Skip to main content
  • Smartsheet
      • Overview
        • Overview & benefits Learn why customers choose Smartsheet to empower teams to rapidly build no-code solutions, align across the entire enterprise, and move with agility to launch everyone’s best ideas at scale.
      • For your role or industry
        • Project management
          Project management icon
          Plan projects, automate workflows, and align teams.
        • IT & Ops
          IT and Operations Icon
          Streamline operations and scale with confidence.
        • Marketing
          Marketing Campaigns Icon
          Align campaigns, creative operations, and more.
        • Construction
          Construction icon
          Streamline your construction project lifecycle.
        • Healthcare & Life sciences
          Healthcare icon
          Improve efficiency — and patient experiences.
        • Higher education
          Education icon
          Maximize your resources and reduce overhead.
        • Financial services
          Finance
          Move faster, scale quickly, and improve efficiency.
        • Federal government
          Government icon
          Deliver results faster with Smartsheet Gov.
        • See all use cases
        • Customer Stories
          smartsheet customer logos
          See how our customers are building and benefiting.
        • Featured Customer Stories
          • Roche
          • McGraw Hill
          • Syngenta
        • Watch a demo
        • Contact sales
      • Overview
        • Smartsheet platform Learn how the Smartsheet platform for dynamic work offers a robust set of capabilities to empower everyone to manage projects, automate workflows, and rapidly build solutions at scale.
      • Capabilities
        • Team collaboration
          Collaboration Icon
          Connect everyone on one collaborative platform.
        • Workflow automation
          Workflow Automation Icon
          Quickly automate repetitive tasks and processes.
        • Content management
          PM Methodologies Icon
          Organize, manage, and review content production.
        • Process management at scale
          Scaling icon
          Deliver consistent projects and processes at scale.
        • Secure request management
          Trusted secure computer icon
          Streamline requests, process ticketing, and more.
        • Integrations
          Data processing icon
          Work smarter and more efficiently by sharing information across platforms.
        • Streamlined business apps
          Workapps icon
          Build easy-to-navigate business apps in minutes.
        • Governance & administration
          Admin controls icon
          Configure and manage global controls and settings.
        • Intelligent workflows
          Bridge intelligent workflows icon
          Automate business processes across systems.
        • Resource management
          Resource Management Icon
          Find the best project team and forecast resourcing needs.
        • Digital asset management
          Brandfolder digital asset management icon
          Manage and distribute assets, and see how they perform.
        • See all capabilities
        • WorkApps
          Smartsheet Workapps
          Package your entire business program or project into a WorkApp in minutes. No-code required.
        • Developers & API
        • Integrations
          • Microsoft Teams
          • Slack
          • Adobe
          • See all integrations
        • Watch a demo
        • Contact sales
      • Overview
        • Enterprise See how you can align global teams, build and scale business-driven solutions, and enable IT to manage risk and maintain compliance on the platform for dynamic work.
        • PPM
          Project management icon
          Explore modern project and portfolio management.
        • Marketing
          Marketing Campaigns Icon
          Manage campaigns, resources, and creative at scale.
        • Trust Center
          Trust Center Icon
          Meet or exceed your security and governance needs.
        • The Forrester Wave™
          Forrester Wave Menu Item
          Strategic Portfolio Management Tools, Q1 2022
        • 451 Research: Get Ahead of Change
        • Watch a demo
        • Contact sales
      • Learn
        • Learning Center
          learning center video icon
          Find tutorials, help articles & webinars.
        • Community
          community icon
          Find answers, learn best practices, or ask a question.
        • Smartsheet University
          Certification Icon
          Access eLearning, Instructor-led training, and certification.
      • Support
        • Help Center
          help icon
          Get answers to common questions or open up a support case.
        • Technical Support
          Blue support icon
          Get expert coaching, deep technical support and guidance.
      • SERVICES & PARTNERS
        • Professional Services
          Icon Supportive Green Manage Decision Makers
          Get expert help to deliver end-to-end business solutions.
        • Partners
          agreement partners icon
          Find a partner or join our award-winning program.
      • Additional Resources
        • Content Center
          blog icon
          Get actionable news, articles, reports, and release notes.
        • Events
          Events icon
          Explore upcoming events and webinars.
        • Solution Center
          Smartsheet integrations
          Move faster with templates, integrations, and more.
        • Report: Empowering Employees to Drive Innovation
        • Project Management Guide
        • Get started with Smartsheet tutorial
        • Watch a demo
        • Contact sales
    • Pricing
    • Contact
    • Watch a demo
    • Select language
    • Log in
      • Watch a demo
      • Contact sales
    • Try Smartsheet for free
    • Select language
    • Open search
    • Log in

