EU Data Act Information

Updated Aug 19, 2025

In this article

Terms of Service Clauses

 

If the EU Data Act applies to your use of our Service, the following language will be incorporated into the Dropbox Terms of Service

 

  • You can export your exportable data and stop using our Services at any time to switch to a data processing service offered by a different provider or to an on-premises ICT infrastructure by using the HTTP endpoints and in-product tools described below, and cancelling your subscription and/or deleting your account. Please ensure you have successfully ported your data before deleting your account. Refunds for subscriptions are only issued if required by law
  • Dropbox will provide reasonable assistance to you and third parties authorised by you in the switching process, and support your exit strategy, by making available the HTTP endpoints and in-product tools described below. We’ll act with due care to maintain business continuity, and continue to provide the Services until termination of our agreement under the Terms. Our standard security measures will continue to apply. 
  • An exhaustive list of data and digital assets that can be exported can be found here. However, we have listed the ones most relevant for switching in the section below.
  • While Dropbox will act with due care to ensure continuity of the Services during a switch to a different provider, your data may be subject to deletion if you exceed your quota on our free Dropbox Basic plan. You will be notified before any data is deleted and provided options to avoid deletion so that you may complete the switching process.
  • When you delete your Dropbox account, we will initiate deletion of the files you store on our Services after 30 days. If you’re a user on a team, only your admin can disable your account and delete your files.

 

Find more information on how long we keep deleted files.

Find more information on how long we keep e-signed documents.

 

Mechanisms for porting data and digital assets during the switching process 

Dropbox makes the following HTTP endpoints available to support the switching process. A full list of endpoints can be found here.

 

User endpoints

file_properties

/templates/get_for_user

/templates/list_for_user
file_requests

/get

/list

/list/continue
files

/download

/download_zip

/export

/get_file_lock_batch

/get_metadata

/get_preview

/get_temporary_link

/get_thumbnail

/get_thumbnail_batch

/list_folder

/list_folder/continue

/list_revisions

/search

/search/continue

/tags/get
sharing

/get_file_metadata

/get_file_metadata/batch

/get_folder_metadata

/get_shared_link_file

/get_shared_link_metadata

/list_file_members

/list_file_members/batch

/list_file_members/continue

/list_folder_members

/list_folder_members/continue

/list_folders

/list_folders/continue

/list_mountable_folders

/list_mountable_folders/continue

/list_received_files

/list_received_files/continue

/list_shared_links
users

/get_account

/get_account_batch

/get_current_account

/get_space_usage

Team endpoints 

file_properties

/templates/get_for_team

/templates/list_for_team
team

/devices/list_member_devices

/devices/list_members_devices

/get_info

/groups/get_info

/groups/list

/groups/list/continue

/groups/members/list

/groups/members/list/continue

/legal_holds/list_held_revisions

/legal_holds/list_held_revisions_continue

/legal_holds/list_policies

/linked_apps/list_member_linked_apps

/linked_apps/list_members_linked_apps

/member_space_limits/excluded_users/list

/member_space_limits/excluded_users/list/continue

/member_space_limits/get_custom_quota

You can also download your content by following the steps outlined here

Applicable Jurisdictions and Measures taken by Dropbox to prevent non-EU governmental access to or transfer of data held in the Union

 

If you reside outside of the United States of America, Canada and Mexico (“North America”), the Services are provided by Dropbox International Unlimited Company, whose infrastructure is subject to the jurisdiction of the Republic of Ireland. If you reside in North America, the Services are provided by Dropbox, Inc., whose infrastructure is subject to the jurisdiction of the United States of America.

 

When transferring data from the European Union, the European Economic Area, the United Kingdom, and Switzerland, Dropbox has a number of technical, organizational, and contractual measures measures in place to prevent international government access to Dropbox user data, where such access would create a conflict with Union law or the national law of the relevant Member State.

 

 


Technical Measures

 

Dropbox diligently maintains the security of our back-end network. Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We employ industry-standard protection techniques, including firewalls, network vulnerability scanning, network security monitoring, and intrusion detection systems to ensure only eligible and non-malicious traffic is able to reach our infrastructure. 

 

Our internal private network is segmented according to use and risk level. The primary networks are: 

  • Internet-facing DMZ 
  • Priority infrastructure DMZ 
  • Production network 
  • Corporate network 
  • Dropbox services and applications are isolated via containers when possible

 

Access to the production environment is restricted to authorized IP addresses and requires multi-factor authentication on all endpoints. IP addresses with access are associated with the corporate network or approved Dropbox personnel. Authorized IP addresses are reviewed on a quarterly basis to ensure a secure production environment. Access to modify the IP address list is restricted to authorized individuals. 

 

Traffic from the internet destined to our production network is protected using multiple layers of firewalls and proxies. 

 

Strict limitation is maintained between the internal Dropbox network and the public internet. Internet-bound traffic to and from the production network is carefully controlled through a dedicated proxy service and this, in turn, is protected by restrictive firewall rules.

 

 


Organization and Contractual Measures

 

Dropbox complies with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks, as well as the UK Extension to the EU-U.S. Data Privacy Framework, as set forth by the U.S. Department of Commerce regarding the processing of personal data transferred from the European Union, the European Economic Area, the United Kingdom, and Switzerland to the United States. Dropbox has certified to the U.S. Department of Commerce that it adheres to these Data Privacy Frameworks with respect to such data, but this does not include the FormSwift portion of the Services.  If there is any conflict between Dropbox’s Privacy Policy and the Data Privacy

Framework Principles, the Principles shall govern. In accordance with the Principles, Dropbox shall

remain liable for onward transfers if a processor processes personal data in a manner inconsistent

with the Principles.

 

To learn more about the Data Privacy Framework, and to view Dropbox’s certification, visit https://www.dataprivacyframework.gov/.

Was this article helpful?

Let us know how why it didn't help:

Thanks for letting us know!

Thanks for your feedback!

Related Articles

Digital Services Act (DSA) Information

Dropbox and FDA 21 CFR Part 11: an overview

Dropbox and HIPAA/HITECH

How will PSD2 affect my Dropbox account?

Community answers

Other ways to get help

Icon depicting two people
Community
Twitter Icon
X
Icon depicting a speech bubble
Contact support