2026-05-08 · 14 min read

Dropbox EU Alternative 2026: The CLOUD Act File Storage Risk — What EU Teams Use Instead

Post #911 in the sota.io EU Cyber Compliance Series

Dropbox has been a fixture of European business since its launch in 2008. With over 700 million registered users and more than 17 million paying subscribers, it is the default file synchronisation tool for millions of EU professionals, SMEs, and enterprise teams. Its combination of desktop sync, mobile access, shared workspaces, Dropbox Paper for collaborative documents, and Dropbox Sign for electronic signatures has made it a multi-function platform that processes substantially more personal data than most EU compliance teams have documented.

The jurisdictional problem with Dropbox is straightforward but often misunderstood. Dropbox, Inc. is a Delaware corporation headquartered in San Francisco, California. It is publicly traded on NASDAQ under the ticker DBX. This corporate structure makes Dropbox subject to the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which enables US federal law enforcement and intelligence agencies to compel US-based companies to produce data stored anywhere in the world — including data stored on servers physically located in the European Union.

Dropbox offers EU data residency options for some of its Business and Business Plus plans. Many EU procurement teams treat EU data residency as a GDPR compliance solution for Dropbox. It is not. Data residency determines where your data is physically stored. The CLOUD Act operates independently of data location: what matters is who controls the data. Because Dropbox, Inc. is a US company and controls the encryption keys, EU data residency does not prevent US law enforcement from issuing a valid legal demand to Dropbox's US headquarters requiring production of that data without notifying the EU data subject or involving EU courts.


Dropbox's Corporate Structure: Delaware, NASDAQ, and What It Means

Dropbox, Inc. was incorporated in Delaware in 2007 and completed its initial public offering on NASDAQ in March 2018. Its Delaware incorporation is not a technical detail — it is the legal foundation for US jurisdiction over the company and its data.

The Delaware Court of Chancery and US federal courts have jurisdiction over Dropbox, Inc. as a Delaware corporation. US federal law enforcement can serve Dropbox with legal process — subpoenas, National Security Letters, FISA court orders, and CLOUD Act demands — that require Dropbox to produce data and, in many cases, prohibit Dropbox from disclosing the existence of the demand to the customer whose data was produced. EU customers whose files are stored in Dropbox have no mechanism to challenge such demands before EU courts because the legal process is entirely within the US legal system.

Dropbox's NASDAQ listing adds SEC regulatory exposure. NASDAQ-listed companies are subject to SEC disclosure and reporting requirements. In enforcement contexts, SEC investigations can compel production of documents and data from Dropbox. For EU customers whose business data — financial records, customer contracts, deal pipeline documents — is stored in Dropbox, SEC disclosure requirements represent an additional vector for US regulatory access to that data.

Dropbox, Inc. operates European infrastructure through its subsidiary Dropbox International Unlimited Company, incorporated in Ireland. Irish incorporation is a common structure for US technology companies operating in the EU, and it facilitates EU regulatory engagement and some GDPR compliance activities. However, Dropbox International Unlimited Company is a subsidiary of Dropbox, Inc.: it operates under the direction and control of the US parent, and data controlled by the Irish subsidiary remains within the reach of CLOUD Act demands served on the US parent.


The CLOUD Act: What EU IT Managers Need to Know

The Clarifying Lawful Overseas Use of Data Act was signed into US law in March 2018 — the same month Dropbox completed its NASDAQ IPO. The CLOUD Act amended the Stored Communications Act to clarify that US law enforcement can compel US companies to produce electronic data regardless of where the data is stored.

Before the CLOUD Act, there was litigation over whether the US government could compel Microsoft to produce data stored in its Dublin, Ireland datacentre under a warrant issued under the 1986 Stored Communications Act. The CLOUD Act resolved this question definitively: yes, a US company can be compelled to produce data stored in EU datacentres. The location of the data is legally irrelevant; what matters is the nationality of the company that controls it.

For Dropbox specifically, the implications are:

Federal law enforcement access. The US Department of Justice, FBI, and other federal agencies can issue legal demands to Dropbox requiring production of customer files, folder structures, file metadata, sharing activity, and account information. These demands can be issued without involvement of EU courts, EU data protection authorities, or EU member state governments.

National Security Letters. The FBI can issue National Security Letters to Dropbox requiring production of certain categories of account information with a non-disclosure requirement that prevents Dropbox from notifying the affected customer. NSLs do not require judicial approval.

FISA court orders. The Foreign Intelligence Surveillance Court can issue orders requiring Dropbox to produce communications and stored data, with non-disclosure requirements and no notification to affected parties.

Intelligence sharing. Data produced to US intelligence agencies under FISA or other intelligence authorities may be shared with Five Eyes intelligence partners (UK, Canada, Australia, New Zealand) under UKUSA Agreement intelligence sharing arrangements.

Dropbox publishes a transparency report listing the number of legal demands it receives annually. The existence of a transparency report does not provide EU customers with notification when their specific data is the subject of a demand, because many demands include non-disclosure requirements.


EU Data Residency: What It Does — and Does Not — Fix

Dropbox offers EU data residency for subscribers to its Business, Business Plus, and Enterprise plans. Under EU data residency, Dropbox stores customer file content in EU-located datacentres — currently operated through Amazon Web Services EU regions.

EU data residency addresses one GDPR concern: it ensures that file content is not routinely transmitted to US servers for storage. This reduces the volume of data flowing across the Atlantic in standard operations. For Chapter V transfer assessments under GDPR, EU data residency is one element of a compliance strategy, not a complete solution.

EU data residency does not fix the CLOUD Act problem for three reasons:

First, Dropbox controls the encryption keys. Dropbox encrypts data at rest using AES-256 encryption, but Dropbox holds the encryption keys. This means that Dropbox — and therefore US authorities with valid legal demands — can access the plaintext content of files stored in EU datacentres. If Dropbox used zero-knowledge encryption where the customer holds the keys, US law enforcement could still compel production of the encrypted data, but could not compel Dropbox to decrypt it. Dropbox does not offer zero-knowledge encryption for standard Business subscribers.

Second, metadata is processed in US systems. Even with EU data residency enabled, file metadata — filenames, folder structures, sharing relationships, access logs, collaboration activity — is processed by Dropbox's global infrastructure, which includes US-based systems. Metadata can be as sensitive as content: folder names reveal project identities, sharing logs reveal business relationships, and access timestamps reveal working patterns.

Third, the CLOUD Act applies to the company, not the server. A CLOUD Act demand is served on Dropbox, Inc. and requires it to produce data that is in its custody, possession, or control. Data physically stored in EU AWS regions remains in Dropbox's custody and control. EU data residency does not transfer legal custody of the data to an EU entity outside US jurisdiction.
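The first two reasons above come down to key custody and metadata, and both are easiest to see in code. The following Go program is an added illustration written for this article, not code from Dropbox, Tresorit or any other provider named here. It models a storage service twice with standard-library AES-256-GCM: once where the service encrypts at rest with a key it keeps (the model the article attributes to Dropbox), and once where the customer encrypts on the device and the service never receives a key. The `Provider` and `StoredObject` types, the `ProduceUnderDemand` method and the sample HR file are all constructed for the example; the only assumption about real services is the one the article makes, that whoever holds the content key can produce plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is one file as the provider holds it. Path and size stay in
// the clear in both models: metadata exposure does not depend on key custody.
type StoredObject struct {
	Path       string
	SizeBytes  int
	Ciphertext []byte // nonce || AES-256-GCM output
}

// Provider models a cloud file service. KeyHeld is set when the service
// encrypts at rest with its own key, and nil in the zero-knowledge model.
type Provider struct {
	KeyHeld []byte
	Objects []StoredObject
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this model is 32 bytes, so this is a bug
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for the AES block size
	return gcm
}

// seal encrypts with AES-256-GCM and prefixes the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; it fails on a wrong key or a tampered ciphertext.
func unseal(key, data []byte) ([]byte, error) {
	gcm := mustGCM(key)
	n := gcm.NonceSize()
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:n], data[n:], nil)
}

// Upload stores one file. With clientKey == nil the customer sends plaintext and
// the provider encrypts it with KeyHeld; otherwise the customer encrypts on the
// device and only ciphertext plus path and size ever reach the provider.
func (p *Provider) Upload(path string, plaintext, clientKey []byte) error {
	key := clientKey
	if key == nil {
		if p.KeyHeld == nil {
			return errors.New("zero-knowledge provider has no key: customer must encrypt")
		}
		key = p.KeyHeld
	}
	p.Objects = append(p.Objects, StoredObject{Path: path, SizeBytes: len(plaintext), Ciphertext: seal(key, plaintext)})
	return nil
}

// ProduceUnderDemand is what the provider can hand over for object i when
// compelled: plaintext if it holds the key, ciphertext only if it does not.
func (p *Provider) ProduceUnderDemand(i int) (content []byte, isPlaintext bool, err error) {
	obj := p.Objects[i]
	if p.KeyHeld == nil {
		return obj.Ciphertext, false, nil
	}
	pt, e := unseal(p.KeyHeld, obj.Ciphertext)
	return pt, e == nil, e
}

func main() {
	doc := []byte("employee,salary\nA. Example,52000\n") // constructed sample HR record
	held := &Provider{KeyHeld: randomBytes(32)}        // model 1: provider-held key
	_ = held.Upload("HR/salaries-2026.csv", doc, nil)
	c, plain, _ := held.ProduceUnderDemand(0)
	fmt.Printf("provider-held key: plaintext=%v produced=%q\n", plain, c)
	zk, customerKey := &Provider{}, randomBytes(32) // model 2: key never leaves the customer
	_ = zk.Upload("HR/salaries-2026.csv", doc, customerKey)
	c, plain, _ = zk.ProduceUnderDemand(0)
	back, _ := unseal(customerKey, c)
	fmt.Printf("client-held key: plaintext=%v (%d ciphertext bytes); customer still decrypts: %v\n", plain, len(c), string(back) == string(doc))
	fmt.Printf("metadata visible to both: %s (%d bytes)\n", zk.Objects[0].Path, zk.Objects[0].SizeBytes)
}
```

Run it with `go run` and the two printed lines show the asymmetry: the provider that holds the key returns the CSV content verbatim, while the zero-knowledge provider can only return authenticated ciphertext that the customer's own key still opens. The last line shows what neither model hides: the folder path and file size are stored alongside the ciphertext, which is why the article treats metadata as a separate exposure from content.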


What Dropbox Actually Processes: A Personal Data Inventory

EU compliance teams frequently underestimate the personal data that Dropbox processes because they treat file storage as a document management function rather than a personal data processing activity. The following categories apply to typical EU business Dropbox usage.

File content. Dropbox stores the content of all files uploaded by users. Business files routinely contain personal data: HR documents with employee names, salaries, and performance assessments; customer contracts with individual contact details; invoices naming specific individuals; recruitment files with CVs and interview notes; healthcare records in healthcare-adjacent professional services contexts; and financial documents with personal identifiers. Every file category that a business stores in Dropbox may contain personal data subject to GDPR.

User account data. Each Dropbox user account contains the user's name, email address, profile photograph, job title, and account creation date. Dropbox logs device registrations, sign-in events, and connected application authorisations for each user. Multi-year Dropbox accounts accumulate device fingerprints, IP addresses linked to access events, and session records that document users' locations and working patterns.

File access and sharing logs. Dropbox logs every file and folder access event, including who accessed what, when, from which device, and from which IP address. For Business and Business Plus accounts, these logs are available to administrators as audit trails. The logs constitute a detailed personal data record of each team member's work patterns — when they work, from where, how frequently they access specific documents, and with whom they share files.

Collaboration data. Dropbox Paper collects personal data through collaborative document editing: each comment, annotation, and mention is attributed to the individual user who created it. Dropbox's file request feature collects data from external parties — customers, suppliers, and applicants who upload files in response to requests — often without those individuals being informed that their data is being transferred to a US company's infrastructure.

Dropbox Sign (formerly HelloSign) data. Dropbox Sign is an electronic signature service integrated into the Dropbox platform. It processes the personal data of all signatories to documents executed through the platform: names, email addresses, IP addresses, digital signature representations, and identity verification data. For EU businesses using Dropbox Sign to execute employment contracts, customer agreements, or NDAs, the signatory personal data — including the signature itself — is processed by a US company subject to CLOUD Act demands.

Transfer impact assessment implications. Under EDPB Recommendations 01/2020 on supplementary measures, EU data controllers must assess the effectiveness of safeguards before relying on them for international transfers. For Dropbox, a TIA must document the CLOUD Act exposure, the absence of zero-knowledge encryption, and the scope of metadata processing in US systems. DPOs who have not documented a completed TIA for Dropbox are operating without the required transfer impact assessment for a high-volume data transfer to a US company.


GDPR Compliance Requirements for Dropbox Usage

EU organisations using Dropbox have several active GDPR compliance obligations that are frequently not met in practice.

Data Processing Agreement. Under GDPR Article 28, a written DPA is required before Dropbox processes personal data on behalf of an EU controller. Dropbox's Business and Business Plus plans include a DPA that must be executed. Many EU SMEs and individual users are operating without a valid DPA in place, either because they are on personal plans without DPA coverage or because procurement did not include DPA execution.

Records of Processing Activities. GDPR Article 30 requires that Dropbox appear in the organisation's Article 30 records as a processor. The records must document what personal data categories are processed through Dropbox, the purpose of processing, and the applicable transfer mechanism. Many ROPA entries for Dropbox are incomplete because they do not document the CLOUD Act exposure or the applicable supplementary measures.

Standard Contractual Clauses. For transfers of personal data to Dropbox's US infrastructure — including metadata processing in US systems even with EU data residency — SCCs or an equivalent transfer mechanism is required under GDPR Chapter V. Dropbox provides SCCs as part of its DPA for Business subscribers. However, SCCs for transfers to US companies must be accompanied by a TIA demonstrating that the SCCs provide effective protection. The CLOUD Act, NSL authority, and FISA collection capabilities documented above are directly relevant to the TIA analysis.

Transparency obligations. GDPR Articles 13 and 14 require that data subjects be informed of transfers to third countries and the identity of processors receiving their data. EU organisations that use Dropbox to collect external party data — via file requests, shared folders, or Dropbox forms — must disclose to those individuals that their data is being transferred to Dropbox, Inc., a US company. Many EU organisations' privacy notices do not identify Dropbox as a processor receiving external party data.

Employee monitoring considerations. In Germany, France, the Netherlands, and other EU member states with co-determination or works council requirements, the use of Dropbox admin audit logs to monitor employee file access patterns may constitute employee monitoring that requires works council consultation or collective agreement. The detailed access logs Dropbox provides to Business administrators are personal data records that implicate employment law data protection requirements in addition to GDPR.


EU-Native Alternatives to Dropbox

EU-native file storage and synchronisation alternatives address the CLOUD Act problem by locating both the physical infrastructure and the legal entity in the EU or in an equivalent European jurisdiction. The following alternatives are incorporated in EU member states or in Switzerland, which maintains GDPR-equivalent data protection under its own Federal Act on Data Protection (revFADP) and has an EU adequacy decision reviewed under GDPR requirements.

Nextcloud (Stuttgart, Germany)

Nextcloud GmbH is incorporated and headquartered in Stuttgart, Germany. Nextcloud Hub is open-source file synchronisation and collaboration software distributed under the GNU AGPLv3 licence. It is available as self-hosted software deployable on EU infrastructure you control, or as managed hosting through certified Nextcloud providers operating in EU datacentres.

The sovereignty argument for Nextcloud is strong: with self-hosted deployment on EU infrastructure operated by an EU-incorporated cloud provider, there is no US entity in the data chain. A Nextcloud instance operated on, for example, a Hetzner dedicated server in Nuremberg or a Scaleway bare-metal instance in Paris processes data entirely within German or French jurisdiction.

Nextcloud Hub includes file storage and synchronisation, Nextcloud Office (collaborative document editing via Collabora Online or OnlyOffice), Talk (video calls and messaging), Mail, Calendar, Contacts, and Forms — covering most Dropbox use cases and extending into Microsoft 365 territory. For EU organisations willing to operate their own infrastructure or contract with an EU managed service provider, Nextcloud is the most functionally complete EU-native Dropbox alternative.

Key details: Nextcloud GmbH, Hauptstätter Str. 8, 70178 Stuttgart, Germany. German GmbH. No US parent.

Tresorit (Budapest, Hungary / Zurich, Switzerland)

Tresorit Zrt. is incorporated in Hungary and operates under Hungarian and EU law. Its technical operations are headquartered in Zurich, Switzerland. Tresorit is a managed cloud file storage service with end-to-end encryption as its defining feature: unlike Dropbox, Tresorit uses a zero-knowledge architecture in which encryption keys are generated and held by the customer, not by Tresorit. Tresorit cannot access the plaintext content of customer files.

The zero-knowledge architecture changes the CLOUD Act analysis. If US authorities were to serve Tresorit's US operations (Tresorit does have a US presence for sales) with a CLOUD Act demand, Tresorit could produce only the encrypted ciphertext of customer files — it cannot produce plaintext content because it does not hold the decryption keys. This provides a materially stronger privacy guarantee than Dropbox's encryption model, where Dropbox holds the keys and can produce plaintext on demand.

Tresorit is GDPR-compliant, certified under ISO 27001, and provides DPAs for business customers. It targets EU compliance-sensitive industries including legal, healthcare, and financial services. Business and Enterprise plans include admin controls, audit logs, and DLP features. The user experience is similar to Dropbox, which eases migration.

Key details: Tresorit Zrt., Lónyay utca 16/A, 1093 Budapest, Hungary. Swiss technical operations. EU and Swiss law. E2EE zero-knowledge.

Proton Drive (Geneva, Switzerland)

Proton AG is incorporated in Geneva, Switzerland. Proton is best known for ProtonMail but has expanded its privacy-focused platform to include Proton Drive (file storage), Proton Calendar, and Proton VPN. Proton Drive uses end-to-end encryption with zero-knowledge architecture: like Tresorit, Proton holds no decryption keys and cannot access file content.

Switzerland has an EU adequacy decision reviewed under GDPR requirements, following Switzerland's adoption of its revised Federal Act on Data Protection. Swiss law provides strong statutory data protection and requires mutual legal assistance treaties for any data sharing with foreign authorities — Proton cannot be compelled to produce data under the US CLOUD Act in the same way a US company can.

Proton Drive is less mature as an enterprise platform than Dropbox or Tresorit. It offers personal and business plans, desktop sync clients, and mobile apps, but lacks the enterprise DLP, compliance, and admin features of Dropbox Business or Tresorit. For teams that prioritise maximum privacy and are willing to accept a simpler feature set, Proton Drive is a strong option, particularly for storing highly sensitive documents.

Key details: Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Geneva, Switzerland. Swiss corporation. EU-adequate jurisdiction. E2EE zero-knowledge.

ownCloud (Nuremberg, Germany)

ownCloud GmbH is incorporated in Nuremberg, Germany and was the original open-source project from which Nextcloud forked in 2016. ownCloud Infinite Scale (the successor to ownCloud 10) is available as self-hosted software under the AGPL licence for smaller deployments, with enterprise licensing for large-scale deployment and additional features including advanced admin controls, ransomware protection, and compliance reporting.

ownCloud maintains a separate commercial managed service called ownCloud Spaces, operated on EU infrastructure. ownCloud's enterprise product targets regulated industries with requirements for EU data residency, GDPR compliance documentation, and ISO 27001 certification. It competes with Nextcloud in the self-hosted and EU-managed enterprise segment.

Key details: ownCloud GmbH, Rathsbergstr. 17, 90411 Nuremberg, Germany. German GmbH. No US parent.

IONOS HiDrive and Strato HiDrive (Germany)

For EU organisations that want a consumer-accessible managed file storage service without self-hosting complexity, German providers offer Dropbox-comparable services with German legal entity and infrastructure.

IONOS Drive is operated by IONOS SE, incorporated in Montabaur, Germany (a subsidiary of United Internet AG). IONOS stores data exclusively in German and EU datacentres. Strato HiDrive is operated by STRATO AG, headquartered in Berlin and a subsidiary of United Internet AG. HiDrive offers WebDAV access, desktop sync, and mobile apps with data storage in German datacentres. Both products are more basic than Dropbox in terms of collaboration features but are straightforward Dropbox replacements for file storage and synchronisation without CLOUD Act exposure.


Migration Considerations for EU Teams Moving from Dropbox

Data export. Dropbox provides a full account export via its website. Admins can export all team files, folder structures, and permissions in a single archive. Nextcloud, Tresorit, and ownCloud all provide migration tooling that preserves folder hierarchy during import.

Dropbox Paper documents. Paper documents can be exported as Markdown or Word format. They can be imported into Nextcloud Office, OnlyOffice, or other collaborative editing tools. Paper-specific formatting (embed blocks, tables) may require manual reformatting.

Dropbox Sign contracts. Active signature requests in Dropbox Sign cannot be migrated mid-flow. Completed signed documents can be downloaded as PDFs. EU organisations switching from Dropbox Sign should evaluate EU-native eSignature alternatives such as DocuSign EU-hosted, Skribble (Switzerland), or Yousign (France, certified eIDAS QES).

Dropbox integrations. EU organisations using Dropbox integrations with Slack, Zoom, Microsoft Teams, Salesforce, or other US platforms should audit those integrations as part of any migration project. Moving files to an EU-native provider while retaining Dropbox integrations with US platforms may recreate the CLOUD Act exposure through a different pathway.

Rollout strategy for Nextcloud self-hosted deployments. Nextcloud self-hosted deployment requires EU-based infrastructure, server administration capability, and an ongoing maintenance commitment. For EU organisations without internal IT resources, contracting with a Nextcloud certified partner (listed at nextcloud.com/partners) provides managed hosting with an EU entity. Managed Nextcloud hosting from EU providers typically starts at €5–15 per user per month depending on storage and support level.


Dropbox vs. EU Alternatives: Summary Comparison

Provider     | Legal Entity   | Jurisdiction        | CLOUD Act Risk  | E2EE Zero-Knowledge | Managed Option
-------------|----------------|---------------------|-----------------|---------------------|-------------------
Dropbox      | Dropbox, Inc.  | Delaware, US        | Yes — direct    | No                  | Yes (US-hosted)
Nextcloud    | Nextcloud GmbH | Stuttgart, Germany  | No              | Optional (E2EE app) | Yes (EU providers)
Tresorit     | Tresorit Zrt.  | Budapest, Hungary   | Mitigated (ZK)  | Yes — default       | Yes (EU-hosted)
Proton Drive | Proton AG      | Geneva, Switzerland | No              | Yes — default       | Yes (CH-hosted)
ownCloud     | ownCloud GmbH  | Nuremberg, Germany  | No              | Optional            | Yes (EU-hosted)
IONOS Drive  | IONOS SE       | Montabaur, Germany  | No              | No                  | Yes (DE-hosted)

The Practical Recommendation for EU DPOs

Dropbox can be used in a GDPR-compliant way with the correct documentation: an executed DPA with SCCs for US transfers, a completed transfer impact assessment documenting the CLOUD Act exposure and applicable supplementary measures, correct ROPA entries for all personal data categories processed, and updated privacy notices disclosing Dropbox as a processor for external-facing data collection use cases. For most EU organisations currently using Dropbox without this documentation, bringing the existing Dropbox usage into compliance requires significant documentation effort — effort that could instead be invested in migrating to an EU-native alternative that does not require CLOUD Act supplementary measures.

For EU organisations processing high-risk data categories — employee personal data in jurisdictions with works council requirements, customer personal data in DPIA-triggering processing scenarios, or health-adjacent data — the investment in Tresorit, self-hosted Nextcloud, or Proton Drive is increasingly the path that a diligent DPO recommends, rather than attempting to construct a CLOUD Act supplementary measure argument that EDPB guidance makes difficult to sustain for standard Dropbox business usage.

The CLOUD Act is not going away. It was designed to resolve ambiguity about the reach of US legal process, and it succeeded. EU organisations that want file storage sovereignty need a provider incorporated in the EU or an equivalent jurisdiction, with encryption key custody that does not rest with a US entity. Several mature, enterprise-ready options now meet that requirement.


sota.io helps EU-based software teams deploy on European infrastructure with full GDPR data residency. All customer data stays in EU datacentres, processed by an EU legal entity with no US parent company.
