Privacy Frequently Asked Questions
At Smartsheet, privacy is a critical component of building and maintaining trust with our customers. We want you to feel comfortable uploading your organization’s data to Smartsheet. This webpage is designed to assist you in addressing commonly asked questions about privacy and your use of Smartsheet.
This is not intended to provide legal advice or replace consulting with your organization’s legal representative. We urge you to seek appropriate legal counsel in regards to your specific use of Smartsheet and your organization’s data protection obligations.
If you or your organization have any additional questions, please do not hesitate to reach out to the Smartsheet Privacy team at privacy@smartsheet.com.
Table of Contents
Data Processing Addendum (DPA)
The General Data Protection Regulation (GDPR)
The EU-US Data Privacy Framework (DPF)
The California Consumer Privacy Act (CCPA)
General Questions
Is Smartsheet a data processor or a data controller?
A processor is an entity that only processes, or uses, stores, transmits, etc., personal data in accordance with the instructions of a controller.
A controller, by contrast, is an entity that determines the purposes and the means of the data processing. In other words, the controller decides why and how to process personal data. Determining what personal data is to be used for, whether to disclose the data (and, if so, to whom), and how long to retain the data are all decisions that can only be made by a controller.
An organization doesn't have to be just a controller or just a processor; it can fulfill different roles in respect to different data. For example, a cloud hosting provider may be a processor of the data it hosts for its customers but will be a controller of data about its own employees and it may be a controller of certain kinds of account data about its customers.
How does this apply to Smartsheet?
The same is true for Smartsheet. As a SaaS provider, Smartsheet acts as both a processor and a controller.
How do Smartsheet AI tools work?
Smartsheet AI tool uses large language models with your Smartsheet data, providing powerful, context-aware AI features with a focus on data privacy.
Learn more in our AI whitepaper and help article.
Is my data used to train public AI models?
We do not own your AI Data and do not use it to train public models.
Learn more in our AI whitepaper.
Can my organization unsubscribe from all marketing and sales communications?
Yes. Smartsheet can unsubscribe a customer account from receiving marketing and sales communications. Please have your account sys admin submit the unsubscribe request to this form.
Customer Content
What is Customer Content?
As covered in Section 12 of the Smartsheet User Agreement, “Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to the application by Customer or Users and is processed by Smartsheet on behalf of Customer.
Who is the controller of Customer Content?
Smartsheet customers are controllers of Customer Content uploaded to the Smartsheet application. Where Smartsheet is a data processor, Customers control the data submitted and contained in Customer Content. The data processed will vary according to the Customer’s use-case. Customers remain responsible for ensuring that submission of any special categories of Personal Data complies with applicable laws.
How does Smartsheet process Customer Content?
As covered in the Smartsheet User Agreement, Smartsheet may process Customer Content only: as required by applicable law; as requested by Customer in writing or as allowed by Customer via a Service’s access controls; or as necessary to provide, support, or optimize the application or prevent or address technical problems with the application or violations of this Agreement.
What subprocessors does Smartsheet utilize to process Customer Content?
Subprocessors for Smartsheet applications are documented on this webpage.
How can I be notified when Smartsheet adds a new subprocessor?
Customers wishing to be notified of changes to the Smartsheet subprocessor list can fill out this form.
Where is Customer Content hosted?
Currently, the Smartsheet platform is hosted from the United States (US) or from the European Union (EU). When customers choose the EU region as the hosting location, customer content will be processed in the EU region (Germany as primary, with backup in Ireland). For more information on data access and data transfers to the US, please refer to the Smartsheet Trust Center.
Where is Customer Support located?
Smartsheet's platform is web hosted and available across the globe. In order to provide support in a timely manner, Smartsheet may utilize support staff outside of the customer’s selected hosting region, and support may be provided from the US, UK, Philippines, Costa Rica, or Australia. Users may choose to access the Smartsheet application from many locations so data may be processed outside of the selected region at the direction of your users. For more information, please refer to the Smartsheet Trust Center.