Data Processing Addendum

Terms of Service

  • User Agreement
  • Security Practices
  • Agreement Supplement
    • Customer: U.S. Government Entities
    • Customer: Non-Government Entity Using Smartsheet Gov
    • Customer: Educational Institutions
    • Service: Event Reporting
    • Service: Learning Services
    • Service: Bridge by Smartsheet
  • Service Level Agreement

Privacy

  • Privacy Notice
    • General Privacy Notice
      • Personal Data We Collect
      • How We Use Personal Data
      • How We Share Personal Data
      • Blogs; Forums; Testimonials
      • Linked Sites; Third Party Widgets
    • General Privacy Notice Table
    • Offerings Privacy Notice
      • Scope
      • Personal Data We Collect
      • How We Use Personal Data
      • How We Share Personal Data
      • Integrations; Notifications; Forms; Linked Websites
      • Mobile Application; Geolocation Data
      • Choices Related to Your Use of the Offerings
    • Offerings Privacy Notice Table
    • Cookie Notice
      • What is a Cookie?
      • What are the Different Types of Cookies used by Smartsheet?
      • How Does Smartsheet Use Cookies?
      • Your Choices
      • Other Tracking Technologies
      • Updating this Notice
      • How to Contact Us?
      • Cookies Used in our Offerings
      • Cookies Used on the Sites
    • Candidate Privacy Notice
      • Personal Data We Collect
      • How We Use Personal Data
      • How We Share Personal Data
  • Data Processing Addendum
  • Business Associate Agreement
  • Privacy FAQs

Other Agreements

  • Mobile End-User License Agreement
  • Downloadable Software End User License Agreement
  • Developer Agreement

Smartsheet University

  • Terms and Conditions
  • Smartsheet Certified Candidate Agreement

Policies

  • Limits Policy
  • Acceptable Use Policy
  • Travel And Expense Policy

Miscellaneous

  • Site Terms
  • Report Abuse
  • Content Issues
  • Intellectual Property
  • Insurance Certificate
  • Code of Business Conduct and Ethics
  • UK Modern Slavery Act Statement
  • Australian Modern Slavery Act Statement

To incorporate the following terms into your agreement with Smartsheet Inc. for access to and use of the Subscription Service, please complete this form.


 

This Data Processing Addendum ("DPA") is incorporated into and forms a part of the agreement between Smartsheet Inc. ("Smartsheet") and Customer that governs Customer’s access to and use of the online Services ("Agreement").  Capitalized terms not defined herein have the meaning given in the Agreement.

 

1.       Definitions. In this DPA, the following terms (and derivations thereof) have the meanings set out below:

  • "Affiliate" means any person or entity that owns or controls, is owned or controlled by, or is under common control or ownership with, a party to this Agreement, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.

  • “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.

    “Customer” means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.

    “Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Smartsheet on behalf of Customer. 

    “Customer Personal Data” means Personal Data that is contained within Customer Content.

    “Data Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.

    “Data Protection Laws” means, to the extent applicable to a Party, the data protection or privacy laws of any country regarding the Processing of Customer Personal Data.

    “Data Subject” means an identified or identifiable natural person. 

    “Parties” or “Party” means Customer and/or Smartsheet as applicable.

    “Personal Data” means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household. 

    “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

    “Processor” means the individual or entity that Processes Personal Data on behalf of a Controller.

    “Professional Services” means implementation, configuration, integration, training, advisory, and other professional services related to the online Services that are provided by Smartsheet and purchased by Customer specified in an Order or SOW.

    “Services” means the Subscription Services, Professional Services, and any other online service or application provided or controlled by Smartsheet for use with the Subscription Services. 

    “Smartsheet Personnel” means any individual authorized by Smartsheet to Process Customer Personal Data.

    “Subprocessor” means any individual or entity (including any third party but excluding Smartsheet Personnel) appointed by or on behalf of Smartsheet to Process Customer Personal Data in connection with the Agreement.

    “Subscription Services” means the subscription-based online work collaboration services and applications that are provided by Smartsheet and purchased by Customer. 

    “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.

    “User” means any individual authorized or invited by Customer or another User to access and use the online Services under the terms of the Agreement. 

