From the development of new features to the way we implement technical and organizational privacy measures, Asana's commitment to data protection and privacy enables teams to work smarter with peace of mind.
Privacy and data protection are fundamental in maintaining and building trust with our customers globally.
Our privacy program focuses on trust by facilitating privacy protections for our customers’ data, giving our customers choice over their data, and respecting the rights of our customers.
Asana's privacy program is designed to keep pace with the changing global privacy climate, and our ISO 27018:2019 (Protecting Personal Data in the Cloud) and ISO 27701:2019 (Privacy Information Management) certifications demonstrate our commitment to global privacy standards.
Asana offers our Starter, Advanced, Enterprise, and Enterprise+ customers a Data Processing Addendum that incorporates Data Privacy Frameworks between the EU, UK, Switzerland, and the US, as well as applicable standard contractual clauses.
Asana offers global data residency options with data centers in Europe, Australia, Japan, and the US so customers have more control over where their data is stored.
Use your own encryption keys on your Asana data to gain more control and help meet your organization’s most critical compliance needs.
Get more details on trust, privacy, and security at Asana.
To demonstrate our commitment to global privacy standards, Asana has certifications of compliance with ISO 27018:2019 (Protecting Personal Data in the Cloud) and ISO 27701:2019 (Privacy Information Management).
We also work to ensure our agreements with our customers are up to date. Our Data Processing Addendum, which outlines our contractual privacy obligations and facilitates the transfer of data globally, incorporates the latest data privacy frameworks between the US and the EU, United Kingdom, and Switzerland, as well as the EU and UK Standard Contractual Clauses.
EU / UK
Asana has established a comprehensive GDPR/UK GDPR compliance program and is committed to partnering with customers and vendors on our compliance efforts. Some significant steps Asana takes to align its practices with the GDPR/UK GDPR include:
Revising our policies and contracts with our partners, vendors, and users to reflect legislative developments;
Enhancing our security practices and procedures;
Closely reviewing and mapping the data we collect, use, and share;
Ensuring that we have robust internal privacy and security documentation;
Training employees on global privacy requirements and privacy/security best practices; and
Thoughtfully building a data subject rights policy and response process.
APAC
The Act on the Protection of Personal Information (APPI) is the primary data protection law in Japan that regulates the protection of personal information. It applies to business operators handling personal information of individuals in Japan. The APPI has been amended since it was originally enacted in 2003, with the most recent amendments coming into effect April 1, 2022.
Similar to the GDPR's distinction between “data controllers” and “data processors,” the APPI distinguishes between “business operators,” entities with the authority to control and make decisions about retained personal information (i.e., Asana’s customers), and third-party service providers handling personal information on behalf of a business operator (i.e., Asana).
The APPI also imposes restrictions on cross-border transfers of personal information outside of Japan. Personal information may be transferred to overseas recipients if there are contractual agreements in place that ensure compliance with data protection standards in Japan.
Asana is committed to processing and safeguarding personal information as required by the APPI and its amendments. Asana’s Data Processing Addendum covers:
Our data protection commitments to ensure that we comply with the APPI;
How we will assist our customers with their obligations under the APPI; and
The technical and organizational measures implemented to protect personal information.
For more information on Asana’s security and data protection practices, please see our Trust Center.
U.S. (federal and state)
California
The CCPA (as amended by CPRA) is a law that provides California consumers certain rights with respect to their personal information. Specifically, the law requires that businesses subject to the statute grant consumers the ability to request access to and deletion of their data, and the ability to opt out of certain types of disclosures of their personal information. The law also restricts how service providers that process personal information on behalf of a business may use that information.
Where a business subject to the CCPA has entered into a service or subscription agreement with Asana, Asana will act as a service provider to that business. Specifically, Asana will process such customers’ personal information only for the purposes set forth in the applicable agreement and will cooperate with customers to fulfill their obligations with respect to deletion or access requests.
Asana's Data Processing Addendum specifically references our obligations under the CCPA. If your organization is a customer of Asana and requires an addendum, please reach out to dpa@asana.com.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. Businesses that are subject to HIPAA can use Asana to support HIPAA-compliant work management.
HIPAA compliance for Asana is governed by Asana’s Business Associate Addendum (BAA). For additional detail on HIPAA and Asana, please refer to the HIPAA Data Sheet.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data. Service providers who are permitted by the financial institutions to access their consumers' nonpublic personal information (NPI) are also required to comply with GLBA. Asana is GLBA-ready and aligns our practices in accordance with GLBA's Privacy Rule and Safeguards Rule. In addition to implementing security safeguards, we only use customer work content to provide our services, and not for any other purpose. Customers should not store sensitive personal data (including financial account numbers and social security numbers) in Asana.
Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) is a federal law that requires academic institutions like colleges and universities to protect the privacy of student educational records. Asana enables our customers to comply with FERPA by ensuring personal data is kept secure and only used to provide our services as described in our Terms of Service and Privacy Statement. Asana contractually commits to not disclosing customer data except as directed by the contracting academic institution, as allowed by our terms, or as required by law.
As laws, regulations, and guidance from data protection authorities and regulators continue to evolve and more countries pass new data protection laws and regulations, we will continue to follow these developments closely and evaluate our program for any changes or enhancements as needed.
Asana’s technical and organizational security and privacy measures have been reviewed by independent third-party auditors and have achieved ISO 27018:2019 and ISO 27701:2019 certifications. We have also undergone SOC 2 Type 1 + HIPAA and SOC 2 Type 2 + Privacy audits. For more information on Asana’s security and data protection practices, please see our Trust Center.
You can find more information at our Trust Center which describes the technical and organizational measures Asana has in place to comply with security and privacy requirements as well as our various certifications and attestations.
Yes, Asana does use subprocessors. More information can be found at Asana Subprocessors.
Please visit our Trust Center.
The provisions of Asana’s DPA reflect Asana’s services and multi-tenant infrastructure. For example, Asana's DPA is tailored to our processes around privacy related notifications, audits, certifications, security measures, and sub-processing activities. Asana’s DPA also seamlessly interoperates with other agreements and relevant Documentation.
Asana’s DPA is meant to cover customers globally and sets out relevant legal obligations and commitments related to Asana’s processing of Customer Personal Data.
Yes. Asana’s DPA is applied globally.
The DPA is incorporated by reference in a customer entity's Subscriber Terms with Asana.
Asana has self-certified to the EU-US Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-US Data Privacy Framework as set forth by the US Department of Commerce regarding the transfer of personal information from the European Economic Area (EEA), the United Kingdom, and Switzerland to the United States.
For more information about Asana’s certification, please visit the Data Privacy Framework Program.
Asana relies on applicable Data Privacy Frameworks to facilitate international transfers of data. If the applicable Data Privacy Framework is invalidated, Asana relies on applicable standard contractual clauses incorporated by reference in the DPA.
Asana is a global company and data will be transferred to regions where our subprocessors and affiliates are located. For more information, please see Asana Subprocessors.
If you would like to exercise your rights, please submit your request by completing our Global Data Protection Rights Requests Form. For more information about how Asana provides individual consumers with the ability to access and request deletion of their personal information under CCPA specifically, please see the Privacy Information for California Residents section of our Privacy Statement.
Every request we receive is carefully reviewed by our privacy team to determine the validity of the legal process, assess the proportionality of the request, and ensure compliance with the commitments we’ve made to our users. For more information, please see Asana's Law Enforcement Guidelines.
Asana will respond to government access requests in accordance with Asana’s Law Enforcement Guidelines. Asana only responds to law enforcement requests that adhere to established legal process and applicable law.
Our Law Enforcement Transparency Report provides information on the number of requests Asana received and/or may have responded to on an annual basis.
Artificial Intelligence (AI) has the power to enhance the lives of humans, aid decision making, and free up time for more strategic work. We believe that AI needs to be properly harnessed to avoid unintended consequences and we ensure that we implement AI in ways that enrich the user experience without compromising privacy.
At Asana, we believe AI should be used to empower individuals, to foster new connections across teams, and to ignite and celebrate shared victories. Asana abides by the following AI principles:
AI should help people achieve their goals
We design for human + AI teams
People are accountable for decisions
We are committed to safety—in the short and long run
We promote transparency in practice and in product
Learn more about how Asana earns trust through security, reliability, privacy, and compliance at our Trust Center and Asana's Privacy Statement.
For more information, please visit our AI Product Page and our AI & Admin Console Help Center Article.
Yes. Asana AI features use artificial intelligence (AI) to sort, filter, categorize, or otherwise analyze data and/or content to help users in your organization optimize their work. Asana AI features are available on Asana Starter, Advanced, Enterprise, and Enterprise+ tiers, as well as legacy tiers Premium, Business, and Legacy Enterprise. For details and updates to tiers and pricing, see Asana's pricing page.
Yes. Asana AI features can be disabled or enabled at any time by adjusting the settings in the admin console. To learn more, take a look at Asana AI features and admin controls.
Asana AI consists of AI features powered by Asana AI and AI Partners.
Asana AI features powered by Asana AI use metadata from your organization/workspace to help users optimize their work with AI. Metadata does not include user generated content.
Asana AI features powered by AI Partners use metadata, personal information, and user-generated content (e.g., task titles and task descriptions).
For more information about what data is used for Asana AI features, please see Asana AI features and admin controls in the Asana Help Center.