Complying with standards and regulations

ISO 27001 certification at Dropbox

ISO 27001

Dropbox for Business is ISO 27001 certified. Click here to view our certificate.

We're committed to maintaining a program of continual information security improvement under the ISO/IEC 27001:2013 standard. As the most widely accepted information security standard around the world, this certification validates that we have a systematic approach to maintaining the security, confidentiality, integrity, and availability of customer data. It also provides a framework upon which our information security management program is designed.

Because ISO 27001 is truly an international standard, our audits are performed by Ernst & Young CertifyPoint in the Netherlands, which maintains ISO accreditation from the Raad voor Accreditatie (Dutch Accreditation Council), a member of the International Accreditation Forum (IAF).

SOC 3 compliance at Dropbox

SOC 3 for Security, Confidentiality, and Integrity

Dropbox for Business provides customers with a SOC 3 assurance report. Click here to view our SOC 3 report.

Our Service Organization Controls 3 (SOC 3) report provides customers with the American Institute of Certified Public Accountants (AICPA) SysTrust Seal of assurance and covers the Security, Confidentiality, and Processing Integrity Trust Service Principles. This general-use report is an executive summary of our SOC 2 report and includes our independent third-party auditor's opinion on the effective design and operation of our controls.

Our SOC 3 examinations are performed by Ernst & Young LLP.

SOC 2 compliance at Dropbox

SOC 2 for Security, Confidentiality, Integrity, and Availability

Dropbox for Business provides customers with a SOC 2 assurance report upon request through sales@dropbox.com or the Dropbox for Business account management team.

Our Service Organization Controls 2 (SOC 2) report provides customers with a detailed level of controls-based assurance and covers the Security, Confidentiality, Processing Integrity, and Availability Trust Service Principles. The 140-page audit report includes a detailed description of our processes and almost 100 controls we have in place to protect your data. In addition to including our independent third-party auditor's opinion on the effective design and operation of our controls, the report also describes the auditor's test procedures and results for each control.

Our SOC 2 examinations are performed by Ernst & Young LLP.

SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70)

Dropbox for Business provides customers with a SOC 1 / SSAE 16 / ISAE 3402 report upon request through sales@dropbox.com or the Dropbox for Business account management team.

Our Service Organization Controls 1 (SOC 1) report provides specific assurances to customers who determine that Dropbox for Business is a key element of their internal controls over financial reporting (ICFR) program. These specific assurances are primarily used for customers' Sarbanes-Oxley (SOX) compliance. The independent third-party audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the deprecated Statement on Auditing Standards No. 70 (SAS 70).

Our SOC 1 examinations are performed by Ernst & Young LLP.

CSA STAR Certification at Dropbox

Cloud Security Alliance - Security, Trust, and Assurance Registry (CSA STAR)

A CSA STAR Level 1 Questionnaire for Dropbox for Business is available for download on the Cloud Security Alliance's web site.

Dropbox is a proud member of the Cloud Security Alliance. The CSA has published the Cloud Controls Matrix (CCM) in an effort to promote security best practices across the globe and map multiple compliance requirements to one another. Dropbox for Business is listed on CSA's Security, Trust, and Assurance Registry. There you can find our answers to almost 200 questions about our security practices.

Safe Harbor Certification at Dropbox

U.S.-E.U. and U.S.-Swiss Safe Harbor

Dropbox is certified and complies with the U.S.-EU Safe Harbor framework as set forth by the US Department of Commerce and the European Commission regarding the collection, use, and retention of personal data from EU member states. Dropbox is also certified and complies with the U.S.-Swiss Safe Harbor framework as set forth by the US Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland. More information on the Safe Harbor framework can be found at export.gov/safeharbor, including a searchable list with our current certification status.

PCI DSS

Dropbox is a Payment Card Industry Data Security Standard (PCI DSS) compliant merchant. However, Dropbox for Business is not meant to process or store cardholder data or transactions. Dropbox provides customers with a PCI Attestation of Compliance (AoC) regarding our merchant status, available upon request through sales@dropbox.com or the Dropbox for Business account management team.

Our subservice providers

Our data center co-location and managed service providers also undergo regular SOC 1, SOC 2, and/or ISO 27001 audits to verify their security practices. Dropbox reviews the results of these audits at least annually as part of our information security management program. In the event these audits have material findings which we determine present risks to Dropbox or our customers, we'll work with the subservice provider to understand any potential impact to customer data and track their remediation efforts until the issue has been resolved.

More information about Dropbox for Business compliance

Compliance and certification documents can be requested through a Dropbox for Business representative (sales@dropbox.com) or the Dropbox for Business account management team.