The notice states that Smartsheet acts as a data controller for personal data collected through its website and marketing activities, and as a data processor for content and data submitted by enterprise customers through the platform, with the terms of processor activities governed by separate customer agreements.
This analysis describes what Smartsheet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision determines the allocation of direct regulatory obligations between Smartsheet and its enterprise customers under GDPR and CCPA. Where Smartsheet acts as a processor, enterprise customers bear primary controller obligations for data subject rights fulfilment and breach notification, and must have Data Processing Agreements in place.
Interpretive note: The full text of the processor-specific terms is contained in separate customer agreements not reproduced in this notice, so the complete scope of processor obligations cannot be assessed from this document alone.
The updated privacy policy states that only Smartsheet's U.S.-based affiliates participate in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework. Previously, the policy referenced participation by Smartsheet and its affiliates without geographic qualification. This narrowed scope may affect the data transfer mechanisms available for processing personal data from EU, UK, and Swiss users if non-U.S. affiliates are involved in data handling. The policy does not explicitly describe alternative transfer mechanisms for non-U.S. affiliates.
The provision was substantially rewritten from a specific explanation of processor/controller roles to a general introductory statement defining Smartsheet's identity and the layered structure of the privacy notice, and severity increased from medium to high.
Under this distinction, individual users whose data is submitted to the platform by an enterprise employer or client may need to direct data subject rights requests to the enterprise customer rather than directly to Smartsheet, depending on the applicable contractual and regulatory framework.
"On our website, including www.smartsheet.com ("Site"), "we" (or "our," "us") refers to Smartsheet Inc. The Smartsheet Privacy Notice ("Privacy Notice") consists of this page and the specific notices which describe how we collect, use, and share personal data and explain your related rights and choices."
Excerpt from Smartsheet's Smartsheet Privacy Policy
1. REGULATORY LANDSCAPE: This provision implicates GDPR Article 4 (definitions of controller and processor) and Article 28 (processor obligations), UK GDPR equivalents, and CCPA as amended by CPRA regarding service provider designations. Enforcement authorities include EU data protection authorities and the UK ICO. Where Smartsheet acts as a processor, the enterprise customer bears primary controller obligations; however, processors retain independent obligations under GDPR Article 28 and may face direct enforcement in some jurisdictions.
2. GOVERNANCE EXPOSURE: High. The controller-processor distinction has material implications for data subject rights workflows, breach notification obligations, and contractual requirements. If Data Processing Agreements are not in place for EU or UK enterprise customer relationships, both Smartsheet and the enterprise customer face potential regulatory exposure.
3. JURISDICTION FLAGS: Heightened exposure exists for EU and EEA operations under GDPR, UK operations under UK GDPR, and California operations under CCPA and CPRA. The processor designation for enterprise data may also be relevant in Brazil under LGPD and other jurisdictions with similar frameworks.
4. CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should verify that Data Processing Agreements incorporating the required GDPR Article 28 terms are executed before submitting personal data to the Smartsheet platform. B2B contracts should specify data subject rights fulfilment workflows and breach notification timelines. The notice's assertion that processor terms are governed by separate customer agreements means the main privacy notice does not fully disclose all applicable processor obligations.
5. COMPLIANCE CONSIDERATIONS: Compliance teams should audit whether current enterprise customer agreements include valid Data Processing Agreements, confirm that data subject rights request workflows are documented for both controller and processor scenarios, and verify that subprocessor disclosure requirements are met for all third-party service providers engaged in processing enterprise customer data.
ConductAtlas is an independent monitoring service. It is not affiliated with, endorsed by, or sponsored by Smartsheet.