 

2.       Roles of Parties.

2.1.    Customer and Smartsheet agree that, as between the Parties, Customer is a Controller and Smartsheet is a Processor of Customer Personal Data and that each Party is solely responsible for its compliance with Data Protection Laws applicable to it and for fulfilling any of its related obligations to third parties, including Data Subjects and Supervisory Authorities.

2.2.    Customer as Controller. 

  • 2.2.1.   Customer is solely responsible for the accuracy of Customer Personal Data and the legality of the means by which Customer acquires and processes Customer Personal Data.

    2.2.2.   Customer’s instructions to Smartsheet to Process Customer Personal Data will comply with Data Protection Laws and be duly authorized, with all necessary rights, permissions, and consents secured. 

2.3    Smartsheet as Processor.

  • 2.3.1.    Smartsheet will Process Customer Personal Data only: (a) as instructed by Customer in writing or as initiated by authorized Users via an online Service; (b) as necessary to provide the Services and prevent or address technical problems with an online Service or violations of the Agreement or this DPA; or (c) as required by applicable law. Schedule 1 (Details of Processing of Customer Personal Data) sets out a description of Smartsheet’s Processing of Customer Personal Data.

    2.3.2.   Smartsheet will ensure that Smartsheet Personnel: (a) access Customer Personal Data only to the extent necessary to perform Smartsheet’s Processing obligations under this DPA and the Agreement; (b) are bound by confidentiality obligations with respect to Customer Personal Data substantially as protective as those set forth in this DPA and the Agreement; and (c) are subject to appropriate training relating to the Processing of Customer Personal Data. 

    2.3.3.    Smartsheet will not disclose Customer Personal Data to a third party for monetary or other consideration except as otherwise permitted under this DPA or the Agreement. 

    2.3.4.   At Customer’s written request and to the extent Customer is unable to access the relevant information on its own, Smartsheet will provide reasonable assistance to Customer in relation to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of Smartsheet’s Processing of Customer Personal Data and the information available to Smartsheet.

    2.3.5.   Smartsheet will not assess the type or substance of Customer Content to identify whether it is Customer Personal Data or subject to any specific legal requirements.

 

3.       Security.

3.1.    Smartsheet will implement and maintain technical, physical, and organizational measures and controls designed to protect and secure Customer Content (including the return and deletion thereof) in accordance with the Agreement. 

3.2.    Customer acknowledges that, through its Users, Customer: (a) controls the type and substance of Customer Content; and (b) sets User permissions to access Customer Content; and therefore, Customer is responsible for reviewing and evaluating whether the documented functionality of an online Service meets Customer’s required security obligations relating to Customer Personal Data under Data Protection Laws.

3.3.    Customer acknowledges that Smartsheet security measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices (but the modifications will not materially decrease Smartsheet’s obligations as compared to those reflected in such terms as of the Effective Date). Customer is solely responsible for independently assessing and implementing available security configuration settings it deems necessary to meet Customer’s requirements and legal obligations under applicable Data Protection Laws.

 

4.       Subprocessors.

4.1.    Subprocessors will be identified at www.smartsheet.com/legal/subprocessors and may be updated by Smartsheet from time to time in accordance with this DPA. Customer authorizes Smartsheet Affiliates to act as Subprocessors and to use any identified Subprocessors subject to the terms and conditions of this Section 4.

4.2.    Smartsheet will carry out appropriate due diligence on each Subprocessor and have a written agreement with each Subprocessor that includes provisions for Processing Customer Personal Data that are substantially as protective as those set out in this DPA. 

4.3.    Smartsheet is responsible for Subprocessors’ acts and omissions, including a Subprocessor’s appointment of another Subprocessor.

4.4.    New Subprocessors; Right to Object.

  • 4.4.1.    Customer must fill out the form available at www.smartsheet.com/legal/subprocessor-notification to receive notifications of new Subprocessor appointments by Smartsheet. Following submission of such form, Smartsheet will provide prior written notice to Customer if Smartsheet intends to appoint new Subprocessors; provided, however, that Smartsheet will notify Customer in writing without undue delay after the appointment of a new Subprocessor if direct involvement of such Subprocessor is necessary for maintaining the availability and security of the online Services or Customer Content. 
  • 4.4.2.    If Customer objects to a new Subprocessor on a reasonable basis related to the Processing of Customer Personal Data, Customer must notify Smartsheet in writing within fifteen (15) days after receiving an appointment notice; otherwise, Smartsheet will deem the appointment of the new Subprocessor authorized by Customer. Upon receipt of an objection notice from Customer, Smartsheet will use reasonable efforts to make available to Customer a change in the online Services or recommend a commercially reasonable configuration or use of the online Services to avoid the Processing of Customer Personal Data by the new Subprocessor. If Smartsheet cannot address Customer’s objection pursuant to the foregoing efforts, Smartsheet will notify Customer within fifteen (15) days of receipt of Customer’s objection notice. Customer may then, by written notice to Smartsheet within thirty (30) days of Smartsheet’s notice, terminate this DPA and any affected Services and receive a refund of prepaid fees covering the terminated portion of the applicable Service. 

