Telefonica UK Limited

Box Software Service from O2

Box is a powerful online storage and collaboration tool allowing businesses of all sizes to share and store content online. Box makes sharing and collaborate easily, both inside and outside the organisation. And with the Box app for smartphones, tablets, laptops and desktops, your team can work together virtually anywhere.


  • Reporting and tracking
  • Strong Content Management capability
  • Lock your file whilst you are editing helping version control
  • Levels of permissions
  • Mobile Apps- Box has apps for iPhone, iPad, Android, Blackberry
  • Desktop Apps Automatically sync files between your computer and Box
  • Box has Cabinet Office SIRO approval to hold "Official" data


  • Mobile Apps- Access your files on any device
  • Administrators can maintain central view of accounts through admin console
  • Add view edit and organise files in familiar folder structure
  • Advanced Collaboration
  • Granular Administrative Control
  • Enterprise Security and Compliance
  • Box Platform and Partner Ecosystem
  • Storage options from 100 GB to unlimited storage
  • External collaboration Share files inside and outside of your company
  • Access your files on any device


£20.00 per user per month

Service documents


G-Cloud 11

Service ID

1 3 6 2 3 3 9 6 0 1 0 5 3 7 6


Telefonica UK Limited

Neil Cruden


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Box can be used as an extension to Salesforce,
DocuSign, Microsoft O365, etc to serve as an
enterprise's central content management system.
Cloud deployment model Public cloud
Service constraints Box has no technical constraints as long as the user is on a current browser (the two latest versions). System requirements A recent browser that supports JavaScript.
System requirements Recent browser supporting JavaScript

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Standard Support is provided during local business hours Monday-Friday with no SLA.
Support Access Method: web/email/chat
Targets are provided and are as follows:
Level 1 - Urgent - within 4 business hours
Level 2 - High - within 8 business hours
Level 3 -Normal - within 1 business day

Premier and Platinum Support is provided 24 Hours/Day, 365 days/year with the following SLAs:

Level 1 - Urgent - within 1 hour
Level 2 - High - within 2 hours
Level 3 -Normal - within 2 hours
Level 4 - Low - Greater than 2 hours
Support Access Method: web/phone/email
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible For Standard Support Customers, via support website
Web chat accessibility testing Not applicable to the service
Onsite support No
Support levels O2 are able to offer Service Desk and Phone support.

Box make sure you have the right offering to fit your specific needs. All of our customers - from personal users to our largest enterprise clients - can get the support of a product expert and our self-service Community site.

For customers that have purchased a support offering, your Premier Services Lead will be involved during your implementation to make sure that you’re set up for success. Our dedicated team works closely with our product managers and engineers to quickly solve any problems, should they arise. We’ll ensure your experience is catered especially to you.

For Platinum clients, your Premier Services Specialist stays with you to monitor the health of your Box deployment. Additionally, they will have regular engagements to ensure helpdesk processes are optimized or if you are in need of technical assistance.

Here’s what you can expect for Premier and Platinum Offerings:
1) 24/7 Dedicated phone line and Email/Web Support
2) Guaranteed 1-2 Hour First Response Times
4) Custom Shared Help Desk/Escalation Model5) Off-Hours On-Call Support
6) Resource and Self-Service training
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started User guides and manuals are available for customers to learn about the features of the Box Cloud Collaboration Platform (Error! Hyperlink reference not valid. For an additional cost, customers may also sign-up for live virtual training sessions with an instructor that provides live demonstrations of Box features as well as a Question and Answer session (
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Customers own their content at all times. Customers can download copies of their content stored in the Box Service at any time during their subscription period.
End-of-contract process Box’s standard termination terms and conditions are included in the
Box Service Agreement. Customers upon written request, Box can
grant Customer's Administrator limited access to the Box Service
solely for purposes of Customer's retrieval of the Content for 30
days following the expiration or the termination of the agreement.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • MacOS
  • Windows
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Box allows you to view, edit and collaborate on files directly from your mobile device. Whether you have an iPhone, iPad, Android, Windows or Blackberry device, all files stored in your Box account will automatically be synced to your mobile device, so you’ll always have the most up-to-date content, wherever you go.
Service interface No
What users can and can't do using the API Box Platform is a cloud content management API that allows you to bring Box's powerful content services to your custom apps. With Box Platform you can build engaging and interactive content experiences in your apps while meeting the security and compliance needs of your business. For more information, please visit:
API documentation Yes
API documentation formats HTML
API sandbox or test environment No
Customisation available Yes
Description of customisation Customers have the ability to set up custom branding, as well as incorporate custom information within their Box Enterprise to ensure the look and feel of your organization's Box account best serve your needs.


Independence of resources Box continuously monitor capacity and availability of the infrastructure to ensure consistent performance.


