// Trust & Security Report
Asana, Inc.
Work and project management platform (Agentic Work Management, AI Teammates, Service Management, Client Management, Command, StackAI by Asana)
Certifications held
13
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on asana.com“SOC 2 (Type 2) — Security, availability, confidentiality, and privacy trust services criteria”
Verify on asana.com“ISO/IEC 27001:2022 — Global standard for information security management systems”
Verify on asana.com“ISO/IEC 27017:2015 — Code of practice for information security controls for cloud services”
Verify on asana.com“ISO/IEC 27018:2019 — Code of practice for protecting personally identifiable information (PII)”
Verify on asana.com“ISO/IEC 27701:2019 — Privacy information management standard supporting compliance with global privacy laws”
Verify on asana.com“CSA STAR Level 1 — Cloud security controls compliance self-assessment”
Verify on asana.com“HIPAA — Protection of patient health information in the United States. Asana meets HIPAA compliance and supports Enterprise Key Management (EKM). Business Associate Addendum (HIPAA) is offered.”
Verify on asana.com“We have a comprehensive privacy compliance program that aligns our practices with regulations such as the General Data Protection Regulation and California Consumer Privacy Act.”
Verify on asana.com“US State Privacy Laws — Compliant with relevant US state privacy laws in California, Colorado, Virginia, and more”
Verify on asana.com“APPI and other global privacy laws — Protection of the personal information for residents of Japan and other relevant global privacy laws”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Global data residency options. Data centers in US, Europe, Japan, and Australia; customer can choose region for data at rest.
Two-layer model. (1) Third-party LLM providers do NOT train on customer data: 'Our third-party LLM service providers are contractually prohibited by us from using customer data to train their models' and the admin-security page states 'Our AI partners do not use your data to train their models' and 'Our AI partners are required to delete customer data after each query.' (2) Asana's OWN ML models DO use metadata (not content) when Asana AI is enabled: 'When features powered by Asana AI are enabled in your domain, we use metadata related to your domain's use of Asana to train machine learning models. Depending on the model and the feature, these machine learning models power features, both in your domain and other Asana domains.' Admins/super admins can adjust AI preferences for the domain in the admin console. So customer CONTENT (tasks, projects, attachments) is not used to train models; usage METADATA is used for Asana's internal ML by default when AI features are on.
// Security controls
Encryption in transit and at rest
Encrypts Customer Data in transit and at rest using industry-standard algorithms (TLS 1.2, AES-256). Quote: 'encrypt Customer Data in transit and at rest using industry-standard encryption algorithms that are appropriate for the mechanism of transfer (e.g. TLS 1.2, AES-256)'
asana.comPenetration testing
Annual third-party penetration testing; executive summary available to customers. Quote: 'Asana will engage a qualified third-party to perform penetration tests covering the scope of the services at least annually.'
asana.comBug bounty program
Public bug bounty program on HackerOne (hackerone.com/asana) and Bugcrowd (bugcrowd.com/asana). Quote (Data Security Standards): 'Asana must maintain a bug bounty program that enables independent security researchers to report security threats and vulnerabilities on an ongoing basis.' Trust page: 'Protections include encryption, least privilege access, secure software development, and a public bug bounty program.'
asana.comAuthentication and access
Two-factor authentication, SSO, SAML 2.0, SCIM provisioning, session duration limits, org-wide password strength, IP allowlisting, custom RBAC roles, object-level admin controls.
asana.comEnterprise data controls
Enterprise Key Management (EKM / bring-your-own-key), Audit Log API, SIEM/DLP/CASB/eDiscovery/archiving integrations, domain export and deletion, app blocking/approval, mobile security controls.
asana.comReliability / uptime
99.9% uptime commitment to Enterprise customers; 24/7 priority support; daily and regional backups; published real-time and historical status.
asana.comSubprocessors transparency
Public subprocessor list and Data Processing Addendum available under legal terms.
asana.com// Products & data scope
data: User-generated tasks, projects, goals, messages, attachments. Admin console available on paid plans (not free). Standard certs apply.
Free plan: Asana is the data controller when signing up with a personal/free email domain. Admin console and advanced security controls excluded from free plan.
data: Full enterprise governance: EKM, data residency selection, audit logs, SIEM/DLP/CASB, HIPAA BAA available, 99.9% uptime SLA. Asana acts as processor; customer org is controller.
Target tier for regulated customers. 85% of Fortune 100 cited as customers. Multi-org deployment and HIPAA BAA available here.
data: Uses domain usage metadata to train Asana's own ML models (admin-toggleable); third-party LLM partners contractually barred from training on customer data and must delete data after each query. Agents have scoped identity, audit trail, and cost constraints.
AI features admin-controlled per domain. Distinct data-use posture vs core product: metadata used for internal ML by default when enabled.
data: Has its OWN separate StackAI Privacy Policy and StackAI Platform Data Processing Addendum, distinct from core Asana privacy terms.
Separate legal/privacy scope - reviewers integrating StackAI should read the StackAI-specific policy, not assume core Asana terms apply.
data: Built on core Asana platform; inherit core certifications and governance. Distinct workflows but same underlying trust posture.
Marketed as separate products but share the Asana security/compliance foundation.
// What to watch
- AI metadata nuance: Asana uses domain USAGE METADATA (not content) to train its own ML models by default when Asana AI is enabled, and those models can power features in OTHER Asana domains. Content is not used; third-party LLMs do not train at all. Admin-toggleable. Worth surfacing for privacy-sensitive buyers.
- StackAI by Asana operates under a SEPARATE privacy policy and DPA - do not assume core Asana terms cover it.
- Certifications are listed on the public trust page with 'Read documentation' links; underlying audit reports (SOC 2, ISO certs, pen test summary) are gated behind sales/NDA, which is standard for enterprise vendors.
- Privacy statement effective 2026-01-01 (updated 2025-12-03) - current and recently refreshed.
// At a glance
Pricing model
Freemium SaaS subscription. Free Personal tier, then Starter, Advanced, Enterprise, and Enterprise+ paid tiers (per-seat). No self-host option.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Asana, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
asana.com