cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Discuss Dropbox Developer & API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Proposed design for uploading and sharing to Dropbox for Healthcare customers

Proposed design for uploading and sharing to Dropbox for Healthcare customers

PagingMrHerman
Explorer | Level 3
Go to solution

I'd like to get feedback about whether my plan for using the APIs is a good fit for our use-case.

 

Use case:

Our company produces files, and some of our customers who have "Dropbox for Healthcare" accounts want us to deliver files to their accounts.

 

Planned use of APIs:

1) Create a "basic" Dropbox account. Would uploads to this be covered by Dropbox's HIPAA BAA? How would we get a BAA from Dropbox?

 

2) Create one top-level folder per customer, and use a sharing API to invite a list of customer email addresses to the folder.

 

3) Every time we create a new file for a customer, auto-upload it to a path under their top-level folder.

 

4) If a recipient edits, renames, or deletes a file we delivered, we can safely ignore any API notifications because we don't need their edits.

 

Our expectation is that, once each customer recipient accepted their sharing invitation, they would place the shared folder whereever they want in their own folder structure, and whenever we upload a file to a shared folder, the invited users would silently receive a copy of the upload.

 

Is this plan the best use of the APIs for our use-case?

1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
Go to solution

Yes, using a full Dropbox API app to upload to a shared folder like that would work.

View solution in original post

3 Replies 3

Greg-DB
Dropbox Staff
Go to solution

I'm happy to help with any technical questions or issues you have regarding the Dropbox API, but I can't offer HIPAA policy or legal guidance. For information on HIPAA/BAA on Dropbox, please refer to this help article: https://help.dropbox.com/accounts-billing/security/hipaa-hitech-overview

 

As for the technical aspects of using the Dropbox API described here, if I understand correctly, it sounds like you would have just a single Dropbox account connected to your API app, containing all of the files for all of your end-users, is that correct?

 

Note that the Dropbox API was designed with the intention that each end-user would directly connect their own Dropbox account to the API app, in order to interact with their own files. It is technically possible to connect to just one account, by always using a specific access token. Please be aware that we don't recommend doing so, for various technical and security reasons. (Most of the security concerns are allayed if you're building a server-side app where you can keep the access token secret on the server though.)

PagingMrHerman
Explorer | Level 3
Go to solution

Yes, our use of the API would be exclusively via a server-based process (that keeps its credentials in env vars instead of its code).

 

My main technical question is: Would creating one top-level folder per customer, and inviting the customer's users via their Dropbox-registered email addresses, allow us to deliver files to those users by having our server upload to that folder whenever we have a new file to deliver to them?

Greg-DB
Dropbox Staff
Go to solution

Yes, using a full Dropbox API app to upload to a shared folder like that would work.

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
  • User avatar
    PagingMrHerman Explorer | Level 3
What do Dropbox user levels mean?