// Trust & Security Report

    Smartsheet Inc. logo

    Smartsheet Inc.

    Work management and collaboration platform; includes Smartsheet (sheets, dashboards, forms, automation, AI), Smartsheet Gov (FedRAMP/IL4-authorized variant for US federal agencies), and Advanced Work Management (enterprise PPM tier)

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Smartsheet uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Subscription Services. The resulting audit will be performed according to AICPA SOC2 standards... result in the generation of a SOC2 report. The Audit Report will be made available to Customer upon written request no more than annually.

    Verify on smartsheet.com
    SOC 3
    HELD

    SOC 3 is an abbreviated version of the SOC 2 Type 2 audit report and is publicly available.

    Verify on smartsheet.com
    ISO/IEC 27001
    HELD

    Smartsheet achieved certifications for internationally recognized information security and data privacy standards. These certification audits were performed by an accredited third-party auditor and reviewed by a certification body. Certifications include ISO/IEC 27001:2013. [Verified on-domain: the vendor's own certificate page (https://www.smartsheet.com/smartsheet-iso-27001-certificate) shows the current issued certificate is ISO/IEC 27001:2022, issued Feb 27, 2024, valid until Feb 26, 2027, by EY CertifyPoint; the compliance-page text reading :2013 is stale.]

    Verify on smartsheet.com
    ISO/IEC 27017:2015
    HELD

    Smartsheet achieved certifications for internationally recognized information security and data privacy standards, including ISO/IEC 27017:2015 (Code of practice for cloud services information security). These certification audits were performed by an accredited third-party auditor and reviewed by a certification body.

    Verify on smartsheet.com
    ISO/IEC 27018:2019
    HELD

    Smartsheet achieved certifications for internationally recognized information security and data privacy standards, including ISO/IEC 27018:2019 (Protection of personally identifiable information in public clouds). These certification audits were performed by an accredited third-party auditor and reviewed by a certification body.

    Verify on smartsheet.com
    ISO/IEC 27701:2019
    HELD

    Smartsheet achieved certifications for internationally recognized information security and data privacy standards, including ISO/IEC 27701:2019 (Privacy Information Management). These certification audits were performed by an accredited third-party auditor and reviewed by a certification body.

    Verify on smartsheet.com
    FedRAMP Moderate
    HELD

    Smartsheet Gov has been granted a Moderate ATO by the FedRAMP PMO. [NOTE: This applies to Smartsheet Gov only, not the standard commercial Smartsheet product.]

    Verify on smartsheet.com
    DOD IL4 (DISA Impact Level 4)
    HELD

    Smartsheet Gov also received Impact Level 4 (IL-4) authorization from the Defense Information Systems Agency (DISA). [NOTE: Applies to Smartsheet Gov only, not the standard commercial product.]

    Verify on smartsheet.com
    HIPAA
    HELD

    Customers are only permitted to upload PHI into the Subscription Services if (1) using PHI Eligible Services and (2) they have executed a Business Associate Agreement (BAA) with Smartsheet. Only Enterprise users have the ability to implement the Smartsheet features and functionalities necessary for you to meet your obligations under HIPAA.

    Verify on help.smartsheet.com
    GDPR (DPA with SCCs)
    HELD

    The terms of Smartsheet's DPA have been specifically tailored to depict our Subscription Service's unique operational and technical controls. The DPA incorporates EU Standard Contractual Clauses and UK data transfer mechanisms. For EEA customers, E.U. Data Protection Laws includes the General Data Protection Regulation (EU 2016/679).

    Verify on smartsheet.com
    > Show 3 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    Smartsheet does not intend the use of the Offerings to be in compliance with the Payment Card Industry Security Standards. [PCI DSS is explicitly out of scope per vendor statement; third-party plugins marketed for PCI workflows are customer-side tools, not Smartsheet platform certification.]

    source: smartsheet.com
    CSA STAR (Level 2 Attestation or Certification)
    NOT CONFIRMED

    A CAIQ self-assessment (CSA STAR Level 1) is available as part of Smartsheet's security pack upon request but is not publicly registered on the CSA STAR registry with confirmed status. No evidence of Level 2 CSA STAR Attestation or Certification found on vendor domain.

    source: smartsheet.com
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification found on vendor domain or trust center as of June 2026.

    source: smartsheet.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US (default, smartsheet.com), EU-Germany with backup in Ireland (smartsheet.eu), Australia (smartsheet.au). Usage data and account metadata are transferred to US regardless of region choice. Staff worldwide may access data for support and security purposes.

