This document outlines the minimum security requirements (administrative, technical, and physical safeguards) for any third parties providing Services to Asana Customers (“Subcontractor(s)”). Capitalized terms shall have the meaning assigned to them in the underlying services agreement between Asana and Subcontractor unless otherwise defined herein.
a. Subcontractor maintains an information security program which is designed to ensure the security, availability, integrity, and confidentiality of Customer Data. The program includes:
i. Formal risk management
ii. Periodic risk assessments
iii. Penetration testing performed by a qualified, independent third party on at least an annual basis. If any remediation is required, the Subcontractor will perform remediation in a reasonable period of time that takes into account the likelihood and impact of the finding(s).
b. Subcontractor has appointed a Security Officer and appropriate security personnel responsible for information security efforts.
a. Subcontractor has and maintains the following policies:
i. Acceptable use policy outlining appropriate use of Customer Data.
ii. Information security policy designed to provide guidance to personnel on maintaining security, confidentiality, integrity, and availability of Customer Data.
b. Subcontractor reviews its policies and procedures on at least an annual basis.
c. Upon Asana’s written request and no more than once in a six-month period, Subcontractor shall provide Asana with a copy of its Information Security Policy, Acceptable Use Policy, any current third-party attestations or industry certifications (e.g., SOC 2 Type II, ISO 27001) and any updates or amendments thereto. In the event Asana reasonably believes there are gaps in Subcontractor’s program based on the criteria set forth herein, Asana may request in writing that Subcontractor complete an additional security questionnaire, and Subcontractor must provide it within thirty days of receipt of such request. Such a questionnaire must be acknowledged and agreed to by Subcontractor’s appointed Security Officer.
a. Subcontractor must provide its personnel with information security and privacy training upon hire and on at least an annual basis thereafter.
b. Subcontractor must ensure that personnel acknowledge they have read and understand the Subcontractor’s policies and procedures, including the information security policy, upon hire and on at least an annual basis thereafter.
a. Subcontractor will only access Customer Data on a need-to-know basis for purposes of performing the agreed upon services. For clarity, where Asana has procured Subcontractor for Enablement Services, Subcontractor shall not access Customer’s instance of the Asana Service at any time during such engagement. Subcontractor shall cooperate with Customer to develop best practices for performing such Enablement Services, including but not limited to screen-sharing, video recording, or other screen captures as needed to deliver the requisite training and guidance specified in the Order.
b. Subcontractor will ensure that personnel can only access Customer Data on Subcontractor’s systems using multi-factor authentication.
c. Subcontractor must ensure all passwords are equal to or stronger than the NIST SP 800-63B memorized secret requirements.
d. Subcontractor must log and monitor access to Customer Data and promptly investigate suspicious activity.
e. Subcontractor must provision access in accordance with principles of least privilege.
f. Upon termination, Subcontractor must remove personnel’s access to its systems processing Customer Data within 24 hours.
a. Subcontractor maintains a Security Incident Response Plan that is reviewed at least annually.
b. Subcontractor tests the Incident Response Plan on at least an annual basis.
c. Subcontractor must report Security Incidents in accordance with Asana’s Data Processing Addendum.
a. Subcontractor utilizes an appropriate encryption mechanism at rest and in transit (at minimum: TLS 1.2, SSH, AES-256).
a. Subcontractor will adhere to the following device requirements based on Services stated in an Order.
For Enablement Services:
1. Subcontractor maintains an asset inventory of user endpoints that is periodically updated, audited, and reviewed.
2. Subcontractor maintains a documented process for provisioning endpoints based on documented hardening standards.
3. Subcontractor’s endpoints employ commercially reasonable security controls, including at minimum:
Local hard drive encryption;
A local password; and
EDR software with continuous monitoring, including anti-virus and malware scanning, detection, containment, and reporting capabilities.
4. Subcontractor employs mechanisms to maintain control over distribution of sensitive media, including preventing users from performing file transfers through unapproved file transfer services or transferring data to external media (e.g. USB Drives).
5. Subcontractor employs mechanisms to securely dispose of, destroy, or repurpose hardware when it is no longer needed.
6. Subcontractor ensures hardware is returned in a timely manner when it is no longer needed.
7. Subcontractor has the ability to remotely wipe machines if they are stolen or compromised.
For Integrated Services or other non-Enablement Services:
1. Subcontractor will only use devices that are managed by Asana to perform work related to the services. Subcontractor may elect to either:
a. Receive managed hardware from Asana for the course of the engagement with Asana Customers. If Subcontractor is provided with hardware, Subcontractor must use only Asana hardware to perform Services related to Asana Customers in accordance with the underlying agreement between Asana and Subcontractor; or
b. Provide a new, unconfigured laptop to be enrolled in Asana’s endpoint management systems. Asana will install anti-virus/anti-malware applications and ensure that the device meets Asana’s minimum security requirements.
a. Subcontractor conducts a security risk assessment on any third-party service providers that may have access to Customer Data prior to the initiation of service.
b. Subcontractor makes reasonable efforts to ensure third-party service providers maintain security measures at minimum consistent with this agreement.
a. Except with regard to Enablement Services, Subcontractor will only access the Customer’s instance of the Asana Service for the duration stated in the applicable Order. Upon termination of the engagement with the Customer, Subcontractor will ensure it no longer has access to the Customer’s Asana environment.
b. Subcontractor will ensure any Customer Data that has been downloaded or retained outside of the Customer’s Asana instance, and any copies thereof, will be destroyed upon termination of the services.
a. Subcontractor performs background checks on employees prior to the start of employment. Background verifications are designed according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, business requirements, and acceptable risk.