We use independent third-party auditors to test our systems and controls against some of the most widely-accepted security standards and regulations in the world, such as ISO 27001 and SOC 2. These reviews occur at least annually and are conducted by globally-respected audit and security firms that are independent and thorough in their inspections. For example, our ISO 27001 certification is performed by Ernst & Young CertifyPoint, which maintains ISO accreditation from the Dutch Accreditation Council.
Our security team performs automated and manual application security testing on a regular basis to identify and patch potential security vulnerabilities and bugs on our desktop, web, and mobile applications. We also work with third-party security specialists, as well as other industry security teams and the security research community. See our responsible disclosure policy for guidelines on discovering and reporting security vulnerabilities.
A critical part of any information security management program is the continual improvement of security programs, systems, and controls. To this end, Dropbox is committed to soliciting feedback from different internal teams, customers, internal and external auditors, and using this feedback to develop improved processes and controls.