Executive Summary
AI-generated analysis for Dropbox
Dropbox (dropbox.com) is a publicly traded, established cloud storage and collaboration platform operating as DROPBOX, INC. (LEI: 549300JCDF7UAR6TJR51, incorporated in Delaware), assessed at Risk Tier 3 (Moderate Risk) with a 94% confidence score. Dropbox is a mature, well-known vendor with a 30-year domain history and a comprehensive published compliance posture. Positive signals identified during this investigation include:
Key Findings
- Clean sanctions and watchlist screening with no OFAC, EU, or UN matches
- A minimal infrastructure footprint of only 2 open ports (80, 443) with zero known CVEs — well below the SaaS industry average of 8–12 open ports, representing a tightly controlled attack surface
- Clean IP reputation (0% abuse score), a clean status from the malware detection service, and a zero threat score on website security scanning
- An HTTP security grade of B- (65/100) from the HTTP security scanner, indicating that most security controls are in place
- An active, dedicated trust portal at trust.dropbox.com with a broad compliance portfolio claimed, including SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, ISO 27701, PCI DSS, HIPAA, GDPR, CCPA, and CSA STAR Level 2
- No current adverse media signals in the past 12 months; no SEC enforcement filings
- The trust portal is powered by Drata, indicating structured compliance program management

Areas requiring attention before approval include the following:
- The current TLS certificate for dropbox.com expires in approximately 24 days, creating an imminent availability and trust risk if not renewed
- All 10 compliance certifications are vendor-attested only — none could be independently verified through a public registry during this investigation; actual audit reports should be requested
- Historical breach media coverage spanning 2011–2024 documents multiple security incidents, with the most recent in May 2024 involving unauthorized access to passwords and phone numbers via the Dropbox Sign product; this pattern warrants scrutiny of current incident response maturity
- Dropbox's AI data usage policy does not clearly state whether customer data is used for model training, which is a material concern for organizations storing sensitive files
- The OTX threat intelligence pulse count of 50 is attributable to Dropbox's status as a large, high-traffic file-sharing platform commonly abused by threat actors in phishing and malware delivery campaigns — this is consistent with infrastructure of this scale and does not reflect a direct risk posture of the vendor itself

Overall, Dropbox presents a moderate risk posture appropriate for a conditional engagement. The vendor's compliance breadth is notable but requires verification through direct report procurement, and the imminent certificate expiry and unclear AI training practices must be resolved before the relationship is finalized.
Independence Statement
All evidence cited in this report was independently sourced from external data registries, public threat intelligence databases, certificate transparency logs, DNS infrastructure analysis, and archived media without participation, input, or review by Dropbox or any of its representatives.