Data Processing Addendum

This Data Processing Addendum, including the Standard Contractual Clauses where applicable (“DPA”), is entered into between Asana, Inc. (“Asana”) and the third party identified in the Agreement (“Channel Partner”) (each referred to as a “Party” and collectively as the “Parties”). This DPA is incorporated by reference into the applicable partner agreement (the “Agreement”) between the Parties. All capitalized terms used in this DPA but not defined will have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA, any previously executed data processing agreement, and the remaining terms of the Agreement, this DPA will govern.

This DPA sets out the terms that apply when personal data is processed by Asana under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with Applicable Law and respects the rights of individuals whose personal data are processed under the Agreement.

1. Definitions

“Applicable Law(s)” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications, secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, (i) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA” and subsequent California Privacy Rights Act of 2020 “CPRA”), (ii) the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), (iii) in respect of the United Kingdom the Data Protection Act 2018 (“UK DPA 2018”) and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the “UK GDPR”), (iv) the Swiss Federal Data Protection Act (“Swiss DPA”), and (v) the Act on the Protection of Personal Information (“APPI”).

“Asana” means Asana, Inc., a company incorporated in Delaware, and its Affiliates and subsidiaries.

“controller”, “business operator”, “personal data”, “process”, “processing”, “processor”, and “data subject” will have the same meanings as defined by Applicable Law. Other relevant terms such as “business”, “business purpose”, “consumer”, “personal information”, “sale” (including the terms “sell”, “selling”, “sold”, and other variations thereof), “service provider”, “share” or “sharing” for purposes of “cross-context behavioral advertising”, and “third party” have the meanings given to those terms under Applicable Law.

“Europe” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland, and Liechtenstein (“EEA”), as well as, for the purposes of this DPA, Switzerland and the United Kingdom.

“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

“Personal Data” includes “personal data”, “personal information”, and “personally identifiable information”, and such terms will have the same meaning as defined by Applicable Law.

“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making such data available, alignment or combination, restriction, erasure or destruction.

“Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data originating from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data originating from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the UK DPA 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data originating from Switzerland to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

“Services” means the product and/or services that Channel Partner provides to Asana as described in the Agreement.

“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR including the standard data protection clauses issued by the Commissioner under s119A(1) of the UK DPA 2018 as revised from time to time (“UK Addendum”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognised by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”), in each case as completed as described in Section 8 (Data Transfers) below.

“Subprocessor” means any Channel Partner affiliate or third party engaged by Channel Partner for the Processing of Personal Data in connection with the Services.

2. Relationship of the Parties

For purposes of this DPA, Channel Partner agrees that it is a “Service Provider” and “Processor” or “Subprocessor” of Personal Data, as such term (or the equivalent thereof) is defined by Applicable Law, with respect to the Personal Data Processed under the Agreement. Where Asana acts as Processor of Personal Data, Processing Personal Data for and on behalf of and on the instructions of its customers (“Asana Customers”), Asana’s processing instructions issued to Channel Partner under this DPA will reflect the instructions issued to Asana by Asana Customers. Asana Customers will not be third party beneficiaries of this DPA and all Asana Customers’ instructions with respect to the processing of Personal Data will be exclusively provided to Channel Partner by Asana.

3. Channel Partner Obligations

The subject matter of the Processing, including the Processing operations carried out by Channel Partner on behalf of Asana and the instructions of Asana to Channel Partner are described in Attachment 1 to this DPA, in the Agreement, and such other written instructions as Asana provides to Channel Partner from time to time. In discharging its obligations under the Agreement and this DPA, Channel Partner will comply with all Applicable Laws and will:

3.1 Process Personal Data only on documented instructions from Asana, including with regard to transfers of Personal Data, solely to fulfill its purposes under the Agreement, which may include any lawful processing or business purposes as provided for under Applicable Law. If Channel Partner cannot provide such compliance, it will promptly inform Asana of its inability to comply, in which case Asana is entitled to immediately terminate the Agreement, this DPA, and Channel Partner’s access to Personal Data, and/or to take any other reasonable action, and receive a prorated refund of any prepaid, unused fees applicable to the remaining portion of the Services to be delivered measured from the effective date of termination;

3.2 not “sell” or “share” (as that term is defined in the CCPA) Personal Data;

3.3 not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Asana or as set forth in the Agreement;

