Additional security to Box Sign links in "completed" emails
Box Sign sends an email to a signer (subject "Completed: [name of document]") after all the documents have been signed. This link gives anyone with the link access to the document in question with no additional authentication (e.g. MFA, password, Box login) needed. This link skips folder or Box Shield settings restricting the use of shared links and cannot be manually removed or expired. Email, without any additional protections, is not considered secure enough for transmittal of certain types of protected information (e.g. patient health information under HIPAA). A bad actor who grabs this post-signing email from a patient who signed a form could use the link to access that patient's health information. Therefore, Box Sign in its current state cannot be used with any forms that ask for this kind of sensitive data. I would request an ability to turn off these post-signing links.
-
Anonymous
commented
I agree. I believe that BoxSign has issues that could lead to information leaks due to its lack of control functions.
At the very least, we request that the following functions be implemented as soon as possible: preventing the sending of BoxSign link emails, preventing the issuance of open links (making them operable only from the Sign folder), etc.
-
Ryan Ohlson
commented
While Box Sign allows you to secure a document when sending it for signature (SMS, Password), the document is viewable without the SMS or Password once it is signed. Box Sign automatically sends an email to all parties confirming the completion of the signing process. In that email the link to the completed document is not protected by the same measures as when it was first sent for signature.
In many cases, the document that is being signed contains extremely sensitive information and thus it is best practice for the document to be protected with the additional layer of authentication even after it is signed.
Currently, the only way to manage this is for the Box Sign owner to locate the completed files and either remove the Shared Link that Box Sign automatically created or to manually enable a password for the link.
-
Box Sign provides additional security by allowing recipients to be modified to add functionality such as passwords, require Box login and require 2FA. More information can be found here:
https://support.box.com/hc/en-us/articles/4406861109907-Additional-Signer-Authentication
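
The manual workaround in Ryan Ohlson's comment (locate the completed files, then remove the shared link or put a password on it) can be scripted against the Box Content API. The sketch below is an added example, not part of the thread and not Box's own code; it assumes the completed document carries an ordinary file shared link as that comment describes, and the sample folder listing, file IDs and token are constructed placeholders.

```python
import json
import urllib.request

API = "https://api.box.com/2.0"  # Box Content API base URL

# Constructed sample of a folder-items response requested with
# ?fields=name,shared_link (IDs and names are made up for this example).
SAMPLE_ITEMS = json.loads("""
{"entries": [
  {"type": "file", "id": "1001", "name": "intake-form (signed).pdf",
   "shared_link": {"access": "open", "is_password_enabled": false}},
  {"type": "file", "id": "1002", "name": "consent (signed).pdf",
   "shared_link": {"access": "open", "is_password_enabled": true}},
  {"type": "file", "id": "1003", "name": "nda (signed).pdf",
   "shared_link": {"access": "company", "is_password_enabled": false}},
  {"type": "file", "id": "1004", "name": "draft.pdf", "shared_link": null},
  {"type": "folder", "id": "2001", "name": "archive", "shared_link": null}
]}
""")


def unprotected_files(items):
    """Return (id, name) of files whose shared link works for anyone holding the URL."""
    hits = []
    for entry in items.get("entries", []):
        link = entry.get("shared_link")
        if entry.get("type") != "file" or not link:
            continue
        if link.get("access") == "open" and not link.get("is_password_enabled"):
            hits.append((entry["id"], entry["name"]))
    return hits


def remediation_request(file_id, token, password=None):
    """Build (not send) the PUT that removes the link, or sets a password on it."""
    shared_link = {"access": "open", "password": password} if password else None
    body = json.dumps({"shared_link": shared_link}).encode()
    return urllib.request.Request(
        f"{API}/files/{file_id}?fields=shared_link", data=body, method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    for file_id, name in unprotected_files(SAMPLE_ITEMS):
        req = remediation_request(file_id, token="PLACEHOLDER_TOKEN")
        print(name, req.get_method(), req.full_url, req.data.decode())
```

The requests are only built, not sent; pass each one to `urllib.request.urlopen` with a real access token to apply the change.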