MASHINIi

Dropbox, Inc.

DBX.US | Data processing, hosting and related activities

Dropbox, Inc. provides a global collaboration platform. The company's platform allows users to store and share files, collaborate on content, and manage digital workflows. It offers various plans, including Basic, Plus, Family, Professional, and Business, catering to individual users, families, and ...

Ethical Profile

Mixed.

Dropbox's ethical profile is mixed. In April 2024, its Dropbox Sign service experienced a data breach that exposed sensitive customer information including emails, hashed passwords, and API keys. The company responded by resetting passwords and notifying regulators. On the positive side, Dropbox has paid over $1,000,000 through its bug bounty program, implements automated encryption, and holds multiple ISO certifications. For environmental efforts, Dropbox achieved 100% renewable electricity for data center storage server power in 2021, reducing its data center carbon footprint by 15% in 1.5 years. It aims for carbon neutrality by 2030, a goal validated by SBTi, reportedly placing it above 94% of industry peers.

Value Scores

(Scale: -100 to 100)
Better Health for All: 0
Fair Money & Economic Opportunity: 0
Fair Pay & Worker Respect: 30
Fair Trade & Ethical Sourcing: -20
Honest & Fair Business: 0
Kind to Animals: 0
No War, No Weapons: -40
Planet-Friendly Business: -20
Respect for Cultures & Communities: 0
Safe & Smart Tech: -10
Zero Waste & Sustainable Products: -40

Better Health for All

0

Dropbox demonstrates strong healthcare data responsibility, being GDPR-compliant and adhering to the EU Cloud Code of Conduct for Dropbox Business.[1] The company is certified with ISO 27001, ISO 27701, ISO 27017, ISO 27018, and ISO 22301, and complies with the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework.[2] Dropbox also offers HIPAA/HITECH compliance support for its Business and Business Plus Plans, including Business Associate Agreements (BAAs) for US-based customers with team accounts, and provides a SOC 2 examination evaluating controls for HIPAA/HITECH rules.[3] However, third-party apps are not covered by the BAA.[4] For risk transparency, Dropbox has an AI Transparency Resource Center for its Dash features and publishes biannual transparency reports on government data requests.[5] The Dropbox Trust Center was updated in 2024, serving as a central hub for security insights and compliance certifications.[6] Regarding mental health, Dropbox offers coaching and therapy options through Modern Health, which achieved 49% global registration and 40% utilization among Dropbox's workforce over two years.[7] The company also provides a $7,000 annual stipend for wellness and other priorities, complementing mental health support.[8]

Fair Money & Economic Opportunity

0

Dropbox, Inc. operates as a global collaboration platform, providing file storage, sharing, and productivity tools through subscription fees.[1] The company does not offer lending, deposit, or other traditional financial services to consumers.[2]
Therefore, all KPIs related to financial products, such as underserved client share, pricing fairness, exploitative fee exposure, inclusion initiatives (loan/insurance book), customer finance data accessibility, fair lending compliance, wealth building outcomes, profit reinvestment in community finance, financial literacy initiatives, debt burden ratio, geographic inclusion (banking deserts), and product simplicity (financial products), are not applicable to its core business model. The rubric's '0' tier for these KPIs explicitly states that they are not applicable if the firm does not offer lending or deposit services, or if its core business lies outside finance, or if no customer finance data is generated. As Dropbox does not engage in these activities, these KPIs cannot be scored based on the provided rubric and evidence.

Fair Pay & Worker Respect

30

In 2024, Dropbox's CEO to median employee pay ratio was 7:1.[1] However, there is no evidence provided regarding employee equity participation or broad employee equity programs, which are qualitative requirements for positive scores in this KPI. Therefore, it defaults to 0. Employee engagement scores increased by 12% from 2020-2022, reaching record-high positive scores.[2] In 2022, 91% of employees responded to the Soapbox survey, and in 2024, 89% of employees responded to engagement surveys.[3] After implementing a virtual-first strategy, the company's attrition rate fell to the lowest in company history, though specific numbers are not provided.[4] Dropbox provides comprehensive benefits for its US employees, including medical, dental, and vision plans, retirement planning, 401k programs, life and disability coverage, and coaching and therapy options through Modern Health.[5]

