Dropbox, Inc.

Dropbox Business - Standard Plan

Dropbox Business brings that same simplicity of Dropbox to the workplace, with advanced features that help teams share instantly across their organizations and give admins the visibility and control they need. But more than just an easy-to-use tool, Dropbox Business is designed to let employees collaborate while keeping work secure.


  • Collaborate faster and smarter with shared folders and shared links
  • Access all company data from your computer with Smart Sync
  • Simultaneous editing, creation, and organisation of content with Dropbox Paper
  • Protect data with 120 days of restoration and version history
  • Administrator console allows for centralized management of the entire team
  • Remotely wipe business data when employees leave or lose devices
  • Integrate Active Directory or LDAP deployments for account provisioning
  • Set policies for sharing data inside and outside the team
  • Seamlessly integrate existing IT processes and systems
  • 2TB of pooled storage plus 10TB per additional 100 users


  • Obtain corporate ownership of user accounts and data
  • Collaborate with an existing network of 500M+ Dropbox users
  • Best-in-class, global brand means little user training required during implementation
  • Seamlessly upgrade existing free Dropbox accounts to Dropbox Business
  • Mitigate corporate data loss through granular sharing permissions and provisioning
  • Maximize employee productivity via reliable, real-time sync and share
  • Minimize wasted time when searching for and recovering files
  • Reduce IT costs by decreasing reliance for on-premise infrastructure
  • Streamline cross-product workflows by integrating preexisting enterprise software
  • Customer support


£84 per licence per year

Service documents

G-Cloud 10


Dropbox, Inc.

Eoin O'Liathain



Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Office 365
... and over 100,000 additional applications and partners
Cloud deployment model Public cloud
Service constraints N/A
System requirements
  • Windows Vista or higher
  • Max OS X Snow Leopard (10.6.8) or higher
  • Ubuntu 10.04 or higher
  • Fedora 19 or higher
  • IOS 9 or later
  • Android OS 4.1 and later
  • Windows Phone 8.0 or higher

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Users should expect a response within 12 hours
User can manage status and priority of support tickets No
Phone support No
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Dropbox has contracted its web chat functionality to Snapengage, a reputable third-party vendor. We intended to execute a future audit on their web chat product to monitor accessibility status.
Web chat accessibility testing Dropbox has contracted its web chat functionality to Snapengage, a reputable third-party vendor. We intended to execute a future audit on their web chat product to monitor accessibility status.
Onsite support Yes, at extra cost
Support levels Dropbox Business admins receive priority email and live support for account or technical questions. If immediate assistance is needed, the help center is also available.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started - Dropbox provides documentation to assist in the installation, configuration, and use of the Dropbox Enterprise service and specific features. The simplest place for readers to begin is at https://www.dropbox.com/guidehttps://www.dropbox.com/guide. This guide won the 2015 Webby Award for Best User Interface

- Short 'how-to' videos can be found on our YouTube channel: https://www.youtube.com/user/dropbox

- For more in-depth answers to FAQ, admins and end-users can search the Dropbox Help Center: https://www.dropbox.com/help

- We also have an expansive community of power users who discuss various topics in the Dropbox Forums: https://www.dropboxforum.com/

- Finally, bespoke guidance materials and trainings can be created by the Dropbox Customer Success team
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Data can be migrated from Dropbox either directly from the Dropbox desktop client or using our APIs. Via third parties, customers are able to migrate data from our cloud to either local storage or another cloud storage provider.
End-of-contract process Towards the end of the contract a renewal notice is sent to the administrator. Users will have full functionality until the contract ends, at that point Dropbox will no longer synchronise changes, new files or allow file sharing and collaboration.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
Designed for use on mobile devices Yes
Differences between the mobile and desktop service While there is overlap between the desktop and mobile experience, the intention for each application is different. The desktop app is designed for both collaboration and performance, while the mobile application is optimised for previewing and lightweight content creation.

The desktop app gives users access to Dropbox directly through a folder on their hard drive. Using the desktop app means users won't have to manually upload/download files as the app watches the Dropbox folder and syncs all edits (including offline changes). The mobile app allows users to preview, edit, and share files and only downloads files when users need access.
Accessibility standards None or don’t know
Description of accessibility Dropbox uses both automated and manual tools for user interface testing. We recently completed a study with low-vision users which uncovered a number of improvements, and we draw on our relationships with external accessibility advocacy agencies for feedback. Our onsite Assistive Technology Lab enables Dropboxers to experience the products they are building through a variety of input and output technologies.
Accessibility testing Dropbox uses both automated and manual tools for user interface testing. We recently completed a study with low-vision users which uncovered a number of improvements, and we draw on our relationships with external accessibility advocacy agencies for feedback. Our onsite Assistive Technology Lab enables Dropboxers to experience the products they are building through a variety of input and output technologies.
What users can and can't do using the API Dropbox currently provides two separate API capabilities for our customers:

