Security Statement

Last Updated: August 15, 2016

Your trust is our most important asset. All customer data stored by Smartsheet.com, Inc. (“Smartsheet,” “we,” or “us”) is protected by rigorous infrastructure and administrative procedures. To achieve the high levels of physical and data protection that today’s businesses require, Smartsheet maintains a robust and comprehensive multi-level security environment as described herein. PLEASE NOTE THAT THIS SECURITY STATEMENT APPLIES TO THE SMARTSHEET INTERNET-DELIVERED WORK COLLABORATION SERVICE (“SUBSCRIPTION SERVICE”) AND IT DOES NOT APPLY TO ANY SUBSCRIPTION SERVICE ADD-ONS SUCH AS SMARTSHEET PREMIUM APPS, LABS APPS, OR THIRD PARTY APPLICATIONS. Capitalized terms not defined in this Security Statement shall have the meanings given to them in the agreement that governs your use of the Subscription Service.

Physical Security

The Subscription Service is hosted on dedicated servers in accordance with industry best practices in secure data centers in Ashburn, Virginia and Chicago, Illinois. The data centers provide 24-hour physical security which includes keycard and biometric access controls and continuous surveillance.

Data Encryption

Smartsheet uses proven transport layer security (TLS) technology from the most trusted providers to encrypt all data transmissions between your device and our servers, commonly referred to as on-the-wire encryption. TLS technology is designed to protect your information by establishing trust of our servers through a trusted third party, and then creating a secure channel through which your data can pass to our servers protected from malicious actors.  We also use AES 256 encryption before data is durably stored, commonly referred to as at-rest-encryption. A dedicated firewall provides a strong barrier of network security from the internet and we utilize Amazon’s S3 service to store and serve uploaded files.

User Authentication

Each user in your Smartsheet environment has a unique user name (i.e., their e-mail address). We offer forms-based authentication (username and password) and Google Authentication to all users of Smartsheet and enterprise customers can take advantage of a SAML2.0 SSO integration or AzureAD authentication for compliance with any corporate authentication or identity management policies.  Smartsheet issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include either the user name or password of the user. Smartsheet does not use cookies to store other confidential user and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs. All account login attempts are logged, and account lockout policies are automatically applied after a certain number of failed login attempts.

Operational Management

We have implemented policies and procedures designed to ensure that your data is secure and backed up to multiple physical locations. Our team is continually evaluating new security threats and implementing updated countermeasures designed to prevent unauthorized access to or unplanned downtime of the Subscription Service. Access to all Smartsheet production systems and data is limited to authorized members of the Smartsheet Technical Operations team.

Audit and Assurance

All administrative access to data, information, file attachments, text, images, personally identifiable information, and other content that is uploaded or submitted to your instance of the Subscription Service is reviewed on a quarterly basis by internal auditors to confirm that we use it only for the purposes permitted by the agreement governing your use of the Subscription Service. (For the avoidance of doubt, any personal information provided to Smartsheet in connection with the creation and management of your account is governed by the Smartsheet Privacy Policy.) Smartsheet contracts with third-party security professionals to conduct network and application penetration testing annually to proactively find new attack vectors and security weakness.

Disclosure

Smartsheet maintains a policy of full event disclosure for security incidents that affect customer data. In the event of any security incident affecting your data, a notification will be sent to your account administrator (e.g., the primary account owner or your SysAdmin). Smartsheet additionally publishes information about the health of our service at http://status.smartsheet.com.

Engagement

If you find a security issue with our products or if you are concerned or suspect that your Smartsheet account has been compromised, please contact us at security@smartsheet.com or call us directly at 425-283-1870.

Changes

We may update this Security Statement as we add new security capabilities and make security improvements to our services. If we make any material changes we will notify you by means of a notice on our Web Properties prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our security practices.