Complying with standards and regulations

ISO Certifications

The International Organization for Standardization (ISO) has developed a series of world-class standards for information and societal security to help organizations develop reliable and innovative products and services. Dropbox has certified its data centers, systems, applications, people, and processes through a series of audits by an independent third-party, Netherlands-based EY CertifyPoint.

ISO 27001 (Information Security Management)

ISO 27001 is recognized as the premier information security management system (ISMS) standard around the world. The standards also leverages the security best practices detailed in ISO 27002. To be worthy of your trust, we’re continually and comprehensively managing and improving our physical, technical, and legal controls at Dropbox. Our auditor, EY CertifyPoint, maintains its ISO 27001 accreditation from the Raad voor Accreditatie (Dutch Accreditation Council). View the Dropbox Standard, Advanced, Enterprise and Education ISO 27001 certificate.

ISO 27017 (Cloud Security)

ISO 27017 is an international standard for cloud security that provides guidelines for security controls applicable to the provision and use of cloud services. Our Shared Responsibility Guide explains several of the security, privacy, and compliance requirements that Dropbox and its customers can solve together. View the Dropbox Standard, Advanced, Enterprise and Education ISO 27017 certificate.

ISO 27018 (Cloud Privacy and Data Protection)

ISO 27018 is an international standard for privacy and data protection that applies to cloud service providers like Dropbox who process personal information on behalf of their customers and provides a basis for which customers can address common regulatory and contractual requirements or questions. View the Dropbox Standard, Advanced, Enterprise and Education ISO 27018 certificate.

ISO 22301 (Business Continuity Management)

ISO 22301 is an international standard for business continuity that guides organizations on how to decrease the impact of disruptive events and respond to them appropriately if they occur by minimizing potential damage. The Dropbox Business Continuity Management System (BCMS) is part of our overall risk management strategy to protect people and operations during times of crises. View the Dropbox Standard, Advanced, Enterprise and Education ISO 22301 certificate.

ISO 27701 (Privacy Information Management)

ISO 27701 is an international standard for privacy information management. The standard provides a framework to enhance and extend the information security management system under ISO 27001 to a privacy information management system (PIMS). Dropbox has received this certification as a PII Processor. View the Dropbox Standard, Advanced, Enterprise and Education ISO 27701 certificate.

SOC Reports

Service Organization Controls (SOC) Reports, known as SOC 1, SOC 2, or SOC 3, are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on internal controls implemented within an organization. Dropbox has validated its systems, applications, people, and processes through a series of audits by an independent third-party, Ernst & Young LLP.

SOC 3 for Security, Confidentiality, Integrity, Availability, and Privacy

The SOC 3 assurance report covers all five Trust Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP Section 100). The Dropbox general-use report is an executive summary of the SOC 2 report and includes the independent third-party auditor’s opinion on the effective design and operation of our controls. View the Dropbox Standard, Advanced, Enterprise and Education SOC 3 examination.

SOC 2 for Security, Confidentiality, Integrity, Availability, and Privacy

The SOC 2 report provides customers with a detailed level of controls-based assurance, covering all five Trust Service Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP Section 100). The SOC 2 report includes a detailed description of Dropbox’s processes and the more than 100 controls in place to protect your stuff. In addition to our independent third-party auditor’s opinion on the effective design and operation of our controls, the report includes the auditor’s test procedures and results for each control. Our SOC 2 report (sometimes referred to as a SOC 2+ report) also includes an audited mapping of our controls to the ISO standards mentioned above, providing additional transparency to our customers. The SOC 2 report covers Dropbox Standard, Advanced, Enterprise and Education. The SOC 2 report is available for download on Dropbox’s Trust Center.

SOC 1 / SSAE 18 / ISAE 3402 (formerly SSAE 16 or SAS 70)

The SOC 1 report provides specific assurances for customers who determine that Dropbox is a key element of their internal controls over financial reporting (ICFR) program. These specific assurances are primarily used for our customers’ Sarbanes-Oxley (SOX) compliance. The independent third-party audit is conducted in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the deprecated Statement on Standards for Attestation Engagement No.16 (SSAE 16) and Statement on Auditing Standards No. 70 (SAS 70). The SOC 1 report covers Dropbox Standard, Advanced, Enterprise and Education. The SOC 1 report is available for download on Dropbox’s Trust Center.

Cloud Security Alliance: Security, Trust, Assurance, Risk (CSA STAR) Registry

The CSA Security, Trust, Assurance, and Risk (STAR) Registry is a free, publicly-accessible registry that offers a security assurance program for cloud services, thereby helping users assess the security posture of cloud providers they currently use or are considering contracting with.

