Information security

Dropbox has established an information security management framework describing the purpose, direction, principles, and basic rules for how we maintain trust. This is accomplished by assessing risks and continually improving the security, confidentiality, integrity, and availability of the Dropbox Business systems. We regularly review and update security policies, provide security training, perform application and network security testing (including penetration testing), monitor compliance with security policies, and conduct internal and external risk assessments.

Security policies

  • Information security. Policies pertaining to user and Dropbox information, with key areas including device security; authentication requirements; data and systems security; restrictions on and guidelines for employee use of resources; and handling of potential issues

  • Physical security. How we maintain a safe and secure environment for people and property at Dropbox

  • Incident response. Our requirements for responding to potential security incidents, including assessment, communication, and investigation procedures

  • Logical access. Policies for securing Dropbox systems, user information, and Dropbox information, covering access control to corporate and production environments

  • Physical production access. Our procedures for restricting access to the physical production network, including management review of personnel and de-authorization of terminated personnel

  • Change management. Policies for code review and managing changes that impact security by authorized developers to application source code, system configuration, and production releases

  • Support. User metadata access policies for our support team regarding viewing, providing support for, or taking action on accounts

Access control

Employee access to the Dropbox environment is maintained by a central directory and authenticated using a combination of strong passwords, passphrase protected SSH keys, two-factor authentication, and OTP tokens. Our internal policies require employees accessing production and corporate environments to adhere to best practices for the creation and storage of SSH private keys. Remote access requires the use of VPN protected with two-factor authentication, and any special access is reviewed and vetted by the security team.

Dropbox employs technical access controls and internal policies to prohibit employees from arbitrarily accessing user files and to restrict access to metadata and other information about users’ accounts. As Dropbox becomes an extension of our customers’ infrastructure, they can rest assured that we are responsible custodians of their data.

Network security

Dropbox diligently maintains the security of our back-end network. Dropbox identifies and mitigates risks via regular application, network, and other security testing and auditing by both dedicated internal security teams and third-party security specialists.

Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We employ industry-standard protection techniques, including firewalls, network security monitoring, and intrusion detection systems to ensure only eligible traffic is able to reach our infrastructure. Access to the production environment is restricted to only authorized IP addresses, which are reviewed on a quarterly basis to ensure a secure production environment.

Change management

A formal Change Management Policy has been defined by the Dropbox Engineering team to ensure that all application changes have been authorized prior to implementation into the production environments. All changes are stored in a version control system and are required to go through automated Quality Assurance (QA) testing procedures to verify that security requirements are met. Our software development lifecycle (SDLC) requires adherence to secure coding guidelines, as well as screening of code changes for potential security issues via our QA and manual review processes. The Dropbox Security team is responsible for maintaining infrastructure security and ensuring that server, firewall, and other security-related configurations are kept up-to-date with industry standards.

Find more details about our security architecture in our Dropbox Business security whitepaper.