Which standards and regulations does Dropbox Business comply with?
ISO 27001 (Security) and ISO 27018 (Privacy and Data Protection)
ISO 27001 is the most widely recognized international information security standard. Our information security management system (ISMS) was certified by an independent third party, Netherlands-based Ernst & Young CertifyPoint, which holds ISO accreditation from the Raad voor Accreditatie (Dutch Accreditation Council), a member of the International Accreditation Forum (IAF). Certificates issued by Ernst & Young CertifyPoint are recognized as valid in all countries with IAF membership.
ISO 27018 is an emerging international standard for privacy and data protection that applies to cloud service providers, such as Dropbox, that process personal information on behalf of their customers. This certification demonstrates our commitment to privacy and data protection practices and provides a basis on which our customers can address common regulatory and contractual requirements or questions.
SOC 3 for Security, Confidentiality, Integrity, and Availability
Dropbox Business provides a publicly available Service Organization Controls 3 (SOC 3) assurance report.
Our SOC 3 report provides customers with the American Institute of Certified Public Accountants (AICPA) SysTrust Seal of assurance and covers the Security, Confidentiality, and Processing Integrity Trust Service Principles. This general-use report is an executive summary of our SOC 2 report and includes our independent third-party auditor's opinion on the design and operating effectiveness of our controls.
Our SOC 3 examinations are performed by Ernst & Young LLP.
SOC 2 for Security, Confidentiality, Integrity, and Availability
Dropbox Business provides a Service Organization Controls 2 (SOC 2) assurance report upon request.
Our SOC 2 report provides customers with a detailed level of controls-based assurance, covering the Security, Confidentiality, Processing Integrity, and Availability Trust Service Principles. The SOC 2 report includes a detailed description of our processes and the more than 100 controls we have in place to protect your data. In addition to our independent third-party auditor's opinion on the design and operating effectiveness of our controls, the report includes the auditor's test procedures and results for each control.
Our SOC 2 examinations are performed by Ernst & Young LLP.
SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70)
Dropbox Business provides a SOC 1 / SSAE 16 / ISAE 3402 report upon request.
Our SOC 1 report provides specific assurances for customers who determine that Dropbox Business is a key element of their internal controls over financial reporting (ICFR) program. These specific assurances are primarily used for our customers' Sarbanes-Oxley (SOX) compliance. The independent third-party audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the deprecated Statement on Auditing Standards No. 70 (SAS 70).
Our SOC 1 examinations are performed by Ernst & Young LLP.
Cloud Security Alliance: Security, Trust, and Assurance Registry (CSA STAR)
Dropbox Business provides a CSA STAR Level 1 Questionnaire, accessible on the CSA website.
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, helping users assess the security of cloud providers they currently use or are considering contracting with. Dropbox is a CSA STAR registrant and has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The latest version of the CAIQ, aligned to the CSA Cloud Controls Matrix (CCM) v3.0.1, provides answers to almost 300 questions a cloud customer or a cloud security auditor may wish to ask of a cloud provider.
HIPAA / HITECH
Dropbox will sign business associate agreements (BAAs) with customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Please see our "Getting started with HIPAA" guide and help center article for more detailed information.
Dropbox makes available a third-party assurance report evaluating our controls for the HIPAA/HITECH Security, Privacy, and Breach Notification rules, as well as a mapping of our internal practices and recommendations for customers who are looking to meet the HIPAA/HITECH Security and Privacy rule requirements with Dropbox Business.
For customers subject to HIPAA/HITECH, remember that a BAA must be in place before you transfer protected health information (PHI) into your Dropbox account. You can learn more about this process, and request a BAA, by contacting our sales team. If you're a current Dropbox customer, you can also contact your account manager.
Students and Children (FERPA and COPPA)
Dropbox Business allows customers to use the services in compliance with the vendor obligations imposed by the US Family Educational Rights and Privacy Act (FERPA). Educational institutions with students under the age of 13 can also use Dropbox Business consistent with the Children's Online Privacy Protection Act (COPPA), provided that they agree to specific contractual provisions requiring the institution to obtain parental consent regarding the use of our services.
UK Digital Marketplace G-Cloud 6
Dropbox Business is listed in the United Kingdom (UK) Digital Marketplace (G-Cloud 6) for government cloud services procurement.
PCI DSS
Dropbox is a Payment Card Industry Data Security Standard (PCI DSS) compliant merchant. This merchant compliance covers Dropbox's own handling of card payments; Dropbox Business itself is not meant to process or store credit card transactions, and customers should not use it to store cardholder data. Dropbox provides customers with a PCI Attestation of Compliance (AoC) for our merchant status upon request.
U.S.–E.U. and U.S.–Swiss Safe Harbor
Dropbox is certified and complies with the U.S.–EU Safe Harbor framework as set forth by the U.S. Department of Commerce and the European Commission regarding the collection, use, and retention of personal data from EU member states. Dropbox is also certified and complies with the U.S.–Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland. More information on the Safe Harbor framework can be found at http://export.gov/safeharbor, including a searchable list with our current certification status.
Where can I get more information?
Compliance and certification documents can be requested by contacting our sales team or your account management team. We'll update this page with any new certifications or compliance standards as we receive them.