 

5.       Data Subject Requests.

5.1.    Smartsheet will provide Customer access to Customer Personal Data via the online Services to allow Customer to respond to Data Subject requests relating to Customer Personal Data.

5.2.    Smartsheet will notify Customer in writing without undue delay of any requests Smartsheet receives directly from a Data Subject relating to Customer Personal Data, and Smartsheet may respond directly to a Data Subject request: (a) to confirm that such request relates to Customer; (b) as required by applicable law; or (c) with the written consent of Customer.

5.3.    At Customer’s written request and to the extent Customer is unable to access Customer Personal Data on its own, Smartsheet will provide reasonable assistance to Customer in accessing Customer Personal Data for Customer to respond to such Data Subject requests. To the extent legally permitted, Customer will be responsible for any expenses attributable to Smartsheet’s assistance efforts outside the normal course of business.

 

6.       Data Breach.

6.1.    Smartsheet will notify Customer in writing without undue delay upon Smartsheet becoming aware of a Data Breach.

6.2.    Smartsheet will investigate and, as necessary, mitigate or remediate a Data Breach in accordance with Smartsheet’s security incident policies and procedures (“Breach Management”).

6.3.    Subject to Smartsheet’s legal obligations, Smartsheet will provide Customer with information available to Smartsheet as a result of its Breach Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligations under Data Protection Laws as a result of a Data Breach.  

6.4.    If Customer requires specific information relating to a Data Breach in addition to the Breach Information, at Customer’s written request and to the extent Customer is unable to access the additional information on its own, Smartsheet will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.

 

7.       Audit Rights.

7.1.    Smartsheet will use external auditors to annually audit and verify the adequacy of its security measures and controls (“Audit”). The Audit will: (a) be performed by independent third party security professionals at Smartsheet's selection and expense; (b) include testing of the security measures and controls of the online Services, performed according to AICPA SOC2 standards or such other alternative standards substantially equal to AICPA SOC2, that results in the generation of, at a minimum, a SOC2 report or the substantive equivalent; and (c) include penetration testing of the online Services and result in the generation of a penetration test report.  The reports generated by the Audit (“Reports”) will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. For clarity, each Report will only discuss the online Services in general commercial availability at the time the Report was issued; subsequently released Services, if covered by a Report, will be in the next annual iteration of such Report.

7.2.    If Customer requires information for its compliance with Data Protection Laws in addition to the Reports, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Smartsheet will allow for and cooperate with a Customer mandated audit by a third party auditor in relation to the Smartsheet’s Processing of Customer Personal Data (“Customer Audit”), provided that:

  • 7.2.1.    Customer provides Smartsheet reasonable advance notice including the identity of the auditor and the anticipated date and scope of the Customer Audit;
  • 7.2.2.    Smartsheet approves the auditor by notice to Customer, with such approval not to be unreasonably withheld;
  • 7.2.3.    Customer and the auditor act to avoid causing any damage, injury, or disruption to Smartsheet’s premises, equipment, or business in the course of such Customer Audit; and 
  • 7.2.4.    Customer initiates only one Customer Audit in any calendar year unless otherwise required by a Supervisory Authority.

 

8.       International Provisions.

8.1.    The Parties acknowledge and agree that the Processing of Customer Personal Data by Smartsheet may involve an international transfer of Customer Personal Data from Customer to Smartsheet (“International Transfer”). Customer acknowledges that, as of the Effective Date, Smartsheet’s primary processing activities are in the United States as detailed at https://www.smartsheet.com/data-access-and-transfers.

8.2     To the extent that Smartsheet Processes Customer Personal Data originating from and protected by applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.

8.3     To the extent that Customer’s use of the Services requires a valid transfer mechanism to lawfully transfer Customer Personal Data from a jurisdiction (i.e., the European Economic Area (“EEA”), the UK, Switzerland or any other jurisdiction listed in Schedule 4) to Smartsheet located outside of that jurisdiction (a “Transfer Mechanism”), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.

