Box deployment guidance

Service description

Box is a cloud-hosted file storage service that supports file sharing and collaboration, through a set of synced editing, commenting, and task assignment functions, along with delegated file and folder security. Box.com is available to UC via Internet2’s Net+ services.

Important Notes

  • Pricing for the services is tiered based on the location population.
  • There is a HIPAA BAA available for Box.com.

Sensitive data guidance

Green: Permitted
Yellow: Consult
Red: Not permitted
Data Type Data Use Guidance Comments
Credit Card (PCI-DSS) Not permitted No PCI agreement.
Export Control Consult Consult with data proprietor UC location office of research.
Electronic Protected Health Information (ePHI) subject to HIPAA Consult HIPAA BAA available, consult with data proprietor and appropriate UC location (e.g. privacy official, information security, compliance officer).
Human Subject Research Consult Consult with data proprietor and UC location office of research.
Intellectual Property Consult Consult with data proprietor and appropriate UC location authority (e.g. tech transfer, office of research, campus counsel).
IT Security Information
(e.g. administrative passwords, network diagrams)
Permitted When appropriately configured.
Other Sensitive Institutional Info
(e.g. Fundraising, Attorney/Client Privileges)
Consult Consult with data proprietor and appropriate UC location authority (e.g. privacy official, development office, campus counsel, information security officer).
Personally Identifiable Information (PII)
Tied to state notification breach laws, Login credentials, SSN, Drivers license
Consult Consult with appropriate UC location authority (e.g. privacy official, risk officer, campus counsel, information security officer).
Public Information Permitted
Research Data
AnimalGeneral (non-Humanoid Subject Research)
Consult Consult with data proprietor and UC location office of research.
Student Education Records (FERPA) Permitted Consult with data proprietor and UC location authority.

UC location responsibilities

  • Individual users are on a named user basis. Accounts cannot be shared.
    • Accounts can be reassigned.
  • Box allows integration of third party marketplace applications. The contracts for these apps are NOT covered by the Box agreement, and must be considered separately. Third-party apps may incur additional costs, have different data security controls, and additional risks and liabilities. Carefully decide what 3rd party apps to allow or disable.
  • Campus is responsible for integrating Box into directory environment (LDAP/SSO/Shibboleth).
  • Box will provide customer success team for implementation process.
  • Box is built with secure data storage as a basic protocol, but due to the nature of sharing, it is up to each location and each user to implement appropriate security controls and to comply with applicable University policies, notably policies relating to the protection of University data and the UC Electronic Communications Policy.

Vendor responsibilities

Procurement Services contacts

View a ist of contacts for each campus.

Costs

  • Pricing is location-wide, tiered based on location population.  It is based on Internet2’s pricing structure.
  • The costs are payable annually in advance.
  • Educational pricing is pre-negotiated as part of the agreement.

Link to contract

You can view a copy of the agreements in the Contracts Database. Please contact your local procurement department for login credentials.

UC location links and contacts for this service

Visit the website or contact the individuals below for more information about this service at your location.

Location Contact Guidance
UC Davis
UC Riverside
UC Merced procurement@ucmerced.edu
UC Berkeley http://box.berkeley.edu
UC Santa Cruz
UC Santa Barbara
UCLA
UC San Diego Cloud and Web Services (cws@ucsd.edu)
UC Irvine Isaac Straley
UC San Francisco
Lawrence Berkeley National Labs Stephen Lau
Division of Ag & Natural Resources Gabriel Youtsey