What SOC reports are and why they’re important
Service Organization Controls (SOC) reports, known as SOC 1, SOC 2, or SOC 3, are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on the internal controls within an organization.
These reports are essential for controlling and monitoring the protections built into an organization's controls over data and for ensuring that those protections are working.
SOC reports ensure the best security practices
SOC reports are more important than ever due to cloud computing and the trust that must be maintained between a service provider and a customer.
Dropbox constantly communicates to customers that the best security practices are in place and that they are rigorously and routinely verified by an independent third party.
How SOC 1, SOC 2, and SOC 3 reports are validated
Assessed by an independent third party
To meet critical security, privacy, and compliance needs, Dropbox is validated by an independent third-party auditor. Dropbox has validated its systems, applications, people, and processes through a series of audits by an independent third party, Ernst & Young LLP.
Follows best practices and objective standards
This certification process confirms that Dropbox follows best practices and meets objective standards on financial reporting, security, privacy, confidentiality, availability, and processing integrity.
SOC reports 1 and 2 are available to existing Dropbox Standard, Advanced, Enterprise and Education customers by request, and anyone with interest can view the SOC 3 examination.
SOC 3 for Security, Confidentiality, Integrity, Availability, and Privacy
The SOC 3 assurance report covers all five Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP Section 100). The Dropbox general-use report is an executive summary of the SOC 2 report and includes the independent third-party auditor’s opinion on the effective design and operation of our controls.
View the Dropbox Standard, Advanced, Enterprise and Education SOC 3 examination.
SOC 2 Compliance for Security, Confidentiality, Integrity, Availability, and Privacy
The SOC 2 report provides a detailed level of controls-based assurance, covering all five Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP Section 100).
It also includes a thorough description of Dropbox’s processes and the 100+ controls in place to protect your data. In addition to our independent third-party auditor’s opinion on the effective design and operation of our controls, the report includes the auditor’s test procedures and results for each control.
Our SOC 2 report includes an audited mapping of our controls to the ISO standards, providing additional transparency to our customers.
SOC 1 report / SSAE 18 / ISAE 3402 (formerly SSAE 16 or SAS 70)
The SOC 1 report provides specific assurances for customers who determine that Dropbox Standard, Advanced, Enterprise and Education is a key element of their internal controls over financial reporting (ICFR) program. These specific assurances are primarily used for our customers’ Sarbanes-Oxley (SOX) compliance.
The independent third-party audit is conducted in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). These standards have replaced the deprecated Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and Statement on Auditing Standards No. 70 (SAS 70).
The SOC 1 examination for Dropbox Standard, Advanced, Enterprise and Education is available upon request through our sales team or (for existing Dropbox Team customers) support.