Governance Settings

Governance settings let you configure Box to manage your content governance needs. 

Retention Tab

The Retention tab is where you configure content retention policies. Retention defines how long content is kept even if it has been put in Trash. Content cannot be permanently deleted, even if it is in Trash, if it is under retention policy and the retention time has not expired. This section lists the settings for retention policies and describes each setting.

Policy Name

Enter a short but descriptive name. 250 characters maximum.

Policy Description

Enter an optional description that provides a summary of the policy purpose and function. 500 characters maximum.

Retention Type

Defines whether the retention policy is modifiable or non-modifiable.

A modifiable retention policy allows to to change any of its settings. However, it does not meet certain regulatory requirements, such as SEC (Securities and Exchange Commission) Rule 17a-4(f), which defines specific requirements for regulated entities that retain records on electronic storage media.

See the Modifiable and Non-modifiable Retention section in About Retention and Retention Policies for additional details.

Apply Policy To

Determines the content that the retention policy applies to.

Important

Because retention policies are designed to meet regulatory requirements such as FINRA, this setting cannot be changed for a non-modifiable policy once it is enabled. The exception is that folders and metadata can be added to retention policies.

Select from:

• Content within specific folders to retain content within specific folders. When you select this option, you will select one or more folders in the next step of retention policy creation. Once the policy is enabled, it applies to, or is cascaded to, all content in the selected folder(s), all files and everything in every sub-folder.

  Note

  Once a retention policy is applied to a folder, if any file or sub-folder is moved out of that folder, the retention policy still applies, and that holds true no matter where the move or how often the move. The one exception is that if a file or folder is moved into a folder where a retention policy with longer retention is defined, that policy is then applied to the moved file or folder.

• Content with specific metadata to retain content based on content metadata. When you select this option, you will select one or more metadata options in the next step. If you select multiple metadata options, the retention policy will be applied to content that matches any of the selected metadata.
• Content with specific classifications to retain content based on classification labels applied to that content. When you select this option, you will select one or more classification labels in the next step. If you select multiple classification labels, the retention policy will be applied to content that has any of the classification labels applied.

  Note

  Once a retention policy is applied to a file based on that file having a classification label, if the classification label is changed (or removed), the retention policy still applies to the file.

• All new content to apply the retention policy to all future content added or uploaded to Box while the retention policy is active.

Time Period Duration

Determines the period of time that the content that matches to retention policy will be retained and is based on the Start Date setting.

Important

This setting cannot be changed once the policy is started.

Select from:

• 30, 60, or 90 days
• 1, 3, 6, or 10 years
• A custom number of days or years
• An indefinite period of time

Start Date

Determines the start of the retention period. Select:

• Box upload/creation date to have the retention period start when content is added or uploaded to Box.
• Specific metadata start date to have the retention period start from a date defined by content metadata. These dates can be fixed dates other than add/upload dates or dates based on events. For example, a contract might have to be retained for a specific period of time after it is signed, so you could base retention on the signing date recorded in metadata. Or employment documents might need to be retained for a specific period of time after an employee separates from the company, so you could base retention on a separation date recorded in metadata.

Disposition Action

Determines what happens automatically to content managed by the retention policy when the retention period ends. Disposition action is not evaluated until a file reaches retention expiration. That means if admins change their mind and update the disposition on the retention policy, it will apply to all files under that policy that haven't expired.

Select from:

• None to have nothing happen when the retention period expires. Users with the appropriate permissions will then be able to delete the content manually.
• Permanently delete content to have content permanently deleted, whether or not in Trash, when the retention period ends. When you choose this option, you can also select to allow folder owners and co-owners to extend the permanent deletion date.

  Note

  The Permanently delete content option is not available if the People who can permanently delete content in Trash setting in Enterprise Settings > Content & Sharing > Trash is set to Nobody (No user or policy can delete content).

All current files on the disposition page are displayed, regardless of the disposition action selected. Notifications can be sent for both permanently delete content and none settings, as notifications are dependent on the policy settings.

Certain retention behaviors and disposition actions are tracked within the Disposition Report. Dispositions page access can be configured in the Content & Sharing tab within Enterprise Settings.

Disposition action logic

The disposition action column shows the most conservative disposition action from all policies applied to the file. For example, FileX is retained by two policies:

• Policy A – 3 years policy with disposition action = permanent delete
• Policy B – 5 years policy with disposition action = none (winning policy)

File X will be shown with a disposition date from the winning policy (i.e. the policy with the longest duration), which in this case is 5 years. The disposition action will follow the most restrictive rule applied, i.e., permanent delete.

Files on the list are sorted by disposition date in ascending order.

Email Notification

Determines which managed users will receive a weekly disposition email notification. 

Everyone who is granted access to the dispositions page will automatically receive new disposition notifications, if notifications are enabled at the policy level. These will contain a link to the dispositions page.

When notifications are enabled, they are sent by email on Wednesdays to users who are configured to receive them and have any files they own, or collaborate on, where the file is expiring in the next 14 days. The notification permutations are:

People who have retention disposition notifications turned on will only receive new notifications if they have also been granted access to the disposition page. Otherwise, they will continue to get legacy notifications. 

If they have access, users can access the dispositions page by selecting More from the left-hand side navigation bar. They don’t have to wait for a notification; these serve only as a reminder.

Legal Holds Tab

The Legal Holds tab tab is where you configure content legal hold policies. Legal holds define what content is kept and (optionally) for how long even if it has been put in Trash.

Legal Hold Policies

This section lists the settings for legal hold policies and describes each setting.

Legal Hold Name

Enter a short but descriptive name. 250 characters maximum.

Description

Enter an optional description that provides a summary of the policy purpose and function. 500 characters maximum.

Apply Policy To

Determines who or what the policy applies to. Select from:

• User (Custodians) to define one or more custodian users for the policy. The policy will capture all files and file versions that the user owns, is collaborated into, or viewed (acted upon), optionally within a defined date range. See About Legal Holds in Box Governance for the list of all custodian actions.
• Folders to define folders for the policy. All content in all folders and sub-folders defined in the policy will be held. 

Date Range - Content Creation

Available only when User (Custodians) is selected in Apply Policy To. Optional. Determines the date range for the policy. All files and versions that the custodian acts on, as described in About Legal Holds in Box Governance, within the date range will be retained.

If you do not set a Start Date value, the policy will apply to relevant content as soon as it is enabled.

If you do not set an End Date value, the policy will apply to relevant content until the policy is retired.

Legal Hold Exports

This section lists the settings for legal hold exports and describes each setting. 

Export Name

Enter a short but descriptive name. 250 characters maximum.

Folders

Available only in folder-based legal holds, select one ore more of the folders included in the legal hold.

Custodians

Available only in custodian-based legal holds, enter one or more custodian names, separated by commas or new lines.

File Type

Determines the types of files included in the export. Select:

• Any Type (default) - to include all of the files in the legal hold
• One or more of the listed types - to include only the types of files you select

Date Range

Required. Determines the date range for the files to be included in the export. Select:

• Use uploaded date - to include files based on the date when they were uploaded to Box
• Use content creation date - to include files based on the date they were created

Note

While the date range determines which files get included in the export, it is the latest version of those files that are exported.