Service usage metrics Yes
Metrics types When something changes in a Box user's account, Box logs an event
for the user. The event is a description of the object that changed and
what caused it to change. The object can be any Box object that the
user owns or collaborates on. Box records events in admin reports and
uses them to send messages to the Box sync client about account
activity. The Box Enterprise Administrator can retrieve these events
through the Box Admin Console Reports or use the Box API to stream
these events to a SIEM tool.
Reporting types
  • API access
  • Regular reports


Supplier type Reseller providing extra support
Organisation whose services are being resold Box

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach Every file uploaded to Box is encrypted using a unique 256-bit AES data encryption key and a FIPS 140-2 validated level 1 cryptographic module. Box further secures the data encryption keys with a key wrapping encryption strategy, by which the data encryption key for each file is encrypted with a key encryption key, creating a secure encryption token. This second level of encryption also uses 256-bit AES encryption.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Box Customers are able to export their data by
downloading their Content through the web
application, API, and FTP.
Data export formats
  • CSV
  • Other
Other data export formats Content uploaded to Box will retain the original format.
Data import formats
  • CSV
  • Other
Other data import formats
  • Content uploaded to Box will retain the original format
  • Text Based Documents
  • Presentations
  • Images
  • Audio Files
  • Video Files
  • Flash/Mobile Video Files
  • 3D (Graphics and Modeling) Files

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability For Customers with Standard Support Service, Box will use
commercially reasonable efforts to meet an Uptime Percentage of at
least 99.9%.
Approach to resilience Box is a Software as a Service (SaaS) offering and is accessible
globally via the internet. Customer files uploaded to Box are stored
within Box’s processing facilities in the United States. Box maintains
two primary processing facilities in California and one alternate
processing facility in Nevada. Box also utilizes Amazon Web Services
(AWS) S3 to provide storage of encrypted customer files. Customers
may also choose to implement Box Zones, which allows them to store
encrypted-at-rest content with another leading cloud storage provider in
Europe or Asia.
Outage reporting Customers are able to monitor Box outages and subscribe to updates

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Box Business and above accounts come equipped with a
comprehensive Admin Console that gives administrators complete
control of their accounts. Admins must login to their Box account before
they are able to access the Admin Console. Configuration changes can
only be performed once the admin is logged in. Customers may choose
to enable two-factor authentication or use SSO integrations to further
secure their account. In order to submit support cases, users must login
to the Box Community site using their Box login credentials. Users
submitting support cases via the phone may be required to verify their
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date Effective Date: 10/5/2016; Original Registration Date: 10/05/2013
What the ISO/IEC 27001 doesn’t cover The Information Security Management System (ISMS) certifications applies to the Box Collaboration Platform and all supporting infrastructure as operated in the locations listed in the Appendix and the Statement of Applicability dated February 20, 2018.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO 27018
  • SOC-1/SSAE-16/ISAE3402 Type II
  • SOC-2 Type II
  • SEC 17a-4
  • Privacy Shield
  • Binding Corporate Rules
  • FIPS 140-2

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Box's security policies adhere to the requirements of ISO 27001. Box can provide the ISO 27001 certification upon customer request.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Box has a formal change management process for application and
infrastructure changes. In addition, configuration and release
management tools have been implemented. The code repository
supports versioning and consistency across eh environment and
provides the ability to roll-back changes. Box also maintains baseline
configurations for production servers to facilitate the configuration
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Box undergoes continuous monitoring through independent
assessments and internal audits. Box utilizes third-parties to perform
penetration testing at least annually to assess the vulnerability of Box
systems. Vulnerabilities identified are evaluated and remediation
plans are implemented as needed.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Box employs multiple automated mechanisms to assist in the security
monitoring of Box’s infrastructure including but not limited to: •
Vulnerability scanning• Firewall management• Log aggregation,
search, and alerting• Application error logging• Network intrusion
detection• Host intrusion detection• Malware detection• Endpoint
management• Network taps• Threat intelligence management: The
Security team is alerted of suspicious events identified by Box’s
security monitoring tools. All security events are handled by Box’s
Security Incident Response Team (SIRT) in accordance with the
Security Incident Response Process.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Box has established an Incident Management process to provide a
consistent and organized approach for handling security (including
confidentiality) and availablity incidents. Incident tickets are either
generated by Box's various monitoring tools automatically, or Box
tickets are opened manually by the Security and Technical
Operations teams. Customers may also submit customer support
incidents via email, phone, or the Box Community site, which may
result in a creation of a security or availability incident ticket. The
Incident Response Plan (IRP) provides a methodology and
framework by which Box's incident responders can work to ensure a
complete and consistent response.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £20.00 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial The Individual Plan is a free service that is limited to one user and
offers mobile sync and sharing features, limited storage, encryption
at rest, access to Box Marketplace Applications, and multi-factor
Link to free trial Please contact O2 for access to the free trial.

Service documents

Return to top ↑