Trust Center
Built for organisations that take trust seriously.
Everything you need to evaluate Boxes — security posture, compliance, privacy, subprocessors, AI governance. Reports available under NDA from security@boxes.sh.
Security overview
Encryption, access controls, vulnerability management.
Compliance reports
SOC 2 Type II, ISO 27001, HIPAA, GDPR — available under NDA.
Data Processing Agreement
GDPR Article 28 compliant DPA. Self-serve and customisable.
Privacy policy
How we handle personal data — GDPR + CCPA disclosures.
AI governance
How agents act, what we never train on, capability scopes.
Subprocessors
Third-party services that process customer data — full list.
AI governance commitments
- We do not train models on customer content. This is contractually committed in our ToS and DPA.
- Every agent action is cryptographically signed. Tamper-evident audit log with five-year retention.
- Capability scopes are enforced server-side. Agents cannot exceed their granted permissions.
- Human approval gates are configurable. Default to "human-in-the-loop" for any new agent capability.
- Customer-controlled model routing. Bring your own LLM. Disable third-party inference per workspace.
- Pre-action visibility. Every draft viewable before send, with confidence and rationale.
Need something specific?
Audit reports, custom DPAs, security questionnaires — security@boxes.sh