Asana’s Statement on Security

Introduction

We use Asana every day to keep our team organized, connected, and focused on results. Ensuring our platform remains secure is vital to protecting our own data, and protecting your information is our highest priority.

Our security strategy covers all aspects of our business, including:

  • Asana corporate security policies
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of our system architecture
  • Data model access control in Asana
  • Systems development and maintenance
  • Service development and maintenance
  • Regularly working with third party security experts

Asana Corporate Security Policies & Procedures

Every Asana employee signs a Data Access Policy that binds them to the terms of our data confidentiality policies, available at asana.com/terms and asana.com/privacy. Access rights are based on employee’s job function and role.

SOC 2 (Type 1) Certification

Asana has successfully completed its SOC 2 (Type 1) audit for the controls we’ve implemented with respect to security, availability and confidentiality. Achieving SOC 2 (Type 1) certification means we’ve established processes and practices with respect to these three control principles that have been validated by an independent third party.

Security in our Software Development Lifecycle

Asana uses the git revision control system. Changes to Asana’s code base go through a suite of automated tests and are reviewed and go through a round of manual review. When code changes pass the automated testing system, the changes are first pushed to a staging server wherein Asana employees are able to test changes before an eventual push to production servers and our customer base. We also add a specific security review for particularly sensitive changes and features. Asana engineers also have the ability to “cherry pick” critical updates and push them immediately to production servers.

In addition to a list where all access control changes are published, we have a suite of automated unit tests that check that access control rules are written correctly and enforced as expected. We also work with third-party security professionals to:

  • Test our code for common exploits
  • Use network scanning tools against our production servers

Security at the Asana office

Our office is secured via keycard access which is logged, and visitors are recorded at our front desk.

We monitor the availability of our office network and the devices on it. We collect logs produced by networking devices such as firewalls, DNS servers, DHCP servers, and routers in a central place. The network logs are retained for the security appliance (firewall), wireless access points, and switches.

Asana Architecture & Scalability

Scalability/Reliability of Architecture

Asana uses Amazon Web Services (RDS & S3) to manage user data. The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center so that we can restore them elsewhere as needed, even in the event of a regional Amazon failure.

We currently host data in secure SSAE 16 audited data centers via Amazon RDS in the United States.

Encrypted Transactions

Web connections to the Asana service are via TLS 1.1 and above. We support forward secrecy and AES-GCM, and prohibit insecure connections using TLS 1.0 and below or RC4.

Data Processing Agreements

Under the GDPR, “data controllers” (i.e. entities that determine the purposes and means of processing data) are required to enter into agreements with other entities that process data on their behalf (called “data processors”). Asana offers its EU customers who are data controllers the option to enter into a robust data processing agreement that requires Asana to safeguard personal data in accordance with GDPR requirements.

International Data Transfers

Consistent with existing EU data protection laws, the GDPR requires organizations to use a recognized legal mechanism to transfer data from the EU to other countries that do not have a similar data protection framework, including the United States. To comply with this requirement, Asana is certified under the EU-US Privacy Shield framework, which requires it to maintain certain safeguards for personal data transferred to the United States. Additionally, Asana offers customers located in the EU the option to enter into EU Model Contractual Clauses with us upon request.

Data Access, Management, and Portability Tools

The GDPR gives individual data subjects in certain circumstances the rights to, among other things, access, delete, and make corrections to their data. Data subjects can make these requests directly to the data controllers of their information. With Asana, it’s easy for our customers who are data controllers to access and manage their team members’ data in response to these requests. For example, customers can directly access, update, modify, and delete data within the Asana platform. Asana also offers customers the ability to export organization member and guest information so that it can be sent outside of the platform.

Privacy Documentation

At its core, the GDPR is focused on transparency, fairness, and accountability. Accordingly, the law requires organizations to maintain documentation about their privacy practices and their decisions about how they handle individuals’ personal data. Asana shares the GDPR’s commitment to these principles, and has included within its ongoing GDPR compliance program documentation about Asana’s data collection and processing activities, and the various policies and guidelines it follows pursuant to the GDPR.

Security

Securing our users’ personal data continues to be a priority for Asana as we prepare for the GDPR. The GDPR requires organizations to use appropriate technical and organizational measures to protect the security, confidentiality, and integrity of personal data. Asana has implemented a variety of safeguards to protect the security of our platform, including encrypting web connections to protect data transmissions, replicating our databases to support reliability of the platform, and controlling access to our facilities and office network. Asana also offers customers the ability to use additional security controls to further enhance the security of their teams’ data.

Ongoing Communication

We value communication with our customers. As Asana continues to evaluate and update its data protection program, we will keep you posted with important updates.

Asana Information Security

Employee Workstations, Laptops, & Mobile Devices

All laptops and workstations are secured via full disk encryption and centrally managed. We diligently apply updates to employee machines and monitor employee workstations for malware. We also have the ability to apply critical patches and remote wipe a machine. We use industry-standard OTP technology to further secure access to our corporate infrastructure.

Security Consulting and Application Review

We work with external security advisor, and maintain an external bounty program where we pay security researchers who discover vulnerabilities.

Data Center Security

Amazon

Amazon employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security.

Product Features

Administrator Management Features

  • Authentication - Asana administrators can force employees to authenticate via Google Accounts or set up SAML. If passwords are stored directly with Asana, we secure them using salted bcrypt.

  • User Management - Administrators can see Last Activity, Guest/Member status, and deprovision users from a central administration interface.

User Features

  • Privacy, Visibility, & Sharing Settings - Customers determine who can access different categories of data like Teams, projects, and tasks. Access to an Asana Organization is based on your company email domain. You can limit a user’s access by inviting them as a Guest.

Privacy

Privacy Policy

Asana’s privacy policy, which describes how we handle data input into Asana, can be found at asana.com/privacy.

Availability

We are committed to making Asana consistently available to you and your teams. Our systems have built-in redundancy to withstand failures and are constantly monitored to keep your work uninterrupted. You can always monitor our availability at our trust page.

Want to report a security concern?

We offer a Security Exploit Bounty Program. Email us at security@asana.com.