Data Processing Addendum
The below terms are already incorporated into Smartsheet's User Agreement. To sign a copy separately, please complete this form to have a PDF version routed for signature.
Please note that the terms of Smartsheet’s DPA have been specifically tailored to reflect our Subscription Service's operational and technical controls and our business model as a multi-tenant, data-agnostic SaaS provider. In this capacity, Smartsheet treats all data from all customers the same and has built into the Subscription Service certain controls to account for compliance with applicable data privacy laws.
Smartsheet requires the use of its DPA because it most accurately reflects Smartsheet’s existing processes and capabilities, particularly as they relate to predominant Data Protection Laws, including the GDPR and applicable U.S. data protection laws, such as the CCPA. While we understand that some customers may prefer to use their own DPA or supplementary data privacy terms, Smartsheet does not accept customer paper. This is designed to ensure accuracy and transparency regarding how data is transferred between the parties and processed by Smartsheet. For more information on Smartsheet's privacy practices generally, please visit our Trust Center.
This Data Processing Addendum ("DPA") is incorporated into and forms a part of the agreement between Smartsheet Inc. ("Smartsheet") and Customer that governs Customer’s access to and use of the Online Services ("Agreement"). Capitalized terms not defined herein have the meaning given in the Agreement.
1. Definitions. In this DPA, the following terms (and derivations thereof) have the meanings set out below:
- “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
- “Customer Personal Data” means Customer Content that is Personal Data.
- “Data Protection Laws” means, to the extent applicable to a party, the data protection or privacy laws of any country or jurisdiction regarding Smartsheet's Processing of Customer Personal Data.
- “Data Subject” means an identified or identifiable natural person.
- “Personal Data” means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household.
- “Process” means any operation or set of operations performed upon Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
- “Processor” means the individual or entity that Processes Personal Data on behalf of a Controller.
- “Security Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.
- “Subprocessor” means any individual or entity (including any third party but excluding Smartsheet personnel) appointed by or on behalf of Smartsheet or its Affiliates to Process Customer Personal Data in connection with the Agreement.
- “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
2. Roles of Parties.
2.1 Customer and Smartsheet agree that, as between the parties, Customer is a Controller and Smartsheet is a Processor of Customer Personal Data and that each party is solely responsible for its compliance with Data Protection Laws applicable to it and for fulfilling any of its related obligations to third parties, including Data Subjects and Supervisory Authorities. Each party agrees to immediately inform the other if it reasonably believes that any instruction to Process Customer Personal Data violates, or would violate, Data Protection Laws. Nothing in this DPA or the Agreement will be construed to create a joint controller relationship between Customer and Smartsheet with respect to Customer Personal Data.
2.2 Customer as Controller.
- 2.2.1 Customer acknowledges that, through its Users, Customer: (a) determines the type and substance of Customer Personal Data; and (b) sets User permissions to access Customer Personal Data.
- 2.2.2 Customer is solely responsible for the accuracy of Customer Personal Data and the legality of the means by which Customer acquires, discloses, and uses Customer Personal Data.
- 2.2.3 Customer’s instructions to Smartsheet to Process Customer Personal Data will comply with Data Protection Laws and be duly authorized, with all necessary rights, permissions, and consents secured for Processing under this DPA.
2.3 Smartsheet as Processor.
- 2.3.1 Smartsheet will Process Customer Personal Data in accordance with the rights to Process granted by Customer to Smartsheet in the Agreement. Schedule 1 (Details of Processing of Customer Personal Data) describes Smartsheet’s Processing of Customer Personal Data.
- 2.3.2 Smartsheet will access Customer Personal Data only to the extent necessary to fulfill its Processing obligations or exercise its Processing rights under this DPA and the Agreement.
- 2.3.3 Smartsheet will not re-identify, or attempt to re-identify, any Customer Personal Data that Customer has anonymized or deidentified.
3. Security.
3.1 In accordance with the Agreement, Smartsheet will implement and maintain technical, physical, and organizational measures and controls designed to protect and secure Customer Personal Data.
3.2 Customer is independently responsible for assessing and implementing the security measures and controls made available by Smartsheet to Customer, as Customer deems necessary to meet its requirements and legal obligations under applicable Data Protection Laws.
4. Subprocessors.
4.1 Smartsheet will identify its Subprocessors on the Smartsheet Subprocessors page (available on the Site), which may be updated by Smartsheet from time to time in accordance with this DPA. Customer authorizes Smartsheet Affiliates to act as Subprocessors and to use any identified Subprocessors subject to the terms and conditions of this Section 4.