(1) The Dropbox Business API allows apps to manage entire Dropbox Business accounts and perform Core API actions on all members of a team. It gives apps programmatic access to Dropbox Business admin functionality, specifically the Dropbox Business audit log and team usage statistics, as well as group and shared folder management. In addition to Core API calls, the Dropbox Business API features additional endpoints designed specifically for businesses. These include endpoints for user and group information and management, auditing, and webhook notifications. Using the Dropbox Business API, customers can connect to existing enterprise tools including SIEM, DLP, eDiscovery and legal hold, DRM, Data migration and on-premises backup, Identity management and single sign-on (SSO), and other custom workflows.

(2) The Dropbox API allows developers to offer users in-app access to Dropbox files and works as a flexible way to read and write to
Dropbox. Auth, file, and metadata interaction; shared file, folder, and link interaction; and file operations are all handled through
the Dropbox API.

For additional information please see: https://www.dropbox.com/developers
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Dropbox Business and Enterprise allow for the customisation of security, collaboration and user experience settings. Further customisation is achieved by using the Dropbox APIs to build and integrate services and systems on top of the Dropbox platform.

Furthermore, Dropbox branding can be customised in a few locations:

1) Administrators can customise externally shared links with their company logo. Specifically, your logo will replace the Dropbox logo on any shared link that a member of your team sends to anyone outside of your team.

2) On the desktop application, the Dropbox folder will be renamed "Dropbox (Organisation name)" as set by administrators

3) On the Dropbox.com homepage, the organisation name will appear at the top of the screen and sidebar

4) On the mobile application, users will need to tap on their corporate account (signified by the organisation name and a briefcase) once they open the application to access their documents


Independence of resources Dropbox has 500M+ users. We also have 100,000 businesses using Dropbox Business and Dropbox Enterprise. The solution is built to scale and provide service to a rapidly growing number of users, customers, and data.

Dropbox has been built to handle large in/out volumes of data. Some examples include:
• 1.2B files synced daily
• 2.1B shared folders and links
• 300,000 apps built on the Dropbox API
• 1,000 apps built on the Dropbox Business API
• 5 million calls to Dropbox Business API every day
• 1.1MM files / 40 TB of data shared daily


Service usage metrics Yes
Metrics types The Dropbox Business admin dashboard provides key insights into team activities as well as shortcuts to common admin actions including the number of current members, pending invites, remaining licenses, and members who have joined over the past 30 days.

Admins also have access to activity logs to audit the actions taken by their team. The activity logs help admins to see how often Dropbox Business is being used regarding files, sharing, passwords, groups, membership, sign-ins, admin actions, apps, devices and Paper usage and allows admins to investigate and fix issues (like accidental file deletions).
Reporting types
  • API access
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Users can export their data from Dropbox at any point in the format is was uploaded in, either by using the Dropbox desktop client, Dropbox APIs, or a third-party data migration solution.
Data export formats Other
Other data export formats Any file format
Data import formats Other
Other data import formats Any file format

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability By default, we do not provide service level agreements for Dropbox Business (Standard and Advanced plan) customers. In certain cases, SLAs may be provided if requested.
Approach to resilience A storage system is only as good as it is reliable, and to that end, we’ve developed Dropbox with multiple layers of redundancy to guard against data loss and ensure availability.

Redundant copies of metadata are distributed across independent devices within a data center in an N+2 availability model. Incremental backups are performed hourly, and full backups are performed daily. Metadata is stored on servers hosted and managed by Dropbox.

File content
Redundant copies of file blocks are stored independently in at least two separate geographic regions and replicated reliably within each region. (Note: For customers who choose to have their files stored in our European infrastructure, file blocks are replicated within Europe only). All Dropbox data centers are designed to provide durability of at least 99.999999999%.

