Vendor Scorecard

Is Dropbox Secure for Small Business?

2026 Independent Security Review

TL;DR

Dropbox offers solid encryption and a mature compliance program including SOC 2, ISO 27001, and HIPAA BAA availability on Business plans. However, the platform has a documented history of security incidents, including a 2012 breach that exposed 68 million user credentials and a 2024 breach of the Dropbox Sign service. The default product does not include end-to-end encryption, which means Dropbox holds the keys to your files. For businesses storing sensitive documents, the Business or Enterprise tier with thoughtfully configured admin controls is the minimum starting point.

Overall Score: 75 out of 100 (Adequate)
HIPAA BAA Available

Score Breakdown

Encryption: 18/20
AES-256 at rest, TLS/SSL in transit; no default end-to-end encryption on standard plans

Access Controls: 15/20
Admins can enforce MFA via SSO on Business/Enterprise; granular permissions, remote wipe

Compliance Certifications: 17/20
SOC 2 Type II, ISO 27001, ISO 27018, HIPAA (with BAA on paid plans), CSA STAR Level 2

Transparency: 9/15
Public Trust Center, SOC 3 available; subprocessor list published; security whitepaper accessible

Breach History: 8/15
2012 breach exposed 68 million credentials; 2022 phishing exposed GitHub repos; 2024 Dropbox Sign breach exposed user data for all Sign users

SMB Fit: 8/10
Free plan lacks admin controls; Business plan required for meaningful security management

How We Score

Category: Max Points
Encryption: 20
Access Controls: 20
Compliance Certifications: 20
Transparency: 15
Breach History: 15
SMB Fit: 10

Score bands:
85-100: Strong
70-84: Adequate
55-69: Marginal
Below 55: Caution

Key Finding

Dropbox manages its own encryption keys on standard accounts. In practice, this means the company has the technical ability to access your stored files. After acquiring Boxcryptor in 2022, Dropbox has been developing end-to-end encryption for Business users, but the feature has not fully rolled out as a default as of 2026. For any business storing client-privileged documents, financial records, or sensitive HR files, this architecture means a compromise of Dropbox infrastructure could expose file contents, not just metadata. The 2024 Dropbox Sign breach demonstrated this risk in practice: a compromised service account gave attackers access to emails, usernames, hashed passwords, API keys, and MFA details for all Sign users.

Bottom Line

Dropbox is a capable collaboration tool with real compliance credentials, but its breach history is the longest of any vendor in this review. The 2012, 2022, and 2024 incidents represent three distinct attack vectors across more than a decade, which suggests a pattern rather than isolated events. If your business requires cloud storage, the Business plan with admin-enforced SSO, MFA, and configured sharing restrictions is workable. But if you handle highly sensitive client data, legal privilege, or PHI, you should evaluate whether Dropbox's key management architecture meets your risk tolerance.

Industry Verdicts

Law Firms

Law firms frequently use Dropbox to share documents with clients and co-counsel, and the platform's ease of use makes it popular with attorneys who want to avoid more complex document management systems. However, the lack of default end-to-end encryption is a real concern for client-privileged material. If opposing counsel or a regulator asked whether your cloud provider could access privileged documents, the honest answer with standard Dropbox is yes. Firms that use Dropbox should at minimum be on a Business plan with SSO and MFA enforced, external sharing restricted to approved domains, and file recovery configured to prevent permanent deletion. Consider pairing Dropbox with a client-side encryption tool like Cryptomator for matter folders containing privileged communications.

Medical Practices

Dropbox Business and Enterprise plans can support HIPAA compliance. Dropbox will sign a BAA through the admin console, covers core file storage and sharing under that agreement, and publishes a SOC 2 report aligned to HIPAA/HITECH controls. However, HIPAA compliance is not configured by default. You must configure sharing permissions to prevent PHI from being accessible to unauthorized users, enforce MFA, disable permanent deletion so only admins can remove content (HIPAA has retention requirements), and ensure no third-party apps connected to your Dropbox account handle PHI without their own BAA. Free and personal Dropbox accounts cannot be used with PHI under any circumstance.

Government Contractors

Dropbox Business includes a NIST SP 800-171 mapping validated by Ernst & Young, integrated into its SOC 2 report. This positions it ahead of many SMB tools for government contractors who need to demonstrate compliance with CUI handling requirements. That said, Dropbox does not hold FedRAMP authorization, and its standard infrastructure stores data on US-based servers without the isolation guarantees a CMMC assessor might expect. If your business handles CUI, verify that the Dropbox environment you are using falls within the scope of the NIST 800-171 validated controls, restrict sharing to internal users, and document your configuration decisions in your System Security Plan.

What You Should Do

Upgrade to Dropbox Business or Enterprise. Free and Plus plans lack admin controls, MFA enforcement, and audit logging required for any regulated data.

Enable SSO integration and enforce MFA for all users through your identity provider. Dropbox Business supports this through the admin console.

Restrict external sharing to approved domains. By default, any user can share links publicly, which is a data leak waiting to happen.

Disable permanent file deletion for non-admin users. This prevents accidental or malicious destruction of records you may be required to retain.

Review connected third-party apps quarterly. Each app with access to your Dropbox has its own security posture, and a compromised integration can expose your files.

Frequently Asked Questions

Is Dropbox HIPAA compliant?

Dropbox Business and Enterprise plans support HIPAA compliance. Dropbox will sign a BAA through the admin console, and its SOC 2 report includes a HIPAA/HITECH controls evaluation. However, free and personal accounts are not eligible for a BAA and cannot be used with PHI. Compliance also depends on your configuration: you must restrict sharing, enforce MFA, and disable permanent deletion.

Has Dropbox been breached?

Yes, multiple times. In 2012, a breach exposed 68 million user email addresses and hashed passwords, though the full scope was not publicly disclosed until 2016. In 2022, attackers phished Dropbox employees to access 130 GitHub repositories containing internal code, API keys, and employee and customer data. In 2024, the Dropbox Sign service was breached through a compromised service account, exposing emails, usernames, phone numbers, hashed passwords, and authentication data for all Sign users.

Does Dropbox use end-to-end encryption?

Not by default. Standard Dropbox accounts use AES-256 encryption at rest and TLS in transit, but Dropbox manages the encryption keys, meaning the company can technically access your file contents. End-to-end encryption is being developed for Business users following Dropbox's acquisition of Boxcryptor in 2022, but as of April 2026, it is not a default feature on most accounts.

Can Dropbox admins enforce MFA?

Yes, on Business and Enterprise plans. Admins can require MFA for all team members through the admin console or enforce it via SSO integration with an identity provider. This is a significant advantage over platforms like QuickBooks, where MFA cannot be enforced at the admin level.