4.2 Smartsheet will carry out appropriate due diligence on each Subprocessor and have a written agreement with each Subprocessor that includes provisions for Processing Customer Personal Data that are at least as protective as those set out in this DPA.
4.3 In accordance with Data Protection Laws, Smartsheet is responsible for a Subprocessor’s acts and omissions, including a Subprocessor’s appointment of another Subprocessor.
4.4 New Subprocessors; Right to Object.
- 4.4.1 Smartsheet will provide fifteen (15) days' prior written notice to Customer if Smartsheet intends to appoint new Subprocessors; provided, however, that Smartsheet will notify Customer in writing without undue delay after the appointment of a new, temporary Subprocessor if direct involvement of such Subprocessor is necessary for maintaining the availability and security of the Online Services or Customer Content. Notification will be made to Customer’s SysAdmin.
- 4.4.2 If Customer objects to a new Subprocessor on a reasonable basis related to the Processing of Customer Personal Data, Customer must notify Smartsheet in writing within fifteen (15) days after receiving an appointment notice. Customer's failure to provide written notice of objection within such fifteen (15) day period shall constitute Customer's approval and authorization of the new Subprocessor's appointment. Upon receipt of an objection notice from Customer, Smartsheet will use reasonable efforts to make available to Customer a change in the Online Services or recommend a commercially reasonable configuration or use of the Online Services to avoid the Processing of Customer Personal Data by the new, objected-to Subprocessor. If Smartsheet cannot address Customer’s objection pursuant to the foregoing efforts, Smartsheet will notify Customer within fifteen (15) days of receipt of Customer’s objection notice. Customer may then, by written notice to Smartsheet within thirty (30) days of Smartsheet’s notice, terminate any affected Services and receive a refund of prepaid fees covering the terminated portion of the applicable Service.
5. Data Subject Requests.
5.1 During Customer's period of authorized access to and use of the Online Services, Customer shall have regular access to Customer Personal Data via the Online Services, allowing Customer to respond to Data Subject requests.
5.2 Smartsheet will notify Customer in writing without undue delay, and in any event within ten (10) business days, following receipt and verification of any requests Smartsheet receives directly from a Data Subject relating to Customer Personal Data, and Smartsheet may only respond directly to a Data Subject request: (a) to confirm that such request relates to Customer; (b) as required by applicable law; or (c) with the written consent of Customer. Except as provided herein, Smartsheet, as Processor, has no intention to respond to or fulfill any Data Subject requests on Customer's behalf.
5.3 At Customer’s written request and to the extent Customer is unable to access Customer Personal Data on its own, Smartsheet will provide reasonable assistance to Customer in accessing Customer Personal Data for Customer to respond to such Data Subject requests. To the extent legally permitted, Customer will be responsible for any expenses attributable to Smartsheet’s assistance efforts outside the normal course of business.
6. Security Breach.
6.1 Smartsheet will notify Customer in writing without undue delay, and in any event within seventy-two (72) hours, following confirmation of a Security Breach involving Customer Personal Data.
6.2 Smartsheet will investigate and, as necessary, mitigate or remediate a Security Breach involving Customer Personal Data in accordance with Smartsheet’s security incident policies and procedures (“Breach Management”).
6.3 Subject to Smartsheet’s legal obligations, Smartsheet will provide Customer with information available to Smartsheet as a result of its Breach Management, such as the nature of the Security Breach, specific data sets disclosed, and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligations under Data Protection Laws as a result of a Security Breach.
6.4 If Customer requires specific information relating to a Security Breach in addition to the Breach Information, at Customer’s written request and to the extent Customer is unable to access the additional information on its own, Smartsheet will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.
7. Audit Rights.
7.1 Upon Customer’s written request, Smartsheet will provide reasonable assistance and information to Customer in relation to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of Smartsheet’s Processing activities and the information available to Smartsheet.
7.2 As set forth in the Agreement, Smartsheet will reasonably cooperate with Customer to the extent audit rights are required by Data Protection Laws.
8. International Provisions.
8.1 The parties acknowledge and agree that the Processing of Customer Personal Data by Smartsheet may involve an international transfer of Customer Personal Data from Customer to Smartsheet. To the extent applicable, the parties agree that the terms and conditions of Smartsheet’s Transfer Mechanisms (available on the Site) are incorporated into this DPA and will apply to international transfers of Customer Personal Data.
8.2 If Smartsheet Processes Customer Personal Data originating from and protected by applicable Data Protection Laws in one of the jurisdictions listed in Schedule 2 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.
