Smartsheet Security Practices

At Smartsheet, we understand that you need to know how your data is protected and secured when using our online Services. These Smartsheet Security Practices describe the practices and safeguards, which include physical, organizational, and technical measures, utilized by Smartsheet that are designed to preserve the security, integrity, and confidentiality of the online Services and Customer Content to protect against information security threats.

1. General.

1.1 Information Security Program. Smartsheet shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the Processing and security of Customer Content and the Smartsheet systems or networks used to Process or secure Customer Content ("Smartsheet Information Systems") in connection with providing the Services under the Agreement and Supplement.

1.2 Confidentiality; Training. Smartsheet will ensure that Smartsheet Personnel: (a) are bound by confidentiality obligations with respect to Customer Content substantially as protective as those set forth in the Agreement; and (b) are subject to appropriate training relating to the Processing of Customer Content.

1.3 Definitions.

1.3.1 “Agreement” means the agreement that governs Customer’s access to and use of the online Services.

1.3.2 “Customer” means the individual or entity that executes or accepts an Order or registers for free trial access to and use of a Service and has entered into an Agreement.

1.3.3 “Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Smartsheet on behalf of Customer.

1.3.4 “Process” means any operation or set of operations performed upon Customer Content, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

1.3.5 “Security Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.

1.3.6 “Services” means the Subscription Services and any other online service or application provided or controlled by Smartsheet for use with the Subscription Services.

1.3.7 “Smartsheet Personnel” means any individual authorized by Smartsheet to Process Customer Content.

1.3.8 “Subscription Service” means the subscription-based online services and applications that are provisioned or controlled by Smartsheet.

1.3.9 "Supplement" means those criteria, means, methods, and measures, and terms and conditions applicable to certain products and services of Smartsheet or customer types available at www.santa-greenland.com/legal/agreement-supplement.

1.3.10 “User” means any individual authorized or invited by Customer or another User to access and use the online Services under the terms of the Agreement.

2. Security Controls. In accordance with its information security program, Smartsheet shall implement appropriate physical, organizational, and technical controls designed to: (a) ensure the security, integrity, and confidentiality of Customer Content Processed by Smartsheet; and (b) protect Customer Content from known or reasonably anticipated threats or hazards, including to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of Processing. Without limiting the foregoing, Smartsheet will, as appropriate, utilize the following controls:

2.1 Firewalls. Smartsheet will install and maintain firewall(s) to protect data accessible via the Internet.

2.2 Updates. Smartsheet will maintain programs and routines to keep the Smartsheet Information Systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.

2.3 Anti-malware. Smartsheet will deploy and use anti-malware software and will keep the anti-malware software up to date. Smartsheet will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected.

2.4 Testing. Smartsheet will regularly test its security systems, processes, and controls to ensure they meet the requirements of these Security Practices.

2.5 Access Controls. Smartsheet will secure Customer Content processed by Smartsheet Information Systems by complying with the following:

  • 2.5.1 Smartsheet will assign a unique ID to Smartsheet Personnel with access to Smartsheet Information Systems.

  • 2.5.2 Smartsheet will restrict access to Smartsheet Information Systems to only Smartsheet Personnel necessary to perform a specified obligation as permitted by the Agreement.

  • 2.5.3 Smartsheet will regularly review (at a minimum once every ninety (90) days) the list of Smartsheet Personnel and services with access to Smartsheet Information Systems and remove accounts that no longer require access.

  • 2.5.4 Smartsheet will not use manufacturer supplied defaults for system passwords on any operating systems, software, or Smartsheet Information Systems, will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below), and will require that all passwords and access credentials be kept confidential and not shared among Smartsheet Personnel.

  • 2.5.5 At a minimum, Smartsheet production passwords will: (i) contain at least eight (8) characters; (ii) not match previous passwords, the user’s login, or common name; (iii) be changed whenever an account compromise is suspected or assumed; and (iv) be regularly replaced.

  • 2.5.6 Smartsheet will enforce account lockout by disabling accounts Processing Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period.

  • 2.5.7 Smartsheet will maintain log data for all use of accounts or credentials by Smartsheet Personnel for access to Smartsheet Information Systems and will regularly review access logs for signs of malicious behavior or unauthorized access.

2.6 Policies. Smartsheet will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for Smartsheet Personnel that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.

2.7 Development. Development and testing environments will be separate from Smartsheet Information Systems.

2.8 Deletion. Smartsheet will utilize procedures that are at a minimum in accordance with National Institute of Standards and Technology (NIST) SP 800-88 Revision 1 recommendations (or a successor standard widely used in the industry) to render Customer Content unrecoverable prior to disposal of media.

2.9 Encryption. Content will utilize encryption standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, Smartsheet will encrypt Customer Content at rest within the online Services and will only allow encrypted connections to the online Service for the transfer of Customer Content.

