The standards and regulations that Dropbox Business and Education comply with

ISO

CSA STAR

SOC

FERPA and COPPA

UK Digital Marketplace G-Cloud

HIPAA / HITECH

PCI DSS

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield

EU General Data Protection Regulation (GDPR)

The International Organization for Standardization (ISO) has developed a series of world-class standards for information and societal security to help organizations develop reliable and innovative products and services. Dropbox has certified its data centers, systems, applications, people, and processes through a series of audits by an independent third-party, Netherlands-based EY CertifyPoint.

  • Note: Dropbox Paper is not included in the scope of the ISO certifications.

ISO 27001 (Information Security Management)

ISO 27001 is recognized as the premier information security management system (ISMS) standard around the world. The standard also leverages the security best practices detailed in ISO 27002. To be worthy of your trust, we’re continually and comprehensively managing and improving our physical, technical, and legal controls at Dropbox. Our auditor, EY CertifyPoint, maintains its ISO 27001 accreditation from the Raad voor Accreditatie (Dutch Accreditation Council).

View the Dropbox Business and Education ISO 27001 certificate.

ISO 27017 (Cloud Security)

ISO 27017 is a new international standard for cloud security that provides guidelines for security controls applicable to the provision and use of cloud services. Our Shared Responsibility Guide explains several of the security, privacy, and compliance requirements that Dropbox and its customers can solve together.

View the Dropbox Business and Education ISO 27017 certificate.

ISO 27018 (Cloud Privacy and Data Protection)

ISO 27018 is an emerging international standard for privacy and data protection that applies to cloud service providers like Dropbox that process personal information on behalf of their customers. It provides a basis on which customers can address common regulatory and contractual requirements or questions.

View the Dropbox Business and Education ISO 27018 certificate.

ISO 22301 (Business Continuity Management)

ISO 22301 is an international standard for business continuity that guides organizations on how to reduce the impact of disruptive events and, if such events occur, how to respond appropriately and minimize potential damage. The Dropbox business continuity management system (BCMS) is part of our overall risk management strategy to protect people and operations during times of crisis.

View the Dropbox Business and Education ISO 22301 certificate.

Cloud Security Alliance: Security, Trust, and Assurance Registry (CSA STAR)

The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly-accessible registry that offers a security assurance program for cloud services, thereby helping users assess the security posture of cloud providers they currently use or are considering contracting with.

Dropbox Business and Education have received the CSA STAR Level 2 Certification, a third-party independent assessment of our security controls by EY CertifyPoint based on the requirements of ISO 27001 and the CSA Cloud Controls Matrix (CCM) v.3.0.1, a set of criteria that measures the capability levels of cloud services. Dropbox Business has also completed the CSA STAR Level 1 Self-Assessment, a rigorous survey based on CSA’s Consensus Assessments Initiative Questionnaire (CAIQ), which aligns with the CCM, and provides answers to almost 300 questions a cloud customer or a cloud security auditor may wish to ask.

View our CSA STAR Level 1 Self-Assessment and Level 2 Certification on the CSA website.

  • Note: Dropbox Paper is not included in the scope of the CSA STAR registry listing.

SOC Reports

Service Organization Controls (SOC) Reports, known as SOC 1, SOC 2, or SOC 3, are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on internal controls implemented within an organization. Dropbox has certified its operations, processes, and technology by an independent third-party auditor, Ernst & Young LLP.

  • Note: Dropbox Paper is not included in the scope of the SOC reports.

SOC 3 for Security, Confidentiality, Integrity, Availability, and Privacy

The SOC 3 assurance report covers all five Trust Service Principles of Security, Confidentiality, Integrity, Availability, and Privacy (TSP Section 100). The Dropbox general-use report is an executive summary of the SOC 2 report and includes the independent third-party auditor's opinion on the effective design and operation of our controls.

View the Dropbox Business and Education SOC 3 examination.