8.3 Each party agrees to inform the other party within five (5) business days if, in its reasonable opinion, such party can no longer meet its obligations under this DPA, including those relating to International Transfers.
8.4 If any applicable data transfer mechanism incorporated into this DPA is no longer legally valid, the parties will act in accordance with Section 10.6 (Variations in Data Protection Laws) of this DPA.
9. Term and Termination. This DPA will remain in effect for the duration of the Agreement. The return and deletion of Customer Personal Data will occur in accordance with the Agreement. To the extent that Smartsheet retains copies of Customer Personal Data, the terms of this DPA and the Agreement will continue to apply.
10. General.
10.1 Order of Precedence. Regarding the subject matter of this DPA, in the event of any conflict between this DPA and any other written agreement between the parties (including the Agreement), this DPA will govern and control; except that to the extent there is any conflict between Smartsheet’s Transfer Mechanisms and any other terms in this DPA, the provisions of the applicable transfer mechanism will prevail. Any other data processing agreements that may already exist between the parties are superseded and replaced by this DPA in their entirety.
10.2 Notices. Unless otherwise expressly stated herein, the parties will provide notices under this DPA in accordance with the Agreement.
10.3 Governing Law and Jurisdiction. Unless prohibited by Data Protection Laws, this DPA is governed by the laws stipulated in the Agreement and the parties to this DPA hereby submit to the choice of jurisdiction and venue stipulated in the Agreement, if any, with respect to any dispute arising under this DPA.
10.4 Enforcement. Regardless of whether Customer or its Affiliates or a third-party is a Controller of Customer Personal Data, unless otherwise required by law: (a) only Customer will have any right to enforce any of the terms of this DPA against Smartsheet; and (b) Smartsheet’s obligations under this DPA, including any applicable notifications, will be to only Customer.
10.5 Liability. As between the parties to this DPA, each party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.
10.6 Variations in Data Protection Laws. If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Law, then either party may provide written notice to the other party of that change in law. The parties will then discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as reasonably practicable.
10.7 Reservation of Rights. Notwithstanding anything to the contrary in this DPA: (a) Smartsheet reserves the right to reasonably withhold information of which the disclosure would pose a security risk to Smartsheet or its customers or is prohibited by applicable law or contractual obligation; and (b) Smartsheet’s notifications, responses, or provision of information or cooperation under this DPA are not an acknowledgement by Smartsheet of any fault or liability.
10.8 Regulatory Requests. If Smartsheet is required by law or legal process to disclose Customer Personal Data, Smartsheet will make reasonable efforts (unless prohibited by law or legal process) to: (a) give Customer prior written notice of such disclosure to afford the Customer a reasonable opportunity to appear, object, and obtain a protective order or other appropriate relief regarding such disclosure; (b) to limit disclosure to that which is legally required; and (c) cooperate with the Customer, at the Customer’s expense, in its efforts to obtain a protective order or other legally available means of protection.
SCHEDULE 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Schedule 1 includes certain details of the Processing of Customer Personal Data.
Subject matter and duration of the Processing of Customer Personal Data:
- The subject matter and duration of the Processing of Customer Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Customer Personal Data:
- Processing of Customer Personal Data by Smartsheet is reasonably required to facilitate or support the provision of Services described under the Agreement and this DPA.
Type of Personal Data and Categories of Data Subjects:
- The types of Customer Personal Data, including whether or not any is considered "sensitive," and categories of Data Subject about whom Customer Personal Data relates are determined and controlled by Customer in its sole discretion.
Frequency of Transfer(s):
- Continuous.
Obligations and Rights of the Controller:
- As set out in the Agreement and this DPA.
SCHEDULE 2: JURISDICTION SPECIFIC TERMS
1. United States.
1.1 The definition of “U.S. Data Protection Laws” includes any federal or state data protection laws in effect and applicable to Smartsheet’s Processing of Customer Personal Data in the United States, including, but not limited to, the California Consumer Privacy Act, California Civil Code § 1798.100 et seq. (as may be amended from time to time), and its implementing regulations (collectively, “CCPA”).
1.2 The terms “business”, “commercial purpose”, “service provider”, and “sell” have the meanings given in applicable U.S. Data Protection Laws and apply in the context of Customer Personal Data that is Processed pursuant to this DPA.
1.3 Customer and Smartsheet agree that, as between the parties, Smartsheet is a service provider to Customer that Processes Customer Personal Data in accordance with the Agreement.
