International Data Transfers

Purpose

At Smartsheet, data privacy and security are paramount, especially when international data transfers are involved. Whether acting as a Controller for Personal Data collected via Smartsheet's Privacy Notice or as a Processor for Customer Content, our mission is to ensure that data is lawfully and securely transferred. This page is designed to help you understand Smartsheet's data handling practices within the context of international transfers.

Unless otherwise defined on this page, capitalized terms used throughout are defined in our Glossary.

This page does not, and is not intended to, constitute legal advice. Smartsheet recommends that you consult with your own legal counsel to familiarize yourself with the laws and regulations that govern your specific situation.
 

Smartsheet’s Data Roles

As with many software-as-a-service (SaaS) applications, Smartsheet acts in two capacities with respect to Personal Data: as a Controller and as a Processor.


As a Controller. Smartsheet collects certain personal data, such as Account Information, user profile data, and System Data, in relation to the purchase and use of the Services and Sites. Smartsheet's Privacy Notice describes the specific ways Smartsheet collects, uses, shares, and otherwise processes such Personal Data for its legitimate business purposes.


As a Processor. For the data, images, files, or other content that you upload or submit to the Smartsheet Services, Smartsheet acts as a Processor. Smartsheet's Data Processing Addendum ("DPA") limits the ways in which Smartsheet may process Personal Data contained in Customer Content and serves as the written embodiment of a Customer's processing instructions to Smartsheet. Smartsheet’s DPA is automatically incorporated into its User Agreement.


For more information about the distinction between these roles and how they apply to different categories of data, please see our Privacy FAQs.

What Is an International Transfer of Personal Data?

An international transfer of Personal Data occurs when Personal Data collected in one country is sent to, stored in, or accessed from another country ("International Transfer"). To facilitate a lawful International Transfer, appropriate safeguards must be in place to ensure adequate levels of data protection ("Transfer Mechanisms").
 

What Transfer Mechanisms Does Smartsheet Rely On?

Smartsheet relies upon Standard Contractual Clauses, adequacy decisions, and recognized regulatory frameworks, such as the EU-U.S. Data Privacy Framework ("DPF"). In addition to these Transfer Mechanisms, Smartsheet employs supplementary technical, organizational, and contractual measures to protect Personal Data. These measures are further described within Smartsheet's Transfer Impact Assessments, which are available upon request through your account representative or by submitting this form.

Standard Contractual Clauses ("SCCs"). Standard Contractual Clauses are regulatory-mandated, standardized contractual provisions that provide a legal framework for transferring Personal Data out of a jurisdiction. SCCs impose contractual obligations on both the data exporter (the party sending or providing access to the data) and the data importer (the party receiving or accessing the data) to uphold specific data protection standards. In practice, the contracting parties extend the protections of the originating jurisdiction's data protection laws to the transferred data.

Smartsheet utilizes the 2021 European Union SCCs ("EU SCCs") and the International Transfer Addendum to the EU SCCs ("UK Addendum"), which was adopted by the United Kingdom post-Brexit to enable lawful international transfers of UK Personal Data using the 2021 EU SCCs.

  • Subprocessors and Affiliates. Smartsheet has executed the EU SCCs and UK Addendum with its affiliates and Subprocessors to ensure appropriate data protection safeguards are in place for any International Transfers. For a current list of Subprocessors, please visit Smartsheet’s Subprocessors page.
  • Customers. Both the EU SCCs and the UK Addendum are incorporated into Smartsheet's DPA to ensure that Transfer Mechanisms are in place for customers. As noted above, the DPA is automatically incorporated into the User Agreement.


Adequacy Decisions. An adequacy decision is a formal determination by a data protection authority that a particular country, territory, sector, or international organization provides a level of data protection that is essentially equivalent to its own. When an adequacy decision exists, Personal Data can flow freely to the deemed-adequate destination without requiring additional Transfer Mechanisms such as SCCs.

Regulatory Frameworks. International transfers of Personal Data can also occur pursuant to international agreements between regulatory bodies. These agreements create a recognizable framework intended to ensure that Personal Data transferred across jurisdictions is subject to appropriate safeguards, including protection from governmental overreach. One of the most recognizable examples is the EU-U.S. Data Privacy Framework, which provides a structured mechanism — involving self-certification and adherence to a set of privacy principles — that enables lawful data transfers with robust privacy protections and redress mechanisms for individuals.
To learn more about the Data Privacy Framework and to view Smartsheet's certification, please visit https://www.dataprivacyframework.gov.

 

When Does Smartsheet Rely Upon These Transfer Mechanisms?

Several factors determine the applicable Transfer Mechanisms for an International Transfer, including Smartsheet's role with respect to the Personal Data, the origin and destination of the data transfer, and the identity of the data recipient.

As a Controller. As described in the Privacy Notice, Smartsheet is the Controller of Personal Data that it collects in connection with the purchase and use of its Services and Sites. In accordance with the GDPR and our obligations as a Controller, Smartsheet has appropriate intercompany agreements in place — including the EU SCCs and UK Addendum — for the lawful transfer of data between Smartsheet entities.

