Skip to main content

Vanderbilt Box Storage Policy

Box provides robust security for stored data. State-of-the-art technology and industry best practices are used for data encryption during transit of data to and from the Box cloud and while data is being stored within Box. However, due to federal, state, local laws and policies, Box should not be used to store, collect or share certain types of regulated and sensitive data.

Vanderbilt University Medical Center faculty and staff should use the VUMC instance and Box Policy detailed at   

A breakdown of permissions by data type is provided below:

Data Type Permitted Not-Permitted Examples
Non-confidential or general business


De-identified human subject research


Data that does not include any information which could be used to identify the individuals involved in the research

Sensitive identifiable human subject research  


Any individually identifiable research data containing sensitive information about mental health, genetics, alcohol & drug abuse, or illegal behaviors

Student educational records (FERPA)



Grades, student transcripts, degree information, disciplinary records and class schedule

Protected health information



Any unique identifying attribute, characteristic, code or combination that allows identification of an individual, and that is combined with medical or health information. Examples include, but not limited to, data of birth, date of death, email addresses, telephone numbers and device ID numbers

Social Security Numbers



Gramm Leach Bliley (GLBA) student loans application information


Student loan information, payment history and student financial aid data
Payment card information (PCI)  

Cardholder name, account number, expiration date, verification number, security code
Export controlled research (ITAR, EAR)  

Data containing research on items such as chemical and biological agents, satellite communications, certain software or technical data, and work on formulas for explosives
FISMA data  

Any government data that is regulated by the Federal Information Management and Security Act, including VA data, FDA data and Medicare data