Transfer Mechanisms

The Transfer Mechanisms (defined below) contained within this Smartsheet Transfer Mechanisms Addendum (“Transfer Mechanism Addendum”) are incorporated by reference and supplement the Data Processing Addendum (“DPA”) between Smartsheet and Customer. Capitalized terms not defined herein have the meanings set forth in the DPA.

1.     Applicability. The parties acknowledge and agree that the Processing of Personal Data may involve an international transfer. To the extent that a Transfer Mechanism applies to the Processing of Personal Data, then the terms specified herein will apply in addition to the terms of the DPA.

2.    Definitions.

“Data Privacy Framework (DPF)” means, as applicable, the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce, and their respective successors.

“Data Privacy Framework Principles” means the principles and supplemental principles contained in the relevant Data Privacy Framework, as may be amended, superseded, or replaced from time to time.

“EEA Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914 on 4 June 2021.

“Transfer Mechanism” means an international transfer of Personal Data that is subject to the applicable jurisdiction-specific provisions contained in this Transfer Mechanisms Addendum.

“UK Addendum” means the template Addendum issued by the Information Commissioner’s Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18.

3.     Remediation. If a party determines that it can no longer comply with its obligations under an applicable Transfer Mechanism, or if the use of a Transfer Mechanism is no longer lawful, then the party will promptly provide written notice to the other party so that the parties can take reasonable and appropriate steps to remediate such non-compliance.

4.     European Transfer Mechanisms. This Section applies to international transfers (whether direct or onward) of Personal Data originating from and that is subject to the Data Protection Laws of the European Economic Area (EEA), United Kingdom (UK), or Switzerland, as applicable (“European Transfer”).

4.1     Data Privacy Framework. If the DPF applies, Smartsheet will ensure that any Personal Data subject to a European Transfers is provided at least the same level of protection as is required by the Data Privacy Framework Principles.

4.2    EEA Standard Contractual Clauses. If Data Protection Laws require any European Transfer to be subject to the EEA Standard Contractual Clauses, the parties agree that the EEA Standard Contractual Clauses shall be incorporated into the DPA and deemed signed by the parties. The EEA Standard Contractual Clauses will apply in the following manner:

4.2.1    Module One (Controller to Controller) will apply where Smartsheet is Processing System Data and Account Information that may be considered Personal Data.

4.2.2   Module Two (Controller to Processor) will apply where Customer is a Controller of Customer Personal Data and Smartsheet is a Processor of Customer Personal Data;

4.2.3   For each module, where applicable:

4.2.3.1   in Clause 7, the optional docking clause will not apply;

4.2.3.2   in Clause 9, Option 2 will apply, and the process for providing notice and the time period for objections of Subprocessor changes will be as set forth in Section 4 (Subprocessors) of the DPA;

4.2.3.3   in Clause 11, the optional language will not apply;

4.2.3.4   in Clause 17, the EEA Standard Contractual Clauses will be governed by the laws of Germany.

4.2.3.5   in Clause 18(b), disputes will be resolved before the courts of Germany.

4.2.3.6   In Annex I, Part A: 

Data Exporter:  Customer and authorized Affiliates of Customer.

Contact Details:  Customer’s account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.

Data Exporter Role:  As set forth in the DPA and Agreement.

Signature & Date:  By entering into the DPA, Data Exporter is deemed to have signed the EEA Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.

Data Importer: Smartsheet Inc.

Contact Details: Smartsheet Privacy - privacy@smartsheet.com; Smartsheet Security - security@smartsheet.com.

Data Importer Role: As set forth in the DPA and Agreement.

Signature & Date: By entering into the DPA, Data Importer is deemed to have signed the EEA Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the DPA.

4.2.3.7   In Annex I, Part B:

Module One (Controller to Controller)

The categories of Data Subjects are described in Smartsheet’s Privacy Notice.

The sensitive data transferred is described in Smartsheet’s Privacy Notice.

The frequency of transfers are on a continuous basis.

The nature of the Processing is described in Smartsheet’s Privacy Notice.

The purpose of the Processing is described in Smartsheet’s Privacy Notice.

The period of the Processing is described in Smartsheet’s Privacy Notice.

For transfers to Subprocessors, the subject matter, nature, and duration of the Processing is outlined on the Smartsheet Subprocessors page (available on the Site).

Module Two (Controller to Processor)

The categories of Data Subjects are described in Schedule 1 of the DPA.

The sensitive data transferred is described in Schedule 1 of the DPA.

The frequency of transfers are on a continuous basis for the duration of the Agreement.

The nature of the Processing is described in Schedule 1 of the DPA.

The purpose of the Processing is described in Schedule 1 of the DPA.

The period of the Processing is described in Schedule 1 of the DPA.

For transfers to Subprocessors, the subject matter, nature, and duration of the Processing is outlined on the Smartsheet Subprocessors page (available on the Site).

4.2.3.8   In Annex I, Part C: in accordance with clause 13, the competent supervisory authority is identified as follows:

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Commission nationale de l'informatique et des libertés (CNIL) - 3 Place de Fontenoy, 75007 Paris, France shall act as the competent supervisory authority.

Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as the competent supervisory authority.

Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.

4.2.3.9   Smartsheet’s Security Practices serve as Annex II of the EEA Standard Contractual Clauses.

4.2.4    Switzerland. With respect to any European Transfers from Switzerland, references in the EEA Standard Contractual Clauses will be interpreted to include applicable terminology for Switzerland (e.g., “Member State” shall be interpreted to mean “Switzerland”). To the extent required by law, any such European Transfers will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data.

4.2.5   UK Addendum. If Data Protection Laws require any European Transfer to be subject to the UK Addendum, the parties agree that the  UK Addendum shall be incorporated into the DPA and deemed signed by the parties. The UK Addendum will apply in the same manner as the EEA Standard Contractual Clauses.

Last Updated: April 17, 2026