// Trust & Security Report

    Smartsheet Inc. logo

    Smartsheet Inc.

    Smartsheet AI: AI-powered collaborative work management platform including Smart Assist (in-product AI companion), Smart Columns (AI-enriched data at scale), AI Dashboard Builder, Natural Language Creation, MCP Connectors for third-party AI tools (Claude, Copilot, Gemini, ChatGPT), and Smart Agents (coming soon).

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type 2, available to current or prospective customers through our Security and Governance request form. Audit performed per AICPA SOC2 standards by independent third-party security professionals.

    Verify on smartsheet.com
    SOC 3 (public)
    HELD

    Smartsheet SOC 3, publicly available report.

    Verify on smartsheet.com
    ISO/IEC 27001:2013
    HELD

    ISO/IEC 27001:2013 - Information Security Management. These certification audits were performed by an accredited third-party auditor and reviewed by a certification body.

    Verify on smartsheet.com
    ISO/IEC 27017:2015
    HELD

    ISO/IEC 27017:2015 - Code of practice for information security controls for cloud services. These certification audits were performed by an accredited third-party auditor and reviewed by a certification body.

    Verify on smartsheet.com
    ISO/IEC 27018:2019
    HELD

    ISO/IEC 27018:2019 - Protection of personally identifiable information (PII) in public clouds. These certification audits were performed by an accredited third-party auditor and reviewed by a certification body.

    Verify on smartsheet.com
    ISO/IEC 27701:2019
    HELD

    Smartsheet operates an ISO/IEC 27701:2019 compliant privacy program. ISO 27018:2019 and ISO 27701:2019 certifications align with GDPR requirements.

    Verify on smartsheet.com
    HIPAA (BAA available)
    HELD

    Only Enterprise users have the ability to implement the Smartsheet features and functionalities necessary for you to meet your obligations under HIPAA. To enter into a BAA with Smartsheet, contact your Smartsheet account manager or submit the form to contact the Sales team.

    Verify on help.smartsheet.com
    FedRAMP Moderate
    HELD

    Smartsheet Gov has been granted a Moderate ATO by the FedRAMP PMO. Platform built on AWS GovCloud (US). Used by agencies such as the National Institutes of Health, National Parks Service, Library of Congress, and the U.S. Department of Veterans Affairs.

    Verify on smartsheet.com
    DOD IL4 (Impact Level 4)
    HELD

    Smartsheet Gov has been granted Impact Level 4 (IL-4) PA by the Defense Information Systems Agency (DISA).

    Verify on smartsheet.com
    GDPR (compliance posture)
    HELD

    DPA is automatically incorporated into the Smartsheet User Agreement. Incorporates EU Standard Contractual Clauses. Participates in the EU-U.S. Data Privacy Framework. ISO 27701:2019 certified privacy program.

    Verify on smartsheet.com
    > Show 3 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    Smartsheet is actively pursuing ISO 42001 certification and is planning for compliance with the EU AI Act. Not yet certified as of 2026-06-27.

    source: smartsheet.com
    PCI DSS
    NOT CONFIRMED

    Smartsheet does not intend the use of the Offerings to be in compliance with the Payment Card Industry Security Standards. Explicitly excluded in the Acceptable Use Policy.

    source: smartsheet.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or self-assessment found on vendor domain or CSA STAR Registry as of 2026-06-27.

    source: smartsheet.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Three residency options per vendor data-residency docs: United States (backed up in the US), European Union (Germany, backed up in Ireland), and Australia (backed up in Australia). Region is determined at account creation via the regional login domain (smartsheet.com / smartsheet.eu / smartsheet.au). Specific AWS region names are not published by the vendor.

    Contractual guarantee per AI page and Privacy FAQ: 'Your data never trains third-party foundation models, never mixes with other customers' data, and never leaves your control. This isn't just policy - it's a contractual guarantee.' Privacy FAQ confirms: 'No. We do not own your AI Data and do not use it to train public models.'

