Privacy Frequently Asked Questions
At Smartsheet, privacy is a critical component of building and maintaining trust with our customers. We want you to feel comfortable uploading your organization’s data to Smartsheet. This webpage is designed to assist you in addressing commonly asked questions about privacy and your use of Smartsheet.
This is not intended to provide legal advice or replace consulting with your organization’s legal representative. We urge you to seek appropriate legal counsel in regards to your specific use of Smartsheet and your organization’s data protection obligations.
If you or your organization have any additional questions, please do not hesitate to reach out to the Smartsheet Privacy team at privacy@smartsheet.com.
Sections
General Questions
Data Processing Addendum (DPA)
The General Data Protection Regulation (GDPR)
The California Consumer Privacy Act (CCPA)
Integration and Forms
Audit and Certifications
What is Customer Content?
As covered in Section 12 of the Smartsheet User Agreement, “Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to the application by Customer or Users and is processed by Smartsheet on behalf of Customer.
Who is the controller of Customer Content?
Smartsheet customers are controllers of Customer Content uploaded to the Smartsheet application. Where Smartsheet is a data processor, Customers control the data submitted and contained in Customer Content. The data processed will vary according to the Customer’s use-case. Customers remain responsible for ensuring that submission of any special categories of Personal Data complies with applicable laws.
What subprocessors does Smartsheet utilize to process Customer Content?
Subprocessors for Smartsheet applications are documented on this webpage.
How can I be notified when Smartsheet adds a new subprocessor?
Customers wishing to be notified of changes to the Smartsheet subprocessor list can fill out this webform.
How does Smartsheet process Customer Content?
As covered in the Smartsheet User Agreement, Smartsheet may process Customer Content only: as required by applicable law; as requested by Customer in writing or as allowed by Customer via a Service’s access controls; or as necessary to provide, support, or optimize the application or prevent or address technical problems with the application or violations of this Agreement.
Where is Customer Content hosted?
Currently, the Smartsheet platform is hosted from the United States (US) or from the European Union (EU). When customers choose the EU region as the hosting location, Customer Content will be processed in the EU region (Germany as primary, with backup in Ireland). For more information on data access and data transfers to the US, please refer to the Smartsheet Trust Center.
Where is Customer Support located?
Smartsheet's platform is web hosted and available across the globe. In order to provide support in a timely manner, Smartsheet may utilize support staff outside of the customer’s selected hosting region, and support may be provided from the US, UK, Philippines, Costa Rica, or Australia. Users may choose to access the Smartsheet application from many locations so data may be processed outside of the selected region at the direction of your users. For more information, please refer to the Smartsheet Trust Center.
How does Smartsheet protect Customer Content?
Smartsheet has implemented technical, organizational, and administrative measures to protect data that Smartsheet processes. Many of these measures have been reviewed by independent third-party auditors and found to meet the standards of SOC2, ISO 27001:2013, ISO 27018:2019, and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
What happens if there is a security incident involving Customer Content?
Smartsheet handles and communicates security incidents in accordance with the documented security practices set forth in the Smartsheet User Agreement or the signed agreement between the customer and Smartsheet.
If I end my relationship with Smartsheet, what happens to my Customer Content?
As covered in the Smartsheet User Agreement, within one hundred eighty (180) days following termination or expiration of any Term, Smartsheet will delete and render Customer Content unrecoverable and, upon Customer’s written request, certify such process in writing. Notwithstanding the foregoing, Smartsheet may retain copies of Customer Content as part of records, documents, or broader data sets in accordance with Smartsheet’s legal and financial compliance obligations, provided that Smartsheet continues to comply with all the requirements of the Agreement in relation to any such retained Customer Content.
How does Smartsheet handle legal requests for Customer Content?
Smartsheet, as a United States based company, may be required to disclose certain data if it receives a valid legal order. However, please note that with respect to such required disclosures, Smartsheet is subject to Section 6.3 of the User Agreement: “the Receiving Party may disclose Confidential Information to the extent required by law or legal process, provided, however, the Receiving Party will (unless prohibited by law or legal process): (a) give the Disclosing Party prior written notice of such disclosure to afford the Disclosing Party a reasonable opportunity to appear, object, and obtain a protective order or other appropriate relief regarding such disclosure; (b) use diligent efforts to limit disclosure to that which is legally required; and (c) reasonably cooperate with the Disclosing Party, at the Disclosing Party’s expense, in its efforts to obtain a protective order or other legally available means of protection.”
