Retention is part of Box Governance. Box Governance is included in all Enterprise Plus plans and is available as a paid add-on to all other business plans.
Retention policies enable you to retain certain content in Box for a specified period of time, and to remove content at the end of that specified period of time. At its core, retention ensures content does not get deleted accidentally or intentionally until the content is out of the retention period.
While there is no formal technical limitation to the number of retention policies an administrator can create in Box Governance, in general, create enough retention policies to align with your organization's compliance policies. A 1-to-1 relationship between retention policies in Box and compliance policies in your organization will make enforcement relationships clear in any potential compliance audits.
Note: Retention policies do not retain bookmarks.
- Retention Application
- What End Users See
- Event-Based Retention
- Modifiable and Non-modifiable Retention
- Retention Policy Reporting
- Files with Multiple Retention Policies
- Retention Policies and Legal Hold Policies
- How Retention Interacts with Trash
- Retention Examples
Retention Application
A retention policy specifies how retention gets applied to content in your organization. The options for how retention gets applied include:
- Content within specified folders
- Content with specified Classification labels
- Content with specified metadata
- All new content
See the Retention Tab section in Governance Settings for details about each option.
What End Users See
Users can delete retained files by sending them to Trash. However, users cannot purge files from Trash until the files’ retention period has ended. Before that time, users can also restore files from Trash to their original location. If the original location has been deleted, users can choose a new folder in which to restore the files.
When a file is governed by a retention policy, an indicator displays under the Details section in the right-hand navigation. You can also see this information by clicking the More options arrow to the right of the file name and then selecting Properties > General Info.
For folder-based retention, certain actions can modify the retention policy associated with a file.
- If you move a file from a folder with a retention policy to a folder without a retention policy, the file is still governed under the initial retention policy.
- If you move a file carrying a retention policy to a folder with the same retention length, Box preserves the Time Period value and will evaluate the original Disposition Action when the file expires.
- If you move a file carrying a retention policy to a folder with a different retention length, the longer retention expiration date takes precedence over the shorter one.
- If you move a file carrying a retention policy with an indefinite retention length to a folder carrying a retention policy with a finite retention length, the file will be retained based on the date of the file move.
- You cannot transfer a file or folder with a retention policy outside of the enterprise. You also cannot change the folder owner to an external party, or move an individual file to a folder owned by an external user.
- If you copy a file under retention to another folder not associated with any retention, the copy is not retained.
For metadata-based retention, certain actions can modify the retention policy associated with a file.
- If you remove the custom metadata that is carrying a retention policy from a file, the file is still governed by the initial retention policy.
- If you update the custom metadata on a file to a new metadata value with the same retention length, Box preserves the Time Period value and will evaluate the original Disposition Action when the file expires.
- If you update the custom metadata on a file to a new metadata value with a different retention length, the longer Time Period value takes precedence over the shorter one.
- If you change the Time Period from one finite value to another finite value (e.g. 3 years to 5 years), the file will be retained based on the upload date of the file to Box.
- If you change the Time Period from indefinite to a finite value, the file will be retained based on the date the Time Period was updated.
- You cannot transfer a file or folder with a retention policy outside of the enterprise. You also cannot change the folder owner to an external party, or move an individual file to a folder owned by an external user.
Finally, if more than one retention policy is actively applied to a file via folder-based retention, metadata-based retention, or both, then the one with the longer expiration date takes precedence.
Event-Based Retention
Event-based retention allows Admins and Co-Admins to create policies where retention doesn’t start until a specified business event occurs. For example:
- A company needs to ensure employee records are not deleted accidentally or intentionally (i.e., are retained “indefinitely”) throughout an employee's employment, and are then retained for 3 years after the employee's departure. In this scenario, employee departure is the business event.
- A pharmaceutical company needs to collaborate on a research study with an external research firm. Per the contractual agreement, the study ends on a certain date, and content needs to be deleted right after that day. In this scenario, the study end date is the business event.
Please reach out to Support or Customer Success, as event-based retention is an advanced capability and may require some design and planning.
Modifiable and Non-modifiable Retention
With Box Governance, you can create both non-modifiable and modifiable retention policies.
Non-modifiable retention policies are designed to allow certain financial services customers to electronically store and retain records in a manner that complies with SEC Rule 17a-4. Once set, non-modifiable retention policies cannot be shortened in duration, and content under retention cannot be removed from active or inactive retention policies.
Not all businesses that want to use retention policies need to comply with the stringent regulatory requirements of SEC Rule 17a-4. Modifiable retention policies allow customers to implement retention policies with the ability to modify them later. This will allow for both the creation and modification of policies, including shortening of retention policies, as well as making policy changes retroactively to content already under retention.
The following table describes the difference between modifiable and non-modifiable retention policies.
Capability | Modifiable Retention Policy | Non-modifiable Retention Policy |
---|---|---|
Designed for SEC Rule 17a-4(f)/FINRA compliance | ❌ | ✅ |
Add folders | ✅ | ✅ |
Remove folders | ✅ | ❌ |
Add metadata | ✅ | ✅ |
Remove metadata | ✅ | ❌ |
Lengthen duration | ✅ | ✅ |
Shorten duration | ✅ | ❌ |
Convert policy | ✅ | ❌ |
Retire policy | ✅ | ✅ |
Delete policy | ✅ | ❌ |
Change disposition action | ✅ | ✅ |
Change notification | ✅ | ✅ |
Retention Policy Reporting
The Reports section of the Admin Console offers multiple reports on retention policies:
- The Retention report contains information about a selected retention policy, along with a list of all of the files the policy covers.
- The Disposition report contains information about the disposition of content in your Box account affected by retention policies.
Find out how to run retention and disposition reports in the Admin Console.
Files with Multiple Retention Policies
More than one retention policy can be applied to a file. In the case where multiple retention policies apply to a file, retention is maintained on the file until it reaches the end of the retention period with the latest date of all the policies applied to it. The policy with the latest retention period end date when multiple policies apply is sometimes referred to as the "winning" policy.
For example, a file was created on January 1, 2022 and has no additional versions. It has the following retention policies that apply to it:
- Policy 1: 1-year retention, applied to the file on January 10, 2022
- Policy 2: 6-month retention, applied to the file on February 1, 2022
- Policy 3: 2-month retention, applied to the file on December 1, 2022
While policy 1's retention period is longest, its retention period expires on January 10, 2023, and policy 3's retention period expires on February 1, 2023. So policy 3 "wins," and in a Disposition report, it would be the policy listed as applying to the file.
Retention Policies and Legal Hold Policies
Files can be subject to both retention and legal hold policies. If a file is subject to a retention policy with a disposition action of Permanently Delete, and if the file is also subject to a legal hold policy when the retention period ends, it will not be deleted until the legal hold is lifted.
How Retention Interacts with Trash
Users can delete retained files by sending them to the Trash. However, they cannot purge files from Trash until the files' retention period has ended. Before that time, they can also restore files from Trash to their original location. If the original location has been deleted, they can choose a new folder in which to place the files after they have restored them. Additionally, below is the prioritization for content deletion (from highest precedence to lowest).
- Legal Hold
- Trash (if set to either Nobody or Never Delete)
- Retention Policy (with Disposition Action = Permanently Delete Content)
- Trash (any other setting)
Example: If Trash is purged every 30 days, but a file is to be retained for 6 years, the file will not be purged from the user’s Trash until the retention period has ended, in this case, for 6 years.
In addition, if Trash is set to Nobody (No user or policy can delete content), a retention policy with its disposition action set to Permanently Delete Content will not permanently delete content that has reached the end of the retention period.
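The "winning" policy rule from Files with Multiple Retention Policies and the deletion precedence list above can be modeled together. This is an added example, not Box's code or API: the names `Policy`, `winning_policy` and `purge_decision`, the Trash setting labels, and the month-end clamping are assumptions, and expiration is counted from the date each policy was applied, as in the page's example.

```python
import calendar
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Policy:
    name: str
    months: int    # retention length in months
    applied: date  # date the policy was applied to the file

    @property
    def expires(self) -> date:
        # Clamping to the last day of a short month is an assumption of this sketch.
        years, month0 = divmod(self.applied.month - 1 + self.months, 12)
        year, month = self.applied.year + years, month0 + 1
        day = min(self.applied.day, calendar.monthrange(year, month)[1])
        return date(year, month, day)

def winning_policy(policies):
    """Return the policy with the latest expiration date, not the longest duration."""
    return max(policies, key=lambda p: p.expires)

# Hypothetical labels for the two Trash settings that block all deletion.
BLOCKING_TRASH = {"nobody", "never_delete"}

def purge_decision(today, policies, legal_hold=False, trash="30_days"):
    """Walk the precedence list from highest to lowest; return (allowed, reason)."""
    if legal_hold:
        return False, "legal hold"
    if trash in BLOCKING_TRASH:
        return False, "trash setting"
    if policies:
        win = winning_policy(policies)
        if today < win.expires:
            return False, f"retained by {win.name} until {win.expires}"
    return True, "no blocker"

# The three policies from the multiple-policy example on this page.
POLICIES = [
    Policy("Policy 1", 12, date(2022, 1, 10)),
    Policy("Policy 2", 6, date(2022, 2, 1)),
    Policy("Policy 3", 2, date(2022, 12, 1)),
]

if __name__ == "__main__":
    for p in POLICIES:
        print(p.name, "expires", p.expires)
    print("winner:", winning_policy(POLICIES).name)
    print(purge_decision(date(2023, 1, 15), POLICIES))
```

An auditor can use a model like this to cross-check the policy named in a Disposition report against the expiration dates computed from each policy's applied date.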
File Disposition Upon Retention Expiration
When retention policies are configured with an end-of-policy Disposition Action, content is queued for deletion after its applicable retention period expires. While files identified for deletion are often deleted the same day the retention period ends, disposition timeframes may vary and cannot be guaranteed. Additionally, for enterprises with extremely large volumes of content, delays in disposition may occur in some cases. Lastly, Box Governance's disposition identification process can affect disposition timing in the following rare scenarios:
Scenario | Result |
---|---|
As part of a customer sandbox experiment, you apply a retention policy of one day to a file. | The disposition identification process is run on customer sandboxes daily, so the file is now eligible for deletion after one day elapses. |
Given a file that is under an Event-Based Retention (EBR) policy of three years, you set the retention start date to exactly three years ago. | The disposition status will be recognized in the next disposition identification process, and the file will be eligible for immediate deletion when the process runs. |
Given a file that was uploaded to Box five years ago, you apply a retention policy of three years to the file's parent folder. | The disposition status will be recognized in the next disposition identification process, and the file will be eligible for immediate deletion when the process runs. |
Retention Examples
Here are a few customer examples for retention:
- A company needs to retain employee records for 3 years after employee departure.
- A financial institution wants to manage their loan process through Box, retaining the final documents for 6 years for compliance requirements.
- A manufacturing company wants to share reports with vendors through Box, and these reports are only relevant for 30 days.
Retention policies apply to all file versions. That means when a retention policy is applied to a file, it applies to all existing versions of that file as well as to future versions of that file. Here's an example of a folder-based or enterprise policy:
- Version 1 of a file has a 7-day retention period
- Version 2 is uploaded 3 days later
The 7-day retention period applies to Version 2, but starts from when Version 2 was uploaded. In other words, Version 2 will be retained for 7 days from the upload date -- 4 days after Version 1 would have been deleted. However, for event-based retention, all versions will have the same expiration date based on the metadata start date set on the file. This is because the metadata template is not version-specific.
Admins (and Co-Admins with explicit permission to manage policies) can create retention policies and can apply those policies:
- At the global (entire enterprise) level (note this option is not retroactive)
- At the folder level
- To content with specific metadata
As part of retention policies, you define the retention period and when the retention period starts. Retention periods can start:
- When files are added or uploaded to Box
- On dates defined in or by file metadata (event-based retention)
This makes it easier to properly retain unstructured data and ensure regulatory mandates are met.
Retention policies are available via the Admin Console, API, and Tier 1 SDKs.