
Information security

Dropbox has established an information security management framework describing the purpose, direction, principles and basic rules for how we maintain trust. This is accomplished by assessing risks and continually improving the security, confidentiality, integrity and availability of the Dropbox Business systems. We regularly review and update security policies, provide security training, perform application and network security testing (including penetration testing), monitor compliance with security policies and conduct internal and external risk assessments.

Security policies

  • Information security. Policies pertaining to user and Dropbox information, with key areas including device security; authentication requirements; data and systems security; user data privacy; restrictions on and guidelines for employee use of resources; and handling of potential issues
  • User data privacy. Our requirements for protecting and handling user information and user data at Dropbox in order to adhere to our Privacy Policy
  • Physical security. How we maintain a safe and secure environment for people and property at Dropbox
  • Incident response. Our requirements for responding to potential security incidents, including assessment, communication and investigation procedures
  • Logical access. Policies for securing Dropbox systems, user information and Dropbox information, covering access control to corporate and production environments
  • Physical production access. Our procedures for restricting access to the physical production network, including management review of personnel and de-authorisation of terminated personnel
  • Change management. Policies for code review and managing changes that impact security by authorised developers to application source code, system configuration, and production releases
  • Sales and customer experience. User metadata access policies for our support team regarding viewing, providing support for, or taking action on accounts
  • Business continuity. Policies and procedures for maintaining or restoring critical business functions in the event of a disruption, from planning and documentation to execution
  • Crisis management. Policies and procedures on how Dropbox would handle an extraordinary widespread event that could disrupt our most important operations or threaten our strategic objectives

Access control

Employee access to the Dropbox environment is maintained by a central directory and authenticated using a combination of strong passwords, passphrase-protected SSH keys, two-factor authentication and OTP tokens. Our internal policies require employees accessing production and corporate environments to adhere to best practices for the creation and storage of SSH private keys. Remote access requires the use of a VPN protected with two-factor authentication, and any special access is reviewed and vetted by the security team.

Dropbox employs technical access controls and internal policies to prohibit employees from arbitrarily accessing user files and to restrict access to metadata and other information about users’ accounts. As Dropbox becomes an extension of our customers’ infrastructure, they can rest assured that we are responsible custodians of their data.

Network security

At Dropbox, we diligently maintain the security of our back-end network. We identify and mitigate risks via regular application, network and other security testing and auditing by both dedicated internal security teams and third-party security specialists.

Our network security and monitoring techniques are designed to provide multiple layers of protection and defence. We employ industry-standard protection techniques, including firewalls, network security monitoring and intrusion detection systems to ensure that only eligible traffic is able to reach our infrastructure. Access to the production environment is restricted to only authorised IP addresses, which are reviewed on a quarterly basis to ensure a secure production environment.

Change management

A formal Change Management Policy has been defined by the Dropbox Engineering team to ensure that all application changes have been authorised prior to implementation into the production environments. All changes are stored in a version control system and are required to go through automated Quality Assurance (QA) testing procedures to verify that security requirements are met. Our software development lifecycle (SDLC) requires adherence to secure coding guidelines, as well as screening of code changes for potential security issues via our QA and manual review processes. The Dropbox Security team is responsible for maintaining infrastructure security and ensuring that server, firewall and other security-related configurations are kept up to date with industry standards.

 

Find more details about our control and visibility features in our Dropbox Business security whitepaper.