Data Processing Addendum (DPA)
Does Smartsheet sign DPAs with customers?
Smartsheet offers a Data Processing Addendum ("DPA") for our customers who require specific terms for the processing of Customer Content that includes personal information. Our DPA incorporates the Standard Contractual Clauses (“SCC”) and has been carefully tailored to account for our subscription service's unique operational and technical controls and to address the applicable privacy obligations and legal responsibilities of both parties, particularly with respect to both the GDPR and CCPA.
If you have determined that you require a DPA with Smartsheet, you may submit this webform in order to have a copy of our DPA routed via DocuSign to the authorized signer entered into the form. Once signed, a copy will also be sent to the form submitter for their records.
What is the scope of the DPA?
The Smartsheet DPA has been carefully tailored to account for our subscription service's unique operational and technical controls. The language in our DPA that addresses the applicable privacy obligations of both parties is in line with DPAs offered by the major service providers in the SaaS industry. The DPA has been carefully drafted to address the legal responsibilities of both parties under applicable privacy laws, particularly with respect to GDPR and CCPA, so that even customers subject to stringent privacy laws can accept the document without negotiation. All underlying legal and commercial terms (including terms describing Smartsheet's operational practices) have already been established in the agreement governing your use of and access to the services.
Additionally, where Smartsheet acts as a data processor, Customers control the data submitted and contained in Customer Content. The data processed will vary according to the Customer’s use-case. Customers remain responsible for ensuring that submission of any special categories of Personal Data complies with applicable laws. Smartsheet treats all data submitted to the application the same and has built into the subscription service certain controls to account for common requirements. Please let us know if you have specific questions or concerns relating to our DPA.
What laws are considered in the Smartsheet DPA?
The Smartsheet DPA has been carefully drafted to address the applicable legal responsibilities of both parties, particularly with respect to GDPR and CCPA, so that even customers subject to stringent privacy laws can accept the document without negotiation. All underlying legal and commercial terms have already been established in the Smartsheet User Agreement in place between the parties and have been carefully drafted to take into account Smartsheet’s technical and operational realities as a SaaS provider.
Will Smartsheet sign my organization’s DPA?
The Smartsheet DPA has been carefully drafted to take into account Smartsheet’s technical and operational realities as a SaaS provider and to address the applicable legal responsibilities of both parties, particularly with respect to GDPR and CCPA, so that even customers subject to stringent privacy laws can accept the document without negotiation. If you would like Smartsheet to consider your organization’s DPA, please contact your Sales Representative.
The General Data Protection Regulation (GDPR)
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European regulation that took effect on May 25, 2018, and sets out standards for the protection and processing of personal data. Learn more about Smartsheet and the GDPR, including how to request a Data Processing Agreement (DPA) with Smartsheet as a data processor.
How does the GDPR apply to Smartsheet?
Smartsheet is a global company and takes the privacy of its customers very seriously. Smartsheet and its affiliates offer world-class privacy assurances aligned with applicable data privacy legislation such as the GDPR. As a data-agnostic SaaS company, Smartsheet, along with other SaaS providers, employs a shared-responsibility model between the Customer and Smartsheet. Therefore, GDPR compliance is a partnership between customer and vendor.
We are committed to our customers’ success, including supporting them on their GDPR compliance journeys. We have many customers who have determined that Smartsheet meets their GDPR compliance needs and look forward to working with you to meet your needs.
For information about Smartsheet and the GDPR, please reference this datasheet.
Does Smartsheet have a Data Protection Officer (DPO)?
Smartsheet has appointed a DPO. All contact information for Smartsheet Privacy is available on the Smartsheet Privacy Notice.
As a data processor, will Smartsheet assist my organization in fulfilling its data subject requests?
As covered in the Smartsheet Data Processing Addendum, Smartsheet will provide reasonable assistance to Customer in relation to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of Smartsheet’s Processing of Customer Personal Data and the information available to Smartsheet.
As a data controller, does Smartsheet fulfill data subject requests?
Yes, Smartsheet will comply with all legitimate and reasonable requests related to privacy rights. Please complete this webform to submit your request to the Smartsheet Privacy Team.
What are the Standard Contractual Clauses?