How does Smartsheet protect Customer Content?
Smartsheet has implemented technical, organizational, and administrative measures to protect data that Smartsheet processes. Many of these measures have been reviewed by independent third-party auditors and found to meet the standards of SOC2, ISO 27001:2013, ISO 27018:2019, and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
Does Smartsheet use the data I upload to the application for marketing or sales purposes?
No. Data entered or uploaded to the application by our customers is referred to as Customer Content. Smartsheet only uses Customer Content as described in Section 2.2 of the Smartsheet User Agreement. Customers occasionally refer to the Smartsheet Privacy Notice when trying to answer this question. However, our Privacy Notice does not apply to Customer Content therefore any references in the Privacy Notice to marketing or sales activities do not apply to the data entered or uploaded to Smartsheet.
Usage Data
What is Usage Data?
Usage Data generally refers to any analytical, statistical, learned, technical, or usage information collected and processed by Smartsheet. Smartsheet collects and processes Usage Data to provide insight into how the Services are used by a customer or individual, to accurately bill customers for their use of the Services, to troubleshoot problems that arise on the network, prevent fraud and abuse, and to comply with Smartsheet’s legal and accounting obligations. We rely upon this data to run our business, secure the Services, and enable product improvements. Examples of Usage Data include, but are not limited to, diagnostic reports, page response times, and service usage metrics.
Importantly, Usage Data is not Customer Content, which is defined in the User Agreement.
Does Usage Data include customer data that is uploaded into the Services (i.e. Customer Content)?
No. Usage Data does not include or reveal Customer Content, including any personal data therein. Customer Content remains owned and controlled by a customer, in accordance with Smartsheet’s User Agreement.
Who owns Usage Data and why?
Smartsheet is the owner and controller of Usage Data because we solely determine why and how Usage Data is collected and processed. Smartsheet’s use and collection of Usage Data is subject to applicable law and limited to the purposes described in our DPA and our Offerings Notice. Smartsheet does not allow for customer-ownership or joint-ownership of Usage Data.
Why does Smartsheet need to be a controller of Usage Data?
Smartsheet processes service Usage Data to accurately bill customers for their use of the services, to troubleshoot problems that arise on the network, prevent fraud and abuse, pay taxes and comply with laws. We rely upon this data to run our business, secure the services and for product enhancements.
Smartsheet is a controller because we determine why and how Usage Data needs to be processed. This doesn’t mean that Smartsheet can do what it likes with your data, though: we are constrained by what the law allows and the terms of our contract with you. Smartsheet can’t, for example, sell your end-user data or process it for any reason other than what is strictly necessary for the operation of the service.
Smartsheet also determines how long Usage Data needs to be retained: once we no longer have a need to process the data for the purposes outlined above, we follow our retention practices and securely dispose of the data. So while Smartsheet needs to act as a controller of Usage Data, it is only for limited purposes and for a limited time.
Why is Usage Data collected and used?
Usage Data is collected and used by Smartsheet to provide, support, secure, and defend the Services. The insights derived from Usage Data are essential for Smartsheet’s continuous maintenance, enhancement, and improvement of the Services.
Does Usage Data stay in a customer’s selected hosting region?
As a data controller, Smartsheet transfers usage data and account information to its primary business functions in the United States from other data regions. These functions include most of our finance, marketing, sales, and support, all of which rely on usage data and account information to provide, secure, support, and optimize Smartsheet’s service for our customers. By consolidating such data and information, Smartsheet creates efficient and high-performing functions and limits the data footprint and threat vectors. Accordingly, Smartsheet doesn’t offer data residency options regarding usage data and account information. More information about data hosting can be found in Smartsheet’s Data Residency help article.
Is Usage Data identifiable?
Smartsheet uses Usage Data in an identifiable form or in a form that can be reasonably identifiable for its internal business purposes, including, but not limited to, account management and support services.
