Security Practices

At Smartsheet, we understand that you need to know how your data is protected and secured when using our online Services. These Smartsheet Security Practices describe the practices and safeguards, which include physical, organizational, and technical measures, utilized by Smartsheet that are designed to preserve the security, integrity, and confidentiality of the online Services and Customer Content to protect against information security threats.

 

1.       General.

1.1     Information Security Program.  Smartsheet shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the Processing and security of Customer Content and the Smartsheet systems or networks used to Process or secure Customer Content ("Smartsheet Information Systems") in connection with providing the Services under the Agreement and Supplement. 

1.2     Confidentiality; Training.  Smartsheet will ensure that Smartsheet Personnel: (a) are bound by confidentiality obligations with respect to Customer Content substantially as protective as those set forth in the Agreement; and (b) are subject to appropriate training relating to the Processing of Customer Content.

1.3     Definitions. 

1.3.1    “Agreement” means the agreement that governs Customer’s access to and use of the online Services.

1.3.2    “Customer” means the individual or entity that executes or accepts an Order or registers for free trial access to and use of a Service and has entered into an Agreement.

1.3.3    “Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Smartsheet on behalf of Customer. 

1.3.4    “Process” means any operation or set of operations performed upon Customer Content, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

1.3.5    “Security Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.

1.3.6    “Services” means the Subscription Services and any other online service or application provided or controlled by Smartsheet for use with the Subscription Services.

1.3.7    “Smartsheet Personnel” means any individual authorized by Smartsheet to Process Customer Content.

1.3.8    “Subscription Service” means the subscription-based online services and applications that are provisioned or controlled by Smartsheet. 

1.3.9    “Supplement” means those criteria, means, methods, and measures, and terms and conditions applicable to certain products and services of Smartsheet or customer types available at www.smartsheet.com/legal/agreement-supplement.

1.3.10    “User” means any individual authorized or invited by Customer or another User to access and use the online Services under the terms of the Agreement.

 

2.      Security Controls.  In accordance with its information security program, Smartsheet shall implement appropriate physical, organizational, and technical controls designed to: (a) ensure the security, integrity, and confidentiality of Customer Content Processed by Smartsheet; and (b) protect Customer Content from known or reasonably anticipated threats or hazards, including to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of Processing. Without limiting the foregoing, Smartsheet will, as appropriate, utilize the following controls:

2.1    Firewalls.  Smartsheet will install and maintain firewall(s) to protect data accessible via the Internet. 

2.2    Updates.  Smartsheet will maintain programs and routines to keep the Smartsheet Information Systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.

2.3    Anti-malware.  Smartsheet will deploy and use anti-malware software and will keep the anti-malware software up to date. Smartsheet will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected. 

2.4    Testing.  Smartsheet will regularly test its security systems, processes, and controls to ensure they meet the requirements of these Security Practices.

2.5    Access Controls.  Smartsheet will secure Customer Content processed by Smartsheet Information Systems by complying with the following:

  • 2.5.1    Smartsheet will assign a unique ID to Smartsheet Personnel with access to Smartsheet Information Systems. 

  • 2.5.2    Smartsheet will restrict access to Smartsheet Information Systems to only Smartsheet Personnel necessary to perform a specified obligation as permitted by the Agreement. 

  • 2.5.3    Smartsheet will regularly review (at a minimum once every ninety (90) days) the list of Smartsheet Personnel and services with access to Smartsheet Information Systems and remove accounts that no longer require access.

  • 2.5.4    Smartsheet will not use manufacturer supplied defaults for system passwords on any operating systems, software, or Smartsheet Information Systems, will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below), and will require that all passwords and access credentials be kept confidential and not shared among Smartsheet Personnel. 

  • 2.5.5    At a minimum, Smartsheet production passwords will: (i) contain at least eight (8) characters; (ii) not match previous passwords, the user’s login, or common name; (iii) be changed whenever an account compromise is suspected or assumed; and (iv) be regularly replaced.

  • 2.5.6    Smartsheet will enforce account lockout by disabling accounts Processing Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period.

  • 2.5.7    Smartsheet will maintain log data for all use of accounts or credentials by Smartsheet Personnel for access to Smartsheet Information Systems and will regularly review access logs for signs of malicious behavior or unauthorized access. 

2.6    Policies.  Smartsheet will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for Smartsheet Personnel that meet the standards set forth in these Security Practices, including methods to detect and log policy violations. 

2.7    Development.  Development and testing environments will be separate from Smartsheet Information Systems. 

2.8    Deletion.  Smartsheet will utilize procedures that are at a minimum in accordance with National Institute of Standards and Technology (NIST) SP 800-88 Revision 1 recommendations (or a successor standard widely used in the industry) to render Customer Content unrecoverable prior to disposal of media.  

2.9    Encryption.  Smartsheet will utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, Smartsheet will encrypt Customer Content at rest within the online Services and will only allow encrypted connections to the online Service for the transfer of Customer Content.

