Dropbox : Supplier Code of Conduct

Dropbox Supplier Code of Conduct

Dropbox, Inc. and its affiliates (together, "Dropbox," "we," "our," or "us") strongly believe in ethical, environmentally responsible working conditions and business operations, and we expect our suppliers (each a "Supplier") to do the same. We have come up with the following requirements for every Supplier based on international standards and our own company values.

Supplier must at all times follow the laws, rules, and regulations of the countries where it operates, and it must also follow this Supplier Code of Conduct (the "Supplier Code") and require its own suppliers, service providers, contractors, and subcontractors (together, its "Supply Chain") to do the same. We strive to collaborate with each Supplier and to help improve Supplier's operations via training, monitoring, and periodic assessments. Supplier's failure to comply with the standards listed below may result in our termination of our working relationship with that Supplier.

If our contract with Supplier has stricter or more detailed terms than those of this Supplier Code, then Supplier must meet those stricter or more detailed requirements. This Supplier Code is not a comprehensive explanation of all of the laws and regulations that may apply to Supplier.

1. Labor. Dropbox requires its Suppliers to respect its workers' human rights, regardless of whether that worker is a contractor, a direct employee, a student intern, or any other kind of worker.

1. Humane Treatment. Supplier will have a zero-tolerance policy for inhumane or cruel treatment, including but not limited to emotional or physical abuse, corporal punishment, or the threat of any such treatment. Supplier will set disciplinary measures that ensure its Supply Chain's adherence to this policy. Supplier will never allow its Supply Chain to use any kind of debt bondage, indentured servitude, involuntary prison labor, trafficking (including sex trafficking), or slavery. Supplier will not charge its workers excessive fees, nor will it force its workers to surrender their government-issuedidentification or work permits as a condition of their employment. Workers at every stage of the Supply Chain will be free to stop working for Supplier at any time withoutpenalty.
2. Hours. Supplier workweeks, as well as days off, will comply with applicable law (unless Supplier is in an emergency or unusual situation). Supplier's workers must receive at least one day off in every seven-dayperiod.
3. Wages and Benefits. When compensating its workers, Supplier must comply with all applicable wage laws, including but not limited to those regarding minimum wages, overtime hours, and worker benefits. Under no circumstances will Supplier use wage deductions as a disciplinary measure against its workers. Supplier will provide workers with the detailed description of the components of workers' payment via pay stub or similar documentation.
4. Freedom of Association. Supplier will strive to resolve all workplace disagreements via direct engagement and open communication with its workers. Supplier will uphold its workers' legal rights to associate freely, bargain collectively, join or refrain from joining labor unions, seek representation, and join workers' councils. Workers must be able to share feedback and grievances with Supplier's management without concerns of harassment, intimidation, or reprisal.
5. Child Labor Avoidance. Supplier will not permit child labor in its Supply Chain. "Child" means any person who is either: (a) under the age of 15 (or 14, if applicable law permits); or (b) under the minimum age for employment or under the age for completing compulsory education in his or her country, whichever is greater. Supplier can run voluntary and legitimate apprenticeship programs, e.g. student internships, so long as Supplier complies with all applicable laws and regulations. Supplier will ensure that workers under the age of 18 do not perform tasks that would likely jeopardize their wellbeing or safety.
6. Non-Discrimination. Supplier will not tolerate harassment and unlawful discrimination in its workplace or Supply Chain. When making hiring-, promotions-, rewards-,or access-baseddecisions, Supplier will not discriminate based on gender identity, race, age, sexual orientation, marital status, caste, disability, pregnancy, religion, political affiliation, or union membership. Supplier also may not subject its workers to potentially discriminatory medical tests.
7. Immigration Law Compliance. All of Supplier's workers must be employed in full compliance with applicable immigration and labor laws.