8.4     If any Transfer Mechanism fails as a lawful data transfer mechanism for an International Transfer, the Parties will act in accordance with Section 9.8 (Variations in Data Protection Laws) of this DPA.

 

9.       General.

9.1.    Amendment; Waiver. Unless otherwise expressly stated herein, this DPA may be modified only by a written agreement executed by an authorized representative of each Party.  The waiver of any breach of this DPA will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach. 

9.2.    Severance. If any provision of this DPA is held to be unenforceable, then that provision is to be construed either by modifying it to the minimum extent necessary to make it enforceable (if permitted by law) or disregarding it (if not permitted by law), and the rest of this DPA is to remain in effect as written. Notwithstanding the foregoing, if modifying or disregarding the unenforceable provision would result in failure of an essential purpose of this DPA, the entire DPA will be considered null and void.

9.3.    Order of Precedence. Regarding the subject matter of this DPA, in the event of any conflict between this DPA and any other written agreement between the Parties (including the Agreement), this DPA will govern and control. Any data processing agreements that may already exist between Parties are superseded and replaced by this DPA in their entirety.

9.4.    Notices. Unless otherwise expressly stated herein, the parties will provide notices under this DPA in accordance with the Agreement, provided that all such notices may be sent via email.

9.5.    Governing Law and Jurisdiction. Unless prohibited by Data Protection Laws, this DPA is governed by the laws stipulated in the Agreement and the Parties to this DPA hereby submit to the choice of jurisdiction and venue stipulated in the Agreement, if any, with respect to any dispute arising under this DPA.

9.6.    Enforcement.  Regardless of whether Customer or its affiliate(s) or a third-party is a Controller of Customer Personal Data, unless otherwise required by law: (a) only Customer will have any right to enforce any of the terms of this DPA against Smartsheet; and (b) Smartsheet’s obligations under this DPA, including any applicable notifications, will be to only Customer. 

9.7.    Liability. As between the Parties to this DPA, each Party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.

9.8.    Variations in Data Protection Laws. If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of the Services and Smartsheet’s business operations.

9.9.    Reservation of Rights. Notwithstanding anything to the contrary in this DPA: (a) Smartsheet reserves the right to withhold information the disclosure of which would pose a security risk to Smartsheet or its customers or is prohibited by applicable law or contractual obligation; and (b) Smartsheet’s notifications, responses, or provision of information or cooperation under this DPA are not an acknowledgement by Smartsheet of any fault or liability.

 



 

SCHEDULE 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

 

This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) of the GDPR.

Subject matter and duration of the Processing of Personal Data:

  • The subject matter and duration of the Processing of Personal Data are set out in the Agreement and this DPA.

The nature and purpose of the Processing of Personal Data

  • Processing of Personal Data by Smartsheet is reasonably required to facilitate or support the provision of the Services as described under the Agreement and this DPA.

Type of Personal Data and Categories of Data Subjects:

  • The types of Personal Data and categories of Data Subject about whom the Personal Data relates are determined and controlled by Customer in its sole discretion. 

Obligations and Rights of the Controller:

  • The obligations and rights of Customer are set out in the Agreement and this DPA.

 



 

SCHEDULE 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

 

Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses.

 

The full text of Smartsheet's technical and organizational security measures is available at https://smartsheet.com/legal/security. 

 



 

SCHEDULE 3: CROSS BORDER TRANSFER MECHANISMS

 

1.       Definitions.

1.1.    "Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following:

  • 1.1.1.    EEA Standard Contractual Clauses; and
  • 1.1.2.    UK Standard Contractual Clauses.

1.2.    "EEA Standard Contractual Clauses” or "Approved EU SCCs" means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

1.3.    “UK Standard Contractual Clauses” means the template Addendum issued by the Information Commissioner’s Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18.

 

2.      The EEA Standard Contractual Clauses.  For data transfers from the European Economic Area that are subject to the EEA Standard Contractual Clauses, the EEA Standard Contractual Clauses will apply in the following manner:

2.1.   Module One (Controller to Controller) will apply where Smartsheet is processing online Services usage data as a Controller.

