Security, Privacy, and Infrastructure
Our approach to security
We earn and maintain the trust of our customers by implementing a range of robust safeguards that protect our customers’ data. Asana’s Head of Security is responsible for our security program that consists of the following teams of security engineers and analysts:
- Infrastructure security
- Product security
- Corporate security
- Threat detection
- Investigation and response
- Security risk and compliance
The Head of Security, or another security representative, presents to the Audit Committee at least twice a year on security strategy, policies, procedures, and potential risks, and attends four Audit Committee meetings per year in total. Asana maintains a list of owners for each area of responsibility and security control.
Our security safeguards include:
- SOC 2 Type 2 audits, which regularly evaluate our information security program against Trust Service Principles for security, availability, and confidentiality.
- ISO 27001 and ISO 27017 certifications, which demonstrate our commitment to global security standards.
- Encryption of user data in transit and at rest.
- Training of personnel on security and best practices upon hire and at least annually thereafter.
- Regular security assessments, including vulnerability scanning and annual penetration testing of our product and infrastructure.
- Our public “Bug Bounty” program, which incentivizes independent security researchers to quickly report security vulnerabilities to Asana.
- Our incident response program, which ensures that the security team triages, investigates, remediates, and reports on security incidents. Asana has contracted with a third-party digital forensics and incident response firm to aid in the investigation of security incidents as needed.
- Our Data Security Standards, which outline our security commitments to protect customer data.
Security Case Study
One of the largest European financial exchanges expanded its use of Asana to thousands of seats in FY23. Its product, data, engineering, analytics, and machine learning teams rely on Asana to manage their roadmaps and project execution. Of all the work management platforms the exchange considered, Asana was the only one to meet its stringent security and compliance requirements.
Our approach to privacy & data protection
Our global privacy program is focused on trust and facilitating privacy protections for customers’ data (including their most sensitive data), respecting the rights of our customers, complying with global privacy and data protection laws and regulations, and demonstrating privacy compliance through third-party audits.
We demonstrate our commitment to privacy through:
- Our global approach to privacy, presented in a customer-friendly manner.
- Transparency in how we collect, process, and use personal data.
- Compliance with ISO 27018 (Protecting Personal Data in the Cloud) and ISO 27701 (Privacy Information Management) certifications to demonstrate our commitment to global privacy standards.
- Training Asanas on a mix of privacy policies, data governance, and privacy best practices upon hire and at least annually thereafter.
- Privacy assessments, including reviews of third-party vendors and new product features.
- Privacy compliance terms for those in the U.S. healthcare, finance, and education sectors.
- Our Data Processing Addendum, with the newest versions of the EU and U.K. Standard Contractual Clauses, which outlines our contractual privacy obligations and facilitates the transfer of data globally.
Data Protection Officer
Our Data Protection Officer (DPO) oversees compliance with global privacy laws and addresses data protection and privacy inquiries. At least twice a year, our DPO presents to the Board’s Audit Committee on our privacy strategy, designed to keep pace with the changing global privacy climate. Our DPO attends four Audit Committee meetings in total each year. Privacy certifications, assessments, and policies are considered during annual planning and semi-annual reviews.
At Asana, we believe privacy and data protection are fundamental in maintaining and building trust with our customers. We take a global approach to how we think about and implement privacy.
Respecting data rights
We believe in giving every user access to—and control over—their personal data.
The EU’s General Data Protection Regulation (GDPR) is the strongest data protection and privacy law in effect, establishing robust data rights for individuals in the entire European Economic Area (EEA) and inspiring similar laws in other parts of the world.
We have chosen to apply the rights granted by the GDPR—to access data, erase data, and opt out of data collection—to all our customers, wherever they reside.
Law enforcement requests
Occasionally, Asana receives requests from U.S. or international law enforcement agencies about our customers. Asana complies with legally valid governmental requests, and we care about maintaining the trust of our customers. We communicate our policies around law enforcement requests in our Law Enforcement Data Request Guidelines, which include informing our customers and the public about law enforcement requests that we receive. We publish and maintain a Law Enforcement Transparency Report that is updated twice annually.
Enhanced privacy for healthcare customers
Our commitment to security and privacy allows us to offer enterprise tier healthcare and healthcare-adjacent customers the option to use Asana in compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). Businesses that are subject to HIPAA can use Asana to support HIPAA-compliant work management and execute a Business Associate Addendum (BAA) with Asana.
Asana and AI
Artificial Intelligence (AI) has the power to enhance the lives of humans, aid decision making, and free up time for more strategic work. We believe that AI needs to be properly harnessed to avoid unintended consequences, and we ensure that we implement AI in ways that enrich the user experience without compromising privacy. To ensure that our new AI and data-powered features are deployed ethically and effectively, we’ve established an internal review board, a cross-functional team of Asana’s Research & Development (R&D), Legal, Privacy, and Security functions, which reviews all AI-powered product features. Our customers are granted privacy controls and tooling to administer how and where their data interacts with these features.
Asana has developed five guiding principles for human-centered AI. Here are our AI principles, inspired by our values:
- AI should help people achieve their goals
- We design for human + AI teams
- People are accountable for decisions
- We are committed to safety — in the short and long run
- We promote transparency, in practice and in product
Our platform infrastructure
As our customers grow, we are committed to scaling with them to help reliably orchestrate their work. This includes ensuring that our infrastructure has all the attributes enterprises need to work efficiently.
Our platform is scalable, reliable, and available.
We use Amazon Web Services (AWS) as a core building block of the Asana platform, which allows us to adapt easily to an increase in demand.
Amazon’s relational database service (RDS) replicates our database synchronously, which allows us to recover from a database failure quickly—usually in a matter of seconds. To guard against a regional failure, we securely move regular snapshots of the database to a backup data center.
For our Enterprise customers, we commit to a 99.9% service availability level, and our status page makes it easy to review uptime levels and announcements.
Ensuring technological resilience
As a secure, cloud-based service, we’re committed to ensuring teams can manage their work from wherever they are. To do so, we must maintain the trust we’ve built with customers with sound disaster recovery plans and procedures that protect the integrity of customer data and recover or maintain vital technology infrastructure and systems following a disaster.
Asana’s primary data centers are hosted on AWS in Virginia, U.S. Eligible customers (Enterprise tier) may request to have their data stored in Frankfurt, Germany; Sydney, Australia; or Tokyo, Japan. In the event of a single AWS data center loss, recovery procedures would bring up nodes in another data center. To account for major disasters, a disaster recovery (DR) site is hosted in an AWS data center in Ohio, U.S. (for U.S.-based data); Dublin, Ireland (for EU- and Australia-based data); or Osaka, Japan (for Japan-based data).
Note 9: The Privacy Statement applies to all free and paid customers of Asana as well as other situations where an individual interacts with Asana. This includes, but is not limited to, interactions with Asana via one of our web properties, events held by Asana, and other interactions with staff of Asana in their official capacity, such as UI/UX studies, or interactions with our sales team.