Smartsheet Security Practices
At Smartsheet, we understand that you need to know how your data is protected and secured when using our online Services. These Smartsheet Security Practices describe the practices and safeguards, which include physical, organizational, and technical measures, utilized by Smartsheet that are designed to preserve the security, integrity, and confidentiality of the online Services and Customer Content to protect against information security threats.
1.1 Information Security Program. Smartsheet shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the Processing and security of Customer Content and the Smartsheet systems or networks used to Process or secure Customer Content in connection with providing the Services (“Smartsheet Information Systems”).
1.2 Confidentiality; Training. Smartsheet will ensure that Smartsheet Personnel: (a) are bound by confidentiality obligations with respect to Customer Content substantially as protective as those set forth in the Agreement; and (b) are subject to appropriate training relating to the Processing of Customer Content.
- 1.3.1 “Agreement” means the agreement that governs Customer’s access to and use of the online Services.
- 1.3.2 “Customer” means the individual or entity that executes or accepts an Order or registers for free trial access to and use of a Service and has entered into an Agreement.
- 1.3.3 “Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Smartsheet on behalf of Customer.
- 1.3.4 “Process” means any operation or set of operations performed upon Customer Content, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
- 1.3.5 “Security Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.
- 1.3.6 “Services” means the Subscription Services and any other online service or application provided or controlled by Smartsheet for use with the Subscription Services.
- 1.3.7 “Smartsheet Personnel” means any individual authorized by Smartsheet to Process Customer Content.
- 1.3.8 “Subscription Service” means the subscription-based online services and applications that are provisioned or controlled by Smartsheet.
- 1.3.9 “User” means any individual authorized or invited by Customer or another User to access and use the online Services under the terms of the Agreement.
2. Security Controls. In accordance with its information security program, Smartsheet shall implement appropriate physical, organizational, and technical controls designed to: (a) ensure the security, integrity, and confidentiality of Customer Content Processed by Smartsheet; and (b) protect Customer Content from known or reasonably anticipated threats or hazards, including to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of Processing. Without limiting the foregoing, Smartsheet will, as appropriate, utilize the following controls:
2.1 Firewalls. Smartsheet will install and maintain firewall(s) to protect data accessible via the Internet.
2.2 Updates. Smartsheet will maintain programs and routines to keep the Smartsheet Information Systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.
2.3 Anti-malware. Smartsheet will deploy and use anti-malware software and will keep the anti-malware software up to date. Smartsheet will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected.
2.4 Testing. Smartsheet will regularly test its security systems, processes, and controls to ensure they meet the requirements of these Security Practices.
2.5 Access Controls. Smartsheet will secure Customer Content Processed by Smartsheet Information Systems by complying with the following:
- 2.5.1 Smartsheet will assign a unique ID to Smartsheet Personnel with access to Smartsheet Information Systems.
- 2.5.2 Smartsheet will restrict access to Smartsheet Information Systems to only Smartsheet Personnel necessary to perform a specified obligation as permitted by the Agreement.
- 2.5.3 Smartsheet will regularly review (at a minimum once every ninety (90) days) the list of Smartsheet Personnel and services with access to Smartsheet Information Systems and remove accounts that no longer require access.
- 2.5.4 Smartsheet will not use manufacturer supplied defaults for system passwords on any operating systems, software, or Smartsheet Information Systems, will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below), and will require that all passwords and access credentials be kept confidential and not shared among Smartsheet Personnel.
- 2.5.5 At a minimum, Smartsheet production passwords will: (i) contain at least eight (8) characters; (ii) not match previous passwords, the user’s login, or common name; (iii) be changed whenever an account compromise is suspected or assumed; and (iv) be regularly replaced.
- 2.5.6 Smartsheet will enforce account lockout by disabling accounts Processing Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period.
- 2.5.7 Smartsheet will maintain log data for all use of accounts or credentials by Smartsheet Personnel for access to Smartsheet Information Systems and will regularly review access logs for signs of malicious behavior or unauthorized access.
2.6 Policies. Smartsheet will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for Smartsheet Personnel that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.
2.7 Development. Development and testing environments will be separate from Smartsheet Information Systems.
2.8 Deletion. Smartsheet will utilize procedures that are at a minimum in accordance with National Institute of Standards and Technology (NIST) SP 800-88 Revision 1 recommendations (or a successor standard widely used in the industry) to render Customer Content unrecoverable prior to disposal of media.
2.9 Encryption. Smartsheet will utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, Smartsheet will encrypt Customer Content at rest within the online Services and will only allow encrypted connections to the online Service for the transfer of Customer Content.
