The standards and regulations that Dropbox Business and Education comply with

ISO

CSA STAR

SOC

FERPA and COPPA

UK Digital Marketplace G-Cloud

HIPAA / HITECH

PCI DSS

EU-US Privacy Shield and Swiss-US Privacy Shield

EU General Data Protection Regulation

The International Organization for Standardization (ISO) has developed a series of world-class standards for information and societal security to help organizations develop reliable and innovative products and services. Dropbox has certified its data centers, systems, applications, people, and processes through a series of audits by an independent third-party, Netherlands-based EY CertifyPoint.

  • Note: Dropbox Paper is not included in the scope of the ISO certifications.

ISO 27001 (Information Security Management)

ISO 27001 is recognized as the premier information security management system (ISMS) standard around the world. The standard also leverages the security best practices detailed in ISO 27002. To be worthy of your trust, we’re continually and comprehensively managing and improving our physical, technical, and legal controls at Dropbox. Our auditor, EY CertifyPoint, maintains its ISO 27001 accreditation from the Raad voor Accreditatie (Dutch Accreditation Council).

View the Dropbox Business and Education ISO 27001 certificate.

ISO 27017 (Cloud Security)

ISO 27017 is a new international standard for cloud security that provides guidelines for security controls applicable to the provision and use of cloud services. Our Shared Responsibility Guide explains several of the security, privacy, and compliance requirements that Dropbox and its customers can solve together.

View the Dropbox Business and Education ISO 27017 certificate.

ISO 27018 (Cloud Privacy and Data Protection)

ISO 27018 is an emerging international standard for privacy and data protection that applies to cloud service providers like Dropbox that process personal information on behalf of their customers. It provides a basis on which customers can address common regulatory and contractual requirements or questions.

View the Dropbox Business and Education ISO 27018 certificate.

ISO 22301 (Business Continuity Management)

ISO 22301 is an international standard for business continuity that guides organizations on how to decrease the impact of disruptive events and, if they occur, respond appropriately to minimize potential damage. The Dropbox business continuity management system (BCMS) is part of our overall risk management strategy to protect people and operations in times of crisis.

View the Dropbox Business and Education ISO 22301 certificate.

Cloud Security Alliance: Security, Trust, and Assurance Registry (CSA STAR)

The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that offers a security assurance program for cloud services, helping users assess the security posture of cloud providers they currently use or are considering contracting with.

Dropbox Business and Education have received the CSA STAR Level 2 Certification, a third-party independent assessment of our security controls by EY CertifyPoint based on the requirements of ISO 27001 and the CSA Cloud Controls Matrix (CCM) v.3.0.1, a set of criteria that measures the capability levels of cloud services. Dropbox Business has also completed the CSA STAR Level 1 Self-Assessment, a rigorous survey based on CSA’s Consensus Assessments Initiative Questionnaire (CAIQ), which aligns with the CCM, and provides answers to almost 300 questions a cloud customer or a cloud security auditor may wish to ask.

View our CSA STAR Level 1 Self-Assessment and Level 2 Certification on the CSA website.

  • Note: Dropbox Paper is not included in the scope of the CSA STAR registry listing.

SOC Reports

Service Organization Controls (SOC) Reports, known as SOC 1, SOC 2, or SOC 3, are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on internal controls implemented within an organization. Dropbox has certified its operations, processes, and technology by an independent third-party auditor, Ernst & Young LLP.

  • Note: Dropbox Paper is not included in the scope of the SOC reports.

SOC 3 for Security, Confidentiality, Integrity, Availability, and Privacy

The SOC 3 assurance report covers all five Trust Service Principles of Security, Confidentiality, Integrity, Availability, and Privacy (TSP Section 100). The Dropbox general-use report is an executive summary of the SOC 2 report and includes the independent third-party auditor's opinion on the effective design and operation of our controls.

View the Dropbox Business and Education SOC 3 examination.

