To demonstrate our commitment to global privacy standards, Asana has certifications of compliance with ISO 27018:2019 (Protecting Personal Data in the Cloud) and ISO 27701:2019 (Privacy Information Management).
We also work to ensure our agreements with our customers are up to date–our Data Processing Addendum incorporates the latest data privacy frameworks between the US and EU, United Kingdom, and Switzerland as well as the EU and UK Standard Contractual Clauses, which outlines our contractual privacy obligations and facilitates the transfer of data globally.
EU / UK
Asana has established a comprehensive GDPR/UK GDPR compliance program and is committed to partnering with customers and vendors on our compliance efforts. Some significant steps Asana takes to align its practices with the GDPR/UK GDPR include:
Revising our policies and contracts with our partners, vendors, and users to reflect legislative developments;
Enhancing our security practices and procedures;
Closely reviewing and mapping the data we collect, use, and share;
Ensuring that we have robust internal privacy and security documentation;
Training employees on global privacy requirements and privacy/security best practices; and
Thoughtfully building a data subject rights policy and response process.
APAC
The Act on the Protection of Personal Information (APPI) is the primary data protection law in Japan that regulates the protection of personal information. It applies to business operators handling personal information of individuals in Japan. The APPI has been amended since it was originally enacted in 2003, with the most recent amendments coming into effect April 1, 2022.
Similarly to the distinction between “data controllers” and “data processors” under the GDPR, the APPI makes a distinction between “business operators”—or entities with the authority to control and make decisions about retained personal information (i.e., Asana’s customers) and third-party service providers handling personal information on behalf of a business operator (i.e., Asana).
The APPI also imposes restrictions on cross-border transfers of personal information outside of Japan. Personal information may be transferred to overseas recipients if there are contractual agreements in place that ensure compliance with data protection standards in Japan.
Asana is committed to processing and safeguarding personal information as required by the APPI and its amendments. Asana’s Data Processing Addendum covers
Our data protection commitments to ensure that we comply with the APPI;
How we will assist our customers with their obligations under the APPI; and
The technical and organizational measures implemented to protect personal information.
For more information on Asana’s security and data protection practices, please see our Trust Center.
U.S. (federal and state)
California
The CCPA (as amended by CPRA) is a law that provides California consumers certain rights with respect to their personal information. Specifically, the law requires that businesses subject to the statute grant consumers the ability to request access to and deletion of their data, and the ability to opt out of certain types of disclosures of their personal information. The law also restricts how service providers that process personal information on behalf of a business may use that information.
Where a business subject to the CCPA has entered into a service or subscription agreement with Asana, Asana will act as a service provider to that business. Specifically, Asana will process such customers’ personal information only for the purposes set forth in the applicable agreement and will cooperate with customers to fulfill their obligations with respect to deletion or access requests.
Asana's Data Processing Addendum specifically references our obligations under the CCPA. If your organization is a customer of Asana and requires an addendum, please reach out to [email protected].
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. Businesses that are subject to HIPAA can use Asana to support HIPAA-compliant work management.
HIPAA compliance for Asana is governed by Asana’s Business Associate Addendum (BAA). For additional detail on HIPAA and Asana, please refer to the HIPAA Data Sheet.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data. Service providers who are permitted by the financial institutions to access their consumers' nonpublic personal information (NPI) are also required to comply with GLBA. Asana is GLBA-ready and aligns our practices in accordance with GLBA's Privacy Rule and Safeguards Rule. In addition to implementing security safeguards, we only use customer work content to provide our services, and not for any other purpose. Customers should not store sensitive personal data (including financial account numbers and social security numbers) in Asana.
Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) is a federal law that requires academic institutions like colleges and universities to protect the privacy of student educational records. Asana enables our customers to comply with FERPA by ensuring personal data is kept secure and only used to provide our services as described in our Terms of Service and Privacy Statement. Asana contractually commits to not disclosing customer data except as directed by the contracting academic institution, as allowed by our terms, or as required by law.
As laws, regulations, and guidance from data protection authorities and regulators continue to evolve and more countries are passing new data protection laws and regulations, we will continue to follow these developments closely and evaluate our program for any changes or enhancements as needed.