2.2.   Module Two (Controller to Processor) will apply where Customer is a Controller of Customer Personal Data and Smartsheet is a Processor of Customer Personal Data;

2.3.   For each module, where applicable:

  • 2.3.1.    in Clause 7, the optional docking clause will not apply;
  • 2.3.2.    in Clause 9, Option 2 will apply, and the process for providing notice and the time period for objections of sub-processor changes will be as set forth in Section 4 (Subprocessors) of this DPA;
  • 2.3.3.    in Clause 11, the optional language will not apply;
  • 2.3.4.    in Clause 17, the EEA Standard Contractual Clauses will be governed by the laws of Germany.
  • 2.3.5.    in Clause 18(b), disputes will be resolved before the courts of Germany.
  • 2.3.6.    In Annex I, Part A: 
  •  
  • Data Exporter:  Customer and authorized affiliates of Customer. 
  • Contact Details:  Customer’s account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.
  • Data Exporter Role:  The Data Exporter’s role is outlined in Section 2 of this DPA.
  • Signature & Date:  By entering into the DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date.
  •  
  • Data Importer: Smartsheet Inc.
  • Contact Details: Smartsheet Privacy - privacy@smartsheet.com; Smartsheet Security - security@smartsheet.com.
  • Data Importer Role: The Data Importer’s role is outlined in Section 2 of this DPA.
  • Signature & Date: By entering into the DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date.
  •  
  • 2.3.7.    In Annex I, Part B: 
  • The categories of data subjects are described in Schedule 1.
  • The sensitive data transferred is described in Schedule 1.
  • The frequency of the transfer is a continuous basis for the duration of the Agreement.
  • The nature of the processing is described in Schedule 1.
  • The purpose of the processing is described in Schedule 1.
  • The period of the processing is described in Schedule 1.
  • For transfers to sub-processors, the subject matter, nature, and duration of the processing is outlined at https://www.smartsheet.com/legal/subprocessors.
  •  
  • 3.3.8.    In Annex I, Part C: in accordance with clause 13, the competent supervisory authority is identified as follows:
  • Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Commission nationale de l'informatique et des libertés (CNIL) - 3 Place de Fontenoy, 75007 Paris, France shall act as the competent supervisory authority.
  • Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as the competent supervisory authority.
  • Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
  •  
  • 2.3.9.    Schedule 2 serves as Annex II of the Standard Contractual Clauses. 

 

3.      To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the applicable Standard Contractual Clauses will prevail.

 



 

SCHEDULE 4: JURISDICTION SPECIFIC TERMS

 

1.       California.

1.1.    The definition of “Data Protection Law” includes the California Consumer Privacy Act ("CCPA").

1.2.    The terms “business”, “commercial purpose”, “service provider”, “sell”, and “personal information” have the meanings given in the CCPA. 

1.3.    With respect to Customer Personal Data, Smartsheet is a service provider under the CCPA.

1.4.    Smartsheet will not (a) sell Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose the Customer Personal Data outside of the direct business relationship between Smartsheet and Customer.

1.5.    The parties acknowledge and agree that the Processing of Customer Personal Data authorized by Customer’s instructions described in this DPA is integral to and encompassed by Smartsheet’s provision of the Services and the direct business relationship between the parties.

1.6.    Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that Smartsheet’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

1.7.    To the extent that any online Services usage data is considered Customer Personal Data, Smartsheet is the business with respect to such data and will Process such data in accordance with its Privacy Notice.

 

2.        EEA.

2.1.     The definition of “Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).

2.2.     When Smartsheet engages a Subprocessor, it will:

  • 2.2.1.    require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
  • 2.2.2.    require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

2.3.    GDPR Penalties. Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

 

3.       Switzerland.

3.1.    The definition of “Data Protection Laws” includes the Swiss Federal Act on Data Protection.

3.2.    When Smartsheet engages a Subprocessor, it will

  • 3.2.1.    require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
  • 3.2.2.    require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

 

4.        United Kingdom.

4.1.     References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

4.2.     When Smartsheet engages a Subprocessor, it will

  • 4.2.1.    require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
  • 4.2.2.    require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.
     

 

Last Updated: October 4, 2021

Archived versions

These are the legacy versions of the Smartsheet Data Processing Addendum and are provided for informational purposes only.

View archive list

  • 08/07/2020

  • 07/06/2020

  • 02/18/2020

  • 05/07/2019

  • 01/31/2019

Smartsheet
  • About Us
  • Leadership
  • Investors
  • Newsroom
  • Careers
  • Contact Us
  • Legal
  • Privacy
  • Trust Center
  • Developers & API
  • Help

©2022. All Rights Reserved Smartsheet Inc.

Facebook Twitter LinkedIn YouTube Instagram