2.10  Remote Access.  Smartsheet will ensure that any access from outside of its protected corporate or production environments to Smartsheet Information Systems or to Smartsheet’s corporate or development workstation networks will require appropriate connection controls, such as VPN or multi-factor authentication. 

 

3.      Use of Third Parties.

3.1    General.  Third parties engaged by Smartsheet in accordance with the Agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.

3.2   Data Hosting.  Smartsheet will ensure that any third party hosting provider (“Infrastructure-as-a-Service” or “IaaS”) utilized by Smartsheet to Process Customer Content meet the following requirements:

  • 3.2.1    Base Requirements.  At a minimum Smartsheet will ensure IaaS providers: (a) maintain adequate physical security and access controls as set forth in Section 2.5 of these Security Practices; (b) use professional HVAC & environmental controls; (c) utilize professional network/cabling environment; (d) use professional fire detection/suppression capability; and (e) maintain a comprehensive business continuity plan.

  • 3.2.2    Annual Audit; Assessment.  Conduct annual independent risk assessments and audits. Such assessments and audit reports will be provided to Smartsheet and, if required by law, made available to Customer, provided Smartsheet may remove all commercial and confidential information or terms unrelated to the security practices of the IaaS. In addition, Smartsheet shall conduct annual reviews and assessments of any critical IaaS to validate the security measures at a minimum meet the requirements of these Security Practices.

  • 3.2.3    Enhanced Requirements.  Possess requirements and capabilities of a highly-available, redundant (“N+1”) data center, where multiple components each give at least one independent backup component to ensure that system functionality continues at acceptable performance levels in the event of a system failure.

 

4.      System Availability.  Smartsheet will maintain (or, with respect to systems controlled by third parties, ensure that such third parties maintain) a disaster recovery (“DR”) program designed to recover the Subscription Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical Smartsheet Information Systems; (c) annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed therein.

 

5.      Security Breach.

5.1    Procedure. 

  • 5.1.1    Smartsheet will notify Customer in writing without undue delay upon Smartsheet becoming aware of a confirmed Security Breach.

  • 5.1.2    Smartsheet will investigate and, as necessary, mitigate or remediate a Security Breach in accordance with Smartsheet’s security incident policies and procedures (“Breach Management”).

  • 5.1.3    Subject to Smartsheet’s legal obligations, Smartsheet will provide Customer with information available to Smartsheet as a result of its Breach Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligation under applicable laws as a result of a Security Breach.

  • 5.1.4    If Customer requires information relating to a Security Breach in addition to the Incident Information, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Smartsheet will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.

5.2    Unsuccessful Attempts.  An unsuccessful attack or intrusion is not a Security Breach subject to this Section 5. An “unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.

5.3    Customer or User Involvement.  Unauthorized or unlawful access to Customer Content that results from the Customer’s configuration settings, compromise of a User’s login credentials, or from the intentional or inadvertent sharing or disclosure of Customer Content by the Customer or a User is not a Security Breach.

5.4    Notifications.  Notification(s) of Security Breach, if any, will be delivered to one or more of Customer’s SysAdmin users by any reasonable means Smartsheet selects, including email. Customer is solely responsible for maintaining accurate contact information in the online Service at all times.

5.5    Disclaimer.  Smartsheet’s obligation to report or respond to a Security Breach under this Section 5 is not an acknowledgement by Smartsheet of any fault or liability of Smartsheet with respect to the Security Breach.

 

6.      Auditing and Reporting.

6.1    Monitoring.  Smartsheet monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls. 

6.2    Audit Reports.  Smartsheet uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Subscription Services. The resulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at Smartsheet's selection and expense; and (d) result in the generation of a SOC2 report (“Audit Report”), which will be Smartsheet's Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.  

6.3    Penetration Testing.  Smartsheet uses external security experts to conduct penetration testing of certain online Services, including the Subscription Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at Smartsheet’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be Smartsheet’s Confidential Information. Pen Test Reports will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.  

6.4    Customer Audit.  If Customer legally requires information for its compliance with applicable laws in addition to the Audit and Pen Test Reports, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Smartsheet will allow for and cooperate with a Customer mandated audit by a third party auditor in relation to Smartsheet’s Processing of Customer Content (“Customer Audit”), provided that:

  • 6.4.1    Customer provides Smartsheet reasonable advance notice including the identity of the auditor and the anticipated date and scope of the Customer Audit;

  • 6.4.2    Smartsheet approves the auditor by notice to Customer, with such approval not to be unreasonably withheld;

  • 6.4.3    Customer and the auditor act to avoid causing any damage, injury, or disruption to Smartsheet’s premises, equipment, or business in the course of such Customer Audit; and 

  • 6.4.4    Customer initiates only one Customer Audit in any calendar year unless otherwise required by law enforcement.

 

Last updated: March 24, 2023