Dropbox Supplier Code of Conduct v. 072820

1

1. 1. Labor and Employment Laws. Supplier will comply with all applicable labor, employment, and occupational health and safety laws and regulations, including those related to employment practices, performance management and worker discipline, wages, and worker classification.
2. Health & Safety. Dropbox believes that a clean, secure workplace environment improves worker morale, minimizes work-relatedinjuries and illnesses, and increases the overall efficiency and quality of the Supply Chain's products.
3. 1. Management System. Supplier will maintain a Health & Safety Management System that is implemented, functioning, and complies with either: (a) ISO 45001; or (b) internal company policies that substantively track the ISO 45001 requirements. Upon Dropbox's request, Supplier will acquire third-partycertification for its Management System.
   2. Hygiene, Food, and Housing. Supplier will monitor and control its workers' exposure to chemical, biological, and other physical agents, and it will adopt measures to prevent overexposures to such agents. When prevention of overexposure is beyond Supplier's reasonable control, Supplier must supply its affected workers with the proper protective equipment. Additionally, Supplier will ensure that its workers have access to hygienic toilet facilities and clean drinking water. If Supplier's workers reside in Supplier-providedhousing, Supplier must ensure that such dormitories are clean, safe, and equipped with functional emergency exit systems, adequate heat, ventilation, hot water for showering, and personal space for each worker. Workers must also have reasonable entry and exit privileges while residing in Supplier housing.
   3. Occupational Wellbeing and Safety. Supplier will monitor and minimize its workers' exposure to safety hazards such as fire, moving vehicles, extreme temperatures, and fall hazards, and will implement safety trainings to ensure that its workers are informed on safe work procedures. When workers' overexposure to these hazards is beyond Supplier's reasonable control, Supplier must provide its affected workers with the proper protective equipment. Supplier may not punish its workers for expressing safety-relatedconcerns.
   4. Physically Demanding Labor. Supplier will monitor and control its workers' exposure to ergonomic and physical stressors, including but not limited to manual material handling and highly repetitive or forceful tasks.
   5. Machine Safety. Supplier will examine its machinery for potential safety hazards and will minimize such hazards by maintaining physical guards and barriers where necessary.
   6. Emergency Preparation. Supplier will identify potential emergency situations and design emergency plans and procedures, e.g. employee evacuation methods, emergency reporting processes, and worker drills, to minimize the effect of these emergencies.
4. Environmental. Dropbox values environmentally sound operations as key to creating world-class products. As a result, we expect each of our Suppliers to be environmentally responsible.
5. 1. Management System and Permits. Supplier will maintain a Health & Safety Management System that is implemented, functioning, and complies with either: (a) ISO 14001; or (b) internal company policies that substantively track the ISO 14001 requirements. Upon Dropbox's request, Supplier will acquire third-party certification for its Management System. Supplier will procure, keep current, and adhere to the standards of all required environmental approvals, registrations, and permits.
   2. Waste Disposal. Supplier will define and maintain a clear procedure for disposing of all its operations' and facilities' waste. Supplier's waste disposal process will be environmentally responsible and will comply with all applicable laws and regulations. Upon Dropbox's request, Supplier will provide written evidence of its compliance with this Section 3.2.
   3. Environmental Hazards. Supplier will characterize and control the chemicals and other materials posing a hazard to its workers' wellbeing or to the environment. Supplier will ensure these hazardous substances' safe handling and proper disposal.
   4. Product Content Restrictions. Supplier will comply with applicable laws, regulations, and customer requirements related to the prohibition or restriction of certain substances.
6. Ethics. Dropbox expects its Suppliers to act with the highest integrity in all of its business dealings.
7. 1. Business Integrity. Supplier will uphold the highest standards of ethics in all of its business interactions and will not tolerate any form of corruption, bribery, extortion, or embezzlement. Supplier will comply with all applicable anti-corruption,fair business, advertising, competition (including antitrust), international trade

Dropbox Supplier Code of Conduct v. 072820

2

(including regulations prohibiting U.S. companies' cooperation with an unsanctioned boycott of another country) laws, and will institute a process for monitoring its compliance with these laws. Supplier will not make illegal payments through any means. Supplier will record all of its business dealings accurately and will disclose these records in accordance with applicable regulations and prevailing industry practices.

