Smartsheet Supplement

The terms and conditions of this Smartsheet Supplement (“Supplement”) supplement and amend the agreement between Smartsheet Inc. (“Smartsheet”) and Customer that governs Customer’s access to and use of Smartsheet Services (the “Agreement”) if and only if Customer, Customer's Service, or Customer's Region qualifies under applicability provisions of the sections below and the Agreement or an Order incorporates this Supplement by reference. If there is any conflict between this Supplement and the Agreement, the applicable terms in this Supplement will prevail. Capitalized terms not defined in this Supplement have the meanings set forth in the Agreement. 

For purposes of this Supplement, “U.S. Government Entity” means a federal agency, federally funded agency, state, or local or tribal government entity in the United States. Nothing in this Supplement is intended to qualify Smartsheet as a government contractor or subcontractor for any federal, state, local, or foreign government.  

Smartsheet reserves the right to revise this Supplement by posting a revised version on the Site, which will be effective upon Customer’s renewal of any Services or purchase of additional Services via an Order. For the avoidance of doubt, continued access to and use of the Services after the effective date of any such revision will constitute Customer’s acceptance of the revised Supplement. 

 

1.    Customer: U.S. Government Entities.

1.1    Applicability. The provisions in this Section 1 of this Supplement apply to a Customer that is a U.S. Government Entity (“Government Customer”).

1.2   Governing Law.  If required by the laws governing the establishment of the Government Customer ("Customer Jurisdictional Laws"), the Agreement and this Supplement will be governed by the Customer Jurisdictional Laws, without regard to conflict of law rules.  

1.3   Customer Users. “Customer” within the Agreement shall mean the Government Customer entity itself and shall not apply to or bind any individual User. Smartsheet will look solely to Government Customer to enforce the Agreement and this Supplement in the event of any violation or breach of the Agreement or this Supplement by such User, subject to applicable laws.  

1.4   Liability. Liability for any breach of the Agreement or this Supplement or any claim arising from the Agreement or this Supplement will be limited pursuant to the terms of the Agreement as determined under the Federal Tort Claims Act and the Contracts Disputes Act or other applicable law. 

1.5   Indemnification. Any provisions in the Agreement related to Government Customer’s indemnification obligations are hereby waived and shall not apply, except to the extent allowed by applicable law. 

 

2.    Customer: Non-Government Entity Using Smartsheet Gov.  

2.1    Applicability. The provisions of this Section 2 of this Supplement apply to a Customer that is not a U.S. Government Entity (“Non-Government Customer”) accessing and using the Smartsheet Gov cloud service provisioned according to certain Federal Risk and Authorization Management Program security control baselines (“FedRAMP Controls”) at https://app.smartsheetgov.com (“Smartsheet Gov”).  

2.2   Service References. Any reference to the “Subscription Service” in the Agreement will be deemed to refer to Smartsheet Gov.

2.3   FedRAMP Controls. Smartsheet will meet its reported FedRAMP Controls notwithstanding any security controls described in the Agreement. 

2.4   U.S. Person. Non-Government Customer represents and warrants that Non-Government Customer is a person who is a citizen of or lawful permanent resident in the United States, or a corporation, partnership, or other organization organized under the laws of the United States. 

2.5   Processing Government Data. Non-Government Customer will process Customer Content in Smartsheet Gov on behalf of a U.S. Government Entity (“Government Content”) in compliance with all applicable laws, statutes, regulations, and such U.S. Government Entity’s policies and instructions.  

2.6   Security Incident. If requested by Smartsheet to fulfill Security Incident obligations, Non-Government Customer will provide Smartsheet with the identity and contact information of each U.S. Government Entity for which it processes Government Content.  

 

3.    Customer: Educational Institutions. 

3.1    Applicability. The provisions in this Section 3 of this Supplement apply to a Customer that is an educational agency or institution that receives funds under an applicable program of the United States Department of Education (“Education Customer”).

3.2   FERPA. For the purposes of the Family Educational Rights and Privacy Act (“FERPA”), Smartsheet is a “school official” with a “legitimate educational interests,” as those terms have been defined under FERPA and its associated implementing regulations. Smartsheet agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials. Education Customer understands that it has control over and responsibility for education records uploaded or submitted to the Services. Education Customer is responsible for obtaining any parental consent required by applicable law for any User’s access or use of the Services granted by the Education Customer to User or other third parties. Education Customer acknowledges its responsibility to convey notification, on behalf of Smartsheet, to students (or, with respect to a student under eighteen (18) years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or subpoena requiring the disclosure of education records within the Services as may be required under applicable law.

 

4.    Service: Event Reporting. 

4.1    Applicability.  The provisions in this Section 4 of this Supplement apply to a Customer accessing or using Event Reporting. 

