Data Security & Privacy

Millions of users around the world rely on Asana to manage and organize their work—and rely on us to be a responsible steward of their data.

Our approach to data security

Customers trust Asana with their data so that they can focus on the work that matters most to their businesses. That’s why we are focused not only on creating an easy-to-use collaborative work management solution, but also on implementing robust safeguards to keep our customers’ data safe.

  • Our information security program is audited to SOC 2 Type II standards.
  • We are certified to ISO 27001, ISO 27017, and ISO 27018 standards to ensure that our data security programs are running as intended.
  • We encrypt user data in transit and at rest.
  • We perform regular security assessments on our product and infrastructure.
  • Our public “Bug Bounty” and vulnerability program incentivizes security researchers to quickly report security vulnerabilities to Asana.

Inside Asana’s Bug Bounty

During a three-month period in 2021, Asana fielded 120 submissions from independent security researchers through its “Bug Bounty” program. The program, which launched in late 2020 in partnership with security research firm Bugcrowd, aims to crowdsource penetration testing of Asana’s security framework.

In each case, researchers reported finding security flaws in Asana’s product. However, of those 120 submissions, just a fraction warranted action by Asana—and only one was viewed as a critical vulnerability that required immediate attention.

“These results underscore the careful and proactive approach Asana takes to securing its product,” says Sean Cassidy, Asana’s head of security. “At the same time, the Bug Bounty program’s cutting-edge, crowdsourced approach to identifying security vulnerabilities represents a powerful tool in the work we do to keep our users’ most important data safe from would-be attackers.”

Our approach to data protection and privacy

At Asana, we’re committed to protecting and honoring the privacy rights of our customers and users.

Protecting data goes beyond simply securing that information. We believe it’s essential to be transparent about how we gather and use personal information and believe in giving our customers control over their data in Asana.

Privacy Statement

A new, improved privacy statement

All too often, corporate privacy policies are exercises in frustration for readers, with jargon and legal terminology obscuring the information users really want to know: How will the company use and protect my data?

In late 2021, we transformed our privacy policy into a privacy statement to more effectively and clearly communicate information to our customers about how Asana processes their data. Here are a few of the user-friendly changes we made:

Less to read

We reduced the statement to nearly half of its original length.

Easier to understand

We rewrote our statement using simple, everyday language, reducing legal jargon and complex terms. We also added more examples and descriptions to make elements of the statement easier to grasp.

More clarity on users’ data

We added outlines about how we use, share, and store users’ information.

New details on how data is processed

We created new sections on how we process users’ data based on their relationship with Asana and in relation to new features.

Data Rights

A global approach to privacy

In recent years, data rules such as the European Union’s General Data Protection Regulation (GDPR) have given consumers more control over their personal data. At Asana, we’ve extended these data subject rights, such as the rights to access and erasure of data, to our customers around the world—regardless of whether they live in an area governed by these new regulatory frameworks. We also received the ISO 27701 certification, a GDPR-mapped privacy certification, in 2022.

Asana, like most technology companies, occasionally receives requests from US and international law enforcement agencies seeking information about our customers. While Asana will comply with legally valid governmental requests, we care deeply about maintaining the trust of our customers. One way to maintain that trust is to inform our customers and the public about law enforcement requests that we receive through publication of our annual “Law Enforcement Transparency Report.”

Health Care

Added privacy for the health care industry

To further support Asana’s enterprise advancements, we plan to launch in 2022 a broader Health Insurance Portability and Accountability Act (HIPAA) offering to better serve customers in the health care industry.

Users

More privacy control for users

We commit to empowering users to gain more control over their personal data by continuing to pursue additional privacy and security certifications.

At Asana, we believe privacy and data protection are fundamental in maintaining and building trust with our customers. We take a global approach to how we think about and implement privacy.

Whitney Merrill

data protection officer

Data Officer

Asana’s data protection officer

Asana’s dedicated data protection officer oversees compliance with global privacy laws and addresses data protection and privacy inquiries. At least twice a year, our data protection officer presents to Asana’s Audit Committee information about privacy strategy and program progress, including changes and adjustments designed to keep pace with the changing global privacy climate. Privacy certifications and policies also are considered during annual planning sessions and semi-annual reviews.

Learn more about how Asana earns trust through security, reliability, privacy, and compliance at www.asana.com/trust.