2.10 Remote Access. Smartsheet will ensure that any access from outside of its protected corporate or production environments to Smartsheet Information Systems or to Smartsheet’s corporate or development workstation networks will require appropriate connection controls, such as VPN or multi-factor authentication.
3. Use of Third Parties.
3.1 General. Third parties engaged by Smartsheet in accordance with the Agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.
3.2 Data Hosting. Smartsheet will ensure that any third party hosting provider (“Infrastructure-as-a-Service” or “IaaS”) utilized by Smartsheet to Process Customer Content meets the following requirements:
- 3.2.1 Base Requirements. At a minimum, Smartsheet will ensure IaaS providers: (a) maintain adequate physical security and access controls as set forth in Section 1.2 of these Security Practices; (b) use professional HVAC and environmental controls; (c) utilize a professional network/cabling environment; (d) use professional fire detection/suppression capability; and (e) maintain a comprehensive business continuity plan.
- 3.2.2 Annual Audit; Assessment. IaaS providers will undergo annual independent risk assessments and audits. Such assessments and audit reports will be provided to Smartsheet and, if required by law, made available to Customer, provided Smartsheet may remove all commercial and confidential information or terms unrelated to the security practices of the IaaS. In addition, Smartsheet shall conduct annual reviews and assessments of any critical IaaS to validate that its security measures at a minimum meet the requirements of these Security Practices.
- 3.2.3 Enhanced Requirements. IaaS providers will possess the capabilities of a highly-available, redundant (“N+1”) data center, in which each critical component has at least one independent backup component so that system functionality continues at acceptable performance levels in the event of a component failure.
4. System Availability. Smartsheet will maintain (or, with respect to systems controlled by third parties, ensure that such third parties maintain) a disaster recovery (“DR”) program designed to recover the Subscription Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical Smartsheet Information Systems; (c) annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed therein.
5. Security Breach.
- 5.1.1 Smartsheet will notify Customer in writing without undue delay upon Smartsheet becoming aware of a confirmed Security Breach.
- 5.1.2 Smartsheet will investigate and, as necessary, mitigate or remediate a Security Breach in accordance with Smartsheet’s security incident policies and procedures (“Breach Management”).
- 5.1.3 Subject to Smartsheet’s legal obligations, Smartsheet will provide Customer with information available to Smartsheet as a result of its Breach Management, including the nature of the incident, the specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligations under applicable laws as a result of a Security Breach.
- 5.1.4 If Customer requires information relating to a Security Breach in addition to the Breach Information, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Smartsheet will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.
5.2 Unsuccessful Attempts. An unsuccessful attack or intrusion is not a Security Breach subject to this Section 5. An “unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.
5.3 Customer or User Involvement. Unauthorized or unlawful access to Customer Content that results from the Customer’s configuration settings, compromise of a User’s login credentials, or from the intentional or inadvertent sharing or disclosure of Customer Content by the Customer or a User is not a Security Breach.
5.4 Notifications. Notification(s) of Security Breach, if any, will be delivered to one or more of Customer’s SysAdmin users by any reasonable means Smartsheet selects, including email. Customer is solely responsible for maintaining accurate contact information in the online Service at all times.
5.5 Disclaimer. Smartsheet’s obligation to report or respond to a Security Breach under this Section 5 is not an acknowledgement by Smartsheet of any fault or liability of Smartsheet with respect to the Security Breach.
6. Auditing and Reporting.
6.1 Monitoring. Smartsheet monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls.
6.2 Audit Reports. Smartsheet uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Subscription Services. The resulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at Smartsheet's selection and expense; and (d) result in the generation of a SOC2 report (“Audit Report”), which will be Smartsheet's Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.
6.3 Penetration Testing. Smartsheet uses external security experts to conduct penetration testing of certain online Services, including the Subscription Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at Smartsheet’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be Smartsheet’s Confidential Information. Pen Test Reports will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.
6.4 Customer Audit. If Customer legally requires information for its compliance with applicable laws in addition to the Audit and Pen Test Reports, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Smartsheet will allow for and cooperate with a Customer mandated audit by a third party auditor in relation to Smartsheet’s Processing of Customer Content (“Customer Audit”), provided that:
- 6.4.1 Customer provides Smartsheet reasonable advance notice including the identity of the auditor and the anticipated date and scope of the Customer Audit;
- 6.4.2 Smartsheet approves the auditor by notice to Customer, with such approval not to be unreasonably withheld;
- 6.4.3 Customer and the auditor act to avoid causing any damage, injury, or disruption to Smartsheet’s premises, equipment, or business in the course of such Customer Audit; and
- 6.4.4 Customer initiates only one Customer Audit in any calendar year unless otherwise required by law enforcement.
Last updated: October 5, 2021