Your data may be transferred to and stored in the United States or other countries with different privacy laws. For EU and UK users, Smartsheet states it uses approved legal mechanisms like Standard Contractual Clauses to make that transfer lawful.
This analysis describes what Smartsheet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Data transferred to the US is subject to US surveillance laws and may not receive the same legal protections as in the EU or UK, making the adequacy of transfer mechanisms a material compliance question for European organizations.
Interpretive note: The adequacy of Smartsheet's specific transfer impact assessments and supplementary measures is not disclosed in the notice, and the legal status of adequacy decisions may change, creating ongoing uncertainty about transfer lawfulness.
The updated privacy policy states that only Smartsheet's U.S.-based affiliates participate in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework. Previously, the policy referenced participation by Smartsheet and its affiliates without geographic qualification. This narrowed scope may affect the data transfer mechanisms available for processing personal data from EU, UK, and Swiss users if non-U.S. affiliates are involved in data handling. The policy does not explicitly describe alternative transfer mechanisms for non-U.S. affiliates.
View change record →Removal of explicit international data transfer disclosure eliminates important notice about cross-border data flows and differences in data protection standards, which is particularly significant for non-U.S. users.
View full change record →If you are located outside the US, including in the EU or UK, your personal data will be transferred to and processed in the United States, where data protection laws may provide fewer protections; Smartsheet states it uses Standard Contractual Clauses or adequacy decisions to authorize those transfers.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Monitoring
Smartsheet has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Smartsheet is based in the United States, and personal data we collect is governed by U.S. law. If you are accessing our Site or Services from outside the United States, please be aware that information collected through the Site or Services may be transferred to, processed, stored, and used in the United States and other countries. Data protection laws in the U.S. and other countries may differ from those in your country of residence. Where required, we rely on approved transfer mechanisms such as Standard Contractual Clauses or adequacy decisions to transfer personal data from the EEA and UK.— Excerpt from Smartsheet's Smartsheet Privacy Policy
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V on international data transfers, including requirements for adequate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions. The UK GDPR has parallel requirements. Following the Schrems II decision, SCCs must be accompanied by a transfer impact assessment (TIA) where required. The relevant enforcement authorities are EU national data protection authorities and the UK ICO. (2) GOVERNANCE EXPOSURE: Medium. Smartsheet's reliance on SCCs and adequacy decisions is consistent with standard industry practice for US-based SaaS providers, but the adequacy of those mechanisms depends on whether supplementary measures and TIAs have been conducted. Organizations in regulated sectors or those handling sensitive personal data face heightened exposure if Smartsheet's transfer documentation is incomplete. (3) JURISDICTION FLAGS: EU and EEA organizations face the primary exposure under GDPR Chapter V. UK organizations face parallel obligations under UK GDPR. Where Smartsheet relies on the EU-US Data Privacy Framework adequacy decision for certain transfers, organizations should monitor the legal status of that framework, which has been subject to legal challenge. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request Smartsheet's SCCs or data transfer documentation as part of vendor due diligence. Procurement teams should confirm which transfer mechanism applies to their specific data flows and whether Smartsheet has conducted TIAs for relevant transfers. (5) COMPLIANCE CONSIDERATIONS: Legal teams should document the transfer mechanisms applicable to their Smartsheet deployments and assess whether supplementary technical or organizational measures are needed. Any changes in the legal status of adequacy decisions or SCCs may require reassessment of transfer lawfulness.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Data transferred to the US is subject to US surveillance laws and may not receive the same legal protections as in the EU or UK, making the adequacy of transfer mechanisms a material compliance question for European organizations.
If you are located outside the US, including in the EU or UK, your personal data will be transferred to and processed in the United States, where data protection laws may provide fewer protections; Smartsheet states it uses Standard Contractual Clauses or adequacy decisions to authorize those transfers.
ConductAtlas has identified this type of provision across 55 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Smartsheet.