SOC 2 for Security, Confidentiality, Integrity, Availability, and Privacy

The SOC 2 report provides customers with a detailed level of controls-based assurance, covering all five Trust Service Principles of Security, Confidentiality, Processing Integrity, Availability, and Privacy (TSP Section 100). The SOC 2 report includes a detailed description of Dropbox processes and the more than 100 controls in place to protect your stuff. In addition to our independent third-party auditor's opinion on the effective design and operation of our controls, the report includes the auditor's test procedures and results for each control. The SOC 2 examination for Dropbox Business and Education is available upon request through the sales team or the account management team.

SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70)

The SOC 1 report provides specific assurances to customers who have determined that Dropbox Business or Education is a key element of their internal control over financial reporting (ICFR) program. These assurances are primarily provided to help customers comply with the Sarbanes-Oxley Act (SOX). The independent third-party audit is performed in accordance with Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and International Standard on Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the widely criticized Statement on Auditing Standards No. 70 (SAS 70). To request the Dropbox Business and Education SOC 1 examination report, contact the sales team or the account management team.

Students and Children (FERPA and COPPA)

Dropbox Business and Education allows customers to use the services in compliance with the vendor obligations imposed by the US Family Education Rights and Privacy Act (FERPA). Educational institutions with students under the age of 13 can also use Dropbox Business or Education consistent with the Children's Online Privacy Protection Act (COPPA), provided that they agree to specific contractual provisions requiring the institution to obtain parental consent regarding the use of our services.

UK Digital Marketplace G-Cloud

Dropbox Business is now listed in the United Kingdom (UK) Digital Marketplace for government cloud services procurement.

View our listing on the UK Digital Marketplace website.

  • Note: Dropbox Paper is not included in the scope of the UK Digital Marketplace G-Cloud listing.

HIPAA / HITECH

Dropbox will sign business associate agreements (BAAs) with Dropbox Business and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Learn more by visiting our Getting Started with HIPAA guide and our Help Center article.

Dropbox makes available a third-party assurance report evaluating our controls for the HIPAA/HITECH Security, Privacy, and Breach Notification rules, as well as a mapping of our internal practices and recommendations for customers who are looking to meet the HIPAA/HITECH Security and Privacy rule requirements with Dropbox Business and Education.

Customers who wish to obtain these documents should contact our sales team or account management team. If you are a Dropbox Business or Education team admin, you can go to the Account page in the Admin Console to electronically sign a business associate agreement.

  • Note for customers who must comply with HIPAA/HITECH: be sure to sign a business associate agreement before transferring PHI to your Dropbox account. To learn more about purchasing Dropbox Business, contact our sales team. Alternatively, if you are currently a Dropbox Business or Education team admin, you can go to the Account page in the Admin Console to electronically sign a business associate agreement.

PCI DSS

Dropbox is a merchant that complies with the Payment Card Industry Data Security Standard (PCI DSS). However, Dropbox Business, Education, and Dropbox Paper do not handle or store credit card transaction data. To request our PCI Attestation of Compliance (AoC) for merchant status, contact the sales team or the account management team.

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield

Dropbox complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred from the European Union, the European Economic Area, and Switzerland to the United States. Adherence to the Privacy Shield Principles ensures that the company's privacy protections meet the requirements of the EU Data Protection Directive.

View the Dropbox Privacy Shield certification, or visit the Privacy Shield website to learn more.

EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation 2016/679 (GDPR) is a European Union regulation that introduces significant changes to the existing framework for the processing of personal data within the EU. The GDPR establishes a series of new or enhanced requirements that apply to companies such as Dropbox that process personal data. The regulation takes effect on 25 May 2018, replacing the current EU Directive 95/46/EC (commonly known as the Data Protection Directive). Like all responsible businesses, Dropbox is continuing to develop and implement a detailed internal GDPR compliance program and will be fully compliant by 25 May 2018. Learn more about Dropbox and the EU General Data Protection Regulation.