The Standard Contractual Clauses (“SCCs”) are a set of contractual commitments established by the European Commission. They are meant to standardize the security and privacy practices of organizations that transfer personal data about individuals in the European Union (“EU”) to destinations outside the EU. Smartsheet and Brandfolder execute SCCs with all vendors and with many of our customers that require a data transfer mechanism.
Will Smartsheet sign Standard Contractual Clauses (SCCs) or Model Clauses?
Following the Schrems II decision and the invalidation of the Privacy Shield, Smartsheet updated the DPA to incorporate the Standard Contractual Clauses (“SCC”) as the lawful transfer mechanism, the validity of which the European Court of Justice expressly upheld.
Our current version of the DPA incorporates the updated SCCs published by the European Commission on June 7, 2021. Smartsheet intends to operate under the prior SCCs as permitted for legacy data transfers. During the allowed transition period, we will amend agreements upon renewals and specific requests. Any changes necessary to allow Smartsheet or its customers to comply with their obligations under applicable data protection laws will be presented to customers as amendments to their existing agreements. Please contact privacy@smartsheet.com if you have any questions.
If you have determined that you require a DPA with Smartsheet, you may submit this webform in order to have a copy of our DPA routed via DocuSign to the authorized signer entered into the form. Once signed, a copy will also be sent to the form submitter for their records.
Are enhanced protections of EU personal data transferred to the US offered by Smartsheet?
Smartsheet has implemented technical, organizational, and administrative measures to protect data that Smartsheet processes. Many of these measures have been reviewed by independent third-party auditors and found to meet the standards of SOC2, ISO 27001:2013, ISO 27018:2019, and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
The California Consumer Privacy Act (CCPA)
What is the CCPA?
The California Consumer Privacy Act is the first comprehensive data privacy legislation passed by a U.S. state. The CCPA went into effect in January 2020. The law aims to outline acceptable collection, use, and storage of personal information. The CCPA also outlines transparency requirements for organizations selling personal information.
How does the CCPA apply to Smartsheet?
For more information on the privacy practices of Smartsheet, please refer to this datasheet.
Does Smartsheet sell personal information?
No. Smartsheet does not sell personal information.
Integration and Forms
Why is the Smartsheet Privacy Notice included in the footer of Smartsheet Forms?
The Smartsheet application includes a feature that allows customers to publish online forms through which individuals can submit data to the Smartsheet application. The data collected via the form and provided by an individual is considered Customer Content. As users submit forms, Smartsheet may collect usage data (e.g., IP address, submission date and time, browser type, etc.) that may be used for Analytics and Improvements; Protecting Legal Rights and Preventing Misuse; and to Comply with Legal Obligations, as further outlined in the Smartsheet Privacy Notice.
Why do the Microsoft integrations with Smartsheet ask for permission to share data to a third-party service?
Connectors and Integrations can be used to pull and/or push information from or to the Smartsheet application, and to enable the applicable third-party to receive notifications, such as sheet updates, from the application. For example, while customers are setting up integrations in Microsoft products (e.g., Outlook, Teams) they will be presented with a prompt from Microsoft (help article) to allow sharing of data with a third-party service. In this context, Smartsheet is the third-party service and Microsoft is requesting to share data. Additionally, any information you authorize to be transferred from the application to an integration partner is governed by the third-party’s privacy statement. We encourage you to carefully read the privacy statement of any third-party you authorize to receive information from the Smartsheet application.
Audit and Certifications
Is Smartsheet GDPR certified?
Smartsheet has achieved certification to two global privacy standards which meet many of the requirements under the GDPR: ISO 27018:2019 and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
Can my organization audit the privacy practices of Smartsheet?
Smartsheet supports millions of users worldwide. It is not practical to allow each customer to audit our practices. This is why we have completed certifications to global privacy standards: ISO 27018:2019 and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
What privacy certifications has Smartsheet achieved?
Smartsheet holds certifications to two global privacy standards: ISO 27018:2019 and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
What about the Privacy Shield?
We are hopeful that a successor framework to the Privacy Shield will be agreed upon in the coming years. In the meantime, Smartsheet maintains our existing Privacy Shield certification, as we continue to uphold the commitments we made to the FTC and our customers about the processing of personal data under the Privacy Shield principles. Additionally, Smartsheet is confident that the US and EU will continue to work together to allow data transfers across borders.