Box.com (UK) Ltd

Box Content Cloud: A Secure Content Management Platform

Box is a platform that enables file management, collaboration and automated workflows internally and externally. Box comes with enterprise grade security and compliance and an intuitive user experience so not to slow processes down. With a robust API and 1400+ prebuilt integrations these capabilities can be extended into other applications.

Features

• Cloud content management from creation, editing, publishing, storage to disposal
• Seamless internal and external collaboration across all unstructured data
• Unlimited storage, large file sizes, unlimited third-party collaborators, unlimited versions
• Natively integrated advanced AI models, content workflow/approvals and content governance
• Advanced security, automated classification, legal holds, Data Loss Prevention (DLP)
• UK Storage Zone, Ethical Walls, Dynamic Watermarking, eDiscovery, zero-trust, eSignature
• Store, edit and secure PII, OFFICIAL-SENSITIVE and Health Information, GxP
• Access Box from anywhere, with mobile, web, desktop and API
• 1500+ Integrations including Salesforce.com, O365/Teams, Google, Pegasystems, SAP and ServiceNow
• Extensive set of metadata tools, customisable dashboard views, content automation

Benefits

• Streamline agency/vendor/citizen collaboration, while connecting applications and environments.
• Accelerate with AI, Open APIs, content workflows, eSignature, Search, Reporting
• Transform digital engagement with workspaces, VDRs, digital-asset-libraries and citizen portals
• Enhance field operations, case management, record management, create digital experiences
• Protect your important data - detect/prevent threats, protect against ransomware
• Flexible and interoperable platform compatible with SSO, SIEM, CASB tools
• Easily manage content with customisable metadata dashboard views
• Build external, custom portals with white-labeled experiences, including digital claims
• Retire legacy infrastructure, consolidate cloud repositories to reduce storage costs
• Meet data protection and regulatory compliance requirements

£20 a user a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@box.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

