2/24/2018 S-1

administrators with control and visibility features that allow them to customize our platform to their organizations’ needs. Our information security policies and management framework are designed to build a culture of security, and we continually assess risks and improve the security, confidentiality, integrity, and availability of our systems. We voluntarily engage third-party security auditors to test our systems and controls at least annually against the most widely recognized security standards and regulations.

Our Dropbox Trust Program consists of key infrastructure processes such as change management, access control, security management, and human resource management. Our program also serves as an Information Security Management System, or ISMS, as prescribed by the International Organization for Standardization, or ISO, and the International Electrotechnical Commission 27001:2013 international information security standard. It also qualifies as a Business Continuity Management System, or BCMS, as prescribed by the ISO 22301:2012 international business continuity standard. The ISO has developed a series of standards for information security and related areas. We’ve received the following ISO certifications:

• ISO 27001 (Information Security Management)
• ISO 27017 (Cloud Security)
• ISO 27018 (Cloud Privacy and Data Protection)
• ISO 22301 (Business Continuity Management)

We’ve also completed a SOC 1, SOC 2, and SOC 3 examination. Service Organization Controls, or SOC, are standards established by the American Institute of Certified Public Accountants for reporting on internal control environments implemented within an organization. Our data center facilities and service providers also regularly undergo ISO 27001, SOC 1, and/or SOC 2 audits to verify their security practices.
The ISO 27001 security standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System within the context of the organization’s overall business risks. This standard addresses confidentiality, access control, vulnerability, and risk assessment.

In addition, we have CSA STAR Level 1 and Level 2 certifications from the Cloud Security Alliance, or CSA, a security assurance program for cloud services. CSA Security, Trust & Assurance Registry, or STAR, is a free, publicly accessible registry that offers a security assurance program for cloud services, helping users assess the security posture of cloud providers they currently use or are considering contracting with. CSA STAR Level 2 Certification requires a third-party independent assessment of our security controls based on the requirements of ISO 27001 and the CSA Cloud Controls Matrix, or CCM, v.3.0.1, a set of criteria that measures the capability levels of cloud services. The CSA STAR Level 1 Self-Assessment is a rigorous survey based on CSA’s Consensus Assessments Initiative Questionnaire, which aligns with the CCM, and provides answers to almost 300 questions a cloud customer or a cloud security auditor may ask.

We’re also listed in the UK Digital Marketplace for government cloud services procurement under the current framework, known as G-Cloud 9.

Dropbox supports HIPAA and HITECH compliance. We sign business associate agreements with our customers who require them in order to comply with the Health Insurance Portability and Accountability Act, or HIPAA, and the Health Information Technology for Economic and Clinical Health Act, or HITECH. We also offer a HIPAA assessment report performed by an independent third party.

Privacy

We’re committed to keeping user data private. Our privacy policy details how users’ information is protected and the steps we take to protect it.
Dropbox also has terms and guidelines for third-party developers to create applications that connect to Dropbox while respecting user privacy. Dropbox is certified under the EU-U.S. and Swiss-U.S. Privacy Shield and is working towards compliance with the EU General Data Protection Regulation, or GDPR, framework.

122

https://www.sec.gov/Archives/edgar/data/1467623/000119312518055809/d451946ds1.htm