Data Security Standards

EFFECTIVE DATE: FEBRUARY 28, 2020

The following describes Asana’s security principles and architecture with respect to the administrative, technical, and physical controls applicable to the Service. Capitalized terms shall have the meaning assigned to them in the Agreement unless otherwise defined herein.

1. Principles

Asana emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.

2. Security Program

Asana maintains an information security program, which includes: (a) having a formal risk management program; (b) conducting periodic risk assessments of all systems and networks that process Customer Data on at least an annual basis; (c) monitoring for security incidents and maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities; (d) a written information security policy and incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Customer Data; (e) penetration testing performed by a qualified third party on an annual basis; and (f) having resources responsible for information security efforts.

3. Data Centers

Asana uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases in both the United States and the European Union. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.

4. Access, Controls, and Policies

Access to manage Asana’s AWS environment requires multi-factor authentication, ssh access to the Service is logged, and access to Customer Data is restricted to a limited set of approved Asana employees. AWS networking features such as security groups are leveraged to restrict access to AWS instances and resources and are configured to restrict access using the principle of least privilege. Employees are trained on documented information security and privacy procedures. Every Asana employee signs a data access policy that binds them to the terms of Asana’s data confidentiality policies and access to Asana systems is promptly revoked upon termination of employment.

5. Audits and Certifications

As of the Effective Date, Asana has been awarded SOC 2 (Type I and Type II) certification with respect to the suitability of its controls to meet the criteria related to security, availability, and confidentiality set forth in the 2016 edition of TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria). Asana adheres to the E.U-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework concerning the transfer of Personal Data from the European Union to the United States of America, and has self-certified compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.

6. Vendor Management

Asana takes reasonable steps to select and retain only third-party service providers that will maintain and implement the security measures consistent with the measures stated in this attachment. Before software is implemented or a software vendor can be used at Asana, Asana IT carefully reviews the vendor’s security protocols, data retention policies, privacy policies, and security track record. IT may reject use of any software or software vendor for failure to demonstrate the ability to sufficiently protect Asana’s data and End Users.

7. Testing and Remediation

On an annual basis, Asana performs on its own and engages third-parties to perform a variety of testing to protect against unauthorized access to Customer Data and to assess the security, reliability, and integrity of the Service. To the extent Asana determines, in its sole discretion, that any remediation is required based on the results of such testing, it will perform such remediation within a reasonable period of time taking into account the nature and severity of the identified issue.

8. Security Incident Response

Asana performs incident response tabletop exercises annually and maintains an incident response plan designed to establish a reasonable and consistent response to security incidents and suspected security incidents involving the accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or access to, proprietary data or personal data transmitted, stored, or otherwise processed by Asana. If Asana detects and subsequently confirms unauthorized access to or disclosure of Customer Data, Asana shall promptly report such breach to Customer, timely perform a root cause assessment, and remedy such breach in a timely manner. Asana shall use reasonable efforts to communicate and cooperate with Customer during the course of any such relevant remediation.

9. Security Monitoring

Anti-virus or anti-malware applications have been installed to detect or prevent unauthorized or malicious software. Asana also uses intrusion detection systems (IDS) for our corporate networks and production environments. Asana runs security scans on a regular basis. For virus monitoring, Asana automatically or manually updates most software it runs and outsources to Amazon when logical and possible. Asana maintains a vulnerability scanning process for production systems. The scope of vulnerability scans includes both external and internal systems in the production environment. Asana’s Security team performs vulnerability scans at least weekly and determines a severity rating for each vulnerability based on the assessment tools criteria such that high or higher-level ranked vulnerabilities require remediation. Vulnerability scans are also run after any significant change to the production environment as determined by the Asana security team.

10. Encryption

Customer Data is encrypted in transit and, subject to the applicable version for the Service selected by Customer, encrypted at rest (and remains encrypted at rest). The connection to app.asana.com is encrypted with 128-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfer are performed over encrypted protocols such as TLS or ssh.

11. Backup and Restoration

Asana takes daily snapshots of its databases and securely copies them to a separate data center for restoration purposes in the event of a regional AWS failure. Backups are encrypted and have the same protection in place as production. Additionally, Customer Data is stored cross-regionally with AWS.

12. Change Management

Asana has established a change management policy to ensure changes meet Asana's security, confidentiality, and availability requirements. Management reviews and approves the policy annually. Any change to production or IT configuration with unknown or foreseeable security consequences must be reviewed by the relevant teams holding the area of responsibility prior to deployment.

13. Disaster Recovery and Business Continuity

Asana maintains a business continuity plan for extended service outages caused by unforeseen or unavoidable disasters in an effort to restore services to the widest extent possible in a reasonable time frame. This plan covers mission-critical business functions and associated systems. Asana has documented a set of disaster recovery policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a disaster. Database snapshots are taken daily, data backups are encrypted in storage, backups are stored in a separate region, and the Service resides on a redundant network and server infrastructure located in geographically separate data centers. This plan is reviewed and tested on an annual basis.

Asana reserves the right to update these terms from time to time and modify its security practices, provided that such update or modification will not materially and adversely diminish the overall security of the Service during the applicable Subscription Term.