Dropbox

Dropbox is an online file sharing service that lets users sync files to the cloud, access them from any internet-connected device, and share them with collaborators. Dropbox is based in San Francisco, California, USA and has provided its cloud service since 2008. You can reach support staff through their online support portal. Data is encrypted in transit between your computer and Dropbox's servers and at rest on those servers; however, Dropbox manages the encryption keys, so Dropbox (and anyone who compromises or legally compels Dropbox) can decrypt your stored files without your involvement. Dropbox stores client data in Amazon Web Services' S3 service; Dropbox's own help page cites multiple data centres across the USA, while AWS also operates data centres in Brazil, Ireland, Japan, Singapore, and Australia. Amazon describes its data centre security as military grade, and its facilities are independently audited under the certifications listed in the Security section below. Dropbox states that it strives for 100% availability but does not guarantee uptime under an SLA. Data can be uploaded to and downloaded from Dropbox through the website or the desktop/mobile applications. Dropbox recognizes you as the owner of all data uploaded to your account and makes no claim to it. Once your account is terminated Dropbox will delete your data upon request, but may retain information for legal reasons, and files you share with other users are not removed from their accounts.

This disclosure was provided and researched by Arrowrock. Sources are cited where possible.

Please report any inaccuracies in this report by leaving a reply below or sending us a private message. Thank you!

Company Identity

Trading Name: Dropbox
Company Website: http://www.dropbox.com/
Company Phone Number: Not available
Company Email Addresses: press@dropbox.com, privacy@dropbox.com, security@dropbox.com
Physical Address: 185 Berry St, 4th Floor, San Francisco, CA 94107, USA

What services does this disclosure apply to?
Dropbox
http://www.dropbox.com/

What country holds legal jurisdiction over the service(s)?
USA (State of California)

How long has your company been operating?
Since 2007.

How long has your company been providing the service(s) covered in this disclosure?
Since 2008.

Is your company currently profitable?
Not available

Customer Support and Service Level Agreement

What are your standard customer support hours?
Not available

What channels are available for communication with clients?
Dropbox Website Support Section
https://www.dropbox.com/support

Which is your preferred channel for client communications?
Not available

Do you collect any information from client communications?
When you register an account, we collect some personal information, such as your name, phone number, credit card or other billing information, email address and home and business postal addresses. You may also ask us to import your contacts by giving us access to your third party services (for example, your email account) or to use your social networking information if you give us access to your account on social network connection services. When you invite others to join Dropbox by using our referral page, we send them a one-time email for that referral. You may also provide us with your contacts’ email addresses when sharing folders or files with them. We may also receive Personal Information (for example, your email address) through other users, for example if they have tried to share something with you or tried to refer Dropbox to you.

Refer to Privacy Policy Section 1 “The Information We Collect And Store” for a comprehensive list.
https://www.dropbox.com/privacy

What is your standard response time for customer support inquiries?
Not available

Do you proactively communicate information about future planned outages and maintenance to clients?
Not available

Do you proactively communicate information about current unscheduled outages and incidents to clients?
Not available

Do you make incident reports available to clients after major incidents?
Not available

What is the expected uptime of the service?
Dropbox strives for 100% uptime and availability
https://www.dropbox.com/help/30/en

Has the service experienced any outages in the last 12 months?
Not available

Does the SLA guarantee service uptime?
No. Dropbox states that it strives for 100% uptime and availability but does not guarantee it.
https://www.dropbox.com/help/30/en

Security

Are logs kept of client logins and locations?
Not available

Does your service support password/account recovery?
Yes. Customers can reset a forgotten password via https://www.dropbox.com/forgot, which sends a reset link to the account's email address. Whoever controls that mailbox can therefore take over the Dropbox account, so the email account should be protected at least as well as Dropbox itself.

Does the service monitor for any suspicious account activity?
Not available

Does your service offer two-step or multi-factor authentication?
Yes. Dropbox's two-step verification delivers security codes by SMS or through an authenticator app:
SMS
Google Authenticator (Android/iPhone/Blackberry)
Amazon AWS MFA (Android)
Authenticator (Windows Phone 7)
The app options generate codes on the device itself without network access, whereas SMS codes depend on the mobile carrier and on control of the phone number.
https://www.dropbox.com/help/363/en
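The three app options listed above all generate standard time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226), which is why any RFC 6238 authenticator can be enrolled with such a service; the page itself does not name the algorithm, so that reading is this editor's. The Go program below is an added example, not Dropbox's code or anything from its help page: it derives a code from the shared secret and verifies a submitted code with a one-step clock-drift window and a constant-time comparison. The secret is the RFC 6238 Appendix B test value, so the 8-digit outputs can be checked against the RFC's table, and the base32 setup key handled by DecodeSetupKey is a constructed input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"time"
)

const timeStep = 30 // seconds per TOTP step (the RFC 6238 default)

// HOTP computes the RFC 4226 HMAC-SHA1 one-time password for a counter value,
// dynamically truncated to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte selects 4 bytes
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// TOTP is HOTP with the counter set to the number of 30-second steps since
// the Unix epoch (RFC 6238).
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/timeStep), digits)
}

// Verify checks a submitted code against the current step and one step either
// side, tolerating modest clock drift between phone and server. The comparison
// is constant-time and every window position is evaluated, so neither the
// result nor the matching position leaks through timing.
func Verify(secret []byte, submitted string, unixTime int64, digits int) bool {
	match := 0
	for skew := int64(-1); skew <= 1; skew++ {
		expected := TOTP(secret, unixTime+skew*timeStep, digits)
		match |= subtle.ConstantTimeCompare([]byte(expected), []byte(submitted))
	}
	return match == 1
}

// DecodeSetupKey parses the base32 seed an authenticator app is enrolled with
// (the text shown beside the QR code), tolerating spaces, lower case and
// missing padding.
func DecodeSetupKey(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// RFC 6238 Appendix B test secret: the ASCII string "12345678901234567890".
	secret := []byte("12345678901234567890")
	fmt.Println(TOTP(secret, 59, 8))                // 94287082
	fmt.Println(TOTP(secret, 1111111109, 8))        // 07081804
	fmt.Println(Verify(secret, "94287082", 89, 8))  // true: one step of drift
	fmt.Println(TOTP(secret, time.Now().Unix(), 6)) // a live 6-digit code
}
```

The drift window is the usual trade-off: each extra step accepted widens the guessing window for an attacker, so a server should also rate-limit attempts and refuse to accept the same code twice.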

Does your service offer login via other services?
No.

Does your service secure all client data in transit?
Yes. Dropbox states that all client data in transit is protected by SSL, which its security page describes as "256-bit SSL" (i.e. an SSL/TLS session using a 256-bit symmetric cipher).
https://www.dropbox.com/security

Does your service secure client data at rest?
We encrypt the files that you store on Dropbox using the AES-256 standard, which is the same encryption standard used by banks to secure customer data. Encryption for storage is applied after files are uploaded, and we manage the encryption keys.
https://www.dropbox.com/security
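Because Dropbox holds the keys for its at-rest encryption, that encryption protects against a lost or stolen storage medium, not against Dropbox itself, a compromised Dropbox employee, or a legal demand served on Dropbox. A client who needs protection from those parties has to encrypt before upload with a key Dropbox never sees. The Go program below is an added example of that client-side step and is not Dropbox's code or a description of what Dropbox does: AES-256-GCM with a random per-file nonce and the file name bound as associated data, so a ciphertext moved to another path, opened with the wrong key, or altered by a single byte fails to decrypt. The key generation and the sample file contents are constructed for the example; where the key is kept is the client's problem and is left as a comment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewFileKey returns a fresh random 256-bit key. It must live somewhere Dropbox
// never sees (an OS keychain, a hardware token); a key stored in the synced
// folder next to the ciphertext gives away exactly what the scheme is meant to keep.
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD and rejects any key that is not 256 bits.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a file's contents before it is placed in the synced folder.
// The file name is bound as associated data, so a ciphertext copied to a
// different path fails authentication. Layout: nonce || ciphertext || tag.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per file; never reuse under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. It returns an error for a wrong key, a different file
// name, or any modification of the blob, without releasing any plaintext.
func Open(key, blob []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewFileKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample contents; in practice this is the file read from disk.
	plain := []byte("board-minutes-2013-03.txt: discussed the acquisition")
	blob, err := Seal(key, plain, "board-minutes-2013-03.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes of ciphertext; the key never leaves this machine\n", len(blob))

	if _, err := Open(key, blob, "board-minutes-2013-03.txt.bak"); err != nil {
		fmt.Println("renamed copy rejected:", err)
	}
	blob[len(blob)/2] ^= 0x01
	if _, err := Open(key, blob, "board-minutes-2013-03.txt"); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

What Dropbox then stores, syncs and versions is the sealed blob; file names remain visible to Dropbox, and anything in the name that is itself sensitive would need the same treatment.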

Does your service allow clients to collaborate with 3rd parties?
Not available

Does your primary system reside in a data center with a security certification?
Dropbox uses Amazon S3 for data storage. Amazon stores data over several large-scale data centers. According to Amazon, they use military grade perimeter control berms, video surveillance, and professional security staff to keep their data centers physically secure.
Amazon and Dropbox also employ significant protection against network security issues such as Distributed Denial of Service (DDoS) attacks, Man in the Middle (MITM) attacks, and packet sniffing.
https://www.dropbox.com/security

AWS is certified to:
SOC1/SSAE 16/ISAE 3402
SOC 2
FISMA, DIACAP, and FedRAMP
PCI DSS Level 1
ISO 27001
FIPS 140-2
http://aws.amazon.com/security/

Does your backup/disaster recovery system reside in a data center with a security certification?
As for the primary systems above: Dropbox does not run a separate backup/disaster recovery facility. Redundancy comes from Amazon S3 itself, which replicates data across multiple AWS data centres, so the same physical security measures and certifications (SOC 1/SSAE 16/ISAE 3402, SOC 2, FISMA/DIACAP/FedRAMP, PCI DSS Level 1, ISO 27001, FIPS 140-2) apply.
https://www.dropbox.com/security
http://aws.amazon.com/security/

Data Ownership

Do you claim ownership of any client data or information uploaded to your service?
You retain full ownership to your stuff. We don’t claim any ownership to any of it.
For more information, please refer to the “Your Stuff & Your Privacy” section of the Terms of Service.
https://www.dropbox.com/privacy#terms

Does the client retain full ownership of any data or information transmitted or stored via upstream providers?
You retain full ownership to your stuff. We don’t claim any ownership to any of it.
For more information, please refer to the “Your Stuff & Your Privacy” section of the Terms of Service.
https://www.dropbox.com/privacy#terms

Does client use of your service generate any metadata or other statistical information?
We also collect some information (ourselves or using third party services) using logging and cookies, such as IP address, which can sometimes be correlated with Personal Information. We use this information for the above purposes and to monitor and analyze use of the Service, for the Service’s technical administration, to increase our Service’s functionality and user-friendliness, and to verify users have the authorization needed for the Service to process their requests. As of the date this policy went into effect, we use Google Analytics.
https://www.dropbox.com/privacy#privacy

Data Location

Where are the primary systems that host client data located?
Once a file is added to your Dropbox, the file is then synced to Dropbox’s secure online servers. All files stored online by Dropbox are encrypted and kept securely on Amazon’s Simple Storage Service (S3) in multiple data centers located across the United States.
https://www.dropbox.com/help/7/en

Where are the backup/disaster recovery systems that host client data located?
All backup/disaster recovery systems are handled by Amazon Web Services through the normal provisioning of Amazon S3.

Are there any other systems that host client data on behalf of your service?
All data is stored in Amazon S3, provided by Amazon Web Services, which distributes it across a number of locations.
http://aws.amazon.com/s3/

Data Access and Use

Does the client have full access to their data during the service contract period?
Yes, via the Dropbox website, desktop programs, mobile apps, and authorized third-party applications.

Can the client freely download their data from the service during the contract period?
Yes, all data a client stores in Dropbox can be easily downloaded via the Dropbox website, desktop program, mobile apps, and authorized third-party applications. The files will be in the same format as they were added by the client.

Can the client easily import/upload their data from a competing service provider into your service?
Yes. Dropbox imposes no restriction on file type, so files exported from another provider can be uploaded as they are.

Does your service include an API to access client data?
Not available

Following termination of the service, will the client be able to access their data?
Not available

Following termination of the service, is all client data deleted?
We will retain your information for as long as your account is active or as needed to provide you services. If you wish to cancel your account or request that we no longer use your information to provide you services, you may delete your account here. We may retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Consistent with these requirements, we will try to delete your information quickly upon request. Please note, however, that there might be latency in deleting information from our servers and backed-up versions might exist after deletion. In addition, we do not delete from our servers files that you have in common with other users.
https://www.dropbox.com/privacy

Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.
https://www.dropbox.com/security

Does your company use client data or information for any business function (other than the provision of the service)?
Dropbox uses, or plans to use, Personal Information, Geo-Location Information, and Analytics data for the purposes described in Section 2 “How We Use Personal Information” of the privacy policy.
https://www.dropbox.com/privacy

Does your company use client data or information to generate revenue (other than the provision of the service)?
No.

Do you access client data in any additional circumstance not yet specified in this disclosure?
Please refer to Section 3 “Information Sharing and Disclosure” of the privacy policy for further details.
https://www.dropbox.com/privacy

Data Breach Notification

Do you have a policy in place for dealing with data loss or breach?
Not available

Do you notify clients if their data has been lost or compromised?
Not available

Backup and Maintenance

Does your service support data versioning?
Yes. Personal and Pro users can access the previous versions of their files for the last 30 days. Pro users with the “Packrat” add-on, and Teams users, have unlimited version history (all versions are kept indefinitely).
https://www.dropbox.com/help/11/en

How often are service/client data backups performed?
Not available

What method is used to perform service/client data backups?
Dropbox and Amazon keep redundant backups of all data over multiple locations to prevent the remote possibility of data loss. In the unlikely event that this redundancy were to fail, Dropbox folders linked to a desktop computer client will still contain copies of your files (except files you’ve chosen not to sync using Selective Sync).
https://www.dropbox.com/privacy#security

How long is backup data retained for?
Not available

Disclaimer

The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.