This analysis describes what Box's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The clause creates a conditional compliance framework: HIPAA-regulated data processing is permitted only through an executed BAA. Without this requirement, Box could not legally handle PHI under HIPAA regulations, and the BAA mechanism establishes the contractual basis for lawful processing of health information.
Users subject to HIPAA obligations must complete a separate contracting step before uploading any Protected Health Information. The provision makes BAA execution a prerequisite condition rather than an optional feature, creating an affirmative obligation for users handling regulated health data.
Box has changed this document before.
"Box is not a HIPAA covered entity or business associate by default. If you intend to use the Services to store or process Protected Health Information as defined by HIPAA, you must execute a Business Associate Agreement with Box prior to uploading any such information. Uploading PHI without a signed BAA is a violation of these Terms and may result in immediate account suspension."
Excerpt from Box's Box Terms of Service
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Box.