Does Smartsheet share Usage Data, identifiable or otherwise, with third-parties?
Smartsheet discloses Usage Data to business service providers that Smartsheet has entered into agreements with that contain appropriate confidentiality and data protection provisions. These disclosures are limited in nature and may include identifiable Usage Data if reasonably necessary for Smartsheet to perform its business functions, such as account management and support services. Except where reasonably necessary, any disclosure of Usage Data would otherwise be as de-identified or aggregate data (as those terms are generally defined under applicable data privacy laws) as to not allow any unauthorized third party from identifying a particular customer or user to which the data relates.
How is Usage Data collected?
Usage Data is collected by Smartsheet in accordance with its Privacy Notice.
How long is Usage Data retained?
Smartsheet determines how long Usage Data needs to be retained based on the purposes for its collection. This period may vary based on the type of Usage Data collected. Any collection of Usage Data is therefore limited to the purposes for collection and retained in accordance with Smartsheet’s data retention policies.
Can access to, or a copy of, Usage Data be requested?
Smartsheet customers can access some Usage Data in reports available within the Admin Center. For information on how System Administrators can configure the application, access reports, and manage accounts, please visit our System Admin information page.
Additional Usage Data may be available upon written request. Usage Data of a particular organization or customer will only be shared with an individual within the same organization or domain.
Who can I contact if I have additional questions about Usage Data?
For questions about Usage Data, please feel free to reach out to legal@smartsheet.com.
Data Processing Addendum (DPA)
Does Smartsheet sign DPAs with customers?
The terms and conditions of Smartsheet's Data Processing Addendum (DPA) are automatically incorporated in our User Agreement to meet the needs of our customers who require specific terms for the processing of Customer Content that includes personal information. Our DPA incorporates both the EU and UK Standard Contractual Clauses (SCC) and has been carefully tailored to account for our subscription service's unique operational and technical controls and to address the applicable privacy obligations and legal responsibilities of both parties, particularly with respect to both the GDPR and applicable US data protection laws, such as the CCPA.
On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). For the time being, Smartsheet intends to continue to offer its DPA with the current SCCs as permitted for both new and legacy data transfers. Smartsheet will continue to monitor developments with respect to international data transfers and will make any reasonably required updates as we wait for further direction from the Commission.
What is the scope of the DPA?
Smartsheet's Data Processing Addendum (DPA) has been carefully tailored to account for our subscription service's unique operational and technical controls. The language in our DPA that addresses the applicable privacy obligations of both parties is in line with DPAs offered by the major service providers in the SaaS industry. The DPA has been carefully drafted to address the legal responsibilities of both parties under applicable privacy laws, particularly with respect to GDPR and CCPA, so that even customers subject to stringent privacy laws can accept the terms without negotiation. All underlying legal and commercial terms (including terms describing Smartsheet's operational practices) have already been established in the agreement governing your use of and access to the services.
Additionally, as a data processor, Customers control the data submitted and contained in Customer Content. The data processed will vary according to the Customer’s use case. Customers remain responsible for ensuring that submission of any special categories of Personal Data complies with applicable laws. Smartsheet treats all data submitted to the application the same and has built into the subscription service certain controls to account for common requirements.
What laws are considered in the Smartsheet DPA?
Smartsheet's Data Processing Addendum (DPA) has been carefully drafted to address the applicable legal responsibilities of both parties, particularly with respect to GDPR and CCPA, so that even customers subject to stringent privacy laws can accept the terms without negotiation. All underlying legal and commercial terms have already been established in the agreement governing your use of and access to the services and have been carefully drafted to take into account Smartsheet’s technical and operational realities as a SaaS provider.
For more information on Smartsheet’s current privacy and compliance practices, please visit our online Trust Center. Additionally, if you have any questions regarding Smartsheet’s existing processing activities or the data protection laws to which we can contractually commit to at this time, please feel free to review our DPA.
Will Smartsheet sign my organization’s DPA?