Fair Trade & Ethical Sourcing

-20

Dropbox, as a software and platform company, does not procure or trade physical commodities, making fair trade certifications and materials risk indices not applicable to its core business model.[1] The company includes a Supplier Code of Conduct in agreements with suppliers, and specific clauses on modern slavery are part of template supplier agreements.[2] However, there is no evidence of the percentage of suppliers whose contracts actually include these enforceable ethical-sourcing clauses.[3]

Honest & Fair Business

0

Dropbox has a Whistleblower Policy with an anonymous third-party hotline (EQS IntegrityLine) overseen by the Audit Committee.[1] Annual training on the Code of Conduct, Information Security, and Privacy was completed by 98% of full-time employees in 2024.[2] The company's ESG controversy score from Sustainalytics is 0.7, which is in the top 10% of scores, being significantly lower than the category average of 2.0.[3] As of the 2025 Annual Stockholder Meeting, seven out of eight directors qualify as independent, representing 87.5% of the board.[4] Dropbox has an Anti-Corruption and Anti-Bribery Policy, including compliance with the Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act, and became a signatory to the United Nations Global Compact (UNGC) on anti-corruption in 2021.[5] The company is certified for SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27701, ISO 27017, ISO 27018, ISO 22301, NIST SP 800-171 R2, EU-US Data Privacy Framework, UK Extension, Swiss-US Data Privacy Framework, and GDPR compliance.[6] Ernst & Young LLP performed an independent review of select corporate responsibility metrics, including Scope 1, Scope 2, and Scope 3 Category 6 greenhouse gas (GHG) emissions.[7]

Kind to Animals

0

Dropbox, Inc. operates as a service-oriented company, providing a global collaboration platform. Its business model does not involve the production of physical goods, animal-derived ingredients, animal testing, animal husbandry, or direct impact on wildlife habitats. Therefore, all KPIs related to animal welfare, such as cruelty-free certification, alternative testing methods, humane certifications for operations, ethical input substitution, animal-related supplier audits, cage-free sourcing, animal testing policies and volume, innovation investment in animal-free technologies, animal agriculture ethics, and animal welfare policy engagement, are not applicable to its operations.

No War, No Weapons

-40

Dropbox, a software company, has no defense or arms-related activities in its core business. The Dropbox Foundation, established in 2018, has donated $7.8 million to human rights organizations since its inception.[1] In 2024, the company and its employees donated over $1.2 million to charities and volunteered over 3,600 hours.[2] The Nominating and Governance Committee of the board of directors oversees corporate responsibility activities, including compliance and associated risks.[3] Dropbox publishes biannual transparency reports detailing government data requests.[4] The company requires annual modern slavery training for relevant employees and procurement teams.[5] Dropbox is a signatory of the United Nations Global Compact, and its Code of Business Conduct & Ethics states a commitment to human rights and ethical working conditions.[6] The Supplier Code of Conduct requires suppliers to uphold the highest ethical standards and prohibits modern slavery, but does not codify specific red lines against weapons or conflict engagement.[7] In 2024, 98% of full-time employees completed Code of Conduct, information security, and privacy trainings.[8] The company does not have mineral inputs in its products or services.

Planet-Friendly Business

-20

Dropbox has committed to achieving carbon neutrality across all Scope 1, 2, and 3 emissions by 2030.[1] The company's climate commitments have been validated by the Science Based Targets initiative (SBTi), with a 42% Scope 1 and 2 emissions reduction target by 2030 from a 2020 baseline.[2] Dropbox achieved 100% renewable electricity for data center storage server power in 2021.[3] The company aims to source 100% renewable energy for all operations, including data centers, by 2030.[4] In 2020, Dropbox's Power Usage Effectiveness (PUE) was 17% below the industry average.[5]

Respect for Cultures & Communities

0

No specific, quantifiable evidence was found in the provided articles to assess Dropbox (DBX.US) against any of the KPIs for 'Respect for Cultures & Communities'. The articles discuss internal diversity and inclusion initiatives, general employee volunteerism, and the work of the Dropbox Foundation's partners, but do not provide data on formal partnerships with indigenous or local community groups, revenue reinvested in local development, cultural appropriation incidents, cultural impact assessment protocols, local employment ratios, community grievance mechanisms, FPIC participation, community governance inclusion, cultural preservation investment, local procurement, indigenous supplier engagement, cultural site protection, social license operations, charitable giving to cultural heritage, community fund allocation, language inclusivity scores, cultural incident response, or cultural sensitivity training completion rates.[1]

