The International Organization for Standardization (ISO) has developed a series of world-class standards for information and societal security to help organisations develop reliable and innovative products and services. Dropbox has certified its data centres, systems, applications, people and processes through a series of audits by an independent third party – Netherlands-based EY CertifyPoint.
ISO 27001 is recognized as the premier information security management system (ISMS) standard around the world. The standards also leverages the security best practices detailed in ISO 27002. To be worthy of your trust, we’re continually and comprehensively managing and improving our physical, technical and legal controls at Dropbox. Our auditor, EY CertifyPoint, maintains its ISO 27001 accreditation from the Raad voor Accreditatie (Dutch Accreditation Council). View the Dropbox Business and Dropbox Education ISO 27001 certificate.
ISO 27017 is an international standard for cloud security that provides guidelines for security controls applicable to the provision and use of cloud services. Our Shared Responsibility Guide explains several of the security, privacy and compliance requirements that Dropbox and its customers can solve together. View the Dropbox Business and Dropbox Education ISO 27017 certificate.
ISO 27018 is an international standard for privacy and data protection that applies to cloud service providers like Dropbox who process personal information on behalf of their customers and provides a basis for which customers can address common regulatory and contractual requirements or questions. View the Dropbox Business and Dropbox Education ISO 27018 certificate.
ISO 22301 is an international standard for business continuity that guides organisations on how to decrease the impact of disruptive events and respond to them appropriately if they occur by minimising potential damage. The Dropbox Business continuity management system (BCMS) is part of our overall risk management strategy to protect people and operations during times of crises. View the Dropbox Business and Dropbox Education ISO 22301 certificate.
Service Organization Controls (SOC) reports, known as SOC 1, SOC 2 or SOC 3, are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on internal controls implemented within an organisation. Dropbox has validated its systems, applications, people and processes through a series of audits by an independent third party, Ernst & Young LLP.
The SOC 3 assurance report covers all five Trust Service Principles of Security, Confidentiality, Processing Integrity, Availability and Privacy (TSP Section 100). The Dropbox general-use report is an executive summary of the SOC 2 report and includes the independent third-party auditor’s opinion on the effective design and operation of our controls. View the Dropbox Business and Dropbox Education SOC 3 examination.
The SOC 2 report provides customers with a detailed level of controls-based assurance, covering all five Trust Service Principles of Security, Confidentiality, Processing Integrity, Availability and Privacy (TSP Section 100). The SOC 2 report includes a detailed description of Dropbox’s processes and the more than 100 controls in place to protect your stuff. In addition to our independent third-party auditor’s opinion on the effective design and operation of our controls, the report includes the auditor’s test procedures and results for each control. Our SOC 2 report (sometimes referred to as a SOC 2+ report) also includes an audited mapping of our controls to the ISO standards mentioned above, providing additional transparency to our customers. The SOC 2 examination for Dropbox Business and Dropbox Education is available upon request through our sales team or (for existing Dropbox Business customers) support.
The SOC 1 report provides specific assurances for customers who determine that Dropbox Business or Dropbox Education is a key element of their internal controls over financial reporting (ICFR) program. These specific assurances are primarily used for our customers’ Sarbanes-Oxley (SOX) compliance. The independent third-party audit is conducted in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the deprecated Statement on Standards for Attestation Engagement No.16 (SSAE 16) and Statement on Auditing Standards No. 70 (SAS 70). The SOC 1 examination for Dropbox Business and Dropbox Education is available upon request through our sales team or (for existing Dropbox Business customers) support.
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that offers a security assurance programme for cloud services, thereby helping users assess the security posture of cloud providers they currently use or are considering contracting with.
Dropbox Business and Dropbox Education have received both the CSA STAR Level 2 Certification and Level 2 Attestation. CSA STAR Level 2 requires a third-party independent assessment of our security controls by EY CertifyPoint (for Certification) and Ernst & Young LLP (for Attestation), based on the requirements of ISO 27001, SOC 2 Trust Service Principles and the CSA Cloud Controls Matrix (CCM) v.3.0.1. Dropbox has also completed the CSA STAR Level 1 Self-Assessment for Dropbox Business and Dropbox Education. The Self-Assessment is a rigorous survey based on CSA’s Consensus Assessments Initiative Questionnaire (CAIQ), which aligns with the CCM, and provides answers to almost 300 questions a cloud customer or a cloud security auditor may wish to ask. View our CSA STAR Level 1 and Level 2 Certification and Attestation on the CSA website.