109122444167138

Contact

Barnaby Newell
+44(0)203 884 1068
gcloud@box.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: A content layer for other Software-as-a-Service solutions and/or custom applications.
• Cloud deployment model: Public cloud
• Service constraints: Box has no technical constraints as long as the user is on a current browser (the two latest versions).
• System requirements:
  • Browser access: Latest two versions of major browsers are supported
  • OS: Windows/Windows Server - two latest released versions (64-bit)
  • Android access: Android versions released in last three years
  • IOS and iPadOS: two latest released versions
  • To work online: internet access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Standard Support is provided during local business hours Monday-Friday with no SLA. ; ; Support Access Method: web/email/chat; ; Targets are provided and are as follows: ; ; Level 1 - Urgent - within 4 business hours; Level 2 - High - within 8 business hours; Level 3 -Normal - within 1 business day; ; Premier and Platinum Support is provided 24 Hours/Day, 365 days/year with the following SLAs: ; ; Level 1 - Urgent - within 1 hour; Level 2 - High - within 2 hours; Level 3 -Normal - within 2 hours; Level 4 - Low - Greater than 2 hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 24 hours, 7 days a week
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Box's accessibility site, a.box.com, is 508 and WCAG 2. 1 level AA compliant.
• Onsite support: No
• Support levels: At Box, we make sure you have the right offering to fit your specific needs. All of our customers - from personal users to our largest enterprise clients - can get the support of a product expert and our self-service Community site. For customers that have purchased a support offering, your Premier Services Lead will be involved during your implementation to make sure that you’re set up for success. Our dedicated team works closely with our product managers and engineers to quickly solve any problems, should they arise. We’ll ensure your experience is catered especially to you. For Platinum clients, your Technical Account Manager stays with you to monitor the health of your Box deployment. Additionally, they will have regular engagements to ensure helpdesk processes are optimised or if you are in need of technical assistance. Here’s what you can expect for Premier and Platinum Offerings: 1) 24/7 Dedicated phone line and Email/Web Support 2) Guaranteed 1-2 Hour First Response Times 4) Custom Shared Help Desk/Escalation Model 5) Off-Hours On-Call Support 6) Resource and Self-Service training
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Box offers several self-service and custom training options, including: how-to videos, implementation best practice documents, training sessions, community portals, webinars, help cards, virtual and in-person training, administrator certification and access to our community knowledge base. User guides and manuals are available for customers to learn about the features of the Box Cloud Collaboration Platform (https://community.box.com). For an additional cost, customers may also sign-up for live virtual training sessions with an instructor that provides live demonstrations of Box features as well as a Question and Answer session (http://community.box.com/t5/Training/ct-p/Training).
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Customers own their content at all times. Customers can download copies of their content stored in the Box Service at any time during their subscription period.
• End-of-contract process: For 30 days following the expiration of the Termination of the Agreement and/or applicable Subscription Period, a customer may request from Box, limited access to the Box Service solely for purposes of Customer’s retrieval of the Content.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Box provides a rich mobile application experience that is optimised to work on a mobile device. This echoes the primary features of the desktop/web experience with some minor differences to application integrations and editing functions due to the constraints of a mobile based environment
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Box has a consistent and user-friendly interface across mobile, web and desktop applications. A single point of search across all content, consistent user permissions for internal and external collaborators, with minimal administrative overhead.
• Accessibility standards: None or don’t know
• Description of accessibility: The Box web application substantially conforms to WCAG 2.0 Level AA. Box can provide its Voluntary Product Accessibility Template (VPAT) for the Box Web Application and Box Drive to customers upon request.; ; Please refer to the following Box Support link on Accessibility for further details: https://support.box.com/hc/en-us/articles/4416792632595-Accessibility
• Accessibility testing: The Box web application substantially conforms to WCAG 2.0 Level AA. Box can provide its Voluntary Product Accessibility Template (VPAT) for the Box Web Application to customers upon request.; ; Please refer to the following Box Support link on Accessibility for further details: https://support.box.com/hc/en-us/articles/4416792632595-Accessibility
• API: Yes
• What users can and can't do using the API: Many of the actions that can be taken using the web UI, can also be done via the API. Full documentation can be found at https://developer.box.com/
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Customers have the ability to set up custom branding, as well as incorporate custom information within their Box Enterprise to ensure the look and feel of your organization's Box account best serve your needs.

Scaling

• Independence of resources: Box continuously monitors capacity and availability of the infrastructure to ensure consistent performance.

Analytics

• Service usage metrics: Yes
• Metrics types: Box has robust reporting for admin over actions taken within Box, with audit trail. You can monitor activity and view data about your Box account, the content owned by your account, user activity by generating reports in the Admin Console. Reports can be generated on-demand for specified period. ; ; Box can be intergrated with third party tools for building out visability/insights around the use of Box system. ; ; Access statistcs are also provided to individual users (subject to permissions) so they can understand how the content they've stored within Box has been accessed/shared/edited etc.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Every file uploaded to Box is encrypted using a unique 256-bit AES data encryption key and a FIPS 140-2 validated level 1 cryptographic module.Box further secures the data encryption keys with a key wrapping encryption strategy, by which the data encryption key for each file is encrypted with a key encryption key, creating a secure encryption token. This second level of encryption also uses 256-bit AES encryption.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Box Customers are able to export their data by downloading their Content through the web application, API, and FTP.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Content uploaded to Box will retain the original format
  • Text Based Documents
  • Presentations
  • Audio Files
  • Video Files
  • Images
  • Flash/Mobile Video Files
  • 3D (Graphics and Modeling) Files
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • Content uploaded to Box will retain the original format
  • Text Based Documents
  • Presentations
  • Images
  • Audio Files
  • Video Files
  • Flash/Mobile Video Files
  • 3D (Graphics and Modeling) Files

