diff --git a/src/backupsites.js b/src/backupsites.js
index ec661806b..f66a80369 100644
--- a/src/backupsites.js
+++ b/src/backupsites.js
@@ -513,7 +513,7 @@ async function add(data, auditSource) {
 
     if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
-    const { provider, name, config, format, contents, retention, schedule, enabledForUpdates } = data; // required
+    const { provider, name, config, format, contents, retention, schedule, enableForUpdates } = data; // required
     const limits = data.limits || null,
         encryptionPassword = data.encryptionPassword || null,
         encryptedFilenames = data.encryptedFilenames || false,
@@ -549,7 +549,7 @@ async function add(data, auditSource) {
     const sanitizedConfig = await storageApi({ provider }).verifyConfig({id, provider, config });
 
     await database.query('INSERT INTO backupSites (id, name, provider, configJson, contentsJson, limitsJson, integrityKeyPairJson, retentionJson, schedule, encryptionJson, format, enabledForUpdates) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
-        [ id, name, provider, JSON.stringify(sanitizedConfig), JSON.stringify(contents), JSON.stringify(limits), JSON.stringify(integrityKeyPair), JSON.stringify(retention), schedule, JSON.stringify(encryption), format, enabledForUpdates ]);
+        [ id, name, provider, JSON.stringify(sanitizedConfig), JSON.stringify(contents), JSON.stringify(limits), JSON.stringify(integrityKeyPair), JSON.stringify(retention), schedule, JSON.stringify(encryption), format, enableForUpdates ]);
 
     debug('add: setting up new storage configuration');
     await storageApi({ provider }).setup(sanitizedConfig);
diff --git a/src/routes/backupsites.js b/src/routes/backupsites.js
index b98265089..a1ca264f5 100644
--- a/src/routes/backupsites.js
+++ b/src/routes/backupsites.js
@@ -85,6 +85,8 @@ async function add(req, res, next) {
     if ('encryptionPasswordHint' in req.body && typeof req.body.encryptionPasswordHint !== 'string') return next(new HttpError(400, 'encryptionPasswordHint must be a string'));
     if ('encryptedFilenames' in req.body && typeof req.body.encryptedFilenames !== 'boolean') return next(new HttpError(400, 'encryptedFilenames must be a boolean'));
 
+    if ('enableForUpdates' in req.body && typeof req.body.enableForUpdates !== 'boolean') return next(new HttpError(400, 'enableForUpdates must be a boolean'));
+
     // testing the backup using put/del takes a bit of time at times
     req.clearTimeout();