When you have high volumes of sensitive data in the cloud, you require superior security, privacy, and compliance controls— and regular reports on their effectiveness.
Service Organization Controls (SOC) reports, known as SOC 1, SOC 2, or SOC 3, are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on the internal controls within an organization.
These reports are essential for controlling and monitoring the protections built within the control base of the data to ensure that those protections are working.
SOC reports are more important than ever due to cloud computing and the trust that must be maintained between a service provider and a customer.
Dropbox constantly communicates to customers that the best security practices are in place and that they are rigorously and routinely verified by an independent third party.
To meet critical security, privacy, and compliance needs, Dropbox is validated by an independent third-party auditor. Dropbox has validated its systems, applications, people, and processes through a series of audits by independent third-party, Ernst & Young LLP.
This certification process confirms that Dropbox follows best practices and meets objective standards on financial reporting, security, privacy, confidentiality, availability, and processing integrity.
SOC reports 1 and 2 are available to existing Dropbox Business and Education customers by request, and anyone with interest can view the SOC 3 examination.
SOC 3 for Security, Confidentiality, Integrity, Availability, and Privacy
The SOC 3 assurance report covers all five Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP Section 100). The Dropbox general-use report is an executive summary of the SOC 2 report and includes the independent third-party auditor’s opinion on the effective design and operation of our controls.
View the Dropbox Business and Dropbox Education SOC 3 examination.
The SOC 2 report is a detailed level of controls-based assurance, covering all five Trust Service Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP Section 100).
It also includes a thorough description of Dropbox’s processes and the 100+ controls in place to protect your data. In addition to our independent third-party auditor’s opinion on the effective design and operation of our controls, the report includes the auditor’s test procedures and results for each control.
Our SOC 2 report includes an audited mapping of our controls to the ISO standards, providing additional transparency to our customers.
The SOC 1 report provides specific assurances for customers who determine that Dropbox Business or Dropbox Education is a key element of their internal controls over financial reporting (ICFR) program. These specific assurances are primarily used for our customers’ Sarbanes-Oxley (SOX) compliance.
The independent third-party audit is conducted in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the deprecated Statement on Standards for Attestation Engagement No.16 (SSAE 16) and Statement on Auditing Standards No. 70 (SAS 70).