Cloud Dropbox Security With Dropbox Business - Dandh.ca

Transcription

Security with Dropbox Business

At Dropbox, the security of your data is our highest priority. We’ve earned the trust of over 500 million users by keeping data safe while providing best-in-class performance and usability. For over 200,000 companies, Dropbox pairs the benefits of widespread adoption with the controls and certifications IT needs to protect employees and their data. The result: a truly unique security offering for the enterprise.

Built on a strong foundation
Dropbox is built with multiple layers of protection across a distributed, reliable infrastructure. With 1.2 billion files synced each day, our infrastructure is optimized for performance at a massive scale and backed by a world-class security organization.

Compliance to meet your business requirements
Dropbox combines the most accepted standards, like ISO 27001 and SOC 2, with compliance measures geared to our customers’ specific industries. We provide reports from third-party auditors to help you verify our security practices.

Adoption: the ultimate security advantage
At Dropbox, we know that real security starts by bringing users onto a sanctioned platform. Dropbox Enterprise leverages ease-of-use and adoption to centralize company data, resulting in greater visibility and control.

For more detail on Dropbox security features and policies, please review the Dropbox Business Security Whitepaper or contact sales@dropbox.com

Architecture

With over 1.2 billion files saved every day, Dropbox was built to secure data at scale. Dropbox is designed with multiple layers of protection covering data transfer, encryption, network configuration, and application-level controls, all distributed across a scalable, secure infrastructure.

By design, Dropbox provides a unique security mechanism that goes beyond traditional encryption to protect user data. The Encryption and Application Services process files from the Dropbox applications by splitting each into blocks, encrypting each file block using a strong cipher, and synchronizing only blocks that have been modified between revisions.

Encryption is an important component of our security protocol. To protect data in transit between Dropbox apps and our servers, Dropbox uses Transport Layer Security (TLS, the successor to the deprecated Secure Sockets Layer, SSL, protocols) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. Dropbox files at rest are encrypted using 256-bit Advanced Encryption Standard (AES).

Dropbox stores two kinds of data: file content (file blocks) and metadata about files and users. All metadata is stored on Dropbox servers. Most file content is also stored on Dropbox servers, in a system known as Magic Pocket. This system, which consists of both proprietary software and hardware, has been designed from the ground up to be reliable and secure. A smaller portion of file content is stored by a managed service provider, Amazon Web Services (AWS). In both Magic Pocket and AWS, file blocks are encrypted at rest, and both systems meet high standards for reliability.

Reliability and durability

Dropbox’s architecture and applications are designed to protect user data and make it highly available. Redundant copies of metadata are distributed across independent devices within a data center in an N+2 availability model. Hourly incremental and daily full backups are performed on all metadata. Redundant copies of file blocks are stored independently in at least two separate geographic regions and replicated reliably within each region. Both Magic Pocket and AWS are designed to provide annual data durability of at least 99.999999999%.

In the rare event of a service availability outage, Dropbox users still have access to the latest synced copies of their files in the local Dropbox folder on linked computers. Copies of files synced in the Dropbox desktop client/local folder will be accessible from a user’s hard drive during downtime, outages, or when offline. Changes to files and folders will be synced to Dropbox once service or connectivity is restored.

“I don’t have to worry about data security, because of the encryption and transport layer protocols Dropbox has in place.”
Robert Everett, Director of IT, Brandt Companies
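The block-splitting and modified-block synchronization described above, as an added example that is not Dropbox’s code: a file is cut into fixed-size blocks, each block is named by its SHA-256 digest, the client asks the server which block ids it does not already hold, uploads only those, and then commits the ordered list of ids as the new revision. The block size, the digest choice, the three-step client/server exchange and the path names are assumptions; the per-block AES-256 encryption at rest that the page describes is not modelled here.

```python
"""Block-level sync with content-addressed blocks (added example, not Dropbox code).

Assumptions: fixed 1 KiB blocks, SHA-256 block ids, and a three-step exchange
(missing -> upload -> commit). The per-block encryption at rest is not modelled.
"""
import hashlib
from typing import Dict, List, Tuple

BLOCK_SIZE = 1024  # deliberately small for the demo; assumed, not the real value


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """Cut content into fixed-size blocks; the last block may be shorter."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def block_id(block: bytes) -> str:
    """Content address of a block: SHA-256 over its plaintext bytes."""
    return hashlib.sha256(block).hexdigest()


class BlockServer:
    """Server side: one content-addressed block store, one manifest per path."""

    def __init__(self) -> None:
        self._blocks: Dict[str, bytes] = {}
        self.manifests: Dict[str, List[str]] = {}  # path -> ordered block ids

    def missing(self, ids: List[str]) -> List[str]:
        """Step 1: report which of the client's block ids are not stored yet."""
        seen, out = set(), []
        for bid in ids:
            if bid not in self._blocks and bid not in seen:
                seen.add(bid)
                out.append(bid)
        return out

    def upload(self, bid: str, block: bytes) -> None:
        """Step 2: accept a block only if its bytes really hash to the claimed id."""
        if block_id(block) != bid:
            raise ValueError("block digest mismatch; upload rejected")
        self._blocks[bid] = block

    def commit(self, path: str, ids: List[str]) -> None:
        """Step 3: publish the revision, refusing if any block is still absent."""
        absent = self.missing(ids)
        if absent:
            raise ValueError(f"{path}: {len(absent)} block(s) not uploaded")
        self.manifests[path] = list(ids)

    def download(self, path: str) -> bytes:
        """Reassemble the latest revision of a path from its manifest."""
        return b"".join(self._blocks[bid] for bid in self.manifests[path])


def sync_file(server: BlockServer, path: str, data: bytes) -> Tuple[int, int]:
    """Client side. Returns (blocks uploaded, blocks in the new revision)."""
    blocks = split_blocks(data)
    ids = [block_id(b) for b in blocks]
    by_id = dict(zip(ids, blocks))
    needed = server.missing(ids)
    for bid in needed:
        server.upload(bid, by_id[bid])
    server.commit(path, ids)
    return len(needed), len(ids)


def demo() -> Dict[str, Tuple[int, int]]:
    """Constructed 4 KiB file and four edits; shows what each edit costs to sync."""
    server = BlockServer()
    v1 = b"".join(bytes([i]) * BLOCK_SIZE for i in range(4))  # 4 distinct blocks
    results = {"initial": sync_file(server, "/report.bin", v1)}

    v2 = bytearray(v1)
    v2[2000] ^= 0xFF                  # one byte inside block 1 changes
    v2 = bytes(v2)
    results["in-place edit"] = sync_file(server, "/report.bin", v2)

    v3 = v2 + b"\x00" * 100           # append: blocks 0-3 keep their ids
    results["append"] = sync_file(server, "/report.bin", v3)

    v4 = b"\x01" + v3                 # prepend one byte: every block boundary shifts
    results["prepend"] = sync_file(server, "/report.bin", v4)

    results["copy"] = sync_file(server, "/copy.bin", v4)  # same content, other path
    assert server.download("/report.bin") == v4
    return results


if __name__ == "__main__":
    for name, (sent, total) in demo().items():
        print(f"{name:14s} uploaded {sent} of {total} blocks")
```

Two points the numbers make that the prose does not. First, fixed-size blocks make an in-place edit or an append cheap (one block), but inserting a single byte at the front shifts every boundary and re-uploads the whole file; content-defined chunking avoids that and is not shown here. Second, the server verifies the digest of every uploaded block itself and refuses to commit a revision that references a block it does not hold, so a client cannot publish a manifest pointing at data that was never sent; because the ids are computed over plaintext, identical blocks across files and users are stored once, which is exactly the deduplication property a sync service trades for in this design.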

Compliance

There are many different compliance standards and regulations that may apply to your organization. Our approach is to combine the most accepted standards, ISO 27001, SOC 2, and more, with compliance measures geared to the specific needs of our customers’ businesses or industries. Dropbox, our data centers, and our managed service provider undergo regular third-party audits.

ISO certifications
The International Organization for Standardization (ISO) has developed a series of world-class standards for information and societal security to help organizations develop reliable and innovative products and services. Dropbox has certified its data centers, systems, applications, people, and processes through a series of audits by an independent third party, Netherlands-based EY CertifyPoint.

ISO 27001 (Information security management)
ISO 27001 is recognized as the premier information security management system (ISMS) standard around the world. The standard also leverages the security best practices detailed in ISO 27002. To be worthy of your trust, we’re continually and comprehensively managing and improving our physical, technical, and legal controls at Dropbox. Our auditor, EY CertifyPoint, maintains its ISO 27001 accreditation from the Raad voor Accreditatie (Dutch Accreditation Council). View the Dropbox Business, Enterprise, and Education ISO 27001 certificate.

ISO 27017 (Cloud security)
ISO 27017 is a new international standard for cloud security that provides guidelines for security controls applicable to the provision and use of cloud services. Our Shared Responsibility Guide explains several of the security, privacy, and compliance requirements that Dropbox and its customers can solve together. View the Dropbox Business, Enterprise, and Education ISO 27017 certificate.

ISO 27018 (Cloud privacy and data protection)
ISO 27018 is an emerging international standard for privacy and data protection that applies to cloud service providers like Dropbox who process personal information on behalf of their customers, and provides a basis on which customers can address common regulatory and contractual requirements or questions. View the Dropbox Business, Enterprise, and Education ISO 27018 certificate.

ISO 22301 (Business continuity management)
ISO 22301 is an international standard for business continuity that guides organizations on how to decrease the impact of disruptive events and respond to them appropriately if they occur by minimizing potential damage. The Dropbox business continuity management system (BCMS) is part of our overall risk management strategy to protect people and operations during times of crisis. View the Dropbox Business, Enterprise, and Education ISO 22301 certificate.

SOC reports
The Service Organization Controls (SOC) reports, known as either the SOC 1, SOC 2, or SOC 3, are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on internal controls implemented within an organization. Dropbox has certified its operations, processes, and technology by an independent third-party auditor, Ernst & Young LLP.

SOC 3 for Security, Confidentiality, Processing Integrity, Availability, and Privacy
The SOC 3 assurance report covers all five Trust Service Principles of Security, Confidentiality, Processing Integrity, Availability, and Privacy (TSP Section 100). The Dropbox general-use report is an executive summary of the SOC 2 report and includes the independent third-party auditor’s opinion on the effective design and operation of our controls. View the Dropbox Business, Enterprise, and Education SOC 3 examination.

SOC 2 for Security, Confidentiality, Processing Integrity, Availability, and Privacy
The SOC 2 report provides customers with a detailed level of controls-based assurance, covering all five Trust Service Principles of Security, Confidentiality, Processing Integrity, Availability, and Privacy (TSP Section 100). The SOC 2 report includes a detailed description of Dropbox’s processes and the more than 100 controls in place to protect your stuff. In addition to our independent third-party auditor’s opinion on the effective design and operation of our controls, the report includes the auditor’s test procedures and results for each control. The SOC 2 examination of Dropbox Business, Enterprise, and Education is available upon request through the sales team or the account management team.

SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70)
The SOC 1 report provides specific assurances for customers who determine that Dropbox Business, Enterprise, or Education is a key element of their internal controls over financial reporting (ICFR) program. These specific assurances are primarily used for our customers’ Sarbanes-Oxley (SOX) compliance. The independent third-party audit is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the deprecated Statement on Auditing Standards No. 70 (SAS 70). The SOC 1 examination of Dropbox Business, Enterprise, and Education is available upon request through the sales team or the account management team.

HIPAA/HITECH
Dropbox will sign business associate agreements (BAAs) with Dropbox Business, Enterprise, and Education customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Dropbox makes available a third-party assurance report evaluating our controls for the HIPAA/HITECH Security, Privacy, and Breach Notification rules, as well as a mapping of our internal practices and recommendations for customers who are looking to meet the HIPAA/HITECH Security and Privacy rule requirements with Dropbox Business, Enterprise, and Education. Learn more by visiting our Getting Started with HIPAA guide and Help Center article.

Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR)
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly-accessible registry that offers a security assurance program for cloud services, thereby helping users to assess the security posture of cloud providers they currently use or are considering contracting with. Dropbox Business, Enterprise, and Education have received the CSA STAR Level 2 Certification, a third-party independent assessment of our security controls by EY CertifyPoint based on the requirements of ISO 27001 and the CSA Cloud Controls Matrix (CCM) v3.0.1, a set of criteria that measures the capability levels of cloud services. Dropbox Business has also completed the CSA STAR Level 1 Self-Assessment, a rigorous survey based on CSA’s Consensus Assessments Initiative Questionnaire (CAIQ), which aligns with the CCM and provides answers to almost 300 questions a cloud customer or a cloud security auditor may wish to ask. View our CSA STAR Level 1 Self-Assessment and Level 2 Certification on the CSA website.

Adoption: the key to true enterprise security
Encryption, secure protocols, and compliance are a given for anything in your IT suite, but in order to realize the value of a secure solution, adoption is critical. At the same time, bringing new technology into an organization can be a major challenge. At Dropbox, we believe that user-friendly tools provide IT with a unique opportunity to centralize data onto a sanctioned platform, the first step to gaining real visibility and control.

Dropbox has approached this by becoming employees’ go-to tool for productivity, whether they’re working together at the office, out in the field, or with their network of partners, vendors, and customers. As an industry leader in both performance and usability, Dropbox gains widespread adoption when brought into organizations. Additionally, Dropbox Business helps IT bring prior Dropbox usage, and all of its data, into the company domain. By pairing unparalleled adoption with the controls IT needs, Dropbox Business delivers greater value and security than traditional solutions.

For more information on the visibility and control features available on Dropbox Business, please read our Admin Guide.

“As we procure more high-profile clients, we need to be able to assure them that every system we use is completely secure. Dropbox Business is perfect for that.”
Buzz Osborne, Director of UX, Campaign Monitor
