// Trust & Security Report

    Asana, Inc. logo

    Asana, Inc.

    Work and project management platform (Agentic Work Management, AI Teammates, Service Management, Client Management, Command, StackAI by Asana)

    Certifications held

    13

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 (Type 2) — Security, availability, confidentiality, and privacy trust services criteria

    Verify on asana.com
    SOC 3
    HELD

    SOC 3 — Overview of Service Organization Controls

    Verify on asana.com
    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022 — Global standard for information security management systems

    Verify on asana.com
    ISO/IEC 27017:2015
    HELD

    ISO/IEC 27017:2015 — Code of practice for information security controls for cloud services

    Verify on asana.com
    ISO/IEC 27018:2019
    HELD

    ISO/IEC 27018:2019 — Code of practice for protecting personally identifiable information (PII)

    Verify on asana.com
    ISO/IEC 27701:2019
    HELD

    ISO/IEC 27701:2019 — Privacy information management standard supporting compliance with global privacy laws

    Verify on asana.com
    CSA STAR Level 1
    HELD

    CSA STAR Level 1 — Cloud security controls compliance self-assessment

    Verify on asana.com
    HIPAA
    HELD

    HIPAA — Protection of patient health information in the United States. Asana meets HIPAA compliance and supports Enterprise Key Management (EKM). Business Associate Addendum (HIPAA) is offered.

    Verify on asana.com
    GDPR
    HELD

    We have a comprehensive privacy compliance program that aligns our practices with regulations such as the General Data Protection Regulation and California Consumer Privacy Act.

    Verify on asana.com
    US State Privacy Laws (CCPA/CPRA, Colorado, Virginia, etc.)
    HELD

    US State Privacy Laws — Compliant with relevant US state privacy laws in California, Colorado, Virginia, and more

    Verify on asana.com
    GLBA
    HELD

    GLBA — Privacy Rule and Safeguards Rule for financial institutions

    Verify on asana.com
    FERPA
    HELD

    FERPA — Privacy rights for educational information and records

    Verify on asana.com
    APPI (Japan) and other global privacy laws
    HELD

    APPI and other global privacy laws — Protection of the personal information for residents of Japan and other relevant global privacy laws

    Verify on asana.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Global data residency options. Data centers in US, Europe, Japan, and Australia; customer can choose region for data at rest.

    Two-layer model. (1) Third-party LLM providers do NOT train on customer data: 'Our third-party LLM service providers are contractually prohibited by us from using customer data to train their models' and the admin-security page states 'Our AI partners do not use your data to train their models' and 'Our AI partners are required to delete customer data after each query.' (2) Asana's OWN ML models DO use metadata (not content) when Asana AI is enabled: 'When features powered by Asana AI are enabled in your domain, we use metadata related to your domain's use of Asana to train machine learning models. Depending on the model and the feature, these machine learning models power features, both in your domain and other Asana domains.' Admins/super admins can adjust AI preferences for the domain in the admin console. So customer CONTENT (tasks, projects, attachments) is not used to train models; usage METADATA is used for Asana's internal ML by default when AI features are on.

    // Security controls

    Encryption in transit and at rest

    Encrypts Customer Data in transit and at rest using industry-standard algorithms (TLS 1.2, AES-256). Quote: 'encrypt Customer Data in transit and at rest using industry-standard encryption algorithms that are appropriate for the mechanism of transfer (e.g. TLS 1.2, AES-256)'

    asana.com

    Penetration testing

    Annual third-party penetration testing; executive summary available to customers. Quote: 'Asana will engage a qualified third-party to perform penetration tests covering the scope of the services at least annually.'

    asana.com

    Bug bounty program

    Public bug bounty program on HackerOne (hackerone.com/asana) and Bugcrowd (bugcrowd.com/asana). Quote (Data Security Standards): 'Asana must maintain a bug bounty program that enables independent security researchers to report security threats and vulnerabilities on an ongoing basis.' Trust page: 'Protections include encryption, least privilege access, secure software development, and a public bug bounty program.'

    asana.com

    Authentication and access

    Two-factor authentication, SSO, SAML 2.0, SCIM provisioning, session duration limits, org-wide password strength, IP allowlisting, custom RBAC roles, object-level admin controls.

    asana.com

    Enterprise data controls

    Enterprise Key Management (EKM / bring-your-own-key), Audit Log API, SIEM/DLP/CASB/eDiscovery/archiving integrations, domain export and deletion, app blocking/approval, mobile security controls.

    asana.com

    Reliability / uptime

    99.9% uptime commitment to Enterprise customers; 24/7 priority support; daily and regional backups; published real-time and historical status.

    asana.com

    Subprocessors transparency

    Public subprocessor list and Data Processing Addendum available under legal terms.

    asana.com

    // Products & data scope

    Asana (Starter / Advanced plans)Work and project management (SMB/team)

    data: User-generated tasks, projects, goals, messages, attachments. Admin console available on paid plans (not free). Standard certs apply.

    Free plan: Asana is the data controller when signing up with a personal/free email domain. Admin console and advanced security controls excluded from free plan.

    Asana Enterprise / Enterprise+Enterprise work management

    data: Full enterprise governance: EKM, data residency selection, audit logs, SIEM/DLP/CASB, HIPAA BAA available, 99.9% uptime SLA. Asana acts as processor; customer org is controller.

    Target tier for regulated customers. 85% of Fortune 100 cited as customers. Multi-org deployment and HIPAA BAA available here.

    Asana AI / AI Teammates / AI Studio (Agentic Work Management)AI agents and automation

    data: Uses domain usage metadata to train Asana's own ML models (admin-toggleable); third-party LLM partners contractually barred from training on customer data and must delete data after each query. Agents have scoped identity, audit trail, and cost constraints.

    AI features admin-controlled per domain. Distinct data-use posture vs core product: metadata used for internal ML by default when enabled.

    StackAI by AsanaAgentic workflow builder

    data: Has its OWN separate StackAI Privacy Policy and StackAI Platform Data Processing Addendum, distinct from core Asana privacy terms.

    Separate legal/privacy scope - reviewers integrating StackAI should read the StackAI-specific policy, not assume core Asana terms apply.

    Asana Service Management / Client Management / CommandVertical AI-native platforms (ITSM/HR, agency, delivery)

    data: Built on core Asana platform; inherit core certifications and governance. Distinct workflows but same underlying trust posture.

    Marketed as separate products but share the Asana security/compliance foundation.

    // What to watch

    • AI metadata nuance: Asana uses domain USAGE METADATA (not content) to train its own ML models by default when Asana AI is enabled, and those models can power features in OTHER Asana domains. Content is not used; third-party LLMs do not train at all. Admin-toggleable. Worth surfacing for privacy-sensitive buyers.
    • StackAI by Asana operates under a SEPARATE privacy policy and DPA - do not assume core Asana terms cover it.
    • Certifications are listed on the public trust page with 'Read documentation' links; underlying audit reports (SOC 2, ISO certs, pen test summary) are gated behind sales/NDA, which is standard for enterprise vendors.
    • Privacy statement effective 2026-01-01 (updated 2025-12-03) - current and recently refreshed.

    // At a glance

    Pricing model

    Freemium SaaS subscription. Free Personal tier, then Starter, Advanced, Enterprise, and Enterprise+ paid tiers (per-seat). No self-host option.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Asana, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    asana.com

    > Browse all vendor trust reports