Retention is available as a paid, add-on feature .
Retention policies enable you to retain certain content in Box for a specified period of time, and to remove content at end of that specified period of time. At its core, retention ensures content does not get deleted accidentally or intentionally, until the content is out of the retention period.
- Retention Examples
- Event - Based Retention
- What End Users See
- Creating a Retention Policy
- Editing a Retention Policy
- Adding Folders to a Retention Policy
- Retiring a Retention Policy
- Retention Policy Reporting
- How Retention Interacts with Trash
Retention Examples
Here are a few customer examples for retention:
- A company needs to retain employee records for 3 years after employee departure.
- A financial institution wants to manage their loan process through Box, retaining the final documents for 6 years for compliance requirements.
- A manufacturing company wants to share reports with vendors through Box, and these reports are only relevant for 30 days.
Retention policies apply to all file versions. That means when a retention policy is applied to a file, it applies to all existing versions of that file as well as to future versions of that file. Here's an example of folder-based or enterprise policy:
- Version 1 of a file has a 7-day retention period
- Version 2 is uploaded 3 days later
The 7-day retention period applies to Version 2, but starts from when Version 2 was uploaded. In other words, Version 2 will be retained for 7 days from the upload date -- 4 days after Version 1 would have been deleted. However, for event-based retention, all versions will have the same expiration date based on the metadata start date set on the file. This is because metadata template is not version specific.
Admins and Co-Admins with explicit permission to manage policies) can create retention policies and can apply those policies:
- At the global (entire enterprise) level (note this option is not retroactive)
- At the folder level
- At the file level (via API only)
- To content with specific metadata
As part of retention policies, you define the retention period and when the retention period starts. Retention periods can start:
- When files are added or uploaded to Box
- On dates defined in or by file metadata (event-based retention)
This makes it easier to properly retain unstructured data and ensure regulatory mandates are met.
Retention policies are available via the Admin Console, API, and Tier 1 SDKs.
Event - Based Retention
Event - based retention allows Admins and Co - Admins to create policies where retention doesn’t start until a specified business event occurs. For example:
- A company needs to ensure employee records do not get deleted accidentally or intentionally (i.e., retained “indefinitely”) throughout one’s employment; then retain for 3 years after the employee departure. In this scenario, employee departure is the business event.
- A pharmaceutical company needs to collaborate a research study with an external research firm. Per the contractual agreement, the study ends on a certain date, and content needs to be deleted right after that day. In this scenario, study end date is the business event.
Please reach out to your Support or Customer Success, as event-based retention is an advanced capability and may require some design and planning.
What End Users See
Users can delete retained files by sending them to Trash. However, users cannot purge files from Trash until the files’ retention period has ended. Before that time, users can also restore files from Trash to their original location. If the original location has been deleted, users can choose a new folder in which to restore the files.
When a file is governed by a retention policy, an indicator displays under theDetails section in the righthand navigation. You also see this information by clicking theMore options arrow to the right of the file name and then selectingProperties > General Info .
- If
- If
- If you move a file carrying a retention policy with an indefinite retention length to a folder carrying a retention policy with a finite retention length, the
- You
Creating a Retention Policy
Note
Retention policies are designed to meet regulatory requirements such as FINRA and, when configured properly, enable customers to meet compliance and regulatory requirements. This means once retention is applied to content, it CANNOT be removed or shortened, which means the policy's Time Period and Apply Policy To settings cannot be changed, and folders CANNOT be removed.
- Go to Admin Console > Governance.
- Click the Retention tab.
- Click Create Retention Policy.
- Enter the retention policy details. For more information, see the Retention Tab section in Governance Settings.
- Click Next.
- In the Apply Policy To setting:
- If you selected Content within specific folders, click Select Folders, and then select one or more folders.
- If you selected Content with specific metadata, click Select Metadata, and then select one or more metadata items.
- Click Next.
- Review the policy details.
- In the Retention Policy Warning dialog box, click any necessary confirmation check boxes, and then click Start Policy.
Note
When a folder-specific retention policy is created, the retention policy will be applied to any individual files from within the specified folder that are already in the trash. The retention policy will not be applied to any subfolders from within the specified folder that are already in the trash.
Editing a Retention Policy
Note
Retention policies are designed to meet regulatory requirements such as FINRA and, when configured properly, enable customers to meet compliance and regulatory requirements. This means once retention is applied to content, it CANNOT be removed or shortened, which means the policy's Time Period and Apply Policy To settings cannot be changed, and folders CANNOT be removed.
- To edit a retention policy, open the Admin Console.
- In the lefthand navigation, click Governance.
- Within the Retention tab, locate the policy you want to edit, and click on it. The policy details screen displays.
- Next to the Retention Policy Details section, click Edit.
- Making the changes you want, then click Save.
Note To verify that your retention policy is in fact applied, in your admin console click Reports > Create Report and then navigate to User Activity > Policies > Retention Policy Applied.
Adding Folders to a Retention Policy
Because retention policies are designed to meet regulatory requirements such as FINRA, their configuration cannot be changed once the polices are enabled. The exception is that folders can be added to retention policies. This enables customers who onboard their business users to Box in phases to add those business units to existing retention policies, rather than having to create separate policies with identical configuration. When you add a folder to a retention policy, all files in the folder and in its subfolders are subject to the retention policy.
- In the Admin Console, go to Governance > Retention.
- Click the name of a retention policy to view its details.
- In the Applied To section, click View.
- Click Add Folders (
).
- Search for and select one or more folders.
- Click Choose.
- Review the folders that you added. Once you save your changes to the policy, the added folders cannot be removed. (Existing folders have a lock icon (
) next to them and cannot be removed at all. Added folders can be removed before you save your changes. To do so, hover over the folder you want to remove and click Remove.)
- Click Save.
- In the Retention Policy Warning dialog box, click any necessary confirmation check boxes, and then click Start Policy.
Retiring a Retention Policy
- In the left
- Within the
Retention Policy Reporting
Find out how to run a retention policy report in the Admin Console.
How Retention Interacts with Trash
- Trash (if set to either Nobody or Never Delete)
- Retention Policy (with Disposition Action = Permanently Delete Content)
- Trash (any other setting)
File Disposition Upon Retention Expiration
When retention policies require file deletion when the retention period ends, files identified for deletion are normally deleted on the day the retention period ends. There is a rare and unusual situation where this would not happen, and that is because for efficiency purposes, the process to identify file to delete by policy runs once every 14 days.
This would not affect most retention policies because retention is typically measured in years. This disposition identification process can affect the following scenarios:
Scenario | Result |
---|---|
As part of a customer sandbox experiment, you apply a retention policy of one day to a file. | The disposition identification process is run on customer sandboxes daily, so the file is now eligible for deletion after one day elapses. |
Given a file that is under an Event-Based Retention (EBR) policy of three years, you set the retention start date to exactly three years ago. | The disposition status will be recognized in the next disposition identification process. and the file will be eligible for immediate deletion when the process runs. |
Given a file that was uploaded to Box five years ago, you apply a retention policy of three years to the file's parent folder. | The disposition status will be recognized in the next disposition identification process. and the file will be eligible for immediate deletion when the process runs. |