This Business Associate Addendum is between Asana, Inc. (“Asana”) and the organization agreeing to these terms (“Customer”) and governs Customer’s use of HIPAA compliance for its instance of the Service, unless the parties have executed a separate business associate agreement, in which case that agreement shall govern (in either case, the “Addendum”). This Addendum is effective on the date Customer activates HIPAA compliance for its instance of the Service (the “Addendum Effective Date”). As of the Addendum Effective Date, this Addendum will supplement and be incorporated by reference into the agreement between Customer and Asana that governs Customer’s use of the Service (“Agreement”).

As between the parties, Customer is the “Covered Entity” and Asana is the “Business Associate” (each a “Party” and, collectively, the “Parties”) with regard to their respective obligations pursuant to the privacy and security requirements of the federal Health Insurance Portability and Accountability Act of 1996, as amended, including by the Health Information Technology for Economic and Clinical Health Act of the American Recovery and Reinvestment Act of 2009 (“HITECH Act”), certain regulations promulgated under HIPAA by the United States Department of Health and Human Services at 45 C.F.R. parts 160 and 164 and certain regulations promulgated pursuant to the HITECH Act (collectively, “HIPAA”).

The purpose of this Addendum is to help facilitate Customer’s compliance with the requirements of HIPAA and Business Associate’s compliance with HIPAA to the extent Customer discloses Protected Health Information (as defined below) to Business Associate in connection with Customer’s use of the Service. In circumstances in which Customer may be a business associate, Customer appoints Business Associate as Customer’s subcontractor, which will not change the obligations of either Customer or Business Associate under this Addendum.

To the extent of any conflict or inconsistency between this Addendum and the terms of the Agreement (including the prohibition on sensitive personal information), this Addendum will govern.

A. Definitions.

1. Unless otherwise provided, all capitalized terms in this Addendum will have the same meaning as provided under HIPAA.

2. “Protected Health Information” or “PHI” means PHI, as defined by HIPAA, that is received, maintained, transmitted, used, or otherwise disclosed on behalf of Customer by Business Associate pursuant to the Agreement and in accordance with the Use Requirements of HIPAA – Use Requirements and Limitations.

B. Obligations of Business Associate.

1. Compliance with Laws. Business Associate agrees to comply with the provisions of HIPAA that are applicable to Business Associate.

2. Use and Disclosure of PHI. Business Associate will not use or disclose PHI in a manner that would violate HIPAA if used or disclosed by Customer, provided, however, that Business Associate may use and disclose PHI as Required by Law. Business Associate agrees, to the extent that Business Associate is to carry out one or more of Customer’s obligation(s) under Subpart E of 45 C.F.R. Part 164, to comply with the requirements of Subpart E of 45 C.F.R. Part 164 that apply to Customer in the performance of such obligation(s).

3. Safeguards. Provided that Customer uses the Service as authorized under the Agreement and adheres to the HIPAA – Use Requirements and Limitations attached hereto as HIPAA – Use Requirements and Limitations (the “Use Requirements”), Business Associate will maintain appropriate safeguards to ensure that PHI is not used or disclosed in violation of this Addendum or applicable law. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI it receives, maintains, or transmits on behalf of Customer and will comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to such electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this Addendum.

4. Disclosure to Agents and Subcontractors. Notwithstanding anything to the contrary in the Agreement, Business Associate, subject to the restrictions set forth in this provision, may use subcontractors and agents to fulfill its obligations under this Addendum. If Business Associate discloses PHI received from Customer, or received, maintained, or transmitted by Business Associate on behalf of Customer, to agents, including a subcontractor, Business Associate will, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agents or subcontractors that receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Addendum with respect to such information. Business Associate will ensure that any such agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the electronic PHI that it receives, maintains, or transmits on behalf of Business Associate or Customer.

5. Minimum Necessary. Business Associate agrees to make reasonable efforts to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purposes, consistent with Business Associate’s policies and procedures. Business Associate may rely on Customer’s instructions in complying with this Section 5.

6. Individual Rights. Business Associate agrees as follows:

   • a. Individual Right to Copy or Inspection. To the extent Business Associate or its agents or subcontractors maintains PHI in a Designated Record Set, if an Individual makes a request for access directly to Business Associate, Business Associate will within fifteen (15) business days forward such request in writing to Customer. Customer will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Except as Required by Law, only Customer will release and be responsible for releasing PHI to an Individual pursuant to such a request.

