Data residency

You have control over where certain content is hosted with Smartsheet through Smartsheet Regions, which offers data residency options to activate compliance with privacy and governance requirements. Such requirements are prevalent for customers operating in regulated industries like finance, government, or healthcare; you’re empowered with Smartsheet Regions to meet these obligations.


The data region is the geographic location where the service operates and customer content is physically hosted. You can choose data residency in the United States or the European Union data regions, with backup regions as follows:

Data region

Data region backup

United States

United States

European Union (Germany)

European Union (Ireland)

The United States data region is the default location for the Smartsheet commercial platforms; while the European Union data region is the default location for the Smartsheet EU platform. Smartsheet Gov is held to FedRAMP standards, which requires data to be stored in the US. Regardless of which data region you select, Smartsheet processes your content according to industry-leading security measures described in the Smartsheet Trust Center.

Learn more about Smartsheet Regions.

Data hosted in the data region

Data, images, files, or other content uploaded or submitted by you (via your users) to the Smartsheet service is processed by Smartsheet on your behalf. This content is referred to as Customer Content in Smartsheet’s User Agreement and is the content that is physically hosted in your selected data region. The data residency of customer content is therefore, your selected data region.

Access to customer content from outside a data region

Smartsheet engages personnel and systems located worldwide but primarily in the United States to provision your Smartsheet services. By extension, Smartsheet may need to access your customer content from a location outside your selected data region to provide, secure, support, or optimize your services. Smartsheet performs these activities only to the extent allowed under your agreement with Smartsheet governing your services.


For example, Smartsheet may perform ancillary and limited processing activities on customer content hosted in the European Union from the United States. This is done in response to your request for support or to prevent or address technical problems with your service.
Smartsheet Gov meets DoD requirements; all administrative data access is guaranteed to be performed by US persons.

Smartsheet uses valid data transfer mechanisms to safeguard any personal data accessed from or transferred to a data region different from the host region. For more information, please see Smartsheet’s International Data Transfers data sheet.

To further assist you with your data privacy and governance obligations, Smartsheet also offers a Data Processing Addendum to customers requiring specific terms for the processing of personal data included in customer content. 

Usage data and account information

Smartsheet collects technical, statistical, learned, or other usage data that doesn’t reveal the actual contents of customer content (referred to as usage data) along with payment, billing, profile, or other account information (referred to as account information) about your purchase and use of the services. Whereas Smartsheet acts as the data processor of customer content on your behalf, it acts as a data controller of usage data and account information to carry out its business purposes.
 

As a data controller, Smartsheet transfers usage data and account information to its primary business functions in the United States from other data regions. These functions include most of our finance, marketing, sales, and support, all of which rely on usage data and account information to provide, secure, support, and optimize Smartsheet’s service for our customers. By consolidating such data and information, Smartsheet creates efficient and high-performing functions and limits the data footprint and threat vectors. Accordingly, Smartsheet doesn’t offer data residency options regarding usage data and account information.
 

For Smartsheet Gov, the metadata is processed in accordance with Smartsheet’s FedRAMP ATO and Defense Information System Agency provisional authorization. 
 

For more information on Smartsheet’s data collection practices related to personal data included in usage data and account information, and the purposes for which such data is used, please see Smartsheet’s Privacy Notice.