// Trust & Security Report
Dropbox, Inc. (operating as DocSend from Dropbox)
Secure document sharing, tracking, analytics, and virtual data rooms for fundraising, M&A, and deal management
Certifications held
3
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.dropbox.com“Dropbox DocSend SOC 2 [report for] the period of October 1, 2024 through September 30, 2025 are now available for download in the Trust Center.”
Verify on docsend.com“This Addendum is intended to satisfy the requirements of the CCPA and Article 28(3) of the GDPR and is incorporated into the Agreement and is applicable to the provision of the Services if DocSend processes Customer Personal Data that is subject to the CCPA or the GDPR.”
Verify on docsend.com“This Addendum is intended to satisfy the requirements of the CCPA and Article 28(3) of the GDPR and is incorporated into the Agreement and is applicable to the provision of the Services if DocSend processes Customer Personal Data that is subject to the CCPA or the GDPR.”
> Show 11 unconfirmed / not-held certifications
source: assets.dropbox.comDropbox Audited Features matrix (posted April 30, 2026) lists DocSend SOC 3 = No. A Dropbox DocSend SOC 3 report was published for the Oct 2024-Sep 2025 period but the current scope matrix does not include DocSend under SOC 3.
source: assets.dropbox.comAudited Features matrix (posted April 30, 2026): DocSend row shows ISO 27001 = No. ISO 27001 certificates are held by Dropbox for Teams, Dropbox Sign, and Dropbox Dash; DocSend is explicitly excluded.
source: assets.dropbox.comAudited Features matrix (posted April 30, 2026): DocSend row shows ISO 27017 = No.
source: assets.dropbox.comAudited Features matrix (posted April 30, 2026): DocSend row shows ISO 27018 = No.
source: assets.dropbox.comAudited Features matrix (posted April 30, 2026): DocSend row shows ISO 27701 = No.
source: assets.dropbox.comAudited Features matrix (posted April 30, 2026): DocSend row shows ISO 22301 = No.
source: assets.dropbox.comAudited Features matrix (posted April 30, 2026): DocSend row shows HIPAA Support = No. Note: Dropbox for Teams supports HIPAA BAAs, but DocSend is explicitly excluded from HIPAA coverage.
source: assets.dropbox.comNo public evidence of PCI DSS certification scoped to DocSend. PCI DSS appears on the Dropbox for Teams Trust Center but the Audited Features matrix does not list DocSend under any PCI DSS column.
source: assets.dropbox.comAudited Features matrix (posted April 30, 2026): DocSend row shows CSA STAR C/A = No.
source: trust.dropbox.comNo public evidence of FedRAMP authorization for DocSend. FedRAMP is not listed on the Dropbox Trust Center or Audited Features matrix for any Dropbox product.
source: trust.dropbox.comNo public evidence of ISO 42001 certification for DocSend or Dropbox. Not listed on the Dropbox Trust Center compliance page.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
US-primary; no contractual data residency options. Audited Features matrix (April 2026) lists Data Residency = No for DocSend. The DPA states DocSend may transfer Customer Data to locations other than the customer's country. Sub-processors listed at https://www.dropbox.com/privacy/subprocessor/docsend.
DocSend is a document sharing and analytics platform. No public evidence indicates DocSend trains AI models on customer data. The Dropbox parent company's AI Transparency documentation on the trust center relates to Dropbox Dash (a separate product with AI-powered search and summarization). DocSend itself has no disclosed AI features. The DPA and privacy policy contain no language about AI model training on customer content.
// Security controls
Encryption in transit
TLS encryption for all web-based document sharing; DPA references encryption as a mandatory technical and organizational measure
docsend.comEncryption at rest
DPA references encryption measures to protect Customer Personal Data; specific algorithm/key length not publicly disclosed for DocSend
docsend.comMulti-Factor Authentication
MFA listed as a Product Security feature in the Dropbox Trust Center filtered for DocSend
trust.dropbox.comAudit trail
Audit Trail listed as a Product Security feature; DocSend provides per-document and per-viewer access logs, page-level analytics, and notification on every view
trust.dropbox.comDynamic Watermarking
Dynamic watermarking is a native security feature of DocSend, applying viewer-identifying watermarks to documents to deter unauthorized sharing
docsend.comBug Bounty
Dropbox Bug Bounty Program migrated to Intigriti; Vulnerability Disclosure Program (VDP) also active. Covers Dropbox products including DocSend.
trust.dropbox.comData residency
No contractual data residency options for DocSend. Data Residency = No per Audited Features matrix (April 30, 2026).
assets.dropbox.comIntegrations security
Integrations listed as a Product Security feature in the Dropbox Trust Center for DocSend
trust.dropbox.com// Products & data scope
data: Uploaded documents, viewer email addresses, page-level engagement metrics, link visit timestamps
Individual plan for founders and professionals. Basic link-based document sharing with open/view tracking. No VDR or eSignature at this tier.
data: Documents, viewer PII, NDA agreement data, eSignature data, group permission configurations
Team and business plans. Adds group permissions, dynamic watermarking, virtual data rooms (VDRs), built-in NDAs, and eSignature. SOC 2 coverage applies. Primary enterprise compliance tier.
data: Sensitive deal documents, permission-controlled access, NDA agreements, due diligence files, audit trail data
Enterprise feature for M&A, fundraising, and compliance workflows. Includes built-in NDAs, advanced permissioning, granular access control, and detailed audit trails. HIPAA is NOT covered (per audited features matrix).
// What to watch
- DocSend's ONLY current independent audit certification is SOC 2 Type II. All other certs visible on the Dropbox Trust Center (ISO 27001, HIPAA, CSA STAR Level 2, PCI DSS, etc.) are explicitly scoped to Dropbox for Teams and do NOT cover DocSend, per the Dropbox Audited Features matrix posted April 30, 2026.
- Parent Dropbox, Inc. holds extensive certifications but these are NOT inherited by DocSend unless explicitly listed in the Audited Features matrix.
- A Dropbox DocSend SOC 3 report was published for Oct 2024-Sep 2025, but the April 2026 Audited Features matrix lists DocSend SOC 3 = No, indicating a scope reduction in the current audit cycle.
- HIPAA: No BAA available for DocSend. Organizations with HIPAA obligations must NOT use DocSend for PHI without separate legal review.
- No data residency options: customer data may reside in or be transferred to non-EU jurisdictions. No contractual guarantee of EU data storage.
- DocSend is not an AI product. No evidence of customer content being used for AI model training. AI Transparency section on the trust center applies to Dropbox Dash only.
- GDPR compliance is contractual (via DPA) only; DocSend does not hold a GDPR certification such as ISO 27701 or EU Cloud COC.
- Sub-processor list is published at https://www.dropbox.com/privacy/subprocessor/docsend
// At a glance
Pricing model
Subscription SaaS with tiered monthly/annual plans (Personal, Standard, Advanced); Enterprise pricing via sales contact; no public per-seat pricing for Enterprise
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Dropbox, Inc. (operating as DocSend from Dropbox)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.dropbox.com