Smartsheet and GDPR
The General Data Protection Regulation (GDPR) is a European regulation that took effect on May 25, 2018, and sets out new standards for the protection and processing of personal data. Smartsheet and many of its customers may be obligated to comply with certain of the GDPR's requirements as a data controller, data processor, or both. This site is intended to provide information that customers of Smartsheet may find useful in their GDPR compliance efforts. The information on this site concerns our current practices with respect to customers' uploaded content in our role as a processor of this data. Smartsheet may update this page from time to time to reflect changes in our operations and practices.
The GDPR requires that an adequate transfer mechanism is in place in order to facilitate the transfer of personal data from the European Economic Area (EEA) to the United States.
Is Smartsheet certified under Privacy Shield?
Yes. Smartsheet self-certifies under the EU-US Privacy Shield and Swiss-US Privacy Shield, which is a valid transfer mechanism under the GDPR. You can view Smartsheet’s status on the Privacy Shield website.
Does Smartsheet sign Standard Contractual Clauses?
Smartsheet does not sign the Standard Contractual Clauses with customers because Smartsheet is Privacy Shield self-certified, which is a valid transfer mechanism under the GDPR. You can verify Smartsheet’s status under Privacy Shield by visiting the Privacy Shield website.
Does Smartsheet have a Data Protection Contact?
Yes. Smartsheet’s privacy contact can be reached at [email protected].
Does Smartsheet enter into Data Processing Agreements?
Yes; Smartsheet offers a DPA to customers upon request (Smartsheet as processor). Smartsheet’s DPA has been tailored to Smartsheet as a cloud service provider and to address the unique nuances of our product, operations, and the way Smartsheet interacts with Customer Content. Smartsheet's DPA is available at www.smartsheet.com/legal/DPA.
What is Customer Content?
Customer Content is data, information, file attachments, text, images, personally identifiable information, and other content that is uploaded or submitted by users or collected by users from third parties using forms or other features of the service.
Is Smartsheet a Data Processor or a Data Controller?
Smartsheet is a data processor with respect to Customer Content.
Where is Customer Content stored?
Customer Content is currently stored within the United States.
How is Customer Content secured?
For information about Smartsheet’s security practices, please visit the Smartsheet Trust Center.
Smartsheet engages a few third-party service providers that process Customer Content on our behalf in connection with the provision of our services to customers ("Subprocessors").
Does Smartsheet have written agreements with its Subprocessors?
Yes; our engagement of each Subprocessor is subject to a written agreement containing data protection terms required under the GDPR.
List of Current Subprocessors
Below are the Subprocessors Smartsheet engages today; this list is subject to change at Smartsheet's discretion.
| Subprocessor | Role | Country |
|---|---|---|
| Amazon Web Services, Inc. | Hosting Provider | United States |
| Google LLC | Hosting Provider of Optional Features | United States |
| Microsoft Corporation | Hosting Provider of Optional Features | United States |
| Heroku, Inc. | Hosting Provider of Optional Features | United States |
| NTT America, Inc. | Internet Service Provider | United States |
| Zayo Group, LLC | Internet Service Provider | United States |
Does Smartsheet have any Corporate Affiliates?
Yes; Smartsheet has an affiliate in Scotland, Smartsheet UK Ltd., that may process Customer Content on Smartsheet's behalf, subject to written data protection terms that comply with the GDPR's requirements.