Dropbox

Half-Quadratic Quantization of large machine learning models

Republished Mobius blog introduces Half-Quadratic Quantization (HQQ), a calibration-free weight-only quantization method that uses half-quadratic splitting and a sparsity-promoting l_p loss to model outliers and produce closed-form updates. HQQ runs in half-precision on GPU without autograd, quantizes very large models (e.g., Llama-2-70B) in minutes, and shows competitive or better perplexity/accuracy vs. GPTQ, AWQ, and bitsandbytes across LLM and ViT benchmarks; code and models are provided.

A practical blueprint for evaluating conversational AI at scale

Dropbox describes an evaluation-first blueprint for LLM-based conversational AI: curate public and internal datasets, define actionable metrics and LLM-based rubrics, build a versioned evaluation platform (Braintrust) with traceable runs, automate PR- and pipeline-level regression checks (GitHub Actions, Kubeflow sweeps), sample and score live traffic, and close the loop with negative-mining, triage playbooks, and A/B playgrounds to continuously improve quality.

Hack Week 2025: How these engineers liquid-cooled a GPU server

A Dropbox engineering team built a custom liquid cooling system for GPU servers by assembling radiators, pumps, tubing, and sensors to address rising thermal demands. Under stress tests, the liquid-cooled setup ran 20–30°C cooler than their air-cooled systems, allowed reduced fan speeds, and showed potential power and space savings. The team plans to expand lab testing across data centers to prepare for next-generation, AI-focused hardware.

Driving AI adoption at Dropbox: a conversation with CTO Ali Dasdan

Dropbox structured its AI adoption by aligning leadership, creating workstreams for tool evaluation, internal tool development, and change management, and by tracking developer productivity metrics. They blend third-party tools like GitHub Copilot with custom AI solutions for tasks such as code reviews, debugging, testing, and migrations, continuously iterating based on feedback.

Making file encryption fast and secure for teams with advanced key management

Dropbox implemented a three-tier encryption key hierarchy—team, namespace, and block keys—using AWS KMS and hardware security modules to deliver secure, team-based file encryption. By encrypting only the namespace key when granting cross-team access, they avoid expensive re-encryption of large files and maintain high performance.

Seventh-generation server hardware at Dropbox: our most efficient and capable architecture yet

Dropbox’s seventh-generation custom servers leverage AMD EPYC 9634 Genoa CPUs, DDR5 memory, 100 Gb networking, and NVMe Gen5 storage to double rack-level power and improve performance per watt. By co-designing with hardware suppliers and software teams, the platform balances compute, database, and storage workloads within the same 1U chassis while tackling thermal, vibration, and acoustic constraints. This design packs more cores, memory capacity, and GPU tiers into the existing footprint, boosting throughput and efficiency for diverse internal services.

How we brought multimedia search to Dropbox Dash

The post describes engineering changes to support multimedia (image, video, audio) search in Dropbox Dash, focusing on indexing, retrieval, and preview generation. The team adopted a metadata-first indexing strategy using existing Riviera infrastructure to extract lightweight features (file paths, titles, EXIF) and backfilled blob content where needed. Previews are generated just-in-time via an internal previews service with caching, and preview URL creation is parallelized with ranking and permission checks to reduce end-to-end latency. The system includes geolocation-aware indexing (reverse geocoding into hierarchical IDs) and tokenization improvements for filenames to improve relevance. Future work plans include adding semantic embeddings and OCR while balancing cost and accuracy.

Building Dash: How RAG and AI agents help us meet the needs of businesses

The post describes Dropbox Dash's technical design combining retrieval-augmented generation (RAG) for information retrieval with multi-step AI agents for complex workflows. For retrieval they chose a lexical IR approach with on-the-fly chunking and embedding-based reranking to balance latency, freshness, and cost, achieving sub-2s responses for the majority of queries. For multi-step tasks they use LLMs to generate plans expressed in a Python-like DSL, then validate and execute that code in a minimal, sandboxed Python interpreter with static analysis and runtime type enforcement. The team also evaluates models and retrieval options on public datasets using LLM-based judges for correctness and completeness, and highlights trade-offs among model size, latency, and data freshness.

Evolving our infrastructure through the messaging system model in Dropbox

Dropbox describes evolving its asynchronous platform by introducing a Messaging System Model (MSM) that decomposes the stack into five layers (frontend, scheduler, flow control, delivery, execution). The post explains goals (developer velocity, reliability, extensibility, cost/operational efficiency), discusses challenges with prior heterogeneous systems (Kafka/Redis/SQS, lambda divergence), and calls out cloud and autoscaling integrations (AWS/Azure, VPC, Atlas) and CDC support.