4.2   Definitions.

• 4.2.1    “Data Protection Laws” means to the extent applicable, the data protection or privacy laws of any country, including but not limited to the General Data Protection Regulation 2016/679 (“GDPR”) and California Consumer Privacy Act of 2018 (“CCPA”). 

• 4.2.2   “Data Controller” means an entity that determines the means and purpose of processing data. 

• 4.2.3   “Event Reporting” means the event reporting Service feature and application programming interface or similar development tool purchased under a Smartsheet Order which enables Customer to access Event Reporting Data.

• 4.2.4   “Event Reporting Data” means data derived from Services Usage Data that Smartsheet enables Customer to access and use through Event Reporting. 

• 4.2.5   “Joint Controller” means a Data Controller, that jointly with another Data Controller, determines the purposes and means of processing personal data (as defined under Data Protection Laws). 

• 4.2.6   “Service Usage Data” means usage data generated by Users in using Smartsheet Services that does not reveal the contents of Customer Content.

4.3    Details of Processing.

• 4.3.1     Smartsheet is sole and independent Data Controller of Service Usage Data. 

• 4.3.2    Customer may independently process Event Reporting Data by its own means and for its own business purposes as a Data Controller (including, but not limited to, Customer’s use of any third party tools used to display or analyze such data), subject to this Supplement and the Agreement. 

• 4.3.3    For the avoidance of doubt, Smartsheet, with respect to Service Usage Data, and Customer, with respect to Event Reporting Data, are each separate Data Controllers and are not Joint Controllers of such respective data.

4.4    Customer Responsibilities.  Customer, as Data Controller of Event Reporting Data, is subject to the following conditions:

• 4.4.1     Customer will process Event Reporting Data in compliance with applicable Data Protection Laws and only for its own business purposes. 

• 4.4.2    Customer will implement appropriate physical, technical, and organizational measures that are designed to ensure and protect the security, integrity, and confidentiality of Event Reporting Data and to protect against unauthorized processing, loss, use, disclosure, acquisition of, or access to, such data. 

• 4.4.3    Customer will provide all applicable notices to, and gain any necessary consents from, data subjects prior to processing Event Reporting Data (including, but not limited to, any employee notice requirements under Data Protection Laws). 

• 4.4.4    Customer may transfer Event Reporting Data to third parties only under written contracts that guarantee at least the same level of data protection as provided for in the Agreement and this Supplement and will remain responsible for such third party’s failure to comply with such terms. 

• 4.4.5   Customer is prohibited from selling Event Reporting Data, as the term “sale” is used in the California Consumer Privacy Act of 2018.

• 4.4.6    Customer is responsible for fulfilling requests from data subjects and supervisory authorities with respect to Event Reporting Data that it processes. 

• 4.4.7    If Customer receives a data subject request or a request from a supervisory authority relating to Event Reporting Data, the recipient will promptly forward such request to the other party unless prohibited by law. 

4.5   International Transfers.  If Event Reporting Data is transferred to a country or territory outside the European Economic Area, the parties agree to the Controller to Controller Standard Contractual Clauses 2021 (Module One) (Commission Decision 2021/914/EC) (“SCCs”) which are hereby incorporated into this Supplement and subject to the following additional terms: 

• 4.5.1    Smartsheet, including its relevant affiliates, is the data exporter and Customer is the data importer and the SCCs shall be governed by the laws of Germany or as otherwise stipulated in the Agreement; 

• 4.5.2   for purposes of clause II(h) of the SCCs, Customer hereby selects option (iii) and agrees to be governed by and comply with the data processing principles set out in Annex A to the SCCs; 

• 4.5.3   for the purpose of Annex B to the SCCs: (i) data subjects are those individuals whose personal data is contained in Event Reporting Data; (ii) the purpose of the transfer is to provide the Services, including Event Reporting to Customer; (iii) the category of data is usage data; and (iv) the contact points for data protection queries are the parties’ respective contacts for matters under the Agreement; and 

• 4.5.4   to the extent the terms of the SCCs conflict with other terms of the Agreement, the terms of the SCCs will control.

4.6    Order of Precedence.  In the event of a conflict between this Supplement and the Agreement or any data processing terms between the parties, the provisions of this Supplement will control with respect to the processing of Event Reporting Data.

 

5.    Service: Learning Services. 

5.1     Applicability.  The provisions in  this Section 5 of this Supplement apply to a Customer accessing or using Smartsheet University All Access, Smartsheet vILT (Virtual Instructor-led Training), Smartsheet eLearning or any other similar online learning Services Smartsheet may make available to Customer (collectively, “Learning Services”). 

5.2    Service References.  Any reference to or use of the term “Service” in the Agreement will be deemed to include Learning Services.

5.3    Account Creation.  Users can only access and use a Learning Service by providing the email address used in association with the Subscription Service account registered with such Learning Service. 