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: For Customers with Standard Support Service, Box will use commercially reasonable efforts to meet an Uptime Percentage of at least 99.9%.
• Approach to resilience: Box employs an active-active data center model, which ensures the simultaneous availability of content from multiple data centers within Google Cloud Platform (GCP)'s infrastructure. In scenarios where a specific data center or geographic region is impacted by an adverse event, the unaffected data centers within GCP seamlessly support the Box Service. Additionally, Box has a well-established Disaster Recovery (DR) testing process conducted at least annually. This testing rigorously assesses the efficacy of DR processes and procedures, confirming the ability to transition production services to an alternate Data Center effectively. Notably, database restoration tests are also conducted annually as a part of this comprehensive disaster recovery testing. This approach underscores our commitment to maintaining a high level of redundancy, reliability, and availability in the face of potential disruptions.
• Outage reporting: Customers can visit status.box.com for communications on the availability of Box services. From the Box status page, customers can also subscribe to email notifications for whenever Box creates, updates, or resolves an incident.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Box Business and above accounts come equipped with a comprehensive Admin Console which is the Box administrator's tool for adding users, building groups, customising security settings, etc. Admins must login to their Box account before they are able to access the Admin Console. Configuration changes can only be performed once the admin is logged in. Customers may choose to enable 2factor authentication or use SSO integrations to further secure their account. Box has various user accounts, roles and folder permissions for access management to a customer's content.To submit support cases, users must login to Box Community using their Box credentials.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Schellman & Company LLC
• ISO/IEC 27001 accreditation date: Original Registration Date: 27/08/2020; Issue Date: 17/08/2023
• What the ISO/IEC 27001 doesn’t cover: The Information Security Management System (ISMS) certifications applies to the Box Cloud Content Management Platform and all supporting infrastructure as operated in the locations listed in the Appendix and the Statement of Applicability.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Schellman & Company, LLC
• PCI DSS accreditation date: 21/8/2023
• What the PCI DSS doesn’t cover: The following services are not included in the scope of Box’s PCI DSS compliance certification and should not be used to process, store, or transmit credit card information: i. Using FTP with Box ii. Email to Files to Folder iii. View API iv. Box Notes v. Box Relay (note: Cardholder data can be stored in customer content that is part of a Box Relay workflow as content within the workflow meets PCI requirements. However, cardholder data cannot be stored in metadata fields which includes Relay Workflow Title, Workflow Description, and Flow Name.)
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • SOC 1 (SSAE 18) Type II, SOC 2 Type II
  • SOC 3, ISO 27001, ISO 27017, ISO 27018, ISO 27701
  • FINRA/SEC 17a-4
  • PCI Data Security Standard (DSS)
  • HIPAA/HITECH
  • GxP Validation, FedRAMP (Moderate)
  • Department of Defense Security Requirements Guide
  • EU&UK Controller & Processor Binding Corporate Rules
  • UK & EU Standard Contractual Clauses
  • APEC Cross Border Privacy Rules APEC Privacy Recognition for Processors