    // Security controls

    Encryption in transit

    TLS required for all connections; only encrypted connections to the online Service permitted for transfer of Customer Content.

    smartsheet.com

    Encryption at rest

    All Customer Content stored in encrypted form at rest within the online Services. Standards consistent with or exceeding NIST recommendations.

    smartsheet.com

    Access controls

    Unique IDs per employee, principle of least privilege, 90-day access review cycles, account lockout on repeated failed attempts, MFA required for remote/VPN access.

    smartsheet.com

    Penetration testing

    Annual external penetration testing by independent third-party security professionals. Pen Test Reports available to customers on written request.

    smartsheet.com

    Breach notification

    Notification within 72 hours of confirming a Security Breach. Subprocessor notice period: 15 days advance notice.

    smartsheet.com

    Vulnerability / patch management

    Ongoing programs to keep systems updated with latest patches, updates, and bug fixes. Anti-malware deployed and kept current.

    smartsheet.com

    AI architecture

    Each AI request routes through Smartsheet's application layer to the model provider; no customer data retained by the AI model provider at any point. Usage logged separately for admin audit without exposing data to model partners. AWS used as cloud infrastructure partner for AI.

    smartsheet.com

    AI access controls

    Admins control which AI features are enabled and for which users. User permissions enforced: if a user cannot access a sheet, the AI cannot either.

    smartsheet.com

    Infrastructure

    Hosted on AWS. Smartsheet Gov on AWS GovCloud (US). EU region on AWS Frankfurt/Dublin. Disaster recovery program with annual testing.

    smartsheet.com

    // Products & data scope

    Smartsheet (Commercial)Collaborative Work Management with AI

    data: Sheets, dashboards, reports, attachments, automations, AI-enriched columns. Data hosted in US, EU, or AU based on account region.

    Pro, Business, Enterprise tiers. HIPAA BAA available at Enterprise only. AI features availability varies by plan - may require add-on or Enterprise tier.

    Smartsheet GovFedRAMP Moderate / DOD IL4 Government Work Management

    data: CUI and government data. Hosted on AWS GovCloud (US). Separate instance from commercial.

    FedRAMP Moderate ATO, DOD IL4 PA. Used by NIH, NPS, Library of Congress, VA. Separate product from commercial Smartsheet.

    Smartsheet AI / Smart AssistIn-product AI companion

    data: Reads sheet data, project context, permissions enforced. No customer data retained by model provider.

    Built into Smartsheet platform. AI model provider not publicly named (AWS partnership noted). Customer data never trains third-party models.

    Smartsheet MCP ServerAI integration / MCP connector

    data: Exposes live Smartsheet work data to third-party AI tools (Claude, Copilot, Gemini, ChatGPT) in real time via MCP protocol.

    Data filtering/compression applied before reaching third-party AI. Same compliance posture as core platform per vendor claims.

    Smart AgentsAutonomous AI workflow agents

    data: Project monitoring, risk surfacing, workflow execution. Human-in-the-loop approval built in.

    Announced as 'coming soon' as of 2026-06-27. Not yet generally available.

    // What to watch

    • ISO 42001 PURSUIT: Vendor states 'actively pursuing ISO 42001 certification' on the Responsible AI page but is NOT yet certified. The AI homepage listing of 'SOC 2, GDPR, data residency' alongside AI trust statements could be read as implying broader AI-governance certification than currently held. No over-claim found, but monitor for future certificate availability.
    • HIPAA + AI FEATURES: HIPAA BAA is available for Enterprise plans covering the core Smartsheet platform (PHI Eligible Services). It is not publicly documented whether Smartsheet AI features (Smart Assist, MCP Server) are included in HIPAA BAA scope. Healthcare customers using PHI with AI features should confirm coverage before enabling AI capabilities.
    • MCP CONNECTOR DATA FLOW: The MCP Server routes live Smartsheet data to third-party AI models (Claude, Copilot, Gemini, ChatGPT). Smartsheet states data is filtered/compressed before reaching the model and no data is retained by providers. However, security of the third-party model provider interaction is partially a shared-responsibility concern that customers should review for their specific AI tool integrations.
    • ISO 27001 VERSION: The vendor's ISO compliance page lists ISO/IEC 27001:2013 (not the 2022 revision). The 2026-03 security capabilities whitepaper references ISO 27001 without a year. AIFOXX should display 27001:2013 unless the vendor publishes an updated 27001:2022 certificate. ISO 27017:2015 is corroborated on the ISO compliance page and in the same whitepaper ('ISO/IEC 27001, 27017, & 27018'), so 27017 is treated as confirmed.
    • SMART AGENTS NOT YET AVAILABLE: Smart Agents are listed as 'coming soon' on the AI page. Any security assessment of this capability is premature until GA launch.

    // At a glance

    Pricing model

    Freemium with tiered subscriptions (Pro, Business, Enterprise, Advanced Work Management). AI features may require Enterprise tier or add-on. Smartsheet Gov is a separate government SKU.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Smartsheet Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    smartsheet.com

    > Browse all vendor trust reports