Box and Security

What kinds of data may I store on Box?




Research data subject to export controls

Exports include:
  • Verbal communication
  • Transfer of written documents
  • Transfer of U.S. computer software to a foreign national whether in the U.S. or abroad if the technology is controlled by export regulations

Human subjects research data containing personally identifiable information (PII)

PII includes:
  • A user name or email address, in combination with a password or security question and answer
  • First name or first initial in combination with any one or more of the following:
    • SSN
    • drivers license or state ID number
    • Account number, credit or debit card number, in combination with security code, access code, or password
    • Unique electronic ID number or routing code, in combination with security code, access code, or password
    • Unique biometric data, such as fingerprint, voice print, or retina or iris image, or other unique physical representation
Request Approval
  Needs Approval  
Human subjects research data that is coded as long as the decryption table is not stored on Box Yes    
Research data that does not contain PII and is not subject to export controls Yes    

Social Security Numbers - Cannot be stored in Box
Request Exception from SSN Usage Policy

Drivers License Numbers
Request Approval
  Needs Approval  
Credit Card Numbers     No
Bank Account Numbers
Request Approval
  Needs Approval  
Electronic protected health information as defined by HIPAA
Request Approval
  Needs Approval  

Data classified as public

Public data consists of institutional data that has been intentionally released to the public by a person with authority to do so and (or) a class of data defined as part of the public record. There may be copyright, Creative Commons or other expectations placed on the data, but it is generally available for public consumption.


Data classified as non-public as long as it does not contain any of the non-allowed items in this chart

Non-public data consists of data that is not protected by regulatory requirements, but should be protected from public view. This data might include (but is not limited to) academic, research, athletic, public service or administrative data that is restricted for reasons related to public or individual safety, competition, ongoing development or is otherwise sensitive in nature.


Data classified as confidential

Confidential data is strictly protected by federal, state, university, professional code or other binding regulation. Any data that could, by itself or in combination with other such data, be used for identity theft, fraud or other such crimes should be treated as confidential data. (excludes SSN)

Request Approval

  Needs Approval