Customer Responsibilities:
Application Features
Application Updates
Users or their delegated support services (e.g., managed workstations) are responsible for regularly updating client software to their modern versions.
Endpoint Plugins
Users are responsible for updating and maintaining all plugins they choose to install on their endpoints. All plugins must meet Yale’s Minimum Security Standards (MSS).
Cloud Plugins/Add-ons
To request a Box cloud-based plugin/add-on, please contact the ITS Help Desk to obtain an "Add-in request form". Once the form is submitted, a service team member will review the request to ensure the plugin/add-on satisfies Yale’s business requirements and meets Yale’s MSS.
Customer Security Responsibilities:
Data Security
Yale University follows a shared responsibility model for data security. Users are responsible for understanding their data’s risk level and ensuring they do not violate any Yale policies, standards, or procedures while using this service. Regular Box at Yale is approved for moderate-risk data, and Secure Box is approved for high-risk data; users are responsible for working with their data appropriately according to Yale’s MSS.
Secure Box
Secure Box users are only permitted to share file links with other Secure Box users and should never share public links to high-risk data. Secure Box users may only collaborate with users from the following addresses:
- @yale.edu
- @ynhh.org
- @va.gov
Data Access Management
By default, access to data is restricted solely to the user who owns the data. Users are responsible for ensuring they only share data and collaborate with authorized parties. Users should periodically review shared data and collaboration permissions, purging or removing access to data that is no longer needed.
Individual Account Data Migrations
Users are responsible for migrating data from their Box at Yale accounts. In particular, when customers leave the University, they are responsible for migrating data before their account is deleted:
Students
Students using regular Box at Yale may convert their Box at Yale accounts to personal Box accounts upon graduation. After graduation, students will receive an email with migration instructions.
Faculty & Staff
Faculty and Staff who leave Yale will lose access to Box at Yale immediately and are not permitted to convert their Box at Yale accounts to personal Box accounts. Faculty and staff are responsible for reviewing shared data and transferring ownership as necessary before their account is terminated and data is lost.
ITS Responsibilities
Oversight, Knowledge, and Support
Application Information
Box at Yale is responsible for providing knowledge documentation and how-to articles to the ITS Help Desk and Desktop Support Providers (DSPs). Application information, guides, and best practices will also be available to end users through the Box at Yale service page.
Application Future Planning
Box at Yale is responsible for regularly evaluating Box applications and planning a technology roadmap to ensure the services offered remain relevant and continue to meet the Yale community’s needs. The service team will engage in continuous collaboration with customers and the Information Security Office to improve platform security and promote customer security compliance.
New Application Features
As a normal part of the application lifecycle, Box will periodically release new application features. For mandatory features implemented by the vendor, the service team will notify customers in advance if the feature’s implementation will significantly impact the service offering. In addition, the service team will provide the community with sufficient knowledge documentation to support the new feature’s use.
For optional features released by the vendor, the service team will evaluate the feature and its future impact to confirm it is consistent with the service offering’s commitment to stability, performance, and security. If the service team determines that the feature should be enabled, the community will be provided with sufficient knowledge documentation to support the new feature’s use.
Application Requests & Support
Box at Yale is responsible for resolving all in-scope support requests. The ITS Help Desk and Desktop Support Providers are responsible for assisting with application installation, troubleshooting application issues, and answering how-to questions. Box at Yale will assist with any issues that the Help Desk cannot resolve and/or that require escalation.
License Negotiation
Box at Yale is responsible for negotiating Yale’s Box license with vendor management and the Box vendor. The Box at Yale service team will notify customers if any changes to the license terms occur.
Security
Platform Security
Box at Yale is responsible for ensuring the cloud environment meets Yale’s MSS. All stored and transferred data will be encrypted, and malicious files will be detected and automatically quarantined.
Metadata
Similar to files stored in local and remote file systems, files stored in the Box cloud contain metadata, such as data type, date, ownership, access, and contact information. This information is available to anyone with access to the data.
Monitoring & Auditing
Box at Yale is responsible for monitoring and logging all identities who access data stored in the Box cloud. If the monitoring system detects any security compliance violations, automated alerts will be sent to the service team and the Information Security Office. If necessary, the service team will perform a complete system and access audit to pinpoint the origins and extent of any security breaches and remediate issues accordingly.
Cloud Plugins/Add-ons
Box at Yale is responsible for working with the Information Security Office to complete a Security Planning Assessment (SPA) using the submitted “Add-in request form” for cloud plugins/add-ons. The SPA will assess potential security concerns and ensure the plugin/add-on meets Yale’s MSS. If the SPA identifies any MSS violations, the service team will ask the customer who submitted the original request to either withdraw it or update it to meet the MSS.
Availability & Recovery
Cloud Services Availability Communications
Box at Yale is responsible for ensuring in-scope applications and services are consistently available to the Yale community. Box will send service health alerts for planned maintenance and unplanned outages, and the service team is responsible for passing this information to the Yale community through the ITS Status Page.
File Recovery
For regular Box at Yale users, files deleted from the Box cloud will remain in Box Trash for 30 days, and users can recover these files using self-service tools. Upon request, the service team can recover deleted files for an additional 30 days after they are discarded from Box Trash. After 60 total days, deleted files will be permanently unrecoverable. To request assistance, please contact the ITS Help Desk.
For Secure Box users, files deleted from the Box cloud will remain in Box Trash forever. Users can always recover these files using self-service tools.