Safe & Smart Tech

-10

Dropbox experienced a cybersecurity breach impacting Dropbox Sign in April 2024, where unauthorized access to its production environment exposed emails, usernames, phone numbers, hashed passwords, API keys, OAuth tokens, and multi-factor authentication data for all Dropbox Sign users and individuals who interacted with the service.[1] The company detected the breach on April 24, 2024, and publicly disclosed it on May 1, 2024, subsequently resetting user passwords, logging users out of connected devices, and rotating API keys and OAuth tokens.[2] This incident was isolated to Dropbox Sign infrastructure.[3] The company also reported an error in a third-party anti-malware service that resulted in URLs being made available to other subscribers.[4]

Dropbox has established AI Principles, committing to fairness, transparency, and not using AI to sell customer data or build generative AI models without consent.[5] They launched Dash for Business, an AI-powered search tool, in 2024 and provide an AI Transparency Resource Center.[6] The company states it will strive to limit bias in AI technologies and continuously seeks feedback.[7]

Dropbox holds numerous certifications, including ISO 27001, 27017, 27018, 22301, 27701, SOC 1, SOC 2, SOC 3, CSA STAR Level 2, and NIST SP 800-171 R2.[8] They comply with GDPR, CCPA, EU-U.S. Data Privacy Framework, and the EU Cloud Code of Conduct (Level 2 Compliance Mark).[9] Dropbox also supports HIPAA/HITECH, FERPA, COPPA, and PCI DSS compliance.[10] All full-time employees are required to complete annual digital training on the Code of Conduct, information security, and privacy, with 98% completion in 2024.[11] Information security and privacy policies are reviewed annually.[12]

Files at rest are encrypted using 256-bit AES, and data in transit uses SSL/TLS with 128-bit or higher AES encryption.[13] Advanced key management and end-to-end encryption are available as extra layers of security, with end-to-end encryption launched for team folders in 2024.[14] Dropbox offers two-factor authentication, but MFA details, API keys, and OAuth tokens were compromised in the Dropbox Sign breach.[15]

The company has a vulnerability management program and encourages independent research through its bug bounty program, which has paid out over $1,000,000.[16] The program offers bounties up to $15,000, with average first response times of less than 3 days and triage within 4 days.[17] Dropbox regularly tests its applications and infrastructure for security vulnerabilities, engaging third-party security auditors annually for penetration testing and red team exercises.[18] A Privacy settings tab was added to every account in 2024, and team administrators have controls over sharing and content deletion.[19] Dropbox resists blanket and overly broad government data requests and advocates for the right to provide more information about such requests.[20]

Zero Waste & Sustainable Products

-40

In 2024, Dropbox achieved a waste diversion rate of 51.49%, diverting 208 short tons of waste from landfill through composting and recycling out of a total of 404 short tons.[1] The company implements several waste reduction initiatives, including using a leading refurbishment and recycling partner for decommissioned IT equipment, prioritizing hardware repair to extend lifespan, reselling equipment, and repurposing or recycling parts.[2] Dropbox also focuses on data center efficiency by transitioning to purpose-built platforms, minimizing over-provisioning, improving hardware utilization, and deploying Deep Sleep technology.[3] For hazardous waste, Dropbox uses a third-party vendor for responsible disposal of IT equipment and has reported no waste disposal violations in the past three years (2022-2024).[4] The company conducts annual waste audits for all facilities, as evidenced by yearly data reporting for total waste, IT waste, general facility waste, composted, recycled, and landfilled waste.[5] Dropbox demonstrates material efficiency by operating its data centers at 17% below the industry average for Power Usage Effectiveness (PUE) by 2020, and has reduced its data center carbon footprint by 15% in the last 1.5 years.[6] The company has a company-wide waste reduction target to achieve 100% carbon neutrality for the direct power consumption of its storage platform.[7]

AI-generated analysis based on publicly available data. Not financial advice. Ratings are expressions of opinion derived from automated models and may contain inaccuracies. See our Risk Disclosure for full details.