Do you think this would be unethical?
Under the User subscription model, would it be unethical to share my sheets with external email addresses of colleagues instead of our internal domain address to get around having to pay for a license? It seems like a huge loophole and our sales rep said it was not against any Smartsheet terms of use but I wonder if there would be downsides to doing this from either an ethical or security standpoint?
Comments
Hi Ted,
Weighty questions of ethics aside, you’re absolutely asking the right question regarding security risks. While it may seem like a convenient workaround, sharing Smartsheet assets with external email addresses—especially free personal accounts like Gmail—creates significant security, compliance, and governance risks that most IT and security teams would strongly discourage.
1. Data Leakage Risks
External sharing bypasses internal security controls, making it difficult to track who is accessing, modifying, or redistributing company data. This increases the risk of accidental leaks, unauthorized downloads, and loss of sensitive information to unmanaged devices or unapproved users.
2. Compliance & Legal Risks
If your organization is subject to regulations like SOC 2, ISO 27001, GDPR, or HIPAA, external sharing can create gaps in access controls, audit trails, and data retention policies. Security audits may flag this as a compliance risk, and in regulated industries, improper access could expose the company to legal liability or financial penalties.
3. Increased Exposure to Security Threats
External accounts often lack enterprise-grade security controls like Single Sign-On (SSO), Multi-Factor Authentication (MFA), and conditional access policies. If an external recipient’s email is compromised, an attacker could gain access to critical company data, increasing the risk of phishing, credential theft, or data breaches.
4. Non-Compliance with Security Policies
Most organizations restrict sharing to approved domains and managed identity providers to enforce security and governance. Bypassing these policies—even if not explicitly restricted by Smartsheet—could violate internal security guidelines, industry best practices, or contractual obligations.
In closing, this isn’t an area where Smartsheet policy should generally be the biggest consideration; security risk and increasing your organization’s vulnerability to threat actors is the primary reason why we’d strongly discourage this practice.