2.10 Remote Access. Smartsheet will ensure that any access from outside of its protected corporate or production environments to Smartsheet Information Systems or to Smartsheet’s corporate or development workstation networks will require appropriate connection controls, such as VPN or multi-factor authentication.

3. Use of Third Parties.

3.1 General. Third parties engaged by Smartsheet in accordance with the Agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.

3.2 Data Hosting. Smartsheet will ensure that any third party hosting provider (“Infrastructure-as-a-Service” or “IaaS”) utilized by Smartsheet to Process Customer Content meets the following requirements:

  • 3.2.1 Base Requirements. At a minimum Smartsheet will ensure IaaS providers: (a) maintain adequate physical security and access controls as set forth in Section 2.5 of these Security Practices; (b) use professional HVAC & environmental controls; (c) utilize professional network/cabling environment; (d) use professional fire detection/suppression capability; and (e) maintain a comprehensive business continuity plan.

  • 3.2.2 Annual Audit; Assessment. Conduct annual risk assessments and independent audits. Such assessments and audit reports will be provided to Smartsheet and, if required by law, made available to Customer, provided Smartsheet may remove all commercial and confidential information or terms unrelated to the security practices of the IaaS. In addition, Smartsheet shall conduct annual reviews and assessments of any critical IaaS to validate the security measures at a minimum meet the requirements of these Security Practices.

  • 3.2.3 Enhanced Requirements. Possess requirements and capabilities of a highly-available, redundant (“N+1”) data center, where multiple components each give at least one independent backup component to ensure that system functionality continues at acceptable performance levels in the event of a system failure.

4. System Availability. Smartsheet will maintain (or, with respect to systems controlled by third parties, ensure that such third parties maintain) a disaster recovery (“DR”) program designed to recover the Subscription Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical Smartsheet Information Systems; (c) annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed therein.

5. Security Breach.

5.1 Procedure.

  • 5.1.1 Smartsheet will notify Customer in writing without undue delay upon Smartsheet becoming aware of a confirmed Security Breach.

  • 5.1.2 Smartsheet will investigate and, as necessary, mitigate or remediate a Security Breach in accordance with Smartsheet’s security incident policies and procedures (“Breach Management”).

  • 5.1.3 Subject to Smartsheet’s legal obligations, Smartsheet will provide Customer with information available to Smartsheet as a result of its Breach Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligation under applicable laws as a result of a Security Breach.

  • 5.1.4 If Customer requires information relating to a Security Breach in addition to the Incident Information, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Smartsheet will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.

5.2 Unsuccessful Attempts. An unsuccessful attack or intrusion is not a Security Breach subject to this Section 5. An “unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.

5.3 Customer or User Involvement. Unauthorized or unlawful access to Customer Content that results from the Customer’s configuration settings, compromise of a User’s login credentials, or from the intentional or inadvertent sharing or disclosure of Customer Content by the Customer or a User is not a Security Breach.

5.4 Notifications. Notification(s) of Security Breach, if any, will be delivered to one or more of Customer’s SysAdmin users by any reasonable means Smartsheet selects, including email. Customer is solely responsible for maintaining accurate contact information in the online Service at all times.

5.5 Disclaimer. Smartsheet’s obligation to report or respond to a Security Breach under this Section 5 is not an acknowledgement by Smartsheet of any fault or liability of Smartsheet with respect to the Security Breach.

6. Auditing and Reporting.

6.1 Monitoring. Smartsheet monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls.

6.2 Audit Reports. Smartsheet uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Subscription Services. The resulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at Smartsheet's selection and expense; and (d) result in the generation of a SOC2 report (“Audit Report”), which will be Smartsheet's Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.

6.3 Penetration Testing. Smartsheet uses external security experts to conduct penetration testing of certain online Services, including the Subscription Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at Smartsheet’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be Smartsheet’s Confidential Information. Pen Test Reports will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.

6.4 Customer Audit. If Customer legally requires information for its compliance with applicable laws in addition to the Audit and Pen Test Reports, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Smartsheet will allow for and cooperate with a Customer mandated audit by a third party auditor in relation to Smartsheet’s Processing of Customer Content (“Customer Audit”), provided that:

  • 6.4.1 Customer provides Smartsheet reasonable advance notice including the identity of the auditor and the anticipated date and scope of the Customer Audit;

  • 6.4.2 Smartsheet approves the auditor by notice to Customer, with such approval not to be unreasonably withheld;

  • 6.4.3 Customer and the auditor act to avoid causing any damage, injury, or disruption to Smartsheet’s premises, equipment, or business in the course of such Customer Audit; and

  • 6.4.4 Customer initiates only one Customer Audit in any calendar year unless otherwise required by law enforcement.

Last updated: March 24, 2023

©2023. All Rights Reserved Smartsheet Inc.