Smartsheet's Data Processing Addendum, the terms of which are automatically incorporated into our User Agreement, has been specifically tailored to depict our Subscription Service's unique operational and technical controls and our business model as a multi-tenant, data agnostic SaaS provider. In this capacity, Smartsheet treats all data from all customers the same and has built into the subscription service certain controls to account for compliance with applicable data privacy laws.
Smartsheet requires the use of its DPA because it most accurately reflects Smartsheet’s existing processes and capabilities, particularly as they relate to predominant Data Protection Laws, including the GDPR and applicable US data protection laws (such as the CCPA). While we understand that some customers may prefer to use their own DPA or supplementary data privacy terms, Smartsheet does not accept customer paper. This is designed to ensure accuracy and transparency regarding how data is transferred between the parties and processed by Smartsheet. For more information on Smartsheet's privacy practices generally, please visit the Smartsheet Trust Center.
The General Data Protection Regulation (GDPR)
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European regulation that took effect on May 25, 2018, and sets out standards for the protection and processing of personal data. For information about Smartsheet and the GDPR, please reference this datasheet.
How does Smartsheet as a service provider comply with the GDPR?
Smartsheet is a global company that considers the privacy of its customers in the implementation of its operational and technical controls. Smartsheet and its affiliates offer privacy assurances aligned with industry standards and applicable data privacy legislation, such as the GDPR. Smartsheet, along with other SaaS providers, employs a shared-responsibility model when it comes to risk assessment and transfer impact assessments, therefore, GDPR compliance is a partnership between customer and vendor.
We are committed to our customers’ success, including supporting them on their GDPR compliance journeys. We have many customers who have determined that Smartsheet meets their GDPR compliance needs and look forward to working with you to meet your needs.
Please reach out to your account representative, or submit this form, if you would like to access our Security Packet which includes the Transfer Impact Assessments (TIA) for our offerings. For information about Smartsheet and the GDPR, please reference this datasheet.
Does Smartsheet have a Data Protection Officer (DPO)?
Smartsheet has appointed a DPO. All contact information for Smartsheet Privacy is available in our Privacy Notice.
As a data processor, will Smartsheet assist my organization in fulfilling its data subject requests?
As covered in Smartsheet's Data Processing Addendum, Smartsheet will provide reasonable assistance to Customer in relation to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of Smartsheet’s Processing of Customer Personal Data and the information available to Smartsheet.
As a data controller, does Smartsheet fulfill data subject requests?
Yes, Smartsheet will comply with all legitimate and reasonable requests related to privacy rights. Please complete this form to submit your request to the Smartsheet Privacy Team.
What are the Standard Contractual Clauses?
The Standard Contractual Clauses (SCCs) are a set of contractual commitments that are established by the European Commission to allow for lawful international transfers of personal data. The SCCs are meant to standardize the security and privacy practices of organizations moving personal data on individuals in the European Union (EU) outside the EU. Smartsheet executes SCCs with all vendors and our customers that require a data transfer mechanism.
On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. For the time being, Smartsheet intends to operate under the current SCCs as permitted for both new and legacy data transfers. During this time, Smartsheet will be reviewing its policies and practices with respect to international data transfers and then making any reasonably required updates as we wait for further direction from the Commission.
Will Smartsheet sign Standard Contractual Clauses (SCCs) or Model Clauses?
Following the Schrems II decision and the invalidation of the Privacy Shield, Smartsheet updated updated its Data Processing Addendum to incorporate the Standard Contractual Clauses (SCC) as the lawful transfer mechanism, the validity of which the European Court of Justice expressly upheld.
On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. Smartsheet intends to operate under the most recent SCCs as permitted for both new and legacy data transfers. Smartsheet will continue to monitor developments with respect to international data transfers and make any reasonably required updates as we wait for further direction from the Commission.
Are enhanced protections of EU personal data transferred to the US offered by Smartsheet?
