In this article

  • Understanding Box retention policy
  • Types of retention
  • Files with multiple retention policies
  • Creating a retention policy
  • How Retention Interacts with Trash
  • Retention Policy Reporting
  • Limitations
  • SysCloud backup for Box

Admin’s Guide to Box Retention Policy

19 Feb 2024
Anju George
Box retention is a feature of Box Governance that allows you to retain and delete content in Box according to your organization’s compliance policies. Retention policies enable you to prevent accidental or intentional deletion of content until it is no longer legally required or relevant. They also enable you to automatically remove content from Box when it reaches the end of its retention period. 
This article explores Box retention policies in detail, covering the different types of retention policies, how to create one, how retention works in various scenarios, and how to monitor retention policies using retention reports. The article also looks at the limitations of retention policies and why they should not be used as a backup alternative. 

Box retention: article at a glance

Box’s retention policies are a critical feature for data governance and compliance, but they have limitations that could lead to data vulnerabilities and loss:
  • These policies help retain and delete content according to your organization’s compliance needs, preventing accidental or intentional deletion until the content is no longer legally required.

  • Box offers folder-based and metadata-based retention policies, each providing different levels of control and flexibility over content retention.

1. Understanding Box retention policy

Retention policies in Box are designed to retain specific content for a predetermined period, ensuring that this content is neither accidentally nor intentionally deleted before the end of this period. Retention is part of Box Governance, which is included in all Enterprise Plus plans and available as a paid add-on in other business plans. Administrators can create any number of retention policies to align with their organization's compliance policies. 

End-user interaction: Users can delete files under retention by moving them to Trash but cannot permanently purge them from Trash until the retention period ends. Before retention ends, users can also restore these files from Trash. 

When a file is governed by a retention policy, an indicator is displayed under the "Details" section in the right-hand navigation of the Box interface. This visibility helps users understand the retention status of files and manage them accordingly. 
A retention policy in Box can be applied to: 
  • Content within specified folders

  • Content with specified Classification labels 

  • Content with specified metadata 

  • All new content

To learn more about how retention works for each of these options, refer to the “Apply Policy To” section in this Box documentation.

2. Types of retention in Box

Based on the content that the retention policy is applied to:

1) Folder-based retention policy

Folder-based retention policy in Box applies to all content stored within a specific folder. This means that any file or document placed in the folder automatically inherits the retention policy assigned to that folder. 

Retention period: The administrator sets a specific retention period for the folder. During this time, the files within the folder cannot be permanently deleted, ensuring compliance with organizational policies or regulatory requirements. 

File movement and retention status:

  • If a file is moved from a folder with a retention policy to a folder without one, the file remains governed by the initial retention policy.

  • Moving a file to a different folder with the same retention length keeps the original Time Period value, and the original Disposition Action is evaluated when the file expires.

  • If a file is moved to a folder with a different retention length, the longer retention period takes precedence.

  • For files under a retention policy with an indefinite length moved to a folder with a finite retention length, the retention is based on the date of the file move.

  • Files or folders under a retention policy cannot be transferred out of the enterprise or have their ownership changed to an external party.

  • If a file under retention is copied to another folder not associated with any retention, the copy is not retained.

End of retention period: Once the retention period ends, the files in the folder become eligible for deletion or other disposition actions, as per the policy settings. 

Use case: Folder-based retention is particularly useful for organizations that need to manage documents and files in a collective manner, such as financial records, employee documents, or project files, where all contents of a folder require uniform retention handling. 

Note: When a folder-specific retention policy is created, it will be applied to any individual files within the specified folder that are already in the trash. However, this retention policy does not extend to any subfolders of the specified folder if those subfolders are already in the trash. 

 

2) Metadata-based retention policy

Metadata-based retention policies apply to files that are tagged with specific metadata. Metadata-based retention policy in Box allows for more granular control over individual files and documents, based on specific metadata attributes assigned to them. 

Retention period: The administrator sets a retention period for content with specific metadata. During this period, these files cannot be permanently deleted. 

Updating metadata and its impact on retention policy:

  • If the metadata on a file is updated with a new metadata value with the same retention length, Box maintains the original Time Period value and the file's original Disposition Action will be evaluated upon expiration.

  • When the metadata on a file is updated to a new metadata value with a different retention length, the longer Time Period value takes precedence over the shorter one.

  • If a file under a metadata-based retention policy is moved to a location without any associated retention policy, it remains governed by the initial retention policy linked to its metadata.

  • Removing metadata associated with a retention policy from a file does not remove the file from the governance of the initial retention policy.

End of retention period: Once the retention period ends, the files with specific metadata become eligible for deletion or other disposition actions, as per the policy settings. 

Use case: Metadata-based retention enables customers to configure retention policies at the file-level.  

For instance, consider a financial services firm with a client portal for accessing financial documents, where each client has their own set of folders in Box. Clients may hold various insurance policies, each requiring different retention periods as per industry regulations. With metadata-based retention, the firm can set retention policies based on the type of insurance policy, rather than based on the file’s location in Box, which allows them to continue supporting a client-based folder structure while properly retaining the files and meeting industry regulatory requirements. 

Note: If more than one retention policy is actively applied to a file via folder-based retention, metadata-based retention, or both, then the one with the longest expiration date takes precedence.

Based on whether the retention settings can be modified once the policy has been created:

1) Modifiable retention

Modifiable retention policies are those that can be altered after they have been set. This flexibility allows organizations to adjust the duration of a retention period based on changing legal requirements, business needs, or other factors. 
  • Administrators can extend or shorten the retention period as needed. 

  • Policies can be updated to reflect changes in compliance regulations or organizational data management strategies.

Modifiable policies provide organizations with the flexibility to manage their data retention practices dynamically, ensuring that they can adapt to changes without being locked into a fixed policy that may no longer serve their needs.

2) Non-modifiable retention

Non-modifiable retention policies are fixed and cannot be altered once they are set. This rigidity is particularly important for compliance with certain regulatory standards that require guaranteed retention periods without alteration. 
  • Once set, the retention period cannot be shortened, ensuring compliance with strict regulatory requirements.

  • Ideal for industries subject to regulations like SEC Rule 17a-4, which mandates that certain records be preserved in a non-erasable and non-rewritable format.

  • Reduces the risk of accidental or intentional deletion of critical data before the end of the mandated retention period.

The following table lists the differences between modifiable and non-modifiable retention policies:
Feature | Modifiable Retention Policy | Non-modifiable Retention Policy
Designed for SEC Rule 17a-4(f)/FINRA compliance

Add folders

Remove folders

Add metadata

Remove metadata

Lengthen duration

Shorten duration

Convert policy

Retire policy

Delete policy

Change disposition action

Change notification

Based on the start of the retention period: 

You can configure the retention period to start based on when the content was uploaded to Box or based on a specific event/action. 

Event-based retention

Event-based retention allows Admins and Co-Admins to create policies where the retention period begins when a predefined business event occurs. This event could be anything significant to the organization's operations or compliance requirements, such as the end of a contract, termination of employment, or completion of a project. 

Use case: Event-based retention is particularly useful for complying with legal and regulatory requirements that dictate records must be kept for a certain period after an event occurs. 

For example, a company needs to ensure that employee records are retained for 3 years after the employee exits the company, and then deleted. In this scenario, employee departure is the business event that marks the beginning of the retention period.  

3. Files with multiple retention policies

A file can be subject to multiple retention policies simultaneously. When this occurs, the file is retained until the latest retention end date among all the policies applied to it. The policy with that latest end date is often referred to as the "winning" policy.
For example, consider a file that was created on January 1, 2024, that has no additional versions. It has the following retention policies applied to it: 
  • Policy 1: 1-year retention, applied to the file on January 10, 2024 
  • Policy 2: 6-month retention, applied to the file on February 1, 2024 
  • Policy 3: 2-month retention, applied to the file on December 1, 2024 
While Policy 1's retention period is the longest, its retention period expires on January 10, 2025, whereas Policy 3's retention period expires on February 1, 2025. Therefore, Policy 3 is recognized as the "winning" policy, and in a Disposition report, it would be the policy listed as applying to the file. 

Note: Files can be subject to both retention and legal hold policies. A file subject to both a retention policy (with a disposition action of “Permanently delete”) and a legal hold policy will not be deleted when the retention period expires if the legal hold is in place. Deletion occurs only after the legal hold is lifted. Learn more about legal hold policies in Box.

4. Creating a retention policy

To create a retention policy, follow these steps:
  • Step 1: Go to the Box Admin Console and select “Governance.”

  • Step 2: Select the “Retention” tab. Click “Create Retention Policy.”

  • Step 3: Enter the retention policy details. To learn more about each retention setting before configuring it, refer to the “Retention Tab” section in this Box documentation. Click “Next.”

  • Step 4: In the Apply Policy To setting:
      - If you selected Content within specific folders, click “Select Folders”, and then select one or more folders.
      - If you selected Content with specific metadata, click “Select Metadata”, and then select one or more metadata items.

  • Step 5: Click “Next.” Review the policy details.

  • Step 6: In the Retention Policy Warning dialog box, click any necessary confirmation check boxes, and then click “Start Policy.”

5. How Retention Interacts with Trash

Deleting retained files: Users can delete files that are under a retention policy by sending them to Trash. However, these files cannot be permanently purged from Trash until their retention period has ended. This mechanism prevents accidental or intentional deletion of important content before the end of its mandated retention period. 

Restoring files from Trash: Before the end of the retention period, users can restore files from Trash to their original location. If the original location no longer exists, users can choose a new folder for restoring the files.  

Prioritization for content deletion: The system prioritizes content deletion based on several factors, with the highest precedence given to legal holds, followed by Trash settings (if set to either "Nobody" or "Never Delete"), retention policies with a disposition action of "Permanently Delete Content", and finally, Trash settings with any other configuration. 

For example, if Trash settings are configured so that Trash is purged every 60 days, but a file is subject to a retention policy with a retention period of 6 years, the file will not be purged from the user’s Trash until the retention period has ended, in this case after 6 years.
Similarly, if the Trash setting is set to “Nobody (No user or policy can delete content)”, a retention policy with its disposition action set to “Permanently delete content” will not permanently delete content that has reached the end of the retention period.
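
The "winning" policy rule from section 3 and the deletion precedence described above can be modelled together. The following is an added example, not code from Box or from this article: the class, function names and setting labels are hypothetical, and it assumes retention runs from the date a policy was applied to the file, as in the article's example.

```python
import calendar
from dataclasses import dataclass
from datetime import date

@dataclass
class Policy:
    name: str
    applied_on: date            # date the policy was applied to the file
    months: int                 # retention length in months
    disposition: str = "permanently_delete"   # model label, or "remove_retention"

def expiry(p: Policy) -> date:
    """Retention end date: applied_on plus the retention length (assumption)."""
    years, month0 = divmod(p.applied_on.month - 1 + p.months, 12)
    year, month = p.applied_on.year + years, month0 + 1
    day = min(p.applied_on.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def winning_policy(policies):
    """The policy whose retention ends last, not the one with the longest length."""
    return max(policies, key=expiry)

def purge_decision(today, policies, legal_hold, trash_setting, trashed_on=None):
    """Return (can_be_permanently_deleted, reason) using the article's precedence.

    trash_setting is "nobody", "never_delete", or an int auto-purge age in days.
    """
    if legal_hold:                                   # 1. legal hold wins
        return False, "legal hold"
    if trash_setting in ("nobody", "never_delete"):  # 2. blocking Trash settings
        return False, f"trash setting: {trash_setting}"
    if policies:                                     # 3. retention policies
        win = winning_policy(policies)
        if today < expiry(win):
            return False, f"retained by {win.name} until {expiry(win)}"
        if win.disposition == "permanently_delete":
            return True, f"disposition action of {win.name}"
    if trashed_on and (today - trashed_on).days >= trash_setting:  # 4. other Trash
        return True, "trash auto-purge"
    return False, "nothing due yet"

# Constructed sample data: the three policies from the article's example.
POLICIES = [
    Policy("Policy 1", date(2024, 1, 10), 12),
    Policy("Policy 2", date(2024, 2, 1), 6),
    Policy("Policy 3", date(2024, 12, 1), 2),
]

if __name__ == "__main__":
    win = winning_policy(POLICIES)
    print(win.name, expiry(win))
    for args in [
        (date(2025, 1, 15), POLICIES, False, 60, date(2024, 10, 1)),
        (date(2025, 2, 2), POLICIES, False, "nobody"),
        (date(2025, 2, 2), POLICIES, True, 60),
        (date(2025, 2, 2), POLICIES, False, 60),
    ]:
        print(purge_decision(*args))
```

Running the model before relying on a Trash auto-purge setting shows which rule actually governs a given file; the Disposition report remains the authoritative source for what Box will do.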

6. Retention Policy Reporting

To view reports on retention policies in your organization, navigate to the Reports section of the Box Admin Console. 

6.1. Retention report

The retention report contains information about a selected retention policy and a list of all the files the policy covers. It contains data up to 48 hours prior to the report being generated and does not include files that have already met their retention requirements.  

To learn more about the details included in the retention report, refer to the Box documentation.

6.1.1. How to run a retention report

To run a retention report, follow these steps:
  • Step 1: In the Box Admin Console, navigate to “Reports.”

  • Step 2: Click “Create Report.”

  • Step 3: Select a Retention report type and click “Next.” You will be taken to the page where your existing retention policies are listed.

  • Step 4: Hover your mouse cursor over the retention policy you want a report for and click “Report.” Click "Generate."

6.2. Disposition report

The Disposition report contains information about the disposition of content in your Box account affected by retention policies. The report shows the files that are scheduled to be disposed of as a result of disposition actions defined in retention policies.   

To learn more about the details included in the disposition report, refer to the Box documentation.

6.2.1. How to run a disposition report

To run a disposition report, follow these steps:
  • Step 1: In the Box Admin Console, navigate to “Reports.”

  • Step 2: Click “Create Report.”

  • Step 3: From the report types given, select “Disposition” and click “Next.”

  • Step 4: Choose the columns to be included in the report. Refer to the section “Disposition Report Data Columns” in this Box documentation for a detailed description of each data column.

  • Step 5: Select the Date Range, Disposition Action, Retention Policy Type, and Retention Policy. Refer to the section “Disposition Report Filters” in this Box documentation for details. There is also the option to select one or more files or folders to limit the report to only the files or the files within the folders you select.

  • Step 6: Click “Run.”

7. Limitations of using Box retention policies as a backup alternative

While Box retention policies are important for data governance and compliance, they should not be used as a backup alternative due to the following limitations:
  • No protection against data corruption: Retention policies do not protect against data corruption. If a file becomes corrupted, the retention policy will retain the corrupted version of the file.

  • Dependence on platform availability: Relying on Box for both storage and "backup" means your data is not protected against an outage or loss of service from Box itself. It is recommended to have a backup of your data outside the cloud to ensure data availability in the event of cloud outages.

  • Limited restoration capabilities: While retention policies can prevent data from being permanently deleted, they do not offer the granular restoration capabilities of a backup solution, such as restoring data to a specific point in time.

  • Not designed for disaster recovery: Retention policies are primarily designed for compliance and governance, not for disaster recovery in case of data loss events such as cyberattacks.

  • Cost considerations: Retention policies are part of Box Governance, which is available only in Enterprise Plus plans or as a paid add-on.

8. SysCloud backup for Box

SysCloud backup for Box provides automated, secure cloud backup for all your Box data. With SysCloud, admins can:  

  • Automate backups and error management tasks 

  • Restore data from any point-in-time backup snapshot with all sharing permissions and folder structure intact

  • Restore data to any Box account with sharing permissions and folder-structure intact

  • Export files, folders, or an entire Box account