1. 1. Privacy. Supplier will protect all personal information received during the course of its business operations. When personal information is stored, collected, processed, transmitted, or shared, Supplier will comply with all reasonable customer requirements and applicable privacy, data protection, or information security regulations.
   2. Non-Retaliation. Supplier will communicate a process for its workers to raise grievances without concerns of harassment, intimidation, or reprisal. Additionally, Supplier will characterize and maintain procedures that ensure its whistleblowers' confidentiality and protection. A whistleblower is any person who makes a disclosure about illicit conduct by an employee or officer of a company, or by a public official or official body.
2. Management System. Supplier will implement and maintain a functioning management system to ensure its adherence to this Supplier Code.
3. 1. Commitment. Supplier will institute a company-wide,management-endorsed social and environmental policy.
   2. Executive Management Accountability. Supplier's senior management must: (a) identify specific representatives responsible for overseeing the system; and (b) regularly review the status of the system themselves.
   3. Legal/Security and Customer Requirements. Supplier will have a defined procedure for monitoring its compliance with all applicable laws, regulations, and customer requirements (including this Supplier Code).
   4. Risk Management. Supplier will implement a process to minimize the labor, environmental, health, safety, and security risks of its operations.
   5. Defined Objectives. Supplier will have written performance objectives and plans regarding its social and environmental performance, and will conduct regular assessments of its progress with such objectives.
   6. Communication. Supplier will clearly communicate its policies and expectations to its workers, vendors, and customers.
   7. Training. Supplier will run training programs that instruct its workers on how to effectively implement its social, environmental, and security policies.
   8. Worker Participation. Supplier will have ongoing, well-maintained processes for obtaining feedback from its employees on the conditions of this Supplier Code.
   9. Audits. Supplier will conduct regular self-evaluations to assess its compliance with this Supplier Code and its other social, environmental, and security policies.
   10. Corrective Action. Supplier will articulate a procedure for the prompt correction of any deficiencies in its operations.
   11. Documentation. Supplier will create and maintain proper records to ensure its conformity with laws, regulations, and contractual requirements (including this Supplier Code).
   12. Supplier Code Implementation. Supplier will communicate these Supplier Code requirements to its Supply Chain and will monitor its Supply Chain's conformity to this Supplier Code.
4. Assessment and Improvement. Regular audits and assessments are integral to ensuring social and environmental responsibility. As a result, Supplier will cooperate with any Dropbox requests for information confirming Supplier's compliance with this Supplier Code or contractual terms.
5. Side Agreements. Supplier will not enter into any Side Agreements with, or on behalf of, Dropbox. A "Side Agreement" is any agreement, written or verbal, that is not included in the applicable signed agreement between Supplier and Dropbox. Examples of Side Agreements include; (a) promises of future discounts; (b) giving away products or services; (c) commitments for future upgrades, features, or functionality; (d) refunds or agreements to forgive receivables; or (e) granting an extension of payment terms.
6. Conflicts of Interest. Supplier will avoid any potential or actual conflicts of interest when working with Dropbox or any of its employees. Conflicts of interest include: (a) entering into a work engagement of any kind with a Dropbox

Dropbox Supplier Code of Conduct v. 072820

3

employee with whom Supplier has a personal relationship; (b) offering gifts or entertainment to Dropbox employees in violation of the Dropbox Code of Conduct; or (c) paying for, or reimbursing, travel or travel related expenses for Dropbox employees. When in doubt, please refer the matter to the Dropbox employee for internal escalation.

9. Insider Trading. Supplier will comply with applicable insider trading laws. Without limiting the foregoing, Supplier will not, and will maintain adequate controls to ensure its workers will not, (a) buy or sell Dropbox securities or the securities of any other company based on Dropbox MNPI or (b) make recommendations or express opinions about securities trading based on Dropbox MNPI. "Dropbox MNPI" means material nonpublic information about Dropbox, or information about another company (including Dropbox's customers, suppliers, vendors, or other business partners) to which Supplier is exposed by virtue of its interaction with Dropbox, in each case that is not available to the investing public and that could influence an investor's decision to buy or sell securities.

Dropbox appreciates its Suppliers' ongoing willingness to follow these standards. We hope that our Supplier Code makes our dedication to our values clear - we prioritize ethical practices in all aspects of our business. This Supplier Code supplements, but does not supersede, any of our rights or obligations in our agreements with Suppliers.

Dropbox Supplier Code of Conduct v. 072820

4