Dropbox Standard, Advanced, Enterprise and Education have received both the CSA STAR Level 2 Certification and Level 2 Attestation. CSA STAR Level 2 requires a third-party independent assessment of our security controls by EY CertifyPoint (for Certification) and Ernst & Young LLP (for Attestation), based on the requirements of ISO 27001, SOC 2 Trust Service Criteria, and the CSA Cloud Controls Matrix (CCM) v3.0.1. View our CSA STAR Level 2 Certification and Attestation on the CSA website.

HIPAA/HITECH

Dropbox will sign business associate agreements (BAAs) with Dropbox Standard, Advanced, Enterprise and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Please see our “Getting started with HIPAA” guide and help center article for more detailed information.

Dropbox makes available a SOC 2 examination evaluating our controls for the HIPAA/HITECH Security, Privacy, and Breach Notification rules, as well as a mapping of our internal practices and recommendations for customers who are looking to meet the HIPAA/HITECH Security and Privacy rule requirements with Dropbox Standard, Advanced, Enterprise and Education.

Customers interested in requesting these documents can access them in Dropbox’s Trust Center. If you’re currently a Dropbox team admin, you can sign a BAA electronically from the Account page in the Admin Console.

Note: The ability to sign an electronic BAA via the Admin Console is available only to US-based customers.

NIST SP 800-171 R2 Attestation Report

The U.S. National Institute of Standards and Technology (NIST) promotes and maintains standards and guidelines to help protect information systems. The NIST Special Publication (SP) 800-171 Revision 2 (R2), provides guidelines on protecting Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. Any entity that processes or stores U.S. government CUI, such as research institutions and the education sector, should comply with NIST SP 800-171 R2. Dropbox’s CUI systems, processes, and controls were validated by an independent third-party auditor, Ernst & Young LLP.

The NIST SP 800-171 R2 report for Dropbox Standard, Advanced, Enterprise and Education is integrated into the SOC 2 report which is available in Dropbox’s Trust Center.

*Dropbox Paper is not included in the scope of the NIST SP 800-171 R2 report.

EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework

Dropbox complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom, and Switzerland to the United States. Adhering to the Data Privacy Framework Principles ensures that an organization provides adequate privacy protection under the GDPR.

View Dropbox’s Data Privacy Framework certification and learn more at the Data Privacy Framework website.

EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation 2016/679, or GDPR, is a European Union regulation that marked a significant change to the existing framework for processing personal data of EU data subjects. The GDPR introduced a series of new or enhanced requirements that applies to companies like Dropbox, which handle personal data. The GDPR took effect on 25 May 2018 and replaced the EU Directive 95/46 EC, better known as the Data Protection Directive. Dropbox is GDPR-compliant so that customers can use Dropbox to facilitate their GDPR compliance. For more information, please see this help center article.

EU Cloud Code of Conduct

The EU Cloud Code of Conduct is a voluntary instrument that enables a cloud service provider, such as Dropbox, to demonstrate our commitment to GDPR compliance. Following the positive opinion issued by the European Data Protection Board (EDPB), the EU Cloud Code of Conduct was officially approved by the Belgian Data Protection Authority in May 2021 (Verification ID: 2022LVL02SCOPE3114). Dropbox’s Standard, Advanced, Enterprise, and Education plans for teams have been declared adherent to the EU Cloud Code of Conduct and received a Compliance Mark of “Level 2,” which means that these services have implemented technical, organizational, and contractual measures in-line with the requirements of the Code. For more information about the EU Cloud Code of Conduct and Dropbox’s compliance with the code, please visit the Code’s official website.

FDA 21 CFR Part 11

Title 21 of the Code of Federal Regulations (CFR) governs food and drugs within the United States for the Food and Drug Administration (FDA), the Drug Enforcement Administration, and the Office of National Drug Control Policy. Part 11 of Title 21 sets forth the criteria under which FDA considers electronic records and signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.  

Please see our Dropbox and FDA 21 CFR Part 11 Whitepaper and help center article for more information on how Dropbox can help aid in your compliance efforts with 21 CFR Part 11.

PCI DSS

Dropbox is a Payment Card Industry Data Security Standard (PCI DSS) compliant merchant. The PCI Attestation of Compliance (AoC) for our merchant status is available in Dropbox’s Trust Center.

More information about Dropbox compliance

Compliance and certification documents can be accessed by in Dropbox’s Trust Center.