1.4 Smartsheet will not (a) sell or share Customer Personal Data; (b) retain, use, process, or disclose any Customer Personal Data for any purpose other than for those set forth in the Agreement, outside of the direct business relationship between Smartsheet and Customer; or (c) combine Customer Personal Data with other Personal Data that Smartsheet receives from another entity or collects from individuals, except as permitted by applicable law, as necessary to perform a business purpose, or as authorized by Customer.
1.5 The parties acknowledge and agree that Smartsheet’s Processing of Customer Personal Data is integral to its performance of the Agreement and the direct business relationship between the parties. Smartsheet agrees to inform Customer if, in its reasonable opinion, Smartsheet can no longer meet its applicable obligations under applicable U.S. Data Protection Laws.
1.6 Notwithstanding anything in the Agreement or any Order, the parties acknowledge and agree that Smartsheet’s access to Customer Personal Data does not constitute remuneration or part of the consideration exchanged by the parties.
1.7 To the extent that any Account Information or System Data is considered Personal Data, Smartsheet is the business with respect to such data and will Process such data in accordance with its Privacy Notice (available on the Site).
1.8 Remediation Requirements. Customer shall have the right to take reasonable and appropriate steps to (a) verify that Smartsheet uses Customer Personal Data in a manner consistent with this DPA so that Customer can meet its obligations under Data Protection Laws; (b) stop and remediate Smartsheet’s unauthorized use of Customer Personal Data; and (c) take any such other remediation efforts reasonably agreed upon by the parties.
1.9 Certification. Smartsheet certifies that it understands and will comply with the obligations set forth in the DPA, including the restrictions on its Processing of Customer Personal Data.
2. EEA.
2.1 The definition of “E.U. Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
2.2 When Smartsheet engages a Subprocessor, it will:
- 2.2.1 require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
- 2.2.2 require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.
3. Switzerland.
3.1 The definition of “Swiss Data Protection Laws” includes the Swiss Federal Act on Data Protection.
3.2 When Smartsheet engages a Subprocessor, it will:
- 3.2.1 require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
- 3.2.2 require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.
3.3 To the extent allowed and required by the Swiss Federal Act on Data Protection, a Data Subject may bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland.
3.4 To the extent required by the version of the Swiss Federal Act on Data Protection then in effect, the applicability of the Standard Contractual Clauses will be interpreted to include data pertaining to legal entities as Customer Personal Data.
4. United Kingdom.
4.1 References in this DPA to GDPR will be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018), collectively, "UK Data Protection Laws."
4.2 When Smartsheet engages a Subprocessor, it will:
- 4.2.1 require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
- 4.2.2 require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.
5. Australia.
5.1 The definition of “Australian Data Protection Laws” includes the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”). The definition of “Personal Data” includes “Personal Information” as defined under the Privacy Act 1988.
5.2 Customer and Smartsheet acknowledge that for the purposes of the Australian Data Protection Laws, Customer is the responsible APP entity (acting as Controller) and Smartsheet is contracted to handle Customer Personal Data as a Processor.
5.3 Smartsheet will process Customer Personal Data in a manner consistent with applicable Australian Data Protection Laws. When Smartsheet engages a Subprocessor, it will require any appointed Subprocessor to protect Customer Personal Data to a standard that is at least as protective as that set out in this DPA. The parties agree that Smartsheet's compliance with this provision satisfies Customer’s obligation to take reasonable steps under APP 8.1 (Cross-border disclosure of personal information).
5.4 The definition of “Security Breach” includes an “eligible data breach” as defined under the Notifiable Data Breaches (NDB) scheme of the Privacy Act 1988. In the event of a Security Breach, Smartsheet will provide Customer with reasonably requested Breach Information to assist Customer in complying with its obligations under the NDB scheme.
6. Japan.
6.1 The definition of “Japanese Data Protection Laws” includes the Act on the Protection of Personal Information of Japan (“APPI”).
6.2 With respect to the Processing of Customer Personal Data, Customer acts as the Personal Information Handling Business Operator (equivalent to a Controller) and Smartsheet acts as the entrusted party (equivalent to a Processor) processing Customer Personal Data on behalf of Customer.
6.3 To the extent that Smartsheet Processes Customer Personal Data originating from and protected by applicable Japanese Data Protection Laws, Smartsheet will maintain a system conforming to the standards prescribed by the Personal Information Protection Commission (PIPC) rules establishing continuous equivalent measures for the protection of Customer Personal Data transferred outside of Japan. Upon written request, Smartsheet will provide Customer with information reasonably necessary for Customer to confirm that Smartsheet has established a system for the proper handling of Customer Personal Data.
Last Updated: April 17, 2026