What are best practices for securing other's Dropbox

As our company's CISO, it's my responsibility to validate the security posture of our company and our third parties.  I have unresolved questions about how we can verify Dropbox security controls, specifically for third parties.

We are not a direct Dropbox customer, although we've encountered many third parties who use Dropbox, as their preferred File Sharing & Collaboration platform.  What are the Dropbox best practices to ensure a third party's Dropbox setup is secure?  I have attempted to do a Q&A with various third parties to ensure they securely setup their Dropbox, although many third parties don't know much about how their company's Dropbox security is configured.  Many third parties simply have a lack of knowledge about Dropbox security controls.  I notice there are 4 tiers of Dropbox, each with various security controls.   I understand how these controls can better secure data residing in a Shared Dropbox.

Examples of questions which our best practice Dropbox procedure should answer:

- How do we, the receiving party, know which Dropbox tier the parent company is subscribed to?   (i.e. Must have Business "HIPAA configured" if they want to share medical records)

- How can we, the receiving party, validate that all parties have MFA enabled, among other security controls?

Definitions: 

(Parent Company) = the company who provides their shared Dropbox.

(Receiving Company) = the company who is using the parent company's Dropbox.

(Third Party) = any customer or vendor we do business with.