Terms of Service for Dropbox Business, Plus, Essentials, Standard, Advanced, and Enterprise Plans
The Dropbox Business Agreement is a comprehensive legal document governing the use of Dropbox's business-oriented services, including file storage, sharing, collaboration tools, and related features. It details customer obligations, Dropbox's rights and responsibilities as a service provider and data processor, payment terms, intellectual property rights, data protection commitments under a linked Data Processing Addendum (DPA), limitations of liability, termination procedures, and dispute resolution via arbitration. Key emphases include customer ownership of uploaded content, restrictions on Dropbox's access to content except for service delivery and legal compliance, robust security measures, and compliance with applicable laws like GDPR and CCPA. The agreement references additional policies such as the Acceptable Use Policy and Privacy Policy.
Disputes must be resolved through binding arbitration, limiting class actions and court access (Section 15).
Dropbox may modify features or discontinue services with notice, potentially affecting workflows (Section 7).
Relies on third-party subprocessors for data processing, listed in DPA but subject to change.
Customers retain full ownership and IP rights to their content; Dropbox claims no ownership (Section 4).
Includes a DPA ensuring GDPR/CCPA compliance, with security obligations and subprocessor transparency.
Explicitly states no scanning of user content for advertising purposes.
Spotify collects the following categories of personal data. High Risk categories are used for advertising profiling or involve sensitive personal information.
Email, payment info, usage logs, device info for account management.
File names, sizes, access logs, sharing details (not content).
IP-derived approximate location for security and compliance.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
Data used to provide storage, sync, sharing, and collaboration features.
Analyzed for malware scanning, spam detection, and service integrity.
Aggregated anonymized data used for service analytics and enhancements.
Spotify shares data with several categories of third parties. Sharing with advertising partners is extensive and represents the primary commercial use of your behavioral data.
Subprocessors for hosting, analytics (e.g., AWS, Google Cloud), listed in DPA.
Data shared within Dropbox group for service provision.
Disclosed to law enforcement or as required by law.
No sharing with ad networks; no selling of personal data.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Right to access, download, and export data at any time via account controls.
Ability to delete files/folders or terminate account, triggering data deletion per retention policy.
Processes GDPR/CCPA requests via privacy portal, but business admins control team data.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
Retained as long as account is active or needed for service.
Deleted user data removed within 30 days, except backups up to 90 days.
Billing records and audit logs retained for 7 years for legal/compliance.
Security & Transparency
Files encrypted at rest (AES-256) and in transit (TLS 1.2+).
Notifies customers without undue delay per DPA.
SOC 2 Type II, ISO 27001, HIPAA BAA available, regular audits.
Admin controls, MFA, SSO, device management.
Source Text
Customers own their content; grant Dropbox limited license for service operation.
Interpretation
Strong protection of user IP; Dropbox cannot use content for other purposes.
Source Text
Dropbox acts as processor; bound by DPA with security measures.
Interpretation
Ensures compliance with privacy laws; customer remains controller.
Source Text
Binding arbitration in San Francisco; no class actions.
Interpretation
Limits litigation options, favoring Dropbox in disputes.
Source Text
Data available for 30 days post-termination for export.
Interpretation
Generous export window protects user access.
Source Text
User-integrated apps may access content per user permissions.
Interpretation
Risk from user actions, but controlled by admin settings.
You (the customer) retain full ownership and intellectual property rights to your content. Dropbox does not claim ownership.