International Data Transfers

Purpose

Smartsheet Inc. and its affiliates (further detailed below) (“Smartsheet”) maintain a strong commitment to privacy and data security for their customers. This page further outlines Smartsheet’s position with respect to data transfers and provides assurances with respect to Smartsheet’s privacy and data handling practices.

Notably, Smartsheet is headquartered in the United States and has established international locations and plans to continue international expansion. As such, Smartsheet stores and processes personal data in the United States and any other country in which Smartsheet maintains an office or leverages subprocessors in its provision of its online services and applications, including any related downloadable software (“Offerings”), and websites, including www.smartsheet.com (“Sites”).

This page does not provide legal advice. Smartsheet recommends that you consult with legal counsel to familiarize yourself with the laws and regulations that govern your specific situation. 

Smartsheet’s Roles Under the GDPR

As with many software-as-a-service applications, Smartsheet acts in two capacities with respect to personal data: as a data controller and data processor.

As a data controller, Smartsheet’s Privacy Notice is its notice to individuals, including visitors to the Sites and users of the Offerings, of the ways Smartsheet collects, uses, shares, and otherwise processes personal data that Smartsheet controls and collects directly from individuals.

For all Customer Content, Smartsheet acts as a data processor. Customers that require specific terms for the processing of Customer Content that includes personal data may choose to execute a Data Processing Addendum (“DPA”) with Smartsheet. The DPA, in connection with the agreement governing a customer’s use of the Offerings and applicable law, limits the ways in which Smartsheet may process Customer Content and is the written embodiment of a Customer’s processing instructions to Smartsheet. 


What is an International Transfer of Personal Data? 

An international transfer of personal data (“International Transfer”) occurs when such data is made available outside the European Economic Area (“EEA”). An International Transfer may include the storage of personal data in a country outside the EEA, as well as access to personal data stored in the EU by subprocessors located outside the EEA (e.g., for support services).

What are the European Commission’s Standard Contractual Clauses?

The European Commission’s standard contractual clauses (“SCCs”) are legal contracts entered into between parties that are transferring EU personal data outside of the EU to countries that lack adequate or equivalent data protection. The initial standard contractual clauses for controller-to-processor transfers were drafted and approved by the European Commission in 2010. Following the Schrems II decision, the European Commission drafted new standard contractual clauses to incorporate the requirements of GDPR and the Schrems II decision. The new SCCs were subject to consultation until December 10, 2020 and their final version was published on June 7, 2021. The European Commission grants companies a transitional period of 18 months to implement the new SCCs into their existing contracts. Smartsheet’s updated DPA incorporates the recently adopted new SCCs.

For those customers with older agreements that do not include reference to the SCCs or include the prior version of the SCCs, we encourage you to review the updated DPA. If you have determined that you require an updated DPA with Smartsheet, you may submit a form agreeing to the terms of the DPA here. Once the form is submitted, a copy of the DPA will be routed via DocuSign to the authorized signer entered into the form. Once signed, a copy will also be sent to the individual who submitted the form for their records.


What Mechanism Does Smartsheet Use for Transferring Personal Data?

As a Controller. As noted in the Privacy Notice, Smartsheet is the controller of personal data collected by Smartsheet. In accordance with the GDPR and our obligation as data controller, we have appropriate intercompany contractual agreements in place which include the Standard Contractual Clauses ("SCCs") for the lawful transfer of data between the organizations.

As a Processor. Following the Schrems II decision, Smartsheet updated its DPA to incorporate the SCCs as the lawful transfer mechanism. As mentioned above, Smartsheet recently updated its DPA to incorporate the latest version of the SCCs. If you have determined that you require a DPA with Smartsheet, you may submit a form agreeing to the terms of the DPA here. Once the form is submitted, a copy of the DPA will be routed via DocuSign to the authorized signer entered into the form. Once signed, a copy will also be sent to the individual who submitted the form for their records.

Where are the Offerings Hosted? 

Customers have the ability to select the location where their Customer Content is hosted. Please see our Trust Center or Regional Differences page for additional information. Smartsheet continues exploring options for additional data hosting locations. Please feel free to submit a Smartsheet Product Enhancement Request if there is a particular region or country you’d like to see offered in the future.

Sharing Personal Data - As Required by Law

As noted in the Smartsheet Privacy Notice, Smartsheet may share personal data as required by law in accordance with a valid legal process, such as a subpoena or bankruptcy proceeding.

When receiving a request for access to or preservation of personal data, including a national security or other law enforcement request, Smartsheet will, to the extent permitted by law, object to such request and notify the customer to whom the data relates. However, in some instances, Smartsheet may be legally required to share such personal data in accordance with a valid legal order and without notification to customers of such requests. In any event, we will do so in accordance with our confidentiality obligations in the agreement governing a customer’s use of the Offerings (i.e., “Required Disclosures” of the User Agreement).

Sharing Personal Data - To Third Party Service and Infrastructure Providers 

As noted in the Smartsheet Privacy Notice, Smartsheet may share personal data with our service and infrastructure providers. Smartsheet only engages such third party providers that have demonstrated an equal commitment to protecting our customers’ personal data, including meeting or exceeding our Vendor Privacy and Data Handling Expectations. Additionally, for those providers that qualify as a “subprocessor” under the GDPR, Smartsheet has ensured appropriate safeguards and contractual obligations are in place to protect personal data and meet its obligations under the law. Smartsheet’s list of current subprocessors is available here.

In all instances, if Smartsheet is sharing personal data with a third party provider, Smartsheet does so under a valid contract which includes appropriate data protection obligations and, if transferring data outside the EEA, the SCCs.

Government Agency Access – Only When Compelled by Law

At times, Smartsheet will receive a request from a government agency or law enforcement authority seeking access to content belonging to a customer. When we receive such a request, our goal is to protect our customers, while complying with applicable laws. We will notify an affected customer unless we are explicitly prohibited from doing so by law. Where possible, we refer the requesting governmental agency to work with the affected customer directly. Smartsheet is not the controller of Customer Content and we strongly believe that any governmental agency seeking to access such content should address its request directly with the customer where possible.

We do not provide direct access to or disclose Customer Content to government agencies unless compelled by law and we challenge unlawful requests. We review each government request on a case-by-case basis and only comply if and to the extent we determine the request is lawful. When reviewing the lawfulness of a government request, we take into account all applicable laws, including the laws of other jurisdictions, where applicable. We require governmental agencies to follow the required legal process under applicable laws, such as issuing their request via a subpoena, court order, or search warrant. Where we believe a government request for Customer Content is invalid or unlawful, we try to challenge it.

With regard to US governmental agencies, the SCCs require Smartsheet (as the data importer) to promptly notify the data exporter of any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited. In its history, Smartsheet has not received a FISA warrant or similar request for data processed by Smartsheet that would violate its obligations under the SCCs. 

Smartsheet Affiliates

To facilitate Smartsheet’s global operations, Smartsheet Inc. may transfer personal data globally and allow access to such personal data from affiliate offices located in international jurisdictions. When sharing personal data among Smartsheet affiliates, Smartsheet Inc. has executed SCCs to safeguard personal data and ensure appropriate data protection obligations are in place between the Smartsheet affiliates. More information about Smartsheet’s affiliates is available here.

Additional Information and Resources