Privacy Frequently Asked Questions
At Smartsheet, privacy is a critical component of building and maintaining trust with our customers. We want you to feel comfortable uploading your organization’s data to Smartsheet. This webpage is designed to assist you in addressing commonly asked questions about privacy and your use of Smartsheet.
Capitalized terms used throughout are defined in our Glossary.
This webpage is not intended to provide legal advice or replace consulting with your organization’s legal representative. We urge you to seek appropriate legal counsel in regards to your specific use of Smartsheet and your organization’s data protection obligations.
If you or your organization have any additional questions, please do not hesitate to reach out to the Smartsheet Privacy team at privacy@smartsheet.com.
Table of Contents
Smartsheet and Customer Content
Data Protection Laws and International Transfers
Contact Smartsheet's Privacy Office
Smartsheet's Data Roles
What are data Controllers and Processors?
Data protection laws primarily refer to two data roles when determining an organization’s obligations with respect to Personal Data: Controller and Processor.
- Controllers: A Controller is an entity that determines the purposes and means of Processing. In other words, the Controller decides why and how to collect and Process Personal Data. Controllers decide what Personal Data is to be used for, whether to disclose the data (and, if so, to whom), and how long to retain the data.
- Processors: By contrast, a Processor is an entity that uses, stores, transmits, and otherwise Processes Personal Data on behalf, and in accordance with the instructions, of a Controller.
An organization doesn't have to be just a Controller or just a Processor; it can fulfill different roles in respect to different data, jointly with, or on behalf of, other entities or by itself. For example, a cloud hosting provider may be a Processor of the data it hosts for its customers, but it will be a Controller of data about its own employees and of account data about its users.
Is Smartsheet considered a Controller or Processor?
Smartsheet acts as both a Controller and Processor depending on the data. For Account Information and System Data, Smartsheet is the Controller because it determines the purpose and means of Processing. Conversely, Smartsheet acts as a Processor with respect to Customer Content because the Processing activities take place at a customer's direction and on their behalf.
Where can I learn more about Smartsheet’s privacy practices as a data controller?
More information about Smartsheet’s privacy practices can be found in our Privacy Notice and Trust Center.
How do I enter into a Data Processing Addendum (DPA) with Smartsheet?
Smartsheet's Data Processing Addendum (DPA) is automatically incorporated into the Smartsheet User Agreement to meet the needs of our customers who require specific terms for the Processing of Customer Content that contains Personal Data.
Smartsheet and Customer Content
Who is the Controller of Customer Content?
Customers are considered Controllers of Customer Content whereas Smartsheet acts as a Processor. As Controller, customers are responsible for complying with any laws applicable to their acquisition, disclosure, use, and Processing of Customer Content, including any Personal Data contained therein. The types and content of data contained within Customer Content are solely determined and controlled by a customer and its users depending on how they use the Online Services.
Importantly, Customer Content does not include System Data or Account Information, which is solely owned and controlled by Smartsheet.
Where is Customer Content hosted?
The hosting region for Customer Content depends on the services being purchased and can be viewed on your order form. For a list of available hosting locations, and more information about this topic generally, please visit Smartsheet’s Data Residency Trust Center.
Will Smartsheet keep my data localized within its hosted region?
Smartsheet engages personnel and systems located worldwide, but primarily in the United States, to provision your Smartsheet services. By extension, Smartsheet may need to access your Customer Content from a location outside your selected data region to provide, secure, support, or optimize your services. Smartsheet performs these activities only to the extent allowed under your agreement with Smartsheet governing your services.
For example, Smartsheet may perform ancillary and limited processing activities on Customer Content hosted in Australia or the European Union from the United States, or other Smartsheet locations, as disclosed on Smartsheet’s Subprocessors webpage, in response to your request for support, to prevent or address technical problems with your service, or based on how you are using the services.
In the event data is accessed or transferred outside of a selected region, Smartsheet uses valid data transfer mechanisms to safeguard any personal data accessed fromor transferred to a data region different from the host region. For more information, please see Smartsheet’s International Data Transfers webpage.
Why does Smartsheet process Customer Content?
Smartsheet processes Customer Content: to provide, support, or optimize the Services; as required by applicable law; as requested by a customer in writing or as permitted by a customer via an Online Service’s access controls; and as necessary to prevent or address technical problems with Smartsheet’s services or violations of applicable agreements. Authorization for these purposes of processing are set out in the Smartsheet User Agreement.
Does Smartsheet sell my Customer Content or use it for marketing purposes?
No. Smartsheet does not sell Customer Content or use it for marketing purposes. Marketing activities take place pursuant to Smartsheet’s Privacy Notice.
Does Smartsheet use Subprocessors to Process Customer Content?
Smartsheet uses Subprocessors to provide its services, and a full list of Subprocessors can be found on our Subprocessors webpage. If new Subprocessors are onboarded, Smartsheet will update your SysAdmin. Additional notification(s) for updates can be subscribed to by filling out this form.
How does Smartsheet protect Customer Content?
