Protect files in transit and at rest
To protect file data in transit, Dropbox uses SSL/TLS for file transfer, creating a secure tunnel protected by 128-bit or higher AES encryption. Dropbox file data is stored in discrete file blocks that are fragmented and encrypted using 256-bit AES. Not all mobile media players support encrypted streaming, so media files streamed from our servers aren't always encrypted. Additionally, we support perfect forward secrecy, flag all authentication cookies as secure, and enable HSTS.
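The three transport controls named above (forward secrecy, Secure-flagged authentication cookies, HSTS) can be checked from a captured response. The following is an added example, not Dropbox code: the function names, the cookie names and the sample headers are constructed, and the protocol and cipher strings are assumed to be in the form Python's `ssl` module reports them.

```python
# Added example: audit one HTTPS response for HSTS, Secure cookies and forward secrecy.

def parse_hsts(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def insecure_cookies(set_cookie_headers, auth_names):
    """Names of authentication cookies set without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        pair, *attrs = header.split(";")
        name = pair.partition("=")[0].strip()
        flags = {a.strip().partition("=")[0].lower() for a in attrs}
        if name in auth_names and "secure" not in flags:
            missing.append(name)
    return missing

def is_forward_secret(protocol, cipher):
    """TLS 1.3 always uses ephemeral key exchange; earlier versions need (EC)DHE."""
    if protocol == "TLSv1.3":
        return True
    c = cipher.upper().replace("_", "-")
    return c.startswith(("ECDHE-", "DHE-", "TLS-ECDHE-", "TLS-DHE-"))

def audit(headers, protocol, cipher, auth_names):
    """auth_names: which cookies carry authentication (supplied by the caller)."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    # RFC 6797: only the first header counts, and max-age=0 drops the policy
    if not hsts or not parse_hsts(hsts[0]):
        findings.append("HSTS missing or max-age=0")
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    for name in insecure_cookies(cookies, auth_names):
        findings.append(f"cookie {name!r} lacks Secure")
    if not is_forward_secret(protocol, cipher):
        findings.append(f"{cipher} has no forward secrecy")
    return findings

# Constructed sample responses (not captured from any real service)
GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]
BAD = [("Strict-Transport-Security", "max-age=0"),
       ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
       ("Set-Cookie", "theme=dark; Path=/")]
```

Calling `audit(BAD, "TLSv1.2", "AES128-GCM-SHA256", {"session"})` returns one finding per missing control; the `theme` cookie is ignored because it is not listed as an authentication cookie.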
Deletion recovery and version history
By default, Dropbox saves a history of all deleted and previous versions of files, and allows you to restore them for up to 30 days. Extended (one-year) version history is available to Dropbox Pro and Dropbox Education users as a subscription add-on. 120-day file recovery is included with Dropbox Business.
Application security testing
Our security team performs automated and manual application security testing on a regular basis to identify and patch potential security vulnerabilities and bugs on our desktop, web, and mobile applications. We also work with third-party security specialists, as well as other industry security teams and the security research community, to keep our applications safe and secure. Potential security bugs and vulnerabilities can be reported to us on the third-party service HackerOne.
A number of guidelines and practices have been established to help third-party developers create apps that connect to Dropbox while respecting and protecting user privacy and account security. We require unique keys for each distinct app a developer writes, and can revoke an app key if API terms and conditions or developer branding guidelines are not followed. In addition, we use OAuth, an industry-standard protocol for authorization, to allow users to grant apps different levels of account access without exposing their account credentials. For more information on Dropbox APIs and for developers, see www.dropbox.com/developers.