   • b. Amendment of an Individual’s PHI or Record. Business Associate will make PHI in a Designated Record Set available to Customer so that Customer can comply with 45 C.F.R. § 164.524. Business Associate will make PHI in a Designated Record Set available to Customer for amendment and incorporate any amendments to the PHI, as may reasonably be requested by Customer in accordance with 45 C.F.R. § 164.526. As between the parties, Customer will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment, and except as Required by Law Business Associate will not make or be responsible for making any such determinations.

   • c. Accounting of Disclosures. Business Associate will make available to Covered Entity the information required to provide an accounting of Disclosures in accordance with 45 C.F.R. § 164.528 of which Business Associate is aware, if requested by Covered Entity. Because Business Associate cannot readily identify which Individuals are identified or what types of PHI are included in Customer Data Customer or any of its End Users upload to the Services under Customer’s account, Customer will be solely responsible for identifying which Individuals, if any, may have been included in Customer Data that Business Associate has disclosed and for providing a brief description of the PHI disclosed.

7. Internal Practices, Policies and Procedures. Except as otherwise specified herein, Business Associate will make its internal practices, books and records related to the use and disclosure of Protected Health Information under the Agreement and this Addendum available to Secretary of the Department of Health and Human Services for the purpose of determining Customer’s compliance with 45 C.F.R. § 164.500 et seq.

8. Security Incident. Business Associate agrees to report to Customer any Security Incident of which Business Associate becomes aware promptly and without unreasonable delay as Required by Law. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, malware such as worms or viruses, or interception of encrypted information where the key is not compromised, or any combination of the above.

9. Breaches of Unsecured PHI. Business Associate will report in writing to Customer any Breach of Unsecured Protected Health Information, as required at 45 C.F.R. § 164.410 of which it becomes aware, promptly and without unreasonable delay following Business Associate’s discovery of such Breach.

10. Use of Disclosure of PHI Not Provided for by this Agreement. Business Associate agrees to report to Customer any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware.

C. Rights of Business Associate.

1. Performance of Services. Except as prohibited by law, Business Associate may use and disclose PHI for or on behalf of Customer or as requested by Customer to perform the Service and as otherwise permitted in the Agreement.

2. Management and Administration. Except as otherwise limited in this Agreement, Business Associate may use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

3. Data Aggregation. Business Associate is permitted, for Data Aggregation purposes to the extent permitted under HIPAA, to use, disclose, and combine PHI received on behalf of Customer pursuant to this Agreement with Protected Health Information, as defined by 45 C.F.R. 160.103, received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Customer, where “business associate” and “covered entities” have the meanings given to them in 45 C.F.R. 160.103.

4. De-identified Information. Business Associate may de-identify any and all PHI received by Business Associate under this Addendum at any location and use all such de-identified data in accordance with the de-identification requirements of HIPAA

5. Reporting Violations of Law. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(j)(1) and Business Associate’s Law Enforcement Guidelines available at https://asana.com/terms/law-enforcement-guidelines to the extent applicable.

D. Obligations of Customer.

1. Service Requirements. Customer will disclose PHI to Business Associate or otherwise submit PHI to the Service solely in accordance with the Use Requirements.

2. Compliance with Laws. Customer will promptly notify Business Associate of any breach by Customer of any obligation under HIPAA as such breach relates to PHI as defined herein. Customer will not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer, and Business Associate is not required to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer.

3. Minimum Necessary. Customer will disclose to Business Associate only the “Minimum Necessary” amount of PHI for Business Associate to perform the Service and its rights and obligations under the Agreement, and only in compliance with HIPAA.

4. Withdrawal of Authorization. Customer will promptly notify Business Associate in writing of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI pursuant to 45 C.F.R. § 164.508, to the extent that such changes may affect Business Associate’s use or disclosure of PHI, and take affirmative steps to remove such PHI from the Service.

5. Changes in Notice of Privacy Practices. Customer shall notify Business Associate in writing of any limitation in any applicable notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

E. Term and Termination.

1. Term. This Addendum will continue until all PHI provided by Customer to Business Associate, or received by Business Associate on behalf of Customer, is destroyed or returned to Customer, or this Agreement is terminated pursuant to this Article E.

2. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate agrees to return or destroy all PHI received from Customer, or received by Business Associate on behalf of Customer, maintained by Business Associate in any form and to retain no copies in accordance with the terms of the Agreement.

Business Associate may modify the terms of this Business Associate Addendum by providing Customer written notice to the email provided at initial acceptance. No modification or amendment of any portion of this Addendum will be effective unless in writing and accepted by Customer electronically through the acceptance portal.