Smartsheet has implemented technical, organizational, and administrative measures to protect your Customer Content. Some of Smartsheet’s implemented security controls include data encryption (at rest and in transit), stringent access controls, and regular program testing, to name a few.
These measures are regularly reviewed by independent third-party auditors and have been found to meet the standards of SOC2, ISO 27001:2013, ISO 27018:2019, and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
Additional information about measures employed by Smartsheet to protect Customer Content can be found in our Security Practices and within your Security Packet.
How does Smartsheet ensure that its Subprocessors will protect Customer Content?
Smartsheet’s selection and engagement of each Subprocessor is subject to written agreements that contain data protection terms required by applicable laws and that are at least as protective as our contractual commitments with our customers. In addition to this, Smartsheet carries out initial due diligence during onboarding of its Subprocessors and then conducts periodic security reviews to ensure appropriate security controls remain in place to protect Customer Content. This includes reviewing security attestations for Subprocessors, such as SOC I and/or SOC II reports, vulnerability and penetration tests, PCI-DSS audits, and/or external security risk assessments.
What happens if there is a security breach involving Customer Content?
Smartsheet handles and communicates information pertaining to security breaches involving Customer Content in accordance with its documented Security Practices or the signed agreement between the affected customer and Smartsheet.
If I end my relationship with Smartsheet, what happens to my Customer Content?
Following termination or expiration of your relationship with Smartsheet, Smartsheet will return or delete your Customer Content as set forth in your agreement.
Data Protection Laws and International Transfers
How does Smartsheet lawfully transfer Personal Data across borders?
Smartsheet’s Data Processing Addendum (DPA) incorporates the EU Standard Contractual Clauses alongside the United Kingdom International Data Transfer Addendum (collectively, the “SCCs”) as its primary data transfer mechanism for Customer Content containing EU and UK Personal Data.
Additionally, Smartsheet participates in the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce (collectively, the "Data Privacy Framework"). To learn more about the Data Privacy Framework, and to view our certification, please visit https://www.dataprivacyframework.gov. Smartsheet’s commitments under the Data Privacy Framework Principles are subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).
Smartsheet has also implemented intercompany agreements for transfers of Personal Data between our affiliated companies, which require all of our affiliates to protect Personal Data they Process in accordance with applicable data protection law. We have implemented similar appropriate safeguards where legally required with our third-party service providers and partners. Please see our Subprocessors page for additional details.
How does Smartsheet take international data protection laws into consideration with its data activities?
Smartsheet is a global company that considers the privacy of its customers in the implementation of its operational and technical controls by maintaining a privacy program focused on comprehensively integrating data protection best practices throughout its processes. This allows Smartsheet and its affiliates to offer customers privacy assurances aligned with industry standards and predominant data privacy legislation, such as the GDPR and CCPA.
Smartsheet’s commitment to privacy is evidenced by its certification to two global privacy standards: ISO 27018:2019 and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
Are enhanced protections of EU Personal Data transferred to the US offered by Smartsheet?
Smartsheet has implemented technical, organizational, and administrative measures to protect data that Smartsheet processes. Many of these measures have been reviewed by independent third-party auditors and found to meet the standards of SOC2, ISO 27001:2022, ISO 27018:2019, and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
How does Smartsheet comply with state privacy laws throughout the United States?
Smartsheet’s privacy program actively tracks and monitors the enactment and enforcement of U.S. state privacy laws so that it can update its policies and practices accordingly. Smartsheet also maintains a U.S. State Privacy Notice to inform individuals of their rights under state laws in effect.
What privacy certifications have Smartsheet achieved?
Smartsheet has achieved certification to two global privacy standards that meet many of the requirements in predominant privacy laws, such as the GDPR: ISO 27018:2019 and ISO 27701:2019. For more information, please refer to the Smartsheet Trust Center.
Smartsheet’s AI Tools
How do Smartsheet AI tools work?
Smartsheet AI tool uses large language models with your Smartsheet data, providing powerful, context-aware AI features with a focus on data privacy.
Learn more in our AI whitepaper and Smartsheet AI tools help article.
Is my data used to train public AI models?
No. We do not own your AI Data and do not use it to train public models.
Learn more in our AI whitepaper.
System Data
Does System Data include Customer Content?
No. System Data does not include or reveal Customer Content, including any Personal Data therein. Customer Content remains owned and controlled by the customer.
Who owns System Data and why?
Smartsheet is the owner and controller of System Data because we solely determine the purposes and means for which System Data is collected and Processed. Smartsheet’s use and collection of System Data is subject to applicable law and limited to the purposes described in our Offerings Privacy Notice and customer agreements. Smartsheet does not allow for customer-ownership or joint-ownership of System Data.
Why does Smartsheet need to be the Controller of System Data?
Smartsheet is the Controller of System Data because we determine why and how System Data needs to be collected and Processed. Smartsheet relies upon System Data to run our business, secure the services and to enable product enhancements. For example, Smartsheet Processes System Data to accurately bill customers, troubleshoot technical problems, enable product improvements, and to prevent fraud and abuse. More information about how Smartsheet collects and uses System Data can be found in Smartsheet’s Offerings Privacy Notice.
