Smartsheet and GDPR

The General Data Protection Regulation (GDPR) is a European regulation that took effect on May 25, 2018, and sets out new standards for the protection and processing of personal data. Smartsheet and many of its customers may be obligated to comply with certain of the GDPR's requirements as a data controller, data processor, or both. This site is intended to provide information that customers of Smartsheet may find useful in their GDPR compliance efforts. The information on this site concerns our current practices with respect to customers' uploaded content in our role as a processor of this data. Smartsheet may update this page from time to time to reflect changes in our operations and practices.

Data Transfers

The GDPR requires that an adequate transfer mechanism be in place to facilitate the transfer of personal data from the European Economic Area (EEA) to the United States.

Is Smartsheet certified under Privacy Shield?

Yes. Smartsheet self-certifies under the EU-US Privacy Shield and Swiss-US Privacy Shield, which is a valid transfer mechanism under the GDPR. You can view Smartsheet’s status on the Privacy Shield website.

Does Smartsheet sign Standard Contractual Clauses?

Smartsheet does not sign the Standard Contractual Clauses with customers because Smartsheet is Privacy Shield self-certified, which is a valid transfer mechanism under the GDPR. You can verify Smartsheet’s status under Privacy Shield by visiting the Privacy Shield website.

Privacy

Smartsheet values individuals’ privacy and understands the desire and interest in knowing how information about you is collected and used. For transparency and clarity, Smartsheet has reorganized and updated our Privacy Policy to ensure individuals understand what data we collect and how we use and share it. The Smartsheet Privacy Policy describes how we collect, use and disclose information that we gather about visitors to our websites; from users of the Smartsheet software-as-a-service application; and the information we collect when we communicate with customers, users or other individuals related to our services (whether by phone, email, or other method). The Privacy Policy also outlines individuals’ rights and choices with regard to the information collected about them. We encourage individuals to periodically review the Privacy Policy for the latest information on our privacy practices.

Does Smartsheet have a Data Protection Contact?

Yes. Smartsheet’s privacy contact can be reached at [email protected].

Does Smartsheet enter into Data Processing Agreements?

Yes; Smartsheet offers a DPA to customers upon request (Smartsheet as processor). Smartsheet’s DPA has been tailored to Smartsheet as a cloud service provider and to address the unique nuances of our product, operations, and the way Smartsheet interacts with Customer Content. Please reach out to [email protected] to request a DPA.

Customer Content

What is Customer Content?

Customer Content is data, information, file attachments, text, images, personally identifiable information, and other content that is uploaded or submitted by users or collected by users from third parties using forms or other features of the service.

Is Smartsheet a Data Processor or a Data Controller? 

Smartsheet is a data processor with respect to Customer Content.

Where is Customer Content stored?

Customer Content is currently stored within the United States.

How is Customer Content secured?

For information about Smartsheet’s security practices, please visit the Smartsheet Trust Center.

Subprocessors

Smartsheet engages a few third-party service providers that process Customer Content on our behalf in connection with the provision of our services to customers ("Subprocessors").

Does Smartsheet have written agreements with its Subprocessors?

Yes; our engagement of each Subprocessor is subject to a written agreement containing data protection terms required under the GDPR.

List of Current Subprocessors

Below are the Subprocessors Smartsheet engages today; this list is subject to change at Smartsheet's discretion.

| Subprocessor | Category | Location |
| --- | --- | --- |
| Amazon Web Services, Inc. | Hosting Provider | United States |
| Google LLC | Hosting Provider of Optional Features | United States |
| Microsoft Corporation | Hosting Provider of Optional Features | United States |
| Heroku, Inc. | Hosting Provider of Optional Features | United States |
| NTT America, Inc. | Internet Service Provider | United States |
| Zayo Group, LLC | Internet Service Provider | United States |

Does Smartsheet have any Corporate Affiliates? 

Yes; Smartsheet has an affiliate in Scotland, Smartsheet UK Ltd., that may process Customer Content on Smartsheet's behalf, subject to written data protection terms that comply with the GDPR's requirements.

Resources