Protecting your data isn’t a feature on a checklist, something to be tacked on as an afterthought. Security is at the heart of Dropbox for Business, informing not only how we approach new features and enhancements, but also how we’ve designed the product itself. Here’s how we’ve built Dropbox for Business to keep data safe for all our users:
1. Encryption in transit and at rest. Regardless of how you’re accessing data you store in your Dropbox — through our desktop app, mobile app, or website, or a third-party app you’ve authorized — it’s encrypted. We use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer between you and us to create a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. Once your file data reaches us, we lock it down using 256-bit AES encryption at rest.
2. We keep data broken up. Every time you add a file to your Dropbox it's split into blocks, each encrypted using a strong cipher. Only blocks that have been modified between revisions are synchronized, which is part of what makes Dropbox sync so fast and reliable. On top of this, metadata (including file names and types) is stored separately from the files’ raw data, further obscuring your data from unauthorized access.
3. We’ve enabled perfect forward secrecy. By implementing perfect forward secrecy, we’ve made it so our private SSL key can’t be used to decrypt past Internet traffic. This adds extra protection to encrypted communications with Dropbox, essentially disconnecting each session from all previous sessions.
4. We’re audited regularly by independent firms. Dropbox, our data centers, and our managed service provider undergo regular third-party audits (e.g., SSAE 16 SOC 1, SOC 2, and ISO 27001). We successfully completed a Service Organization Control (SOC) 2 Type 2 examination, conducted by an independent auditor. The audit report details the design and effectiveness of our security controls, and can serve as a valuable resource for Dropbox for Business customers as they create their own compliance strategies.
5. We give you visibility and control. Dropbox for Business was built with IT admins’ needs in mind, and we’ve designed it to make it easy to monitor and protect your data. Our audit log lets you keep tabs on what data your team members are sharing and how they are sharing it. Two-step verification adds an extra layer of protection, requiring a six-digit security code in addition to a password upon sign-in or when linking a new device. And with remote wipe, admins can delete Dropbox data and local copies of files from both computers and mobile devices when employees leave the team or devices are lost.
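The block-level sync described in item 2 can be illustrated with a short sketch; this is an added example, not Dropbox's code. The fixed 4-byte block size, the use of SHA-256 block digests, the function names, and the sample revisions are all assumptions, and per-block encryption is left out.

```python
import hashlib

BLOCK_SIZE = 4  # bytes; constructed, tiny so the samples fit inline (assumption)
REV1 = b"AAAABBBBCCCCDDDD"  # constructed sample revision


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> list[bytes]:
    """Cut a revision into fixed-size blocks; the last one may be short."""
    if size <= 0:
        raise ValueError("block size must be positive")
    return [data[i:i + size] for i in range(0, len(data), size)]


def digests(data: bytes, size: int = BLOCK_SIZE) -> list[str]:
    """SHA-256 of every block, so revisions can be compared by digest."""
    return [hashlib.sha256(b).hexdigest() for b in split_blocks(data, size)]


def blocks_to_sync(old: bytes, new: bytes, size: int = BLOCK_SIZE) -> list[int]:
    """Indices of blocks in `new` that are modified or absent in `old`."""
    old_d, new_d = digests(old, size), digests(new, size)
    return [i for i, d in enumerate(new_d) if i >= len(old_d) or d != old_d[i]]


def rebuild(old: bytes, new: bytes, size: int = BLOCK_SIZE) -> bytes:
    """Receiver side: reuse stored blocks, accept only the changed ones from
    the sender, then verify the result against the whole-file digest."""
    stored, sent = split_blocks(old, size), split_blocks(new, size)
    changed = {i: sent[i] for i in blocks_to_sync(old, new, size)}
    out = b"".join(changed[i] if i in changed else stored[i]
                   for i in range(len(sent)))
    if hashlib.sha256(out).digest() != hashlib.sha256(new).digest():
        raise ValueError("rebuilt revision does not match sender digest")
    return out


if __name__ == "__main__":
    for label, rev2 in [("edit in place", b"AAAABxBBCCCCDDDD"),
                        ("append", REV1 + b"EE"),
                        ("insert at front", b"x" + REV1)]:
        print(label, "->", blocks_to_sync(REV1, rev2))
```

With fixed-size blocks, an in-place edit or an append touches one block, while an insertion at the front shifts every boundary and marks every block as changed.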
To learn more about how we make the security of your data our top priority, see the Dropbox for Business security whitepaper.