitment to supporting our customers’ data privacy protection needs.

While we maintain our steadfast commitment to offering products and services with best-in-class privacy protection, security, and compliance, the information provided above does not, and is not intended to, constitute legal advice; we strongly encourage our customers to perform their own due diligence when assessing compliance with relevant privacy and data security laws.  In addition, please note that the information provided above concerning CPRA is subject to change as finalized guidance is pending from regulatory agencies in California.

Should you have any questions please contact