Smartsheet Agreement Supplement
The terms and conditions of this Smartsheet Agreement Supplement (“Supplement”) supplement and amend the agreement between Smartsheet Inc. (“Smartsheet”) and Customer that governs Customer’s access to and use of Smartsheet Services (the “Agreement”) if and only if Customer or Customer's Service qualifies under applicability provisions as indicated below and the Agreement or an Order incorporates this Supplement by reference. If there is any conflict between this Supplement and the Agreement, the applicable terms in this Supplement will prevail. Capitalized terms not defined in this Supplement have the meanings set forth in the Agreement.
For purposes of this Supplement, “U.S. Government Entity” means a federal agency, federally funded agency, or local or tribal government entity in the United States. Nothing in this Supplement is intended to qualify Smartsheet as a government contractor or subcontractor for any federal, state, local, or foreign government.
Smartsheet reserves the right to revise this Supplement by posting a revised version on the Site, which will be effective upon Customer’s renewal of any Services or purchase of additional Services via an Order. For the avoidance of doubt, continued access to and use of the Services after the effective date of any such revision will constitute Customer’s acceptance of the revised Supplement.
1. Customer: U.S. Government Entities.
- 1.1 Applicability. The provisions in this Section 1 of this Supplement apply to a Customer that is a U.S. Government Entity (“Government Customer”).
- 1.2 Governing Law. If required by the laws governing the establishment of the Government Customer ("Customer Jurisdictional Laws"), the Agreement and this Supplement will be governed by the Customer Jurisdictional Laws, without regard to conflict of law rules.
- 1.3 Customer Users. “Customer” within the Agreement shall mean the Government Customer entity itself and shall not apply to or bind any individual User. Smartsheet will look solely to Government Customer to enforce the Agreement and this Supplement in the event of any violation or breach of the Agreement or this Supplement by such User, subject to applicable laws.
- 1.4 Liability. Liability for any breach of the Agreement or this Supplement or any claim arising from the Agreement or this Supplement will be limited pursuant to the terms of the Agreement as determined under the Federal Tort Claims Act and the Contract Disputes Act or other applicable law.
- 1.5 Indemnification. Any provisions in the Agreement related to Government Customer’s indemnification obligations are hereby waived and shall not apply, except to the extent allowed by applicable law.
2. Customer: Non-Government Entity Using Smartsheet Gov.
- 2.1 Applicability. The provisions of this Section 2 of this Supplement apply to a Customer that is not a U.S. Government Entity (“Non-Government Customer”) accessing and using the Smartsheet Gov cloud service provisioned according to certain Federal Risk and Authorization Management Program security control baselines (“FedRAMP Controls”) at https://app.smartsheetgov.com (“Smartsheet Gov”).
- 2.2 Service References. Any reference to the “Subscription Service” in the Agreement will be deemed to refer to Smartsheet Gov.
- 2.3 FedRAMP Controls. Smartsheet will meet its reported FedRAMP Controls notwithstanding any security controls described in the Agreement.
- 2.4 U.S. Person. Non-Government Customer represents and warrants that Non-Government Customer is a person who is a citizen of or lawful permanent resident in the United States, or a corporation, partnership, or other organization organized under the laws of the United States.
- 2.5 Processing Government Data. Non-Government Customer will process Customer Content in Smartsheet Gov on behalf of a U.S. Government Entity (“Government Content”) in compliance with all applicable laws, statutes, regulations, and such U.S. Government Entity’s policies and instructions.
- 2.6 Security Incident. If requested by Smartsheet to fulfill Security Incident obligations, Non-Government Customer will provide Smartsheet with the identity and contact information of each U.S. Government Entity for which it processes Government Content.
3. Customer: Educational Institutions.
- 3.1 Applicability. The provisions in this Section 3 of this Supplement apply to a Customer that is an educational agency or institution that receives funds under an applicable program of the United States Department of Education (“Education Customer”).
- 3.2 FERPA. For the purposes of the Family Educational Rights and Privacy Act (“FERPA”), Smartsheet is a “school official” with “legitimate educational interests,” as those terms have been defined under FERPA and its associated implementing regulations. Smartsheet agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials. Education Customer understands that it has control over and responsibility for education records uploaded or submitted to the Services. Education Customer is responsible for obtaining any parental consent required by applicable law for any User’s access or use of the Services granted by the Education Customer to User or other third parties. Education Customer acknowledges its responsibility to convey notification, on behalf of Smartsheet, to students (or, with respect to a student under eighteen (18) years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or subpoena requiring the disclosure of education records within the Services as may be required under applicable law.