Dropbox will sign business associate agreements (BAAs) with Dropbox Business or Dropbox Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Please see our “Getting started with HIPAA” guide and help center article for more detailed information.
Dropbox makes available a third-party assurance report evaluating our controls for the HIPAA/HITECH Security, Privacy and Breach Notification rules, as well as a mapping of our internal practices and recommendations for customers who are looking to meet the HIPAA/HITECH Security and Privacy rule requirements with Dropbox Business or Dropbox Education.
Customers interested in requesting these documents can reach out to our sales team. If you’re currently a Dropbox Business or Dropbox Education team admin, you can sign a BAA electronically from the Account page in the Admin Console.
Note: The ability to sign an electronic BAA via the Admin Console is available only to US-based customers that are not using Dropbox Paper. Dropbox does not offer HIPAA/HITECH support for Dropbox Paper.
The Cloud Computing Compliance Controls Catalog (C5) is a framework established by the German Federal Office for Security in Information Technology (Bundesamt fur Sicherheit in der Informationstechnik - BSI) for reporting on security controls applicable to the provision of cloud services. The C5 attestation helps organisations with demonstrating their information security practices conform with BSI’s “Security Recommendations for Cloud Providers”. C5 builds upon existing international security standards such as ISO 27001 and CSA STAR. In order to receive the C5 attestation report, Dropbox’s systems, processes and controls were validated by an independent, Germany-based, third-party auditor, Ernst & Young GmbH. The independent audit is conducted in accordance with the the International Standard on Assurance Engagements No. 3000 (ISAE 3000).
The report includes a detailed description of Dropbox’ system, applications, processes and controls, as well as our independent auditor’ test procedures and results for each control. The C5 report for Dropbox Business and Dropbox Education is available upon request through our sales team or (for existing Dropbox Business customers) support.
*Dropbox Paper is not included in the scope of the C5 report.
Dropbox complies with the EU-US and Swiss-US Privacy Shield frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of personal information transferred from the European Union, the European Economic Area and Switzerland to the United States. Adhering to the Privacy Shield Principles ensures that an organisation provides adequate privacy protection under the EU data protection directive.
The General Data Protection Regulation 2016/679, or GDPR, is a European Union regulation that marks a significant change to the existing framework for processing personal data of individuals in the EU. The GDPR introduced a series of new or enhanced requirements that will apply to companies like Dropbox which handle personal data. It took effect on 25 May 2018 and replaced the EU Directive 95/46 EC, better known as the Data Protection Directive. Dropbox is GDPR-compliant so that customers can use Dropbox to facilitate their GDPR compliance. For more information, please see this help centre article.
Dropbox Business and Dropbox Education allows customers to use the services in compliance with the vendor obligations imposed by the US Family Education Rights and Privacy Act (FERPA). Educational institutions with students under the age of 13 can also use Dropbox Business or Dropbox Education consistent with the Children’s Online Privacy Protection Act (COPPA), provided that they agree to specific contractual provisions requiring the institution to obtain parental consent regarding the use of our services.
Dropbox Business is listed in the United Kingdom (UK) Digital Marketplace for government cloud services procurement. View our listings on the UK Digital Marketplace website for Dropbox Business Standard Plan, Dropbox Business Advanced Plan and Dropbox Enterprise Plan.
*Dropbox Paper is not included in the UK Digital Marketplace G-Cloud listing.
Dropbox is a Payment Card Industry Data Security Standard (PCI DSS) compliant merchant. However, Dropbox Business, Dropbox Education and Dropbox Paper are not meant to process or store credit card transactions. The PCI Attestation of Compliance (AoC) for our merchant status is available upon request through our sales team or (for existing Dropbox Business customers) support.
Our data centre co-location and managed service providers also undergo regular SOC 1, SOC 2 and/or ISO 27001 audits to verify their security practices. At least annually, Dropbox reviews the results of these audits, or performs vendor security reviews if an audit report is not available, as part of our information security management programme. In the event that these audits or reviews have material findings that we determine present risks to Dropbox or our customers, we’ll work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue has been resolved.