Smartsheet has implemented technical, organizational, and administrative measures to protect data that Smartsheet processes. Many of these measures have been reviewed by independent third-party auditors and found to meet the standards of SOC2, ISO 27001:2022, ISO 27018:2019, and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
The EU-US Data Privacy Framework (DPF)
What is the Data Privacy Framework (DPF)?
On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework (replacing the Privacy Shield). To learn more about the Data Privacy Framework, and to view our certification, please visit https://www.dataprivacyframework.gov.
How does the Data Privacy Framework apply to Smartsheet?
Smartsheet and its affiliates participate in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce (collectively, the Data Privacy Framework). We are committed to complying with the Data Privacy Framework Principles with respect to personal data transferred to the United States from the European Economic Area (EEA), the United Kingdom (UK), and Switzerland. To learn more about the Data Privacy Framework, and to view our certification, please visit https://www.dataprivacyframework.gov. Smartsheet’s commitments under the Data Privacy Framework Principles are subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).
Even though Smartsheet was not relying upon the Privacy Shield certification as a data transfer mechanism, Smartsheet maintained its existing certification, as we continued to uphold the commitments we made to the FTC and our customers about the processing of personal data under the Privacy Shield principles. As a participant in good standing, we were able to quickly transition to the Data Privacy Framework.
The California Consumer Privacy Act (CCPA)
What is the CCPA?
The California Consumer Privacy Act (CCPA) is the first comprehensive data privacy legislation passed by a State. The CCPA went into effect in January of 2020. The law aims to outline acceptable collection, use, and storage of personal information. The CCPA also outlines transparency requirements for organizations selling personal information.
How does the CCPA apply to Smartsheet?
For more information on the privacy practices of Smartsheet, please refer to this datasheet.
Does Smartsheet sell personal information?
No. Smartsheet does not sell personal information. Please refer to our Privacy Notice for more information on how Smartsheet collects, uses, and shares personal information.
Does Smartsheet comply with other state privacy laws?
Smartsheet expects that more state laws will continue to come into effect and will continue to monitor and update its policies and practices accordingly. We expanded the definition of “Data Protection Law” under our agreements to include any federal or state data protection laws in effect and applicable to Smartsheet’s Processing of Customer Personal Data in the United States.
Integration and Forms
Why is the Smartsheet Privacy Notice included in the footer of Smartsheet Forms?
The Smartsheet application includes a feature that allows customers to publish online forms which allow individuals to submit data to the Smartsheet application. The data collected via the form and provided by an individual is considered Customer Content. As users submit forms, Smartsheet may collect usage data (e.g., IP address, submission date and time, browser type, etc.) that may be used for Analytics and Improvements; Protecting Legal Rights and Preventing Misuse; and to Comply with Legal Obligations, as further outlined in our Privacy Notice.
Why do the Microsoft integrations with Smartsheet ask for permission to share data to a third-party service?
Connectors and Integrations can be used to pull and/or push information from or to the Smartsheet application, and to enable the applicable third-party to receive notifications, such as sheet updates, from the application. For example, while customers are setting up integrations in Microsoft products (e.g., Outlook, Teams) they will be presented with a prompt from Microsoft (help article) to allow sharing of data with a third-party service. In this context, Smartsheet is the third-party service and Microsoft is requesting to share data. Additionally, any information you authorize to be transferred from the application to an integration partner is governed by the third-party’s privacy statement. We encourage you to carefully read the privacy statement of any third-party you authorize to receive information from the Smartsheet application.
Audit and Certifications
What privacy certifications has Smartsheet achieved?
Smartsheet holds certifications to two global privacy standards: ISO 27018:2019 and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
Is Smartsheet GDPR certified?
Smartsheet has achieved certification to two global privacy standards which meet many of the requirements under the GDPR: ISO 27018:2019 and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
Can my organization audit the privacy practices of Smartsheet?
Smartsheet supports millions of users worldwide. It is not practical to allow each customer to audit our practices. This is why we have completed certifications to global privacy standards: ISO 27018:2019 and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.