Box Sign links in "completed" emails are insecure
Box Sign sends an email to a signer (subject "Completed: [name of document]") after all the documents have been signed. This link gives anyone with the link access to the document in question with no additional authentication (e.g. MFA, password, Box login) needed. This link ignores folder or Box Shield settings restricting the use of shared links and cannot be manually removed or expired. Email, without any additional protections, is not considered secure enough for transmittal of certain types of protected information (e.g. patient health information under HIPAA). A bad actor who grabs this post-signing email from a patient who signed a form could use the link to access that patient's health information. Therefor, Box Sign in it's current state cannot be used with any forms that ask for this kind of sensitive data. I would request an ability to turn off these post-signing links.
Box Sign provides additional security by allowing recipients to be modified to add functionality such as passwords, require box login and require 2FA. More information can be found here: