SOC reports are vital for trust and transparency

When you have high volumes of sensitive data in the cloud, you require superior security, privacy and compliance controls – and regular reports on their effectiveness.


What SOC reports are and why they’re important

Service Organisation Controls (SOC) reports, known as SOC 1, SOC 2 or SOC 3, are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on the internal controls within an organisation.

These reports are essential for monitoring the protections built around the data and for confirming that those protections are working.

SOC reports ensure the best security practices

SOC reports are more important than ever due to cloud computing and the trust that must be maintained between a service provider and a customer.

Dropbox constantly communicates to customers that the best security practices are in place and that they are rigorously and routinely verified by an independent third party.


How SOC 1, SOC 2 and SOC 3 reports are validated

Assessed by an independent third party

To meet critical security, privacy and compliance needs, Dropbox is validated by an independent third-party auditor. Dropbox has validated its systems, applications, people and processes through a series of audits by an independent third party, Ernst & Young LLP.

Follows best practices and objective standards

This certification process confirms that Dropbox follows best practices and meets objective standards on financial reporting, security, privacy, confidentiality, availability and processing integrity.

SOC reports 1 and 2 are available to existing Dropbox Business and Education customers by request, and anyone with interest can view the SOC 3 examination.

SOC 3 for Security, Confidentiality, Integrity, Availability and Privacy

The SOC 3 assurance report covers all five Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (TSP Section 100). The Dropbox general-use report is an executive summary of the SOC 2 report and includes the independent third-party auditor’s opinion on the effective design and operation of our controls.

View the Dropbox Business and Dropbox Education SOC 3 examination.

SOC 2 Compliance for Security, Confidentiality, Integrity, Availability and Privacy

The SOC 2 report provides a detailed level of controls-based assurance, covering all five Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (TSP Section 100).

It also includes a thorough description of Dropbox’s processes and the 100+ controls in place to protect your data. In addition to our independent third-party auditor’s opinion on the effective design and operation of our controls, the report includes the auditor’s test procedures and results for each control.

Our SOC 2 report includes an audited mapping of our controls to the ISO standards, providing additional transparency to our customers.

SOC 1 report/SSAE 18/ISAE 3402 (formerly SSAE 16 or SAS 70)

The SOC 1 report provides specific assurances for customers who determine that Dropbox Business or Dropbox Education is a key element of their internal controls over financial reporting (ICFR) program. These specific assurances are primarily used for our customers’ Sarbanes-Oxley (SOX) compliance.

The independent third-party audit is conducted in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the deprecated Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and Statement on Auditing Standards No. 70 (SAS 70).

The SOC 1 examination for Dropbox Business and Dropbox Education is available upon request through our sales team or (for existing Dropbox Business customers) support.