4. Service: Event Reporting.
- 4.1 Applicability. The provisions of this Section 4 of this Supplement apply to a Customer accessing or using Event Reporting.
- 4.2 Definitions.
  - i. “Data Protection Laws” means, to the extent applicable, the data protection or privacy laws of any country, including but not limited to the General Data Protection Regulation 2016/679 (“GDPR”) and California Consumer Privacy Act of 2018 (“CCPA”).
  - ii. “Data Controller” means an entity that determines the means and purpose of processing data.
  - iii. “Event Reporting” means the event reporting Service feature and application programming interface or similar development tool purchased under a Smartsheet Order which enables Customer to access Event Reporting Data.
  - iv. “Event Reporting Data” means data derived from Service Usage Data that Smartsheet enables Customer to access and use through Event Reporting.
  - v. “Joint Controller” means a Data Controller that, jointly with another Data Controller, determines the purposes and means of processing personal data (as defined under Data Protection Laws).
  - vi. “Service Usage Data” means usage data generated by Users in using Smartsheet Services that does not reveal the contents of Customer Content.
- 4.3 Details of Processing.
  - i. Smartsheet is the sole and independent Data Controller of Service Usage Data.
  - ii. Customer may independently process Event Reporting Data by its own means and for its own business purposes as a Data Controller (including, but not limited to, Customer’s use of any third party tools used to display or analyze such data), subject to this Supplement and the Agreement.
  - iii. For the avoidance of doubt, Smartsheet, with respect to Service Usage Data, and Customer, with respect to Event Reporting Data, are each separate Data Controllers and are not Joint Controllers of such respective data.
- 4.4 Customer Responsibilities. Customer, as Data Controller of Event Reporting Data, is subject to the following conditions:
  - i. Customer will process Event Reporting Data in compliance with applicable Data Protection Laws and only for its own business purposes.
  - ii. Customer will implement appropriate physical, technical, and organizational measures that are designed to ensure and protect the security, integrity, and confidentiality of Event Reporting Data and to protect against unauthorized processing, loss, use, disclosure, acquisition of, or access to, such data.
  - iii. Customer will provide all applicable notices to, and gain any necessary consents from, data subjects prior to processing Event Reporting Data (including, but not limited to, any employee notice requirements under Data Protection Laws).
  - iv. Customer may transfer Event Reporting Data to third parties only under written contracts that guarantee at least the same level of data protection as provided for in the Agreement and this Supplement and will remain responsible for such third party’s failure to comply with such terms.
  - v. Customer is prohibited from selling Event Reporting Data, as the term “sale” is used in the California Consumer Privacy Act of 2018.
  - vi. Customer is responsible for fulfilling requests from data subjects and supervisory authorities with respect to Event Reporting Data that it processes.
  - vii. If Customer receives a data subject request or a request from a supervisory authority relating to Event Reporting Data, the recipient will promptly forward such request to the other party unless prohibited by law.
- 4.5 International Transfers. If Event Reporting Data is transferred to a country or territory outside the European Economic Area, the parties agree to the Controller to Controller Standard Contractual Clauses 2004 (Set II) (Commission Decision 2004/915/EC) (“SCCs”) which are hereby incorporated into this Supplement and subject to the following additional terms:
  - i. Smartsheet, including its relevant affiliates, is the data exporter and Customer is the data importer and the governing law of the SCCs is the choice of jurisdiction stipulated in the Agreement;
  - ii. for purposes of clause II(h) of the SCCs, Customer hereby selects option (iii) and agrees to be governed by and comply with the data processing principles set out in Annex A to the SCCs;
  - iii. for the purpose of Annex B to the SCCs: (i) data subjects are those individuals whose personal data is contained in Event Reporting Data; (ii) the purpose of the transfer is to provide the Services, including Event Reporting to Customer; (iii) the category of data is usage data; and (iv) the contact points for data protection queries are the parties’ respective contacts for matters under the Agreement; and
  - iv. to the extent the terms of the SCCs conflict with other terms of the Agreement, the terms of the SCCs will control.
- 4.6 Order of Precedence. In the event of a conflict between this Supplement and the Agreement or any data processing terms between the parties, the provisions of this Supplement will control with respect to the processing of Event Reporting Data.
Last Updated: February 2020