Box Service Access controls. 6.1 (A)(i) Physical Access Controls. Box will implement the following suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment used to process Content.
(a) Access authorization for Box Personnel and third parties
(b) Keycards and passes
(c) Restrictions on keys
(d) Appropriate requirements for third parties
(e) Identifying of the persons having authorized access
(f) Protection and restriction of entrances and exits
(g) Establishing security areas especially for deliveries and handover
(h) Securing the building (security alarm system, supervision by guards)
6.1 (A)(ii) Technical Access controls. Box will implement the following suitable measures to prevent unauthorized reading, copying, alteration or removal of the data media, unauthorized input into memory and reading/alteration/deletion of Content.
(a) Access authorization requirements
(b) Identification of workstation and/or the users accessing Box systems
(c) Automatic disablement of user IDs after multiple erroneous passwords entered
(d) Logging of events and activities (including monitoring of break-in attempts)
(e) Issuing and safeguarding of identification codes
(f) Dedicated workstations for users
(g) Authenticating authorized persons
(h) Use of encryption where deemed appropriate by Box
(i) Separating production and non-production environments
(j) Automatic session log-off of users that have been inactive for a period in excess of thirty (30) minutes
(k) Designating areas in which data media may/must be located
Appears in 3 contracts
Sources: Box Service Agreement, Box Service Agreement, Box Service Agreement
Box Service Access controls. 6.1 (A)(i) Physical Access Controls. Box will implement the following suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment used to process Content.
(a) Access authorization for Box employees and third parties
(b) Keycards and passes
(c) Restrictions on keys
(d) Appropriate requirements for third parties
(e) Identifying of the persons having authorized access
(f) Protection and restriction of entrances and exits
(g) Establishing security areas especially for deliveries and handover
(h) Securing the building (security alarm system, supervision by guards)
6.1 (A)(ii) Technical Access controls. Box will implement the following suitable measures to prevent unauthorized reading, copying, alteration or removal of the data media, unauthorized input into memory and reading/alteration/deletion of Content.
(a) Access authorization requirements
(b) Identification of workstation and/or the users accessing Box systems
(c) Automatic disablement of user IDs after multiple erroneous passwords entered
(d) Logging of events and activities (including monitoring of break-in attempts)
(e) Issuing and safeguarding of identification codes
(f) Dedicated workstations for users
(g) Authenticating authorized personnel
(h) Use of encryption where deemed appropriate by Box
(i) Separating production and non-production environments
(j) Automatic session log-off of users that have been inactive for a period in excess of thirty (30) minutes
(k) Designating areas in which data media may/must be located
(l) Designating persons in such areas for authorized handling and removal of data media
(m) Controlling the removal of data media
(n) Securing the areas in which data media is located
(o) Controlled and documented destruction of data media
6.1 (A) (iii) Data Access controls. Box commits that its employees and contractors entitled to use Box’s data processing systems will only access data within the scope and to the extent covered by the respective access permission (authorization). This will be accomplished by:
(a) Securing workstations
(b) Requirements for user authorization driven by need basis
Appears in 1 contract
Sources: Box Service Agreement