Statement on Encryption Full compliance with Lot 3 requirements is not available at this time Requirement 1: Files can be encrypted before upload into the cloud. This is not a service we natively offer. Any encryption prior to storing the data on Box could be done by a third party provider, for example Box partners such as Cipher Cloud or Code Green Networks. Requirement 2: Files are encrypted at rest as well as in transit. All files uploaded to Box are encrypted at rest using 256-bit AES encryption. For files in transit, AES 256 is a supported cipher, however we default to use RC4-128 encryption. We do this to mitigate a known vulnerability in SSL called the BEAST attack, which an attacker could use to hijack someone's web session when other ciphers (including AES 256) are used. 128 bit encryption is currently considered safe and secure. This applies to every Box account from personal accounts to our largest Enterprise accounts https://support.box.com/hc/en-us/articles/200520608-Enhanced-Security also have the security white paper but thats 8 pageshttps://www.box.com/resources/case-studies/security-whitepaper/ Requirement 3: Encryption keys are controlled by the file owner or their administering institution. Box encrypts data in in transit as well as at rest (as detailed in Question 19) but, at this time, does not offer customer management of their encryption keys. By default, Box manages all encryption keys in order to facilitate searching, sharing and collaboration. Box supports file-level encryption, whereby all content uploaded will be encrypted with a unique key (DEK) using an industry-standard cipher. DEKs are then encrypted by a rotating a key encryption key (KEK) using an AES 256-bit cipher. KEKs are stored on an internal key server, internal to the Box network but isolated on a different network segment from the file servers. Encryption and decryption will happen at the borders of the Box network and will be transparent to clients. Box uses the AES algorithm for encrpytion with a default value of 256-bit strength. Access is provided based on the principle of least privilege, and implemented using a combination of network, physical and application access controls 1