Smartsheet and GDPR
The General Data Protection Regulation (GDPR) is a European regulation that took effect on May 25, 2018, and sets out new standards for the protection and processing of personal data. Smartsheet and many of its customers may be obligated to comply with some of the GDPR's requirements as a data controller, data processor, or both. This site is intended to provide information that customers of Smartsheet may find useful in their GDPR compliance efforts. The information on this site regards our current practices with respect to customers' uploaded content in our role as a processor of this data. Smartsheet may update this page from time to time to reflect changes in our operations and practices.
The GDPR requires that an adequate transfer mechanism is in place in order to facilitate the transfer of personal data from the European Economic Area (EEA), including the United Kingdom, to the United States.
Currently, all Smartsheet data centers are located in the United States. To facilitate the transfer of data, Smartsheet self-certifies under the EU-US Privacy Shield and Swiss-US Privacy Shield, which is a valid transfer mechanism under the GDPR. You can view Smartsheet’s status on the Privacy Shield website.
Smartsheet values individuals’ privacy and understands the desire and interest in knowing how information about you is collected and used. For transparency and clarity, Smartsheet has reorganized and updated our Privacy Notice to ensure individuals understand what data we collect and how we use and share it. The Smartsheet Privacy Notice describes how we collect, use and disclose information that we gather about visitors to our websites; from users of the Smartsheet software-as-a-service application; and the information we collect when we communicate with customers, users or other individuals related to our services (whether by phone, email, or other method). The Privacy Notice also outlines individuals’ rights and choices with regard to the information collected about them. We encourage individuals to periodically review the Privacy Notice for the latest information on our privacy practices.
Does Smartsheet have a Data Protection Contact?
Yes. Smartsheet’s privacy contact can be reached at [email protected].
Does Smartsheet enter into Data Processing Agreements?
Yes; Smartsheet offers a data processing addendum ("DPA") to customers upon request (Smartsheet as processor). Smartsheet’s DPA has been tailored to Smartsheet as a cloud service provider and to address the unique nuances of our product, operations, and the way Smartsheet interacts with Customer Content. Smartsheet's DPA is available at www.smartsheet.com/legal/DPA.
What is Customer Content?
Customer Content is data, information, file attachments, text, images, personally identifiable information, and other content that is uploaded or submitted by users, or collected by users from third parties using forms or other features of the service, to the Smartsheet internet-delivered application.
Is Smartsheet a Data Processor or a Data Controller?
Smartsheet is a data processor with respect to Customer Content.
Where is Customer Content stored?
All Smartsheet data centers, which store Customer Content, are currently located within the United States.
How is Customer Content secured?
Smartsheet engages third-party service providers that process Customer Content on our behalf in connection with the provision of our services to customers ("Subprocessors").
Does Smartsheet have written agreements with its Subprocessors?
Yes; our engagement of each Subprocessor is subject to a written agreement containing data protection terms required under the GDPR and other applicable data privacy laws.
List of Current Subprocessors
Below are the Subprocessors Smartsheet engages today; this list is subject to change at Smartsheet's discretion.
Updated: December 27, 2019
| Entity Name | Purpose | Entity Location |
|---|---|---|
| Amazon Web Services, Inc. | App Functionality - Hosting provider | United States |
| Elasticsearch, Inc.* | App Functionality - Cloud-based search tool | United States |
| Google LLC | App Functionality - Hosting provider | United States |
| 250ok Inc. | Security - Cloud-based email delivery monitoring | United States |
| Mimecast Services Limited | Security - Cloud-based email spam filter | United States |
| Adobe Inc.* | Optional - Cloud-based document converter to PDF | United States |
| Avalara, Inc. | Optional - Cloud-based payment support services | United States |
| Microsoft Corporation | Optional - Hosting provider of optional features | United States |
| PayPal Holdings Inc. | Optional - Cloud-based payment processing services | United States |
| | Optional - Cloud-based customer support services (ServiceCloud) | |
| | Optional - Hosting provider of optional features - Labs Apps (Heroku) | |
| Stripe, Inc. | Optional - Cloud-based payment processing services | United States |
*Please note that Smartsheet is not currently using these subprocessors but will be in the coming months in connection with updates to current features.
Does Smartsheet have any Corporate Affiliates?
Yes; depending on the geographic location of a customer, and the nature of the Services provided, Smartsheet may also engage one or more of the following affiliates as subprocessors to deliver some or all of the Services provided to customers.
| Entity Name | Entity Location |
|---|---|
| Artefact Product Group LLC dba 10,000ft | United States |
| TernPro, Inc. dba Slope | United States |
| Smartsheet UK Ltd. formerly known as Helpa Ltd. and Coverse.ai | United Kingdom |
| Smartsheet Australia Pty Limited | Australia |