Dropbox’s architecture, applications, and sync mechanisms work together to protect user data and make it highly available. In the rare event of an outage, Dropbox users still have access to the latest synced copies of their files in the local Dropbox folder. Changes to files and folders will be synced to Dropbox once service or connectivity is restored.
Outage reporting We have incident response policies and procedures to address service availability, integrity, security, privacy, and confidentiality

• Promptly respond to alerts of potential incidents
• Determine the severity of the incident
• If necessary, execute mitigation and containment measures
• Communicate with relevant internal and external stakeholders, including notification to affected customers to meet breach
or incident notification contractual obligations and to comply with relevant laws and regulations.
• Gather and preserve evidence for investigative efforts
• Document a postmortem and develop a permanent triage plan

The incident response policies and processes are audited as part of our SOC 2, ISO 27001, and other compliance audits.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Administrative access privileges to production Dropbox Business systems (including hypervisors) and administrative consoles provided by our managed services provider are reviewed regularly to restrict access to authorized personnel. The Dropbox production environment can only be accessed by authorized IP addresses and appropriate authentication. Authorized IP addresses are reviewed for appropriateness regularly. Production network access is SSH key-based and restricted to engineering teams requiring access as part of their duties. Connections to the administrative consoles provided by our managed services provider are encrypted.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 EY CertifyPoint
ISO/IEC 27001 accreditation date 14/11/2016
What the ISO/IEC 27001 doesn’t cover Dropbox Paper, EU data storage
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 30/11/2016
CSA STAR certification level Level 2: CSA STAR Attestation
What the CSA STAR doesn’t cover Dropbox Paper, EU data storage
PCI certification Yes
Who accredited the PCI DSS certification NCC Group
PCI DSS accreditation date 15/03/2017
What the PCI DSS doesn’t cover Certification is for merchant status. Certification does not cover Dropbox acting as a PCI service provider.
Other security certifications Yes
Any other security certifications
  • ISO 27017
  • ISO 27018
  • ISO 22301
  • SOC 3
  • SOC 2
  • SOC 1

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes Dropbox information security policies are based on industry best practices and incorporate elements of various industry standards including the AICPA SOC Trust Services Principles and Criteria, ISO 27001, and PCI DSS. Our ISMS conforms to ISO 27001:2013.

The Dropbox privacy policy is based on industry best practices and aligns with the U.S.–E.U. Privacy Shield data protection framework. We also use a Data Processing Amendment which incorporates the Model Contractual Clauses, which enable the continued transfers of data from the EU in compliance with EU law.

Dropbox contractually requires our managed services and data center co-location subservice providers to meet our security and confidentiality requirements, where applicable.

At least annually, Dropbox reviews the security controls of its managed services and data center co-location subservice providers. This includes reviewing their information security assurance reports (e.g. SOC 1/2/3, ISO 27001, etc.). Any considerations raised during the review are addressed in a timely manner.

Dropbox provides a Service Organization Controls 2 (SOC 2) Type II third party attestation report to potential and existing Dropbox Business customers under NDA. This report includes a mapping our controls and processes to the AICPA Trust Services Principle of security.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach A formal Change Management Policy has been defined by the Dropbox Engineering team to ensure that all application changes have been authorized prior to implementation into the production environments. Source code changes are initiated by developers that would like to make an enhancement to the Dropbox application or service. All changes are required to go through automated Quality Assurance testing procedures.

Dropbox has established a change management policy which requires management authorization for development of new applications, systems, databases, infrastructure, services, and operations. New facilities are reviewed by relevant teams according to our physical security and compliance standards.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Dropbox conducts periodic vulnerability scans, internal and external security testing at the network, application, and operating system levels.

Dropbox has the capability to rapidly patch any vulnerabilities identified in its devices, applications, and systems. Vulnerabilities are patched, as deemed appropriate by the Dropbox Security team, in a timely manner.

Dropbox also encourages the security community and users to report security vulnerabilities to us by following our responsible disclosure policy. We participate in security bug bounty programs and platforms to engage the hacker community to find work with us to bash security bugs before they are exploited.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Dropbox uses a security information and event management (SIEM) system, which merges data sources such as firewall logs, IDS logs, physical access logs, and other data for analysis and alerting.

The logging and monitoring in place allows for determining the impact of a potential incident on a specific Dropbox Business Account or customer and part of the response process is to contain or isolate the incident. The incident response plan includes procedures for maintaining the integrity of evidence through the collection and retention process.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Dropbox has established a documented incident response plan that aligns with the terms of the Dropbox Business Agreement. Due to the shared infrastructure nature of service, we do not integrate customized tenant requirements into our security incident response plan. The incident response plan includes specific procedures to notify affected customers of confirmed data breaches. Customers may notify Dropbox of potential vulnerabilities or breaches by following the procedures described here: https://www.dropbox.com/help/4399/en

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £84 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial What’s included in the free trial?
- Full access to Dropbox Business for 30 days
- Space for your team to share and collaborate
- 120 days of file recovery and versioning
- Admin controls for additional security
Link to free trial https://www.dropbox.com/business/try


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