ISO 27001 is recognized as the premier information security standard around the world. Our information security management program was validated by an independent third-party, Netherlands-based Ernst & Young CertifyPoint, which maintains ISO accreditation from the Raad voor Accreditatie (Dutch Accreditation Council) as a member of the International Accreditation Forum (IAF). Certificates issued by Ernst & Young CertifyPoint are recognized as valid in all countries with IAF membership.
ISO 27018 is an emerging international standard for privacy and data protection that applies to cloud service providers like Dropbox that process personal information on behalf of their customers. This certification demonstrates our commitment to privacy and data protection practices and provides a basis for which our customers can address common regulatory and contractual requirements or questions.
Dropbox Business provides customers with a SOC 3 assurance report. Click here to view our SOC 3 report.
Our Service Organization Controls 3 (SOC 3) report provides customers with the American Institute of Certified Public Accountants (AICPA) SysTrust Seal of assurance and covers the Security, Confidentiality, Processing Integrity, and Availability Trust Service Principles. This general-use report is an executive summary of our SOC 2 report and includes our independent third-party auditor’s opinion on the effective design and operation of our controls.
Our SOC 3 examinations are performed by Ernst & Young LLP.
Our Service Organization Controls 2 (SOC 2) report provides customers with a detailed level of controls-based assurance and covers the Security, Confidentiality, Processing Integrity, and Availability Trust Service Principles. The 140-page audit report includes a detailed description of our processes and over 100 controls we have in place to protect your data. In addition to including our independent third-party auditor’s opinion on the effective design and operation of our controls, the report also describes the auditor’s test procedures and results for each control.
Our SOC 2 examinations are performed by Ernst & Young LLP.
Our Service Organization Controls 1 (SOC 1) report provides specific assurances to customers who determine that Dropbox Business is a key element of their internal controls over financial reporting (ICFR) program. These specific assurances are primarily used for customers’ Sarbanes-Oxley (SOX) compliance. The independent third-party audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the deprecated Statement on Auditing Standards No. 70 (SAS 70).
Our SOC 1 examinations are performed by Ernst & Young LLP.
A CSA STAR Level 1 Questionnaire for Dropbox Business is available for download on the Cloud Security Alliance’s web site.
Dropbox Business provides a CSA STAR Level 1 Questionnaire, accessible on the CSA website.
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. Dropbox is a CSA STAR registrant has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The latest version of the CAIQ, aligned to CSA’s Cloud Controls Matrix (CCM) v.3.0.1, provides answer to almost 300 questions a cloud customer or a cloud security auditor may wish to ask of a cloud provider
Dropbox Business allows customers to use the services in compliance with the vendor obligations imposed by the US Family Education Rights and Privacy Act (FERPA). Educational institutions with students under the age of 13 can also use Dropbox Business consistent with the Children’s Online Privacy Protection Act (COPPA), provided that they agree to specific contractual provisions requiring the institution to obtain parental consent regarding the use of our services.
Dropbox Business is now listed in the United Kingdom (UK) Digital Marketplace for government cloud services procurement. See our listing here.
Dropbox will sign Business Associate Agreements (BAAs) with customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Please see our “Getting Started with HIPAA” guide and Help Center article for more detailed information.
Dropbox makes available a mapping of our internal practices and recommendations for customers who are looking to meet the HIPAA/HITECH Security and Privacy Rule requirements with Dropbox Business.
Customers interested in requesting these documents or signing a Business Associate Agreement with Dropbox Business can reach out to their account management team or contact our sales team. If you’re a current Dropbox Business team admin, you can sign a BAA electronically from the Account page in the Admin Console.
Dropbox is a Payment Card Industry Data Security Standard (PCI DSS) compliant merchant. However, Dropbox Business is not meant to process or store card holder data or transactions. Dropbox provides customers with a PCI Attestation of Compliance (AoC) regarding our merchant status, available upon request through email@example.com or the Dropbox Business account management team.
Our data center co-location and managed service providers also undergo regular SOC 1, SOC 2, and/or ISO 27001 audits to verify their security practices. Dropbox reviews the results of these audits at least annually as part of our information security management program. In the event these audits have material findings which we determine present risks to Dropbox or our customers, we’ll work with the subservice provider to understand any potential impact to customer data and track their remediation efforts until the issue has been resolved.