1. 1 1 Securing (Accountability for) Cloud Content Peter McGoff – SVP and General Counsel

2. 2 2 Definition of Accountability In the context of corporate data governance: “Accountability is the obligation to act as a responsible steward of the personal information of others, to take responsibility for the protection and appropriate use of that information beyond mere legal requirements, and to be accountable for any misuse of that information.” (Galway Project)

3. 3 3 We’re focused on serving the complex needs of enterprises of all sizes. Box is a leader in the enterprise content collaboration space.

4. 4 4 Box Architecture Design Principles Secure: Control, visibility and integration Enterprise-grade: Scale, reliability and speed Sustainable: Rapid innovation, quality and simplicity User Focus: Elegant and user-friendly

5. 5 5 Users IT Superior Solution for Users and IT

6. 6 6 Box Investment in the Enterprise * Upcoming 2007–20082009–20102011–20122013+ 100 employees 1K+ employees 10K+ employees 100K+ employees Admin Console Identity Integration Full-text Search Activity Reporting Admin Files Trusted Access Advanced Reports Box Accelerator Two-Factor Login Device Pinning Collaboration Controls Content Policies * Metadata Content Workflow eDiscovery *

7. 7 7 Intelligence (visibility, monitor, report, search – all across the platform) Users (identity mgmt.; who has access to what content?) Devices (secure physical and virtual endpoints) Apps (secure physical and virtual endpoints) Content Redefining Cloud Content Security

8. 8 8 End to End Security User and group controls Powerful Admin control tools Reporting API Advanced search BI platform integrations Alerting and notifications Audit trail logging Hardened datacenters Active threat detection 24x7x365 NOC monitoring Most secure cloud platform Broad compliance footprint Stringent vendor/supplier security requirements SecurityAdminsPlatform 256-bit AES encryption FIPS 140-2 Module (NIST std.) SSAE16 Type II datacenters SSO, AD, and authentication Deep sharing permissions ISO 27001-2005 vendor/supplier baseline

9. 9 9 Users: Centralize Identity and Access Permissions and Smart Links Identity Management: AD, SSO and 2FA Trusted Access Management

10. 10 Native Two-step Auth Expanding choice for all For admins: –Require for all users –Or, permit opt in For end users: –Opt-in for their account –Secures web, mobile, partner apps Broad SSO partnerships Users: Access Control Choices

11. 11 Advanced search By user, content type, date, size and context Quick, powerful targeted queries Reporting, Audit, & SIEM Full audit trail logging Fast reporting BI and real-time alerts Strong partnerships Intelligence: Monitor, Search, Audit

12. 12 Comprehensive, global compliance program SSAE16 Type II, SOC1 and SOC2 Fully tested and verified by 3 rd party Safe Harbor, EU and Swiss International data privacy controls and enforcement HIPAA and HITECH Trusted platform for PHI, PHRs and medical research ISO 27001 Global information security and systems controls

13. 13 Don’t forget: Disaster Recovery and Business Continuity Planning Disaster Recovery (DR) – Technology and plans to get the Site “back up and running” with minimum disruption to customers Business Continuity Plan (BCP) – Box has a roadmap plan for continuing operations under adverse conditions such as a regional catastrophe or criminal attack.