SOC 2 for Security, Confidentiality, Integrity, Availability, and Privacy

The SOC 2 report provides customers with a detailed level of controls-based assurance, covering all five Trust Service Principles of Security, Confidentiality, Processing Integrity, Availability, and Privacy (TSP Section 100). The SOC 2 report includes a detailed description of Dropbox processes and the more than 100 controls in place to protect your stuff. In addition to our independent third-party auditor's opinion on the effective design and operation of our controls, the report includes the auditor's test procedures and results for each control. The SOC 2 examination for Dropbox Business and Education is available upon request through the sales team or the account management team.

SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70)

If a customer considers Dropbox Business or Education to be a key element of its system of internal control over financial reporting (ICFR), the SOC 1 report provides specific assurances. These assurances are primarily used to demonstrate the customer's Sarbanes-Oxley (SOX) compliance status. The independent third-party audit is conducted under Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and International Standard on Assurance Engagements No. 3402 (ISAE 3402). These standards replaced the deprecated Statement on Auditing Standards No. 70 (SAS 70). The SOC 1 examination for Dropbox Business and Education is available upon request through the sales team or the account management team.

Students and Children (FERPA and COPPA)

Dropbox Business and Education allow customers to use the services in compliance with the vendor obligations imposed by the US Family Educational Rights and Privacy Act (FERPA). Educational institutions with students under the age of 13 can also use Dropbox Business or Education consistent with the Children's Online Privacy Protection Act (COPPA), provided that they agree to specific contractual provisions requiring the institution to obtain parental consent regarding the use of our services.

UK Digital Marketplace G-Cloud

Dropbox Business is now listed in the United Kingdom (UK) Digital Marketplace for government cloud services procurement.

View our listing on the UK Digital Marketplace website.

  • Note: Dropbox Paper is not included in the scope of the UK Digital Marketplace G-Cloud listing.

HIPAA / HITECH

Dropbox will sign business associate agreements (BAAs) with Dropbox Business and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Learn more by visiting our Getting Started with HIPAA guide and our Help Center article.

Dropbox makes available a third-party assurance report evaluating our controls for the HIPAA/HITECH Security, Privacy, and Breach Notification rules, as well as a mapping of our internal practices and recommendations for customers who are looking to meet the HIPAA/HITECH Security and Privacy rule requirements with Dropbox Business and Education.

Customers interested in obtaining these documents can contact the sales team or the account management team. If you are currently a Dropbox Business or Education team admin, you can sign a BAA electronically on the Account page of the Admin Console.

  • Note: Customers subject to HIPAA/HITECH must sign a business associate agreement before transferring PHI to a Dropbox account. To learn more about purchasing Dropbox Business, contact our sales team. If you are currently a Dropbox Business or Education team admin, you can sign a BAA electronically on the Account page of the Admin Console.

PCI DSS

Dropbox is a merchant compliant with the Payment Card Industry Data Security Standard (PCI DSS). However, Dropbox Business, Education, and Dropbox Paper are not intended to process or store credit card transaction information. If required, you can request a PCI Attestation of Compliance (AoC) for our merchant status through the sales team or the account management team.

EU-US Privacy Shield and Swiss-US Privacy Shield

Dropbox complies with the EU-US and Swiss-US Privacy Shield Frameworks, as set forth by the US Department of Commerce, regarding the collection, use, and retention of personal data transferred from the European Union, the European Economic Area, and Switzerland to the United States. Adherence to the Privacy Shield Principles ensures that an organization provides adequate privacy protection under the EU Data Protection Directive.

View the Dropbox Privacy Shield certification, or visit the Privacy Shield website to learn more.

EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation 2016/679 (GDPR) is a regulation enacted by the European Union that marks a significant change to the existing framework for processing personal data in the EU. The GDPR introduces a series of new or enhanced requirements that apply to companies like Dropbox that process personal data. The regulation takes effect on May 25, 2018, replacing the existing EU Directive 95/46/EC (more commonly known as the Data Protection Directive). Like all responsible companies, Dropbox is continuing to develop and execute a detailed GDPR compliance program and will be fully compliant by May 25, 2018. Learn more about Dropbox and the EU General Data Protection Regulation.
