
Under the hood: Architecture overview

Dropbox is designed with multiple layers of protection, including secure data transfer, encryption, network configuration and application-level controls distributed across a scalable, secure infrastructure.

File infrastructure

Dropbox users can access files and folders at any time from a number of interfaces, including the desktop, web and mobile clients, or via third-party applications connected to Dropbox. Each has security settings and features that process and protect user data whilst ensuring ease of access. All of these clients connect to secure servers to provide access to files, allow file sharing with others and update linked devices when files are added, changed or deleted.

Dropbox distributed file infrastructure

Our file infrastructure is comprised of the following components:

Block servers

Block servers process files from the Dropbox applications by splitting each file into blocks, encrypting each block using a strong cipher and synchronising only blocks that have been modified between revisions. When a change is made, new or modified blocks are processed and transferred to the storage servers.

Metadata servers

Basic information about user data (including file names and types), called metadata, is kept in its own discrete storage service separate from file blocks. Metadata acts as an index for data in users’ accounts, and is sharded and replicated as needed to meet performance and high availability requirements.

Storage servers

The actual contents of users’ files are stored in encrypted blocks with this service. Each individual encrypted file block is retrieved based on its hash value, and an additional layer of encryption is provided for all file blocks at rest using a strong cipher.
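An added sketch, not Dropbox's code, of the flow described under Block servers and Storage servers: a file is split into blocks, each block is addressed by its hash, and a new revision transfers only the blocks the store does not already hold. The 8-byte block size, SHA-256 and the in-memory `BlockStore` are assumptions for illustration, and block encryption is left out.

```python
import hashlib

BLOCK_SIZE = 8  # assumption: tiny blocks keep the demo readable


def split_blocks(data, size=BLOCK_SIZE):
    """Split file contents into fixed-size blocks (the last may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def block_id(block):
    """Content address of a block: hex SHA-256 of its bytes (assumed hash)."""
    return hashlib.sha256(block).hexdigest()


class BlockStore:
    """Hypothetical stand-in for a storage service: blocks keyed by hash."""
    def __init__(self):
        self._blocks = {}

    def missing(self, ids):
        return {i for i in ids if i not in self._blocks}

    def put(self, block):
        self._blocks[block_id(block)] = block

    def get(self, bid):
        block = self._blocks[bid]
        if block_id(block) != bid:  # stored bytes must still match their address
            raise ValueError("block %s failed hash verification" % bid)
        return block


def sync_revision(store, data):
    """Send only blocks the store lacks; return (ordered block ids, blocks sent)."""
    blocks = split_blocks(data)
    ids = [block_id(b) for b in blocks]
    need = store.missing(ids)
    sent = 0
    for block, bid in zip(blocks, ids):
        if bid in need:
            store.put(block)
            need.discard(bid)  # a block repeated within the file is sent once
            sent += 1
    return ids, sent


def restore(store, ids):
    """Rebuild a revision from its ordered block list (the index's role)."""
    return b"".join(store.get(i) for i in ids)
```

Because a block's address is derived from its content, `get` can detect a block that was altered after it was stored.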

Notification service

This is a separate service dedicated to monitoring whether changes have been made to Dropbox accounts. No file data or metadata is stored or transferred here. Instead, clients establish a long poll connection to this service and wait; when a change occurs, the service signals the relevant clients.

Dropbox Paper infrastructure

Dropbox users can access Paper docs at any time from the web and mobile clients, or through third-party applications connected to the Dropbox Paper application. All of these clients connect to secure servers to provide access to Paper docs, allow doc sharing with others and update linked devices when docs are added, changed or deleted.

Dropbox Paper distributed file infrastructure

Dropbox Paper infrastructure is comprised of the following components:

Paper application servers

The Paper Application Servers process user requests, render the output of edited Paper docs back to the user and perform notification services. Paper Application Servers write user edits to the Paper Databases, where they are placed in persistent storage. Communication sessions between the Paper Application Servers and Paper Databases are encrypted using a strong cipher.

Paper image servers

Images uploaded to Paper docs are stored and encrypted at rest on the Paper Image Servers. Transmission of image data between the Paper Application and Paper Image Servers occurs over an encrypted session.

Paper databases

The actual contents of users' Paper docs, as well as certain metadata about these Paper docs, are encrypted in persistent storage on the Paper Databases. This includes information about a Paper doc (such as the title, shared membership and permissions, project and folder associations and other information), as well as content within the Paper doc itself, including comments and tasks. The Paper Databases are sharded and replicated as needed to meet performance and high availability requirements.

Paper image proxy service

The Paper image proxy service delivers previews both for images uploaded to Paper docs and for hyperlinks embedded within Paper docs. For uploaded images, the service fetches data stored in the Paper image servers via an encrypted channel. For embedded hyperlinks, the service fetches the data and renders a preview using either HTTP or HTTPS as specified by the source link.

Both dedicated internal security teams and third-party security specialists protect these services through the identification and mitigation of risks and vulnerabilities. These groups conduct regular application, network and other security testing and auditing to ensure the security of our back-end network. In addition, our responsible disclosure policy promotes the discovery and reporting of security vulnerabilities.

Data centres

Dropbox corporate and production systems are housed at third-party subservice organisation data centres and managed service providers located in the United States. These third-party service providers are responsible for the physical, environmental and operational security controls at the boundaries of Dropbox infrastructure. Dropbox is responsible for the logical, network and application security of our infrastructure housed in third-party data centres.

Encryption

Dropbox files and Dropbox Paper docs at rest are encrypted using 256-bit Advanced Encryption Standard (AES). To protect data in transit between Dropbox apps (currently desktop, mobile, API or web) and our servers, Dropbox uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. Similarly, data in transit between a Paper client (mobile, API or web) and the hosted services is encrypted via SSL/TLS.

Certificate pinning

At Dropbox, we use certificate pinning on our desktop and mobile clients. Certificate pinning is an extra check to make sure that the service you’re connecting to is really what it claims to be, and not an imposter. We use it to guard against other ways that skilled hackers may try to spy on your activity.

Perfect forward secrecy

For end points we control (desktop and mobile) and modern browsers, we use strong ciphers and support perfect forward secrecy. By implementing perfect forward secrecy, we’ve made it so that our private SSL key can't be used to decrypt past Internet traffic. This adds extra protection to encrypted communications with Dropbox, essentially disconnecting each session from all previous sessions. Additionally, on the web, we flag all authentication cookies as secure and enable HTTP Strict Transport Security (HSTS).

Key management

Dropbox’s key management infrastructure is designed with operational, technical and procedural security controls with very limited direct access to keys. Encryption key generation, exchange and storage are distributed for decentralised processing.

Dropbox manages file encryption on users’ behalf to remove complexity, support advanced product features and enable strong cryptographic control. File encryption is protected by production system infrastructure security controls and security policies. Access to production systems is restricted with unique SSH key pairs, and security policies and procedures require protection of SSH keys. An internal system manages the secure public key exchange process, and private keys are stored securely.

Find more details about our control and visibility features in our Dropbox Business security whitepaper.