Why is System Data collected and used?
System Data is collected and used by Smartsheet to provide, support, optimize and secure our Online Services. The insights derived from System Data are essential for Smartsheet’s continuous maintenance, enhancement, and improvement of our services.
Does System Data stay in a customer’s selected hosting region?
Smartsheet transfers System Data to its primary business functions in the United States from other data regions. These functions include most of our finance, marketing, sales, and support, all of which rely on System Data and Account Information to provide, support, optimize, and secure Smartsheet’s services to our customers. By consolidating such data and information, Smartsheet creates efficient and high-performing functions and limits the data footprint and threat vectors. Accordingly, Smartsheet doesn’t offer data residency options regarding System Data and Account Information. More information about data hosting can be found in Smartsheet’s Data Residency Trust Center.
Is System Data identifiable?
Smartsheet uses System Data in an identifiable form or in a form that can be reasonably identifiable for its internal business purposes, including, but not limited to, account management, product enhancement, and support services.
Does Smartsheet share System Data, identifiable or otherwise, with third-parties?
Smartsheet discloses System Data to business service providers that Smartsheet has entered into agreements with that contain appropriate confidentiality and data protection provisions. These disclosures are limited in nature and may include identifiable System Data if reasonably necessary for Smartsheet to perform its business functions, such as account management and support services. Except where reasonably necessary, any disclosure of System Data would otherwise be as de-identified or aggregate data (as those terms are generally defined under applicable data privacy laws) as to not allow any unauthorized third party from identifying a particular customer or user to which the data relates.
How is System Data collected?
System Data is collected by Smartsheet in accordance with its Privacy Notice.
How long is System Data retained?
Smartsheet determines how long System Data needs to be retained based on the purposes for its collection. This period may vary based on the type of System Data collected. Any collection of System Data is therefore limited to the purposes for collection and retained in accordance with Smartsheet’s data retention policies.
Can access to, or a copy of, System Data be requested?
Smartsheet customers can access some System Data in reports available within their Admin Center. For information on how System Administrators can configure the application, access reports, and manage accounts, please visit our System Admin information page.
Additional System Data may be available upon written request. System Data of a particular organization or customer will only be shared with an individual within the same organization or domain.
Who can I contact if I have additional questions about System Data?
For questions about System Data, please feel free to reach out to legal@smartsheet.com.
Integration and Forms
Why is the Smartsheet Privacy Notice included in the footer of Smartsheet Forms?
The Smartsheet application includes a feature that allows customers to publish online forms which allow individuals to submit data to the Smartsheet application. The data collected via the form and provided by an individual is considered Customer Content. As users submit forms, Smartsheet may collect usage data (e.g., IP address, submission date and time, browser type, etc.) that may be used for analytics and product improvements; protection of legal rights and abuse prevention; and for legal and compliance purposes. Collection and use of System Data is further outlined in Smartsheet's Privacy Notice.
Importantly, the input data collected via the form and provided by an individual is owned by the customer, not Smartsheet, and considered Customer Content. To enable customers to meet their data protection obligations, customers can configure online forms to include their privacy notice alongside Smartsheet’s Privacy Notice.
Why do the third-party integrations with Smartsheet ask for permission to share data to the third-party service?
Connectors and Integrations can be used to pull and/or push information from or to the Smartsheet application, and to enable the applicable third-party to receive notifications, such as sheet updates, from the application. Setting up integrations in third-party products allows data to be shared with the third-party service. Any information you authorize to be transferred from the application to an integration partner is governed by the third-party’s privacy statement. We encourage you to carefully read the privacy statement of any third-party you authorize to receive information from the Smartsheet application.
General Questions
Where is Customer Support located?
Smartsheet's platform is web hosted and available across the globe. In order to provide support in a timely manner, Smartsheet may utilize support staff outside of a customer’s selected hosting region. For customers wishing to learn more about Smartsheet’s Support Resources, including options to limit the region of support, please contact your designated account representative.
How do I exercise my privacy rights?
You may have certain rights relating to your Personal Data under applicable data protection laws or based on your use of our services. Our Privacy Notice includes more information about these rights. To exercise your privacy rights, please complete our Privacy Request Form.
How do I unsubscribe from marketing and sales communications?
For individuals: You can modify how we contact you through email for marketing or promotional purposes at any time. Information about how you can exercise your marketing choices is outlined in Smartsheet's Privacy Notice.
For organizations: Smartsheet can unsubscribe a customer account from receiving marketing and sales communications. Please have your account System Administrator submit an unsubscribe request to this form.
Does Smartsheet have a Data Protection Officer (DPO)?
Smartsheet has appointed a DPO. All contact information for Smartsheet Privacy is available in our Privacy Notice.
Contact the Privacy Office
Who do I contact if I have more questions?
All contact information for Smartsheet Privacy is available in our Privacy Notice.