5.4   Event Recordings.  Smartsheet may (directly or through the use of third parties) take photographs or make recordings when providing a live Learning Service (each, an “Event”). By attending an Event, Customer consents to Smartsheet’s use of such photos and recordings (which may include a User’s voice and/or likeness), without payment of any kind, for any legitimate business purpose, which may include use in our marketing materials and publications, and internal business purposes. Customer is responsible for collecting any necessary consents or providing any applicable privacy notices or terms and conditions to Users participating in Events.

5.5    Event Conduct.  Customer is responsible for its Users compliance with any rules or standards of conduct made available by Smartsheet or the relevant third party entity hosting the Event, including all applicable safety and health regulations (collectively, “Event Rules”). If a User acts in violation of the Event Rules or in an unsafe or careless manner at any time during the Event (“Prohibited Conduct”): (a) Smartsheet may remove the User from the Event and Customer will not be entitled to receive any refund; and (b) Customer will defend, indemnify, and hold harmless Smartsheet and the relevant third party host, and  their respective employees, officers, directors, and agents against all third-party claims, losses, or damages to persons or property, governmental charges or fines, and costs (including reasonable attorney's fees) arising out of the Prohibited Conduct.

5.6    Communications.  By registering for the Learning Services, Customer authorizes Smartsheet to send (including via email or by phone) information regarding the Learning Services to Users or Customer, including: (a) notices about use or misuse of the Learning Services; (b) updates to the Learning Services; and (c) Event related information.  

5.7    Modifications.  Smartsheet reserves the right to modify the Learning Services in its sole discretion, including by making updates or changes to content, materials, course descriptions and information used in Learning Services or for an Event, and Smartsheet does not guarantee the availability of any specific content, materials, course descriptions or information after a Learning Service is delivered.

5.8    Specific Commercial Terms.

• 5.8.1    Smartsheet University vILT course registration expires ninety (90) days after purchase. Users will have the ability to reschedule or cancel a course up to seven (7) days prior to the course start date. If a User is no longer able to attend the virtual class due to schedule changes by Smartsheet, Customer may request a refund. 

• 5.8.2    Smartsheet eLearning fees are charged annual in advance, and allow for one year of access to on-demand training available at smartu.smartsheet.com.

 

6.    Service: Bridge by Smartsheet.

6.1.    Applicability.  The provisions in this Section 6 of this Supplement apply to a Customer accessing or using the online Service referred to as Bridge by Smartsheet (“Bridge”). 

6.2.   Service References.  Any reference to or use of the term “online Services” in the Agreement will be deemed to include Bridge. 

6.3.   Template Integrations.  Pre-built template integrations to certain Third Party Products that are included with Bridge (“Template Integrations”) are provided as-is and solely for convenience, and Smartsheet has no responsibility for the availability of and does not endorse such Third Party Products. SMARTSHEET EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, REGARDING ANY TEMPLATE INTEGRATION’S FITNESS FOR A PARTICULAR PURPOSE, AND SMARTSHEET DOES NOT GUARANTEE THE ACCURACY, COMPLETENESS, OR USEFULNESS OF A TEMPLATE INTEGRATION.

 

7.    Service: Content Automation.

7.1      Applicability.  The provisions in this Section 7 of this Supplement apply to a Customer accessing or using the online service referred to as Content Automation (formerly known as Outfit).

7.2     Service References.  Any reference to or use of the term “Service” in the Agreement will be deemed to include Content Automation.

7.3     Smartsheet Support and Customer Cooperation.  Notwithstanding Section 2.5.2 (Access Controls) of the Security Practices (available at www.smartsheet.com/legal/security), Content Automation Services require Smartsheet Personnel (as defined in the Security Practices) that perform support to have administrative privileges within such Services. If required and to the extent requested by Smartsheet, Customer will provide Smartsheet with cooperation and security access and information to implement, configure, and otherwise provision the Content Automation Services for Customer. 

 

8.    Region: Japan.

8.1      Applicability.  The provisions in this Section 8 of this Supplement apply to a Customer accessing or using the online services from Japan or any Customer incorporated under Japanese law.

8.2     Organized Crime. Smartsheet and Customer each represent and warrant that itself and any entity that directly or indirectly controls, is controlled by, or is under common control with it (hereinafter, collectively, "the Company'') and its officers and directors are not, and will not be in the future, an Organized Crime Group (as defined below), and have no relationship with any Organized Crime Group, nor are any Organized Crime Group controlling or substantially involved in the management of the Company. Any breach of this Section 8 would be considered a material breach of the Agreement.  Organized Crime Group as used herein means an organized crime group (boryokudan), an organized crime group member, a person who was an organized crime group member within the last three (3) years, a company related to an organized crime group, a corporate extortionist (sokaiya), a racketeering group disguised as social or public campaign (shakaiundo hyobo goro), a crime group specialized in intellectual crimes (tokushu chino boryoku shudan), or any similar person.

 

Last Updated: October 3, 2023