Does Box offer EU data residency?
Box, Inc. · Content Management
EU residency on higher tiers · EU-US DPF + SCCs · DPA available
Where does Box store EU data — and who can touch it?
Box offers EU data residency only on higher plan tiers, and relies on the EU-US Data Privacy Framework plus SCCs for transfers.
Box offers EU data residency through Box Zones — an enterprise add-on requiring a Business Plus or higher plan — backed by EU-US DPF certification, approved Binding Corporate Rules and SCCs, with a self-serve DPA.
EU data residency
Can you keep data in the EU?
Box Zones lets admins pin storage to a region including Europe (e.g. France). It is a paid add-on that requires a Business Plus plan or higher, the Zones add-on count must match the core licence count, and it is not available during trials — so EU residency is enterprise/add-on gated.
Transfer mechanism
Box maintains EU-US, UK and Swiss DPF certifications and incorporates the updated EU SCCs (2021) and UK SCCs into its DPA; it also holds approved Processor and Controller Binding Corporate Rules for the EU and UK.
Sub-processors
Who else processes your data? · 8 listed
Box publishes a sub-processor list (~8 primary entities: AWS, Google, Microsoft, IBM, support vendors, and the AI providers OpenAI and Anthropic, which apply only to customers who enable Box AI). Box offers an opt-in subscription for change notices. See the current list at https://www.box.com/legal/subprocessors.
Data Processing Agreement (DPA)
Does Box sign a DPA?
Box offers a customer-signable DPA (with SCCs included) via its privacy-in-Europe flow; it has long positioned this as a self-serve, electronically signable agreement for current Box customers. Confirm the current signing flow for your agreement.
What the trust-badge pages don't tell you
Box's transfer story is unusually strong (DPF + approved BCRs + SCCs), but EU data-at-rest residency is a separate paid Box Zones add-on gated to Business Plus and above — don't assume the BCRs imply EU hosting.
Frequently asked questions
Does Box offer EU data residency?
Only on higher tiers. Box Zones lets admins pin storage to a region including Europe (e.g. France). It is a paid add-on that requires a Business Plus plan or higher, the Zones add-on count must match the core licence count, and it is not available during trials — so EU residency is enterprise/add-on gated.
Where does Box send my data, and does it rely on SCCs?
Box maintains EU-US, UK and Swiss DPF certifications and incorporates the updated EU SCCs (2021) and UK SCCs into its DPA; it also holds approved Processor and Controller Binding Corporate Rules for the EU and UK.
Who are Box's sub-processors?
Box publishes a sub-processor list (~8 primary entities: AWS, Google, Microsoft, IBM, support vendors, and the AI providers OpenAI and Anthropic, which apply only to customers who enable Box AI). Box offers an opt-in subscription for change notices. See the current list at https://www.box.com/legal/subprocessors.
Does Box sign a GDPR Data Processing Agreement (DPA)?
Yes — Box offers a customer-signable DPA (with SCCs included) via its privacy-in-Europe flow; it has long positioned this as a self-serve, electronically signable agreement for current Box customers. Confirm the current signing flow for your agreement.
Is Box GDPR compliant?
Box can be used in a GDPR-compliant way, but compliance depends on your configuration, not just the vendor: Box offers EU data residency through Box Zones — an enterprise add-on requiring a Business Plus or higher plan — backed by EU-US DPF certification, approved Binding Corporate Rules and SCCs, with a self-serve DPA. You are the controller — confirm the current DPA, residency and sub-processor terms with Box, Inc. and run a transfer impact assessment before processing EU personal data. This is not legal advice.
Sources
https://www.box.com/zones
https://www.box.com/privacyineurope
https://www.box.com/legal/subprocessors
This page is cited public information, not legal or compliance advice. Whether Box can lawfully process your EU personal data depends on your plan, configured region, contract and a transfer impact assessment you control. Always confirm current terms with Box, Inc. before sending EU personal data.