Selecting a model for semantic search at Dropbox scale

Dropbox describes adding semantic search to Nautilus by selecting and productionizing a document embedding model. They adapted the MTEB benchmark, built Kubeflow pipelines to generate MTEB-compatible (including multilingual) datasets from anonymized search logs, evaluated 11 models, and selected multilingual-e5-large. For production they settled on two embeddings per document (filename/path and content up to 512 tokens), used an 8-bit-like quantization scheme with a float32 scale to reduce storage, and balanced quality, latency, and storage to support search at Dropbox scale. Results showed reduced zero-results rate and improved qCTR. The article covers benchmarking, model selection, and engineering tradeoffs for deploying vector search at scale.

What’s new with Robinhood, our in-house load balancing service

Technical case study of Robinhood, Dropbox’s internal load balancing service: architecture (LBS, proxy, routing DB), use of PID controllers to compute endpoint weights, integration with Envoy (EDS) and gRPC xDS, ZooKeeper/etcd routing DB, config aggregation for safe rollouts, and measured performance and reliability improvements.

How we use Lakera Guard to secure our LLMs

Dropbox evaluated LLM security tools and selected Lakera Guard; they integrated it as an internally-hosted Docker service called from LLM pipelines (LangChain-based prompt/security chains), tested coverage with the Garak scanner against models like GPT-4 and LLaMA 3, and prioritized in-house deployment, low latency, long-context support, and confidence scoring.

Customizing scopes in the OAuth app authorization flow

Explains how Dropbox apps can customize requested OAuth scopes by setting the scope parameter on /oauth2/authorize (requesting subsets, progressively adding scopes via include_granted_scopes), how /oauth2/token returns the granted scopes, and best practices for requesting minimal permissions (including offline access for long-lived tokens).

Meet Chrono, our scalable, consistent, metadata caching solution

Dropbox describes Chrono, a timestamp-based consistency coordinator built on top of Panda (an MVCC key-value store) to enable scalable, linearizable caching. Chrono exposes Attempt and LatestAttemptTimestamp APIs to let clients validate cache freshness (Memcache/Redis) and safely use cached snapshot reads; the design was validated with TLA+ and operationalized with sharding and scaling considerations.

Bringing AI-powered answers and summaries to file previews on the web

The post describes Riviera, Dropbox’s file-conversion framework that routes files through isolated plugin containers to extract text, transcripts, and embeddings. Text is chunked into paragraph-sized pieces and embeddings are computed per chunk and cached so summaries and Q&A can reuse them. Summarization uses k-means clustering over chunk embeddings to pick semantically dissimilar representative chunks as context for an LLM, while Q&A ranks chunks by similarity to a question embedding and returns source locations. For multi-file queries they compute relevance scores across top chunks and apply a power-law based percentile cutoff to determine how many chunks and files to include, and they report large improvements in cost and p75 latency from caching and algorithmic optimizations.

Dropbox API server root certificate changes coming in 2026

Implementing end-to-end encryption for Dropbox teams

The post describes Dropbox's implementation of end-to-end encryption for team folders, where files are encrypted client-side and only the team holds decryption keys. It uses a hybrid scheme: file content is encrypted in 4 MB blocks with AES-256-GCM (unique 96-bit nonces) and per-block 128-bit tags hashed with HMAC-SHA-256; secret keys are wrapped with HPKE using P-256, SHA-256, and AES-256-GCM. Key management is team-centric with a single team key shared among members, support for key rotation, and two device registration modes (automatic and manual); manual registration uses HPKE auth mode and out-of-band fingerprint verification. The design omits post-quantum cryptography for now, documents threat-model limits (device security, metadata visibility, insider permissions), and states they will monitor PQC developments such as Kyber for future changes.

Bye Bye Bye...: Evolution of repeated token attacks on ChatGPT models

Dropbox LLM security research describes a repeated-token/divergence attack on OpenAI ChatGPT-family models (GPT-3.5 and GPT-4) that can cause models to ignore instructions and output memorized training data. The team demonstrates single- and multi-token repetition PoCs (including extraction of jq documentation and Bible passages), documents long-running request behavior and proxy timeouts, reported findings to OpenAI (which implemented filtering and timeouts), and published a Python script/GitHub repo to help detect effective repeated-token sequences. The post emphasizes operational mitigations (input sanitization, max_tokens) and warns the attack is transferable to other third-party and open-source models.

Listing the contents of all team-accessible namespaces

Explains a strategy to list all files and folders a Dropbox team can access by first fetching the team-accessible namespaces and then listing each namespace’s contents (to avoid duplicates); includes a linked code sample using the Dropbox API.

From AI to sustainability, why our latest data centers use 400G networking

Dropbox describes designing and launching its first 400G data center (US-WEST) to support AI-driven workloads and sustainability goals. The design updates a proven quad-plane fabric to 32x400G switches, uses 400G-DAC for energy-efficient spine-leaf links, selected 400G-DR4 optics for long top-of-rack runs and backward compatibility, consolidated multiple DI roles into a single 400G-capable DI using MPLS RSVP-TE (replacing ECMP), and upgraded the optical transport with DWDM and 800Gb/s waves. The post covers testing, backward-compatibility fixes, supply-chain contingencies, lessons learned, and plans to expand 400G across other regions and the backbone.