As a Processor. In addition to the DPF, Smartsheet incorporates Transfer Mechanisms – including the EU SCCs and UK Addendum – within its DPA for all of its customers to ensure that lawful International Transfers occur, even if one of the other available Transfer Mechanisms is later invalidated or deemed insufficient. To learn more about Smartsheet’s Transfer Mechanisms, please visit https://www.smartsheet.com/legal/dpa/transfer-mechanisms.

Smartsheet's Processing Activities

Smartsheet engages personnel and leverages systems located worldwide, but its operations are maintained primarily in the United States. By utilizing a global workforce, Smartsheet is able to more effectively provide, secure, support, and optimize your services. While this may result in a need to access and transfer data outside of a hosting location, any such activities are subject to appropriate safeguards designed to ensure lawful and secure processing.

Processing activities conducted by Smartsheet include, but are not limited to, the following:

  • As a Controller: General business operations and other legitimate business purposes, as detailed in our General Privacy Notice Table (for data collected when you interact with Smartsheet or the Sites) and our Services Privacy Notice Table (for data collected during your use of the Services).
  • As a Processor: Hosting the service, providing technical support, delivering professional services, and performing engineering activities, in each case only to the extent permitted under your agreement with Smartsheet governing your Services. For further detail on Smartsheet's processing obligations as a Processor, please refer to the DPA.

More information about Smartsheet's hosting and processing activities can be found in our Data Residency Trust Center and Privacy FAQs.

Data Residency and Data Access

It is important to distinguish between where Customer Content is hosted (data residency) and where it may be accessed from (data access), as these are related but distinct concepts.

Data Residency. You can control where certain content is hosted in Smartsheet using Smartsheet Regions, which offer data residency options to support your compliance with privacy and governance requirements. A data region is the geographic location where the service operates and Customer Content is physically hosted and resident. Smartsheet currently offers three data regions:

  • United States — the default hosting location for customers of the Smartsheet and Smartsheet Gov instances, with backup in the United States.
  • European Union (Germany) — the default hosting location for customers of the Smartsheet Regions EU instance, with backup in the European Union (Ireland).
  • Australia — the default hosting location for customers of the Smartsheet Regions AU instance, with backup in Australia.

For more information on Smartsheet Regions, please refer to our Data Residency Trust Center.

Access to Customer Content from Outside a Data Region. Smartsheet engages personnel and systems located worldwide to provision Smartsheet’s services. By extension, Smartsheet may need to access your Customer Content from a location outside your selected data region to provide, secure, support, or optimize your services.

For example, Smartsheet may perform ancillary and limited processing activities on Customer Content hosted in Australia or the European Union from the United States, or from other Smartsheet locations as disclosed on the Subprocessors page, in response to your request for support or to prevent or address technical problems with your service.
 

Supplementary Safeguards 

In addition to the Transfer Mechanisms described above, Smartsheet employs supplementary safeguards to protect Personal Data involved in International Transfers:

  • Technical Measures. Smartsheet has implemented technical, organizational, and administrative measures to protect the data it processes. Many of these measures have been reviewed by independent third-party auditors and found to meet the standards of SOC 2, ISO 27001, ISO 27018, and ISO 27701. For more information, please refer to the Security Trust Center.
  • Organizational Measures. Smartsheet ensures that its personnel who access Customer Personal Data are bound by confidentiality obligations and receive appropriate training relating to the processing of Personal Data.
  • Contractual Measures. Smartsheet maintains intercompany agreements with its affiliates and contractual arrangements with its Subprocessors that incorporate the EU SCCs and UK Addendum where applicable.
  • Transfer Impact Assessments. Smartsheet has prepared Transfer Impact Assessments for its Services that evaluate the legal framework and data protection landscape in the countries where data may be accessed or processed. These assessments are available upon request through your account representative or by submitting this form.

Frequently Asked Questions

Do I need to sign a separate DPA with Smartsheet? Smartsheet's DPA is automatically incorporated into its User Agreement, so a separate signature is not required to benefit from its protections. However, if your organization requires a separately signed copy, you may complete this form to have a PDF version routed for signature.

Can I restrict data access to my hosting region? No. Customers can select their preferred hosting region for Customer Content; however, Smartsheet may need to access Customer Content from outside the hosting region for purposes such as support, engineering, and professional services.

What happens if a Transfer Mechanism is invalidated? Smartsheet employs a layered approach to Transfer Mechanisms. In addition to participating in the DPF, Smartsheet puts in place the SCCs for all customers to ensure that lawful International Transfers can continue even if another available Transfer Mechanism is later invalidated or deemed insufficient.

Where can I find Smartsheet's current list of Subprocessors? Smartsheet maintains a current list of Subprocessors at www.smartsheet.com/legal/subprocessors.

How can I access Smartsheet's Transfer Impact Assessments or Security Packet? Transfer Impact Assessments and other security-related documentation are available upon request. Please reach out to your account representative or submit this form to request access.
 

Additional Information and Resources