Security Policy

We go to great lengths to keep your data safe and secure 

Last Updated: May 05, 2015

Your trust is our most important asset. All customer data that Smartsheet stores is protected by rigorous infrastructure and administrative procedures. To achieve the high levels of physical and data protection that today’s businesses require, Smartsheet.com maintains a robust and comprehensive multi-level security environment.

Physical security

The Smartsheet.com application is hosted on dedicated servers in SOC 1-tested and ISO 27001-certified data centers in Ashburn, Virginia and Chicago, Illinois. The data centers provide 24-hour physical security, which includes keycard and biometric access controls and continuous surveillance. A dedicated firewall provides a strong barrier of network security from the internet. Additionally, we utilize Amazon’s S3 service to store and serve uploaded files.

Data encryption

Smartsheet.com uses proven TLS technology from the most trusted providers to encrypt all data transmissions between your device and our servers. Transport Layer Security (TLS) technology is designed to protect your information by establishing trust in our servers through a trusted third party, then by creating a secure channel through which your data can pass to our service, protected from malicious actors. Additionally, our platform extends data protection to include AES 256 encryption before data is durably stored, commonly referred to as at-rest encryption.

User Authentication

Each user in your Smartsheet.com environment has a unique user name (their e-mail address). We offer forms-based authentication (username and password) and Google Authentication to all users of Smartsheet. Enterprise customers can additionally take advantage of a SAML 2.0 SSO integration or Azure AD authentication to allow for adherence to corporate authentication or identity management policies. Smartsheet issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include either the user name or password of the user. Smartsheet.com does not use cookies to store other confidential user and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs. All account login attempts are logged, and account lockout policies are automatically applied after a certain number of failed login attempts.

Operational Management

We have implemented policies and procedures designed to ensure that your data is secure and backed up to multiple physical locations. Access to all Smartsheet production systems and data is limited to authorized members of the Smartsheet Technical Operations team. Our team is continually evaluating new security threats and implementing updated countermeasures designed to prevent unauthorized access or unplanned downtime.

Audit and Assurance

All administrative access to protected data is reviewed on a quarterly basis by internal auditors to confirm that we use it only in the context of responding to customer service matters. Smartsheet contracts with third-party security professionals to conduct network and application penetration testing twice per year to proactively find new attack vectors and security weaknesses.

Disclosure

Smartsheet maintains a policy of full event disclosure for security incidents that affect customer data. In the event of any security incident affecting your data, a notification will be sent to your account administrator. Smartsheet additionally publishes information about the health of our service at http://status.smartsheet.com

Engagement

If you find any security issue with our products, please contact us at security@smartsheet.com or call us directly at 425-283-1870 to file a security incident report. If you are concerned or suspect that your Smartsheet or partner identity has been compromised, please call 425-283-1870 so that we can help resolve the issue.