3.4 ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.5 upon written request from Asana, promptly assist Asana in the fulfillment of Asana’s obligations to respond to verifiable requests by data subjects (or their lawful representatives) for exercising their rights under Applicable Law (such as rights to access or delete Personal Data);

3.6 promptly, and in any event within seventy-two (72) hours, notify Asana of (i) any third-party or data subject requests or complaints regarding the Processing of Personal Data; or (ii) any government or data subject requests for access to or information about Channel Partner’s Processing of Personal Data on Asana’s behalf, unless prohibited by Applicable Law. If Channel Partner receives a third-party, data subject, or governmental request, Channel Partner will await written instructions from Asana on how, if at all, to assist in responding to the request. Channel Partner will provide Asana with reasonable cooperation and assistance in relation to any such request;

3.7 provide reasonable assistance to and cooperation with Asana for Asana’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data;

3.8 provide reasonable assistance to and cooperation with Asana for Asana’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Channel Partner under Applicable Law to consult with a regulatory authority in relation to Channel Partner’s Processing or proposed Processing of Personal Data; and

3.9 make available to Asana all information necessary to demonstrate compliance with its obligations under Applicable Law, including the obligations set forth in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by Asana or another auditor mandated by Asana.

4. Subprocessors

Asana authorizes Channel Partner to engage Subprocessors to carry out specific Processing activities on behalf of Asana, only in compliance with this Section 4. In order for the engagement of a Subprocessor to be valid and compliant with this DPA, Channel Partner will:

4.1 provide Asana an up-to-date list of all of Channel Partner’s Subprocessors at least fifteen (15) business days prior to allowing any Subprocessor to Process Personal Data and give notice of any change in Subprocessors at least fifteen (15) business days prior to any such change, in each case by sending notice in writing to dpa@asana.com;

4.2 ensure that it imposes data protection obligations on that Subprocessor no less protective than those set forth in this DPA by way of a written contract or other legal act under Applicable Law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Applicable Law;

4.3 remain fully liable to Asana for the performance of its Subprocessor’s obligations and/or failure to fulfill its data protection obligations under this DPA; and

4.4 allow Asana to reasonably object to Channel Partner’s use of a Subprocessor or replacement of a Subprocessor prior to allowing such new or replacement Subprocessor to Process any Personal Data. Upon objection, the parties will discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach resolution, Channel Partner will either not appoint or replace such Subprocessor or, if not possible, Asana may suspend or terminate the Agreement without penalty or liability to Asana.

5. Recordkeeping

Channel Partner will maintain all records required by Applicable Law, including but not limited to Article 30(2) of the GDPR, and, to the extent applicable to the Processing of Personal Data on behalf of Asana, make them available to Asana upon request.

6. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Channel Partner will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

6.1 the pseudonymisation and encryption of Personal Data;

6.2 the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

6.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

6.4 a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing;

6.5 those technical and organizational security measures described in Attachment 1; and

6.6 all such other measures required by Article 32 of the GDPR.

7. Notification of Personal Data Breach

7.1 Channel Partner will notify Asana at privacy@asana.com without undue delay (but in no event later than forty-eight [48] hours) after becoming aware of a Personal Data Breach and will provide all such timely information and cooperation as Asana may require in order for Asana to fulfill its Personal Data Breach reporting obligations under (and in accordance with the timescales required by) Applicable Laws. Notwithstanding the generality of the foregoing, such notice will, at a minimum:

(a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact where more information can be obtained;

(c) describe the likely consequences of the Personal Data Breach; and

(d) describe the measures taken or proposed to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.2 Channel Partner will further take all such measures and actions as necessary to remedy or mitigate the effects of the Personal Data Breach and will keep Asana informed of all developments in connection with the Personal Data Breach.

8. Data Transfers

8.1 The Parties agree that when the transfer of Personal Data to Channel Partner (as data importer) from Asana (as data exporter) is a Restricted Transfer, Channel Partner will be bound by the Standard Contractual Clauses, which will be deemed incorporated into this DPA, as follows:

a. In relation to transfers of Personal Data protected by the GDPR, the EU SCCs will be completed as follows:

(i) Where Asana is a controller of the Personal Data, Module Two (controller to processor) will apply and where Asana is a processor of the Personal Data, Module 3 (processor to processor) will apply;

(ii) In Clause 7, the optional docking clause will apply;

(iii) In Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 4.1 of this DPA;

(iv) In Clause 11, the optional language will not apply;

(v) In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(vi) In Clause 18(b), disputes will be resolved before the courts of Ireland; and

