Compliance

Dropbox Sign understands the customers’ concerns about compliance and has diligently built processes to make our service compliant with many of the standards which may govern your business, including eIDAS and GDPR.


The failure to adhere to information security standards is a risk no company wants to take. At Dropbox Sign we understand the serious ramifications of non-compliance and have diligently built processes to make our service compliant with many of the standards which may govern your business.

Please contact us (via email: compliance-reports@hellosign.com) for access to our audits and assessments. Or check out our information security whitepaper.

Dropbox Sign adheres to the following frameworks, standards and regulations:

SOC 2 Type II

Service Organization Controls (SOC) Reports are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on internal controls implemented within an organisation. Dropbox Sign has validated its systems, applications, people and processes through an audit by an independent third-party, Schellman Compliance LLC.

The SOC 2 report provides customers with a detailed level of controls-based assurance, covering the Trust Service Criteria for Security, Availability and Confidentiality (TSP Section 100). The SOC 2 report includes a detailed description of Dropbox Sign’s processes and the more than 100 controls in place to protect your stuff. In addition to our independent third-party auditor’s opinion on the effective design and operation of our controls, the report includes the auditor’s test procedures and results for each control. The SOC 2 examination report is available upon request through our sales team by emailing compliance-reports@hellosign.com.

ISO 27001 (Information Security Management)

ISO 27001 is recognised as the premier information security management system (ISMS) standard around the world. The standard also leverages the security best practices detailed in ISO 27002. To be worthy of your trust, we’re continually and comprehensively managing and improving our physical, technical and legal controls at Dropbox Sign. Our auditor, Schellman Compliance LLC, maintains its ISO 27001 accreditation from the ANSI-ASQ National Accreditation Board (ANAB).

View the Dropbox Sign, Dropbox Fax and Dropbox Forms ISO 27001 Certificate.

ISO 27018 (Cloud Privacy and Data Protection)

ISO 27018 is an international standard for privacy and data protection that applies to cloud service providers like Dropbox Sign that process personal information on behalf of their customers, and it provides a basis on which customers can address common regulatory and contractual requirements or questions. Our adherence to ISO 27018 is validated as part of our ISO 27001 certification.

View the Dropbox Sign, Dropbox Fax and Dropbox Forms ISO 27018 Certificate.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Dropbox Sign supports Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) compliance.

These laws aim to encourage the proliferation of technology in the health care industry, while building protections for the security and privacy of health information. Organisations like hospitals, doctors' offices and dental practices, as well as individuals who interact with protected health information (PHI) may be subject to HIPAA/HITECH. This may also extend to companies that work with these businesses and come into contact with PHI on their behalf.

Dropbox Sign makes available a report related to the HIPAA Security Rule and HITECH Breach Notification Requirements. Customers interested in requesting this document can reach out to our sales team by emailing compliance-reports@hellosign.com.

The US ESIGN Act of 2000

The Electronic Signatures in Global and National Commerce Act is a federal law that provides a general rule of validity for electronic records and signatures for transactions. Among other things, the US ESIGN Act requires demonstration of an intent to sign, certain consumer disclosures and record retention.

The Uniform Electronic Transactions Act (UETA) of 1999

Passed in 1999 by the National Conference of Commissioners on Uniform State Laws, the Uniform Electronic Transactions Act allows the use of electronic communication transactions by giving electronic signatures the same legal weight as handwritten pen-to-paper signatures. The UETA has been adopted by every state except New York.

EU-US Data Privacy framework, the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework

Dropbox Sign complies with the EU-US Data Privacy framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal data transferred from the European Union, the European Economic Area and Switzerland to the United States.

Read more about the data privacy frameworks here.

eIDAS and Dropbox Sign


Dropbox Sign is an eIDAS compliant electronic signature solution and a viable option for companies to sign documents online with signatories across all EU member states.

The eIDAS Regulation (910/2014) is a regulation that allows the use of electronic identification means and trust services by citizens, businesses and public administrations to safely access online services and execute electronic transactions across the European Union (EU). It replaced the Electronic Signatures Directive 1999/93/EC, a European Union directive on the use of eSignatures in electronic contracts within the EU, and became effective on 1 July 2016.

The eIDAS Regulation sets out the legal framework for electronic signatures in the EU. It establishes a legal framework for people, companies (in particular small to mid-size enterprises) and public administrations to safely access services and execute transactions digitally across all the EU member states. In particular, it defines three levels of electronic signature: simple electronic signature (SES), advanced electronic signature (AES) and qualified electronic signature (QES). Dropbox Sign supports SES and QES electronic signatures.

Simple Electronic Signature
A simple electronic signature (SES) is defined as ‘data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign’. As a result, many electronic tools, including passwords, PIN codes and scanned signatures can constitute a SES.

Advanced Electronic Signature
An advanced electronic signature (AES) is an electronic signature that is:

  • uniquely connected to and capable of identifying the signatory;
  • created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control; and
  • connected to the document in a way that any subsequent change of the data is detectable.

Qualified Electronic Signature
A qualified electronic signature (QES) is a stricter form of AES and the only type of electronic signature that is legally equivalent to handwritten signatures. A QES has a qualified digital certificate that has been created by a qualified signature creation device (QSCD). The QSCD has to be issued by a qualified EU Trust Service Provider (TSP) on the European Union Trust List (EUTL).
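The three AES properties listed above (identity binding, a key under the signatory's sole control, and tamper detection) can be seen in working form in the following added example. It is not Dropbox Sign's code or eIDAS reference material; it assumes ECDSA P-256 over SHA-256, a freshly generated key standing in for the signatory's signature creation data, and a constructed sample document.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument keeps signatory, content and signature together for verification.
type SignedDocument struct {
	Signatory string
	Document  []byte
	Signature []byte
}

// digest hashes the signatory identity together with the document content, so
// a signature cannot be moved to another signer or another document.
func digest(signatory string, doc []byte) []byte {
	h := sha256.New()
	h.Write([]byte("signatory:" + signatory + "\n"))
	h.Write(doc)
	return h.Sum(nil)
}

// Sign produces an ECDSA P-256 signature with the signatory's private key,
// standing in for signature creation data held under the signatory's sole control.
func Sign(key *ecdsa.PrivateKey, signatory string, doc []byte) (SignedDocument, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(signatory, doc))
	if err != nil {
		return SignedDocument{}, err
	}
	return SignedDocument{Signatory: signatory, Document: append([]byte(nil), doc...), Signature: sig}, nil
}

// Verify is false if the document, claimed signatory or key differs from what was signed.
func Verify(pub *ecdsa.PublicKey, sd SignedDocument) bool {
	return ecdsa.VerifyASN1(pub, digest(sd.Signatory, sd.Document), sd.Signature)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed signer key
	sd, _ := Sign(key, "signer@example.com", []byte("I accept the agreement."))
	fmt.Println("original verifies:", Verify(&key.PublicKey, sd)) // true
	tampered := sd
	tampered.Document = []byte("I accept the agreement and pay double.")
	fmt.Println("tampered verifies:", Verify(&key.PublicKey, tampered)) // false
}
```

A QES adds what this toy cannot show on its own: the public key is bound to the signatory by a qualified certificate from a trusted provider, and the private key lives in a QSCD rather than in process memory.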

Disclaimer: This information is intended for general informational purposes only. It is meant to help companies understand the legal framework used for eSignature legality. This is not intended to be legal advice and should not be a substitute for professional legal advice. Consult a licensed lawyer for legal advice or representation.

EU General Data Protection Regulation (GDPR) and Dropbox Sign


The General Data Protection Regulation 2016/679, or GDPR, is a European Union regulation that marked a significant change to the existing framework for processing personal data of EU data subjects. The GDPR introduced a series of new or enhanced requirements that apply to companies like Dropbox Sign, which handle personal data. Dropbox Sign adheres to GDPR so that customers can use Dropbox Sign to facilitate their GDPR compliance. For more information, please see this article on GDPR and Dropbox Sign compliance.

Our commitment to you and the protection of your data
We’re committed to protecting your personal data. As a Dropbox Sign customer, your organisation acts as the data controller for any personal data provided to Dropbox in connection with your use of Dropbox Sign services. Dropbox acts as the data processor, processing data on your organisation’s behalf when you use Dropbox Sign services. Our Privacy Policy describes our privacy commitments to users and explains how we collect, use and handle your personal data when you use our services, and our Terms of Service includes commitments related to data processing and international data transfer.

Training and privacy awareness
All Dropbox employees are required to complete security and privacy training when hired and annually thereafter. In addition, employees receive security and privacy awareness information via emails, talks and presentations, and resources available on our intranet.

Data mapping and privacy impact assessment
To verify that our privacy practices are appropriate, Dropbox maintains a record of processing activities for the Sign services. We also completed a Data Protection Impact Assessment (DPIA) to assess how we collect, process and store personal data and determine potential privacy impacts.

Information security policies
Dropbox has information security and data protection policies governing how and when employees and contractors can access your data. These policies are based on international standards and best practices, and are reviewed on an annual basis to keep them up to date with current business practices and account for changes in laws/regulations. Ad hoc changes may also be made to these policies as necessary. These policies are provided to new hires, and changes are communicated to employees via the company intranet.

Data transfer
When transferring data from the European Union, the European Economic Area, the United Kingdom and Switzerland, Dropbox relies upon a variety of legal mechanisms, such as contracts with our customers and affiliates, Standard Contractual Clauses and the European Commission’s adequacy decisions about certain countries, as applicable.

Dropbox complies with the EU-US and Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of personal data transferred from the European Union, the European Economic Area, the United Kingdom and Switzerland to the United States, although Dropbox does not rely on the EU-US Privacy Shield or Swiss-US Privacy Shield Frameworks as a legal basis for transfers of personal data. Dropbox has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such data. You can also learn more about Privacy Shield at www.privacyshield.gov.

Incident response
Our Incident Response procedures have been designed and tested to ensure that potential security events are identified and reported to appropriate personnel for resolution, that personnel follow defined protocols for resolving security events, and that steps for resolution are documented and reviewed by the Security Team on a regular basis. Additionally, our policies and procedures include breach notification for cases where a security incident involves the loss or unauthorised use of personal data.

Product reviews
Our Software Development Lifecycle (‘SDLC’) ensures that system changes are performed in accordance with GDPR requirements, including considerations for privacy in the following areas:

  • Planning;
  • Change documentation;
  • Development of test plans;
  • Change testing and documentation of results;
  • Quality assurance (‘QA’) review and approval;
  • Third-party review and attestation; and
  • Periodic review and update.

Vendor reviews
Vendors that process or store personal data are reviewed as part of Dropbox’s third party risk assessment process to ensure that they have appropriate security and privacy controls in place to protect data. All our current sub-processors are reviewed on an annual basis to ensure they meet security and privacy requirements.

Contractual protections
Dropbox has implemented new processor-to-processor SCCs between Dropbox International Unlimited Company and Dropbox, Inc. to cover transfers of our customers’ personal data to the US. We have updated our Data Processing Agreement to reflect this: https://assets.dropbox.com/documents/en/legal/hs-data-processing-agreement.pdf

The Data Processing Agreement is already part of the Dropbox Sign Terms of Service.

Certifications
At Dropbox Sign, we understand the serious ramifications of non-compliance and have diligently built processes to make our service compliant with the standards which govern your business.

For more information on the standards and certifications Dropbox Sign is compliant with and adheres to, please refer to our Compliance Page.

Product security

Encryption
By default, communication with our services uses Transport Layer Security (TLS), which is regularly updated to use the latest ciphersuites and TLS configurations. Additionally, we encrypt all customer data at rest using AES 256-T.

Data deletion and access
If you would like to submit a data access request or request that your personal data be deleted, please email us at privacy@dropbox.com. For more information, please refer to the Dropbox Sign privacy policy.

Cookie compliance
When you use the Dropbox Sign Services, you can select which cookies you consent to Dropbox using by clicking Cookies & CCPA Preferences in the footer of this page under Support.
