// Trust & Security Report
Smartsheet Inc.
Work management and collaboration platform; includes Smartsheet (sheets, dashboards, forms, automation, AI), Smartsheet Gov (FedRAMP/IL4-authorized variant for US federal agencies), and Advanced Work Management (enterprise PPM tier)
Certifications held
10
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on smartsheet.com“Smartsheet uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Subscription Services. The resulting audit will be performed according to AICPA SOC2 standards... result in the generation of a SOC2 report. The Audit Report will be made available to Customer upon written request no more than annually.”
Verify on smartsheet.com“SOC 3 is an abbreviated version of the SOC 2 Type 2 audit report and is publicly available.”
Verify on smartsheet.com“Smartsheet achieved certifications for internationally recognized information security and data privacy standards. These certification audits were performed by an accredited third-party auditor and reviewed by a certification body. Certifications include ISO/IEC 27001:2013. [Verified on-domain: the vendor's own certificate page (https://www.smartsheet.com/smartsheet-iso-27001-certificate) shows the current issued certificate is ISO/IEC 27001:2022, issued Feb 27, 2024, valid until Feb 26, 2027, by EY CertifyPoint; the compliance-page text reading :2013 is stale.]”
Verify on smartsheet.com“Smartsheet achieved certifications for internationally recognized information security and data privacy standards, including ISO/IEC 27017:2015 (Code of practice for cloud services information security). These certification audits were performed by an accredited third-party auditor and reviewed by a certification body.”
Verify on smartsheet.com“Smartsheet achieved certifications for internationally recognized information security and data privacy standards, including ISO/IEC 27018:2019 (Protection of personally identifiable information in public clouds). These certification audits were performed by an accredited third-party auditor and reviewed by a certification body.”
Verify on smartsheet.com“Smartsheet achieved certifications for internationally recognized information security and data privacy standards, including ISO/IEC 27701:2019 (Privacy Information Management). These certification audits were performed by an accredited third-party auditor and reviewed by a certification body.”
Verify on smartsheet.com“Smartsheet Gov has been granted a Moderate ATO by the FedRAMP PMO. [NOTE: This applies to Smartsheet Gov only, not the standard commercial Smartsheet product.]”
Verify on smartsheet.com“Smartsheet Gov also received Impact Level 4 (IL-4) authorization from the Defense Information Systems Agency (DISA). [NOTE: Applies to Smartsheet Gov only, not the standard commercial product.]”
Verify on help.smartsheet.com“Customers are only permitted to upload PHI into the Subscription Services if (1) using PHI Eligible Services and (2) they have executed a Business Associate Agreement (BAA) with Smartsheet. Only Enterprise users have the ability to implement the Smartsheet features and functionalities necessary for you to meet your obligations under HIPAA.”
Verify on smartsheet.com“The terms of Smartsheet's DPA have been specifically tailored to depict our Subscription Service's unique operational and technical controls. The DPA incorporates EU Standard Contractual Clauses and UK data transfer mechanisms. For EEA customers, E.U. Data Protection Laws includes the General Data Protection Regulation (EU 2016/679).”
> Show 3 unconfirmed / not-held certifications
source: smartsheet.comSmartsheet does not intend the use of the Offerings to be in compliance with the Payment Card Industry Security Standards. [PCI DSS is explicitly out of scope per vendor statement; third-party plugins marketed for PCI workflows are customer-side tools, not Smartsheet platform certification.]
source: smartsheet.comA CAIQ self-assessment (CSA STAR Level 1) is available as part of Smartsheet's security pack upon request but is not publicly registered on the CSA STAR registry with confirmed status. No evidence of Level 2 CSA STAR Attestation or Certification found on vendor domain.
source: smartsheet.comNo public evidence of ISO/IEC 42001 certification found on vendor domain or trust center as of June 2026.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US (default, smartsheet.com), EU-Germany with backup in Ireland (smartsheet.eu), Australia (smartsheet.au). Usage data and account metadata are transferred to US regardless of region choice. Staff worldwide may access data for support and security purposes.
Explicitly stated in privacy FAQs: 'We do not own your AI Data and do not use it to train public models.' Smartsheet made a deliberate architectural decision not to use customer content to train third-party foundational models, even in aggregate. Enterprise contracts with AI providers include explicit prohibitions on using customer data for model training. Input prompts and AI outputs are deleted within 180 days of contract termination.
// Security controls
Penetration testing
Annual third-party penetration testing; reports available to customers upon written request under NDA
smartsheet.comAccess controls
Unique IDs per employee, least privilege, 90-day access review cycles, MFA/VPN for remote access, account lockout enforced
smartsheet.comSecurity incident response
Written breach notification to customers without undue delay upon confirmed Security Breach; formal Breach Management program
smartsheet.comDisaster recovery
Annual DR program testing; N+1 redundant data center requirements for IaaS providers; routine backup validation
smartsheet.com// Products & data scope
data: Customer content (sheets, attachments, forms, automations); PHI allowed only on Enterprise plan with BAA
SOC 2 Type 2, ISO 27001/17/18/701 certified. HIPAA requires Enterprise plan plus BAA. FedRAMP and DOD IL4 do NOT apply to this product. Data residency options: US, EU, AU.
data: US federal government customer data; hosted on AWS GovCloud (US)
FedRAMP Moderate ATO and DISA IL4 PA. Separate product from standard Smartsheet. Used by NIH, National Parks Service, Library of Congress.
data: Same as commercial Smartsheet; AI processes customer data within customer's permission model only
Customer data is not used to train public AI models. Contractual prohibitions on third-party LLM providers using customer data for training. AI operates within existing sheet-level permissions.
data: Same as commercial Smartsheet enterprise tier
Enterprise-tier add-on. Included in same SOC 2 and ISO audit scope as core platform.
// What to watch
- ISO 27001 VERSION (RESOLVED): The trust/compliance/iso page text still reads 'ISO/IEC 27001:2013', but the vendor's own certificate page (https://www.smartsheet.com/smartsheet-iso-27001-certificate) confirms the current issued certificate is ISO/IEC 27001:2022, issued Feb 27, 2024, valid until Feb 26, 2027, by EY CertifyPoint. The compliance-page text is outdated; the :2022 certificate is current and authoritative.
- FEDRAMP/IL4 SCOPE: FedRAMP Moderate and DOD IL4 authorizations apply ONLY to Smartsheet Gov, a separate product hosted on AWS GovCloud. The standard commercial Smartsheet product does NOT carry these authorizations. Buyers in regulated sectors must confirm which product they are procuring.
- HIPAA SCOPE: HIPAA compliance (PHI Eligible Services + BAA) is restricted to Enterprise plan customers only. Pro and Business plan users cannot upload PHI. This tier restriction must be communicated in any listing.
- PCI DSS EXPLICITLY OUT OF SCOPE: Smartsheet has stated 'Smartsheet does not intend the use of the Offerings to be in compliance with the Payment Card Industry Security Standards.' Any payment card data processing must NOT use Smartsheet as the compliant store-of-record.
- NO ISO 42001: No evidence of ISO/IEC 42001 (AI Management System) certification as of June 2026 despite active AI feature development.
- CSA STAR UNCONFIRMED: A CAIQ self-assessment may exist in the security pack but no confirmed public CSA STAR registry listing (Level 1 or Level 2) was found on the vendor domain or CSA registry.
// At a glance
Pricing model
Freemium / per-seat subscription (Pro, Business, Enterprise tiers); Advanced Work Management as enterprise add-on; Smartsheet Gov requires separate procurement via channels like Carahsoft
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Smartsheet Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
smartsheet.com