(vii) Annexes I and II of the Appendix are set forth in Attachment 1.

b. In relation to transfers of Personal Data protected by the UK GDPR, the UK Addendum will apply to such transfers subject to the following:

(i) Table 1 will be completed with the relevant information in Annex I set forth in Attachment 1;

(ii) Table 2 will be completed with the selected modules and clauses from the EU SCCs as identified in Section 8.1(a) of this DPA;

(iii) Table 3 will be completed with the relevant information from Annexes I and II set forth in Attachment 1 and Section 4 of this DPA; and

(iv) In Table 4, the Exporter may end the UK Addendum in accordance with the terms of the UK Addendum.

c. In relation to transfers of Personal Data protected by the Swiss DPA, the EU SCCs will also apply to such transfers in accordance with paragraph (a) above, subject to the following:

(i) Any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA;

(ii) Any references to “EU,” “Union,” and “Member State law” will be interpreted as references to Swiss law; and

(iii) Any references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the relevant data protection authority and courts in Switzerland;

unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCs will instead be incorporated by reference and form an integral part of this DPA and will apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs will be populated using the information contained in Attachment 1 of this DPA (as applicable).

8.2 It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses will prevail to the extent of such conflict.

8.3 By entering into this DPA, the Parties are deemed to be signing the applicable Standard Contractual Clauses and its applicable annexes.

8.4 Channel Partner will not participate in (nor permit any Subprocessor to participate in) any Restricted Transfers of Personal Data (whether as an exporter or an importer of the Personal Data) unless the Restricted Transfer is made in full compliance with Applicable Law and pursuant to Standard Contractual Clauses implemented between the exporter and importer of the Personal Data.

9. Post-termination obligations

The Parties agree that on the termination of the Agreement, Channel Partner and any Subprocessors will, at the choice of Asana, return all Personal Data and copies of such data to Asana or securely destroy them and demonstrate to the satisfaction of Asana that it has taken such measures, unless prohibited by Applicable Law. In such circumstances where Applicable Law prevents Channel Partner from returning or destroying all or part of Personal Data, Channel Partner agrees to preserve the confidentiality of Personal Data retained by it and agrees that any active Processing of such Personal Data after termination of the Agreement will be limited to the extent necessary in order to comply with the laws to which it is subject. Channel Partner will ensure that its Subprocessors, if any, comply with these post-termination obligations.

10. Survival

The provisions of this DPA survive the termination or expiration of the Agreement for so long as Channel Partner or its Subcontractors Process the Personal Data.

Annex I to the Standard Contractual Clauses

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Data Exporters

Name: Asana, Inc., the wholesale distributor of Subscriptions and Services stated in the Agreement

Address: 633 Folsom Street, Suite 100, San Francisco, CA 94107

Contact person’s name, position and contact details: privacy@asana.com and dpo@asana.com

Activities relevant to the data transferred under these Clauses: Activities relevant are described in Section B below

Signature and date: See Section 8.3 of the DPA

Role (controller/processor): Controller and/or processor

Data Importers

Name: Channel Partner, the value-added reseller of Subscriptions and Services as stated in the Agreement

Address: Stated in the Agreement

Contact person’s name, position and contact details: Stated in the Agreement

Activities relevant to the data transferred under these Clauses: Activities relevant are described in Section B below

Signature and date: See Section 8.3 of the DPA

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred: Personal data relating to employees of Asana, consultants of Asana, contractors of Asana, and third parties (including Asana customers) with which Asana conducts business.

Categories of personal data transferred: Any Personal Data Processed by Vendor on Asana’s behalf in connection with the Agreement.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

  • racial or ethnic origin

  • political opinions

  • religious or philosophical belief

  • trade union membership

  • genetic or biometric data

  • health information

  • data relating to sex life or sexual orientation

  • information relating to criminal charges or conviction

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous with use of the Services.

Nature of the processing: The provision of Services to Asana in accordance with the Agreement.

Purpose(s) of the data transfer and further processing: To provide the Services to Asana as described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For as long as necessary to provide the Services as described in the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The subject matter, nature and duration of the processing are specified above and in the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Identify the competent supervisory authority/ies in accordance with Clause 13: The Data Protection Commission (DPC) of Ireland.

Annex II to the Standard Contractual Clauses

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Specific measures: Channel Partner agrees to implement the minimum technical and security measures available at: https://www.asana.com/terms/solutions-partner-data-security