    Explicitly stated in privacy FAQs: 'We do not own your AI Data and do not use it to train public models.' Smartsheet made a deliberate architectural decision not to use customer content to train third-party foundational models, even in aggregate. Enterprise contracts with AI providers include explicit prohibitions on using customer data for model training. Input prompts and AI outputs are deleted within 180 days of contract termination.

    // Security controls

    Encryption at rest

    AES-256 via Amazon RDS encryption

    smartsheet.com

    Encryption in transit

    TLS 1.2 minimum for all connections to online services

    smartsheet.com

    Penetration testing

    Annual third-party penetration testing; reports available to customers upon written request under NDA

    smartsheet.com

    Access controls

    Unique IDs per employee, least privilege, 90-day access review cycles, MFA/VPN for remote access, account lockout enforced

    smartsheet.com

    Security incident response

    Written breach notification to customers without undue delay upon confirmed Security Breach; formal Breach Management program

    smartsheet.com

    Infrastructure

    Hosted on AWS (commercial); Smartsheet Gov hosted on AWS GovCloud (US)

    smartsheet.com

    Disaster recovery

    Annual DR program testing; N+1 redundant data center requirements for IaaS providers; routine backup validation

    smartsheet.com

    Media disposal

    NIST SP 800-88 Rev 1 standards for secure media destruction

    smartsheet.com

    // Products & data scope

    Smartsheet (Commercial)Work Management / Project Collaboration

    data: Customer content (sheets, attachments, forms, automations); PHI allowed only on Enterprise plan with BAA

    SOC 2 Type 2, ISO 27001/17/18/701 certified. HIPAA requires Enterprise plan plus BAA. FedRAMP and DOD IL4 do NOT apply to this product. Data residency options: US, EU, AU.

    Smartsheet GovWork Management / Government / Federal

    data: US federal government customer data; hosted on AWS GovCloud (US)

    FedRAMP Moderate ATO and DISA IL4 PA. Separate product from standard Smartsheet. Used by NIH, National Parks Service, Library of Congress.

    Smartsheet AIAI-Powered Work Management

    data: Same as commercial Smartsheet; AI processes customer data within customer's permission model only

    Customer data is not used to train public AI models. Contractual prohibitions on third-party LLM providers using customer data for training. AI operates within existing sheet-level permissions.

    Advanced Work ManagementEnterprise PPM / Portfolio Management

    data: Same as commercial Smartsheet enterprise tier

    Enterprise-tier add-on. Included in same SOC 2 and ISO audit scope as core platform.

    // What to watch

    • ISO 27001 VERSION (RESOLVED): The trust/compliance/iso page text still reads 'ISO/IEC 27001:2013', but the vendor's own certificate page (https://www.smartsheet.com/smartsheet-iso-27001-certificate) confirms the current issued certificate is ISO/IEC 27001:2022, issued Feb 27, 2024, valid until Feb 26, 2027, by EY CertifyPoint. The compliance-page text is outdated; the :2022 certificate is current and authoritative.
    • FEDRAMP/IL4 SCOPE: FedRAMP Moderate and DOD IL4 authorizations apply ONLY to Smartsheet Gov, a separate product hosted on AWS GovCloud. The standard commercial Smartsheet product does NOT carry these authorizations. Buyers in regulated sectors must confirm which product they are procuring.
    • HIPAA SCOPE: HIPAA compliance (PHI Eligible Services + BAA) is restricted to Enterprise plan customers only. Pro and Business plan users cannot upload PHI. This tier restriction must be communicated in any listing.
    • PCI DSS EXPLICITLY OUT OF SCOPE: Smartsheet has stated 'Smartsheet does not intend the use of the Offerings to be in compliance with the Payment Card Industry Security Standards.' Any payment card data processing must NOT use Smartsheet as the compliant store-of-record.
    • NO ISO 42001: No evidence of ISO/IEC 42001 (AI Management System) certification as of June 2026 despite active AI feature development.
    • CSA STAR UNCONFIRMED: A CAIQ self-assessment may exist in the security pack but no confirmed public CSA STAR registry listing (Level 1 or Level 2) was found on the vendor domain or CSA registry.

    // At a glance

    Pricing model

    Freemium / per-seat subscription (Pro, Business, Enterprise tiers); Advanced Work Management as enterprise add-on; Smartsheet Gov requires separate procurement via channels like Carahsoft

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Smartsheet Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    smartsheet.com

    > Browse all vendor trust reports