Security & Data Use
This page explains exactly what permissions the 5S Ethos for Box integration requests, how your data moves through the integration, what we store and for how long, and the safeguards we apply. We aim to give Box and Box users a clear, honest picture so you can make an informed decision before connecting your account.
Permissions we request
When you connect 5S Ethos to Box, you authorize the integration through Box OAuth. You explicitly grant the permissions below during that flow, and you can review or revoke them at any time from your Box account settings. We request only the scopes needed to deliver the features you use.
- Read file content — lets the integration read the contents of the specific files you reference or act on, so they can be processed by the AI features you request. We do not bulk-scan your entire Box account; we read only what a given action requires.
- Read file metadata — lets the integration read file attributes (such as name, type, size, folder location, and timestamps) needed to locate the right item and present results in context.
- Write / create / update files and metadata — lets the integration write results back to Box when you ask it to — for example, creating a new file, updating an existing file, or applying or updating metadata. Write actions happen only at your request; the integration does not modify your content on its own.
Each permission is granted by you through the standard Box OAuth consent screen. You may revoke access to 5S Ethos at any time in Box (Account Settings → Apps / authorized applications), which immediately ends the integration's ability to read or write your Box data.
How your data flows
The integration processes only the content and metadata you reference for a given task. The typical flow is:
- You authorize the integration through Box OAuth, granting the scopes listed above.
- You ask the integration to act on specific files or folders. The integration reads only the content and metadata you reference for that task.
- That content is sent to the AI provider, [AI Provider], for processing in order to produce the result you requested.
- Results are returned to you for review.
- When you request it, the integration writes results back to Box — creating or updating a file and/or its metadata.
Content is processed for the sole purpose of delivering the feature you requested. We do not access files you have not referenced, and write-backs occur only when you ask for them.
What we store, and for how long
Some Box-derived data may be stored or cached on the integration's own infrastructure to operate the service reliably. This infrastructure is hosted with [Hosting Provider] in region [Region].
- What we store: [job records, embeddings, cached results], along with the OAuth tokens needed to maintain your connection and basic operational logs.
- How long: stored data is retained for [Retention Period], after which it is deleted or anonymized in the normal course of operation.
- On disconnect: when you revoke access in Box or request deletion, we delete your stored OAuth tokens and associated Box-derived data within [Deletion Timeframe], except where retention is required for legal or security obligations.
We store the minimum needed to provide the service and do not retain your Box content beyond what is described here.
Sub-processors
We rely on a small set of vetted service providers to deliver the integration. Each is bound by contract to appropriate confidentiality and data-protection terms.
- Box — the platform you connect; source and destination of your files and metadata.
- [AI Provider] — performs the AI processing of referenced content to produce your results.
- [Hosting Provider] — hosts the integration's infrastructure and stored data in region [Region].
How we protect data
- Encryption in transit: all data exchanged with Box, the AI provider, and your browser is protected with TLS.
- Encryption at rest: stored data, including OAuth tokens and any cached Box-derived data, is encrypted at rest.
- Access controls / least privilege: access to systems and data is limited to authorized personnel on a need-to-know basis, with the minimum privileges required.
- Secure token storage: Box OAuth tokens are stored securely and used only to perform actions you request.
- Logging and monitoring: we maintain operational logging and monitoring to detect and respond to anomalous activity.
- Independent assurance: [SOC 2 / penetration testing details, if applicable].
AI processing & model training
Your content is processed only to deliver the features you request. We want to be unambiguous about how it is — and is not — used:
- Customer content is never used to train AI models, ours or the provider's.
- Customer content is not sold and is not used for advertising.
- The AI provider, [AI Provider], is bound by contract to process content solely to provide the service and not to train on it.
Your controls
- Revoke access at any time in Box (Account Settings → Apps / authorized applications). Revoking immediately ends the integration's access to your Box data.
- Request export or deletion of the data we store about you by contacting us.
- Read our full Privacy page for details on data handling, and visit Support for help.
Incident response
We maintain an incident-response process to identify, contain, and remediate security incidents. If an incident affects your data, we will notify affected users and, where required, the relevant authorities, generally within [Notification Timeframe] of confirming the incident, with information about what happened and the steps we are taking.
Compliance
We design our data practices to align with applicable requirements, including [GDPR / CCPA / Box Trust requirements as applicable]. If you have specific compliance questions, contact us using the details below.
Contact
For security questions or to report a concern, contact dev@launchindustries.biz. For general help, contact dev@launchindustries.biz.