The documents, contracts, and agreements you sign as a business are some of the most important documents you have. Many of these transactions involve a legally binding signature and are critical to a company’s operations. With Dropbox Sign Services, which includes Dropbox Sign, Dropbox Forms, and Dropbox Fax, protection of your documents and related transactions is the highest priority.


At Dropbox Sign, we believe that you own your data, and we’re committed to keeping it private. Our privacy policy clearly describes how we handle and protect your information. On an annual basis, our independent third-party auditors test our privacy-related controls and issue reports and opinions, which we can provide to you upon request.

Please submit any privacy related questions to



Dropbox uses certain sub-processors to assist in providing the Dropbox Sign Services. We use service providers that may store and process personal data about you and your end users. This page provides important information about the identity, location, and role of these material sub-processors. Terms used on this page but not defined have the meaning set forth in the Dropbox Sign Terms of Service.

At least annually, Dropbox Sign performs a review of our sub-processors. In the event these reviews have material findings that we determine present risks to Dropbox Sign or our customers, we’ll work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue is resolved.

Dropbox Sign Sub-processors

Sub-Processor Name: role (location)

  • Amazon Web Services, Inc.: Infrastructure, Forms Creation (United States)
  • Concord Technologies Corporation (United States)
  • Google LLC: Cloud based application provider (United States)
  • IDnow GmbH: Identity Verification for QES
  • Mailgun Technologies, Inc.: Electronic Mail (United States)
  • NG Communications bvba
  • Oracle America, Inc.: Billing and Customer Support
  • United States, LLC: Customer Support (United States)
  • Teleperformance A.E.: Customer Support
  • Twilio, Inc.: Mobile Messaging (United States)
  • Voxbone, S.A
  • ZenDesk, Inc.: Customer Support (United States)
  • eID Easy: Broker for electronic identification (eID), qualified electronic signature (QES), and digital signature and certificate services.

Customers that wish to receive email notifications if this list is updated may subscribe to receive such notifications on behalf of their team by completing this form.



Documents are stored behind a firewall and authenticated against the sender’s session every time a request for that document is made. We enforce the use of industry best practices for the transmission of data to our platform (Transport Layer Security, TLS), and data is stored in SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified data centers. Your documents are stored and encrypted at rest using AES 256-bit encryption.

In addition, each document is encrypted with a unique key. As an additional safeguard, each key is encrypted with a regularly rotated master key. This means that even if someone were able to bypass physical security and remove a hard drive, they wouldn’t be able to decrypt your data.

All documents are encrypted at rest using AES-256.

Each document is encrypted using a unique key, which is itself encrypted with a master key.

The master key is rotated regularly.

Backups of documents are encrypted.

Documents in transit are encrypted using TLS 1.2 or later.

The web application has HSTS configured to ensure a secure connection.
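
The key hierarchy described above (a unique key per document, itself encrypted with a regularly rotated master key) can be sketched in Node.js as follows. This is an added example, not Dropbox Sign's code: the `Keyring` class, the record layout, the choice of AES-256-GCM for both layers, and binding the document ID as associated data are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');
// AES-256-GCM (mode is an assumption); blob layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// Hypothetical in-memory keyring: versioned master keys; the newest wraps new data keys.
class Keyring {
  constructor() { this.versions = new Map(); this.current = 0; this.rotate(); }
  rotate() { this.versions.set(++this.current, nodeCrypto.randomBytes(32)); }
  retire(version) { this.versions.delete(version); }
  key(version) {
    if (!this.versions.has(version)) throw new Error(`master key v${version} unavailable`);
    return this.versions.get(version);
  }
}

// Fresh data key per document, wrapped by the master key; docId is bound as associated data.
function encryptDocument(ring, docId, plaintext) {
  const dek = nodeCrypto.randomBytes(32), aad = Buffer.from(docId);
  const record = {
    docId, kekVersion: ring.current,
    wrappedDek: seal(ring.key(ring.current), dek, aad),
    ciphertext: seal(dek, plaintext, aad),
  };
  dek.fill(0); // drop the plaintext data key once both layers are sealed
  return record;
}
function unwrapDek(ring, rec) {
  return open(ring.key(rec.kekVersion), rec.wrappedDek, Buffer.from(rec.docId));
}
function decryptDocument(ring, rec) {
  return open(unwrapDek(ring, rec), rec.ciphertext, Buffer.from(rec.docId));
}
// Rotation re-wraps only the 32-byte data key; the document ciphertext is not touched.
function rewrap(ring, rec) {
  const wrappedDek = seal(ring.key(ring.current), unwrapDek(ring, rec), Buffer.from(rec.docId));
  return { ...rec, kekVersion: ring.current, wrappedDek };
}
```

Because only the wrapped data key changes on rotation, every stored record can be moved to the new master key without re-encrypting document bodies, after which the old master key version can be retired.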

Audit trails


Each signature on a contract is imposed and affixed to the document. When you request a signature, Dropbox Sign affixes an audit trail page to the document itself. The audit trail contains a globally unique identifier (GUID) that can be used to look up a record in our database, showing who signed a document and when. These records include a hash of the PDF document which we can compare to the hash of a questionable PDF document to determine whether or not it has been modified or tampered with. Read our statement of legality for more details.

The non-editable audit trail ensures that every action on your documents is thoroughly tracked and time-stamped, to provide defensible proof of access, review, and signature.

There are a number of different audit-tracked events in Dropbox Sign, including:

  • Document sent
  • Document viewed
  • Document signed
  • Decline to sign
  • Signer name/email address updated
  • Attachment uploaded
  • In-person signing activated
  • Signer access code authenticated
  • Electronic record and signature disclosure accepted
  • Signature request delegated
  • Signature request completed
  • Completed request continued
  • Edit Expiration Date
  • Edit and Resend Document

Application security


Dropbox Sign application security is fully integrated with the Dropbox Application Security program. We perform design and architecture reviews of new features through our intake process. All Dropbox Sign code is scanned for security-related issues using static code analysis tools like Semgrep & CodeScan. Dropbox Sign is also covered under our Security and Abuse Bug Bounty program, which is offered through Bugcrowd.



It’s imperative that you can control who can do what within the system. Different roles carry different access rights, both in the Dropbox Sign API and in the Dropbox Sign end user product. Learn more about role-based security permissions in the Dropbox Sign security whitepaper.



Dropbox Sign uses Amazon Web Services (AWS) as its Infrastructure as a Service (IaaS) provider, with Amazon data centers hosting our data within the United States. We also make use of AWS regions in the EU, UK, JP, AU, and CA.

Dropbox Sign uses Amazon security features like Virtual Private Cloud (VPC), Security Groups, disk level encryption, and others to ensure the confidentiality of our customer data in the cloud.

Dedicated & Experienced Security Team

Dropbox Sign has a formal information security program in place under the Head of Security, who leads an Information and Risk Management Committee. The Information and Risk Management Committee meets periodically to review security-related initiatives at the product, the infrastructure, and the company level.

At Dropbox Sign, employees undergo comprehensive background checks and annual security awareness training.

We also have an acceptable use policy and terms of service for our end users to ensure our customers completely understand how we intend our products to be used and under what terms.