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: SOC 1 (SSAE 18) Type II; - SOC 2 Type II; - SOC 3; - ISO 27001; - ISO 27017; - ISO 27018; - ISO 27701; - FINRA/SEC 17a-4; - PCI Data Security Standard (DSS); - HIPAA and HITECH; - GxP Validation; - ISMAP; - FedRAMP (Moderate)
• Information security policies and processes: Box has established an information security management system program primarily based on ISO 27001 and NIST 800-53. As part of this program, Box has developed policies and procedures that define the information security rules and requirements for maintaining security and compliance, and for safeguarding our customers’ data including policies on information security, acceptable use, data management and data retention, breach management, privacy impact assessments, etc. Box's information security policies and standard operating procedures (SOPs) are reviewed, updated, and approved by management at least annually. Box has a Global Security policy. The Global Security policy and other security policies are reviewed and updated annually, and are required to be read and acknowledged annually by all employees and contractors. Concepts within the security policies are also included in our annual employee trainings. Non-compliance to Box policies, including security policies, follow a standard disciplinary process that could lead up to termination.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Box has a formal change management process for application and infrastructure changes. In addition, configuration and release management tools have been implemented. The code repository supports versioning and consistency across the environment and provides the ability to roll-back changes.; ; Box also maintains baseline configurations for production servers to facilitate the configuration process.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Box performs internal automated vulnerability scanning within the Box production environment, which is inclusive of network, OS, and database scans at least monthly. Box performs authenticated and unauthenticated network and OS scans, authenticated configuration scans against databases, and authenticated Web Application scans. A ticket is automatically created for each vulnerability identified and we have patching SLAs associated with the risk rating of each vulnerability. Critical vulnerabilities are patched within 48 hours and High vulnerabilities are patched within 30 days.; ; Box also performs external vulnerability scans quarterly by Approved Scanning Vendor. Furthermore, Box utilizes third-parties to perform penetration testing annually.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Box employs multiple automated mechanisms to assist in the security monitoring of Box’s infrastructure including but not limited to: • Vulnerability scanning• Firewall management• Log aggregation, search, and alerting• Application error logging• Network intrusion detection• Host intrusion detection• Malware detection• Endpoint management• Network taps• Threat intelligence management The Security team is alerted of suspicious events identified by Box’s security monitoring tools. All security events are handled by Box’s Security Incident Response Team (SIRT) in accordance with the Security Incident Response Process.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Box has established an Incident Management process to provide a consistent and organized approach for handling security (including confidentiality) and availability incidents. Incident tickets are either generated by Box's various monitoring tools automatically, or Box tickets are opened manually by the Security and Technical Operations teams. Customers may also submit customer support incidents via email, phone, or the Box Community site, which may result in a creation of a security or availability incident ticket. The Incident Response Plan (IRP) provides a methodology and framework by which Box's incident responders can work to ensure a complete and consistent response.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Other
• Other public sector networks: Box has the capability to provide direct peering with PSN.

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Box is committed to leading positive change in our world through its environmental, social, and governance (ESG) initiatives.; Please refer to Box’s FY24 Environmental, Social and Governance (“ESG”) Fact Sheet: https://t.co/xdhpYHd9X9 which highlights Box’s ESG commitments to protect our planet, invest in people and communities, and act with integrity.

  Covid-19 recovery

  Box is committed to leading positive change in our world through its environmental, social, and governance (ESG) initiatives.; Please refer to Box’s FY24 Environmental, Social and Governance (“ESG”) Fact Sheet: https://t.co/xdhpYHd9X9 which highlights Box’s ESG commitments to protect our planet, invest in people and communities, and act with integrity.

  Tackling economic inequality

  Box is committed to leading positive change in our world through its environmental, social, and governance (ESG) initiatives.; Please refer to Box’s FY24 Environmental, Social and Governance (“ESG”) Fact Sheet: https://t.co/xdhpYHd9X9 which highlights Box’s ESG commitments to protect our planet, invest in people and communities, and act with integrity.

  Equal opportunity

  Box is committed to leading positive change in our world through its environmental, social, and governance (ESG) initiatives.; Please refer to Box’s FY24 Environmental, Social and Governance (“ESG”) Fact Sheet: https://t.co/xdhpYHd9X9 which highlights Box’s ESG commitments to protect our planet, invest in people and communities, and act with integrity.

  Wellbeing

  Box is committed to leading positive change in our world through its environmental, social, and governance (ESG) initiatives.; Please refer to Box’s FY24 Environmental, Social and Governance (“ESG”) Fact Sheet: https://t.co/xdhpYHd9X9 which highlights Box’s ESG commitments to protect our planet, invest in people and communities, and act with integrity.

Pricing

• Price: £20 a user a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: 14 day free trial available at Box.com
• Link to free trial: https://www.box.com/en-gb/free-trial/ccr

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@box.com. Tell them what format you need. It will help if you say what assistive technology you use.