Smartsheet Privacy Practices

Purpose

As an industry leader, Smartsheet is committed to protecting its customers’ privacy by implementing best practices with respect to handling personal data.

This page describes, at a high level, Smartsheet’s privacy practices and approach to evolving privacy laws and regulations. It is important to note that this page does not provide legal advice. Smartsheet recommends that you consult with a licensed attorney or legal counsel to familiarize yourself with the exact regulations that govern your specific situation.

What is Smartsheet’s approach to its customers’ privacy?

Beginning in 2017, Smartsheet, like many other companies based in the United States, participated in and self-certified to the EU-U.S. Privacy Shield program as a way to publicly acknowledge its dedication to its customers’ privacy rights and commit to treating customer data with the utmost care. Despite the program’s invalidation as a result of the Schrems II decision in July 2020, Smartsheet continues to maintain its Privacy Shield Certification and is committed to continuing to protect personal data in accordance with the Privacy Shield Principles (more information about the Privacy Shield Principles is available here).

Smartsheet takes a global approach to privacy that adheres to international best practices for data handling and focuses on facilitating an environment where all customers can be confident their information is protected and their privacy rights are respected. Smartsheet has demonstrated this commitment with our certifications to ISO 27018:2019 and ISO 27701:2019 (additional information available here). These are two comprehensive and global privacy standards against which Smartsheet is audited and evaluated by an independent third-party auditor. Smartsheet focuses on privacy by design, which ensures privacy principles are contemplated and incorporated in every part of its services, from the development of new features to communication with customers. Smartsheet believes fostering a culture of respect for its customers’ privacy is essential to the company’s success. Smartsheet’s privacy practices are informed by the privacy principles of transparency and security, which guide how Smartsheet uses personal data and interacts with its customers.

What are Smartsheet’s privacy principles?

Smartsheet’s privacy practices align with global privacy principles. The principles of transparency and security, which Smartsheet is committed to using, are just two examples of Smartsheet’s broader approach to global privacy compliance.

Transparency. Smartsheet’s commitment to transparency ensures that customers have an accurate and complete understanding of its privacy practices and that Smartsheet complies with customer requests asserting their privacy rights. Smartsheet uses independent auditors to ensure its privacy notices and internal procedures meet international standards and accurately reflect its treatment of customer information in practice. Smartsheet demonstrates this commitment by reviewing its privacy notices at least annually, updating them as needed as its practices change, and notifying customers of any material changes. Smartsheet commits to allowing users to easily exercise their privacy rights by providing mechanisms for customers to opt in or out of communications and allowing users to change those preferences at any time. Smartsheet is committed to complying with those requests promptly and ensuring that customers are aware of their privacy rights.

Security. Smartsheet’s dedication to maintaining the security of its customers’ information is central to maintaining trust in its services. Smartsheet’s security measures consist of technical and organizational safeguards to protect customer data. Smartsheet is committed to providing customers with confidence that they control access to their data. Smartsheet engages with independent auditors to ensure the security measures utilized are of the highest standard and that Smartsheet’s security policy and procedures accurately reflect its practices. Smartsheet is certified to the ISO 27001 standard, demonstrating that Smartsheet’s practices comply with the highest international standard of protection. Smartsheet maintains a culture of respect for the security of customers’ information by conducting privacy and security training throughout the organization.

How does Smartsheet approach new or changing international data protection laws?

Smartsheet has customers worldwide, each of which may be subject to varying data protection laws and regulations. To accommodate the privacy needs of all customers, Smartsheet has adopted a global approach to privacy that applies universal best practices, providing customers with confidence in the knowledge that their personal data will be protected regardless of where they are located. To ensure this approach is successful, Smartsheet uses globally recognized standards of privacy protection. Smartsheet was recently certified to ISO 27001:2013, ISO 27018:2019, and ISO 27701:2019, certifications that are carried out by an independent third-party auditor. By obtaining these certifications, Smartsheet has proven it meets international standards for information security, cybersecurity, and privacy protection. Smartsheet has established itself as an industry leader in privacy protection and will continue to affirm its commitment to maintaining its customers’ privacy.

Is Smartsheet compliant with the GDPR and the CCPA?

Smartsheet complies with its respective obligations under both the General Data Protection Regulation (“GDPR”) (please see “Smartsheet and the GDPR” for additional information) and the California Consumer Privacy Act (“CCPA”). Additionally, Smartsheet meets or exceeds the standards for compliance with all major international privacy legislation. However, there are over 160 international privacy laws and many of Smartsheet’s customers have very different privacy concerns and obligations. As a result, Smartsheet’s privacy practices are intended to be adaptable to comply with new legislation as it is introduced and with existing legislation that is frequently revised. This focus on best practices rather than on specific legislation allows Smartsheet to offer all of its customers quality protection of personal information based on transparency, security, and consent.

How does Smartsheet use customer personal data?

Smartsheet will only use customer personal data in lawful ways that are consistent with Smartsheet’s Privacy Notice. Smartsheet respects the privacy rights of customers and provides mechanisms for customers to opt out of communications or disable marketing technology. Smartsheet retains personal data only for as long as reasonably necessary to provide services to our customers or for as long as is required by law. Smartsheet is consistent in its commitment to privacy protection across all of its offerings.

Does Smartsheet ensure that its partners and vendors respect its customers’ privacy?

Smartsheet engages with partners and vendors that have demonstrated an equal commitment to protecting our customers’ personal data, including meeting or exceeding our Vendor Privacy and Data Handling Expectations. Additionally, for those vendors that qualify as a “subprocessor” under the General Data Protection Regulation, Smartsheet has ensured appropriate safeguards and contractual obligations are in place to protect personal data and meet its obligations under the law. Smartsheet’s list of current subprocessors is available here.

Additional Information and Resources: