Security

At Dropbox Sign, we believe that you own your data, and we’re committed to keeping it private. Our privacy policy clearly describes how we handle and protect your information. On an annual basis, our independent third-party auditors test our privacy related controls and provide their reports and opinions which we can provide to you upon request.

Please submit any privacy related questions to privacy@dropbox.com.

Dropbox uses certain sub-processors to assist in providing the Dropbox Sign Services. We use service providers that may store and process personal data about you and your end users. This page provides important information about the identity, location and role of these material sub-processors. Terms used on this page but not defined have the meaning set forth in the Dropbox Sign Terms of Service.

At least annually, Dropbox Sign performs a review of our sub-processors. In the event these reviews have material findings that we determine present risks to Dropbox Sign or our customers, we’ll work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue is resolved.

Customers that wish to receive email notifications if this list is updated may subscribe to receive such notifications on behalf of their team by completing this form.

Documents are stored behind a firewall and authenticated against the sender’s session every time a request for that document is made. We enforce the use of industry best practices for the transmission of data to our platform (Transport Layer Security TLS) and data is stored in a SOC 1 Type II, SOC 2 Type I and ISO 27001 certified data centres. Your documents are stored and encrypted at rest using AES 256-bit encryption.

In addition, each document is encrypted with a unique key. As an additional safeguard, each key is encrypted with a regularly-rotated master key. This means that even if someone were able to bypass physical security and remove a hard drive, they wouldn’t be able to decrypt your data.

All documents are encrypted at rest using AES-256.

Each document is encrypted using a unique key, which is itself encrypted with a master key.

The master key is rotated regularly.

Backups of documents are encrypted.

Documents in transit are encrypted using TLS 1.2 or later.

The web application has HSTS configured to ensure a secure connection.

Each signature on a contract is imposed and affixed to the document. When you request a signature, Dropbox Sign affixes an audit trail page to the document itself. The audit trail contains a globally unique identifier (GUID) that can be used to look up a record in our database, showing who signed a document and when. These records include a hash of the PDF document which we can compare to the hash of a questionable PDF document to determine whether or not it has been modified or tampered with. Read our statement of legality for more details.

The non-editable audit trail ensures that every action on your documents is thoroughly tracked and time-stamped, to provide defensible proof of access, review and signature.

There are a number of different audit-tracked events in Dropbox Sign, including:

• Document sent
• Document viewed
• Document signed
• Decline to sign
• Signer name/email address updated
• Attachment Uploaded
• In-person signing activated
• Signer access code authenticated
• Electronic record and signature disclosure accepted
• Signature request delegated
• Signature request completed
• Completed request continued
• Edit expiry date
• Edit and resend document

Dropbox Sign application security is fully integrated with the Dropbox Application Security program. We perform design and architecture reviews of new features through our intake process. All Dropbox Sign code is scanned for security related issues using static code analysis tools like Semgrep & CodeScan. Dropbox Sign is also covered under our Security and Abuse Bug Bounty program, which is offered through Bugcrowd.

It’s imperative that you can control who can do what within the system. Different roles carry different access rights, both in the Dropbox Sign API and in the Dropbox Sign end user product. Learn more about role-based security permissions in the Dropbox Sign security whitepaper.

Dropbox Sign uses Amazon Web Services (AWS) as its Infrastructure as a Service (IaaS) provider with Amazon Data Centres hosting our data within United States. We also make use of AWS regions in EU, UK, JP, AU and CA.

Dropbox Sign uses Amazon security features like Virtual Private Cloud (VPC), Security Groups, disk level encryption and others to ensure the confidentiality of our customer data in the cloud.

Security Team

Dropbox Sign has a formal information security programme in place under the Head of Security that leads an Information and Risk Management Committee. The Information and Risk Management Committee meets periodically to review security-related initiatives at the product, the infrastructure and the company level.

At Dropbox Sign, employees undergo comprehensive background checks and annual security awareness training.

We also have an acceptable use policy and terms of service for our end users to ensure our customers completely understand how we intend our products to be used and under what terms.