The following describes Asana’s security standards with respect to the administrative, technical, and physical controls applicable to the Service. Capitalized terms shall have the meaning assigned to them in the Agreement unless otherwise defined herein.

1. Security Program

1.1 Security Program. Asana will implement and maintain a risk-based information security program that includes administrative, technical, and organizational safeguards designed to protect the confidentiality, integrity, and availability of Customer Data.

1.2 Security Framework. The information security framework will be based on the ISO 27001 Information Security Management System and will cover the following areas: security risk management, policies and procedures, security incident management, access controls, vulnerability management, physical security, operational security, corporate security, infrastructure security, product security, business continuity disaster recovery, personnel security, security compliance, and vendor security.

1.3 Security Organization. Asana will have a dedicated security team responsible for implementing, maintaining, monitoring, and enforcing security safeguards aligned with the information security management system.

2. Security Assessments, Certifications, and Attestations

2.1 Security Program Monitoring. Asana performs periodic assessments to monitor its information security program to identify risks and ensure controls are operating effectively by performing penetration tests, internal audits, and risk assessments.

2.2 Audits. Asana will engage qualified external auditors to perform assessments of its information security program against the SOC 2 AICPA Trust Services Criteria for Security, Availability, and Confidentiality, and the following standards ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, ISO/IEC 27701:2019. Assessments will be conducted annually and will result in a SOC 2 Type 2 report and evidence of the aforementioned ISO certifications that will be made available to the Customer pursuant to Section 2.5.

2.3 Penetration Tests. Asana will engage a qualified third-party to perform penetration tests covering the scope of the services at least annually. Asana will make available to its customers an executive summary of the most recently completed penetration test pursuant to Section 2.5.

2.4 Bug Bounty Program. Asana must maintain a bug bounty program that enables independent security researchers to report security threats and vulnerabilities on an ongoing basis. Identified findings must be addressed and mitigated based on risk and within a timely manner.

2.5 Security Artifacts. Asana will make available to customer security artifacts that demonstrate its compliance to these data security standards and the frameworks listed in Section 2.2. Artifacts will include the SOC 2 Type 2 Audit Report, ISO certifications listed in Section 2.2, completed industry standard questionnaires, an executive summary of penetration test results, and a summary of the Business Continuity and Disaster Recovery Plan.

2.6 Customer Audits. To the extent that Customer cannot reasonably confirm Asana’s compliance of these data security standards with the information provided by Asana, Customer may make a written request to conduct a remote audit at Customer’s cost with at least thirty days’ notice. The written request must specify the areas that cannot be confirmed through the artifacts made available to Customer. The audit must be conducted during the Subscription Term and the scope must be mutually agreed upon between Customer and Asana prior to the commencement of the audit. The audit must be carried out during regular business hours with minimal disruption to Asana's business operations and will occur no more than once annually.

3. Security Incident Management

3.1 Security Monitoring. Asana will monitor its information systems to identify unauthorized access, unexpected behavior, certain attack signatures, and other indicators of a security incident.

3.2 Incident Response. Asana will maintain a Security Incident Response Plan that is reviewed and tested at least annually to establish a reasonable and consistent response to security incidents and suspected security incidents involving the accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored, or otherwise processed by Asana.

3.3 Incident Notification. Asana will promptly investigate a Security Incident upon becoming aware of such an incident. To the extent permitted by applicable law, Asana will notify customers of a Security Incident in accordance with its obligations under the Data Processing Addendum. Customer is responsible for providing Asana with updated security contact information in the Admin Console as described here.

4. Security Controls

4.1 Access Control

• 4.1.1 Restricted Access. Access to Customer Data is restricted to authorized Asana personnel who are required to access Customer Data to perform functions as part of the delivery of services. Access is granted based on the principle of least privilege and access granted is commensurate with job function. Access to Customer Data must be through unique usernames and passwords and multi-factor authentication must be enabled. Access is disabled within one business day after an employee’s termination.

• 4.1.2 Passwords. Asana will maintain a password policy that follows the NIST 800-63b memorized secret password requirements.

4.2 Application Security

• 4.2.1 SDLC. Asana will maintain a formal Change Management Policy that ensures security is embedded throughout the software development lifecycle that takes into account the OWASP Top 10 Web Application Security Risks.

• 4.2.2 Code Review and Testing. All changes to code that impact Customer Data will be reviewed and tested prior to being deployed to production.

• 4.2.3 Vulnerability Management. Asana will maintain a vulnerability management program that ensures identified vulnerabilities are prioritized, addressed, and mitigated based on risk. Asana will use commercially reasonable efforts to address critical vulnerabilities within 30 days.

• 4.24 Third-party Software Dependencies. Asana must ensure that third-party libraries and components are appropriately managed and that updates are installed in a timely manner when it is determined that there is a potential to affect the security posture of our product.

4.3 Encryption. Asana will encrypt Customer Data in transit and at rest using industry-standard encryption algorithms that are appropriate for the mechanism of transfer (e.g. TLS 1.2, AES-256).

4.4 Availability and Disaster Recovery. Asana will implement and maintain a documented set of disaster recovery policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a disaster. Additionally, Asana will perform annual tests of its disaster recovery plan and will make available a summary of the results to its customers.

4.5 Backups. Asana will perform regular backups of Customer Data and ensure that backups have the same protections in place as production databases.

4.6 Device Security. Asana devices that access Customer Data must be centrally managed and the following security settings must be enabled: hard drive encryption, local password enabled, and anti-virus and/or anti-malware software must be installed, continuously enabled, and automatically updated.

4.7 Physical Security. Asana will ensure that all physical locations that process, store, or transmit Customer Data are located in a secure physical facility. Asana must review third-party security certifications (e.g. SOC 2 Type 2) of its third-party cloud hosting providers on at least an annual basis to ensure that appropriate physical security controls are in place.

4.8 Vendor Risk Management. Asana must maintain a formal vendor risk management program that ensures all third-party vendors who have access to Customer Data undergo a risk assessment prior to being onboarded. Vendors with access to customer data must enter into a vendor data processing agreement with Asana to ensure that they are contractually required to protect our information and meet minimum information security and privacy requirements, including reporting of security incidents and breaches.

4.9 Risk Assessment. Asana will maintain a risk management program to identify, monitor, and manage risks that may impact the confidentiality, integrity, and availability of Customer Data.

4.10 Security Training. Asana will provide its personnel with information security and privacy training upon hire and on at least an annual basis thereafter. Additionally, all employees are required to sign and acknowledge Asana’s Information Security and Data Protection policy upon hire.

4.11 Personnel Security. Asana will perform background verification checks on employees that have access to Customer Data in accordance with relevant laws, regulations, ethical requirements, and/or accepted local practices for non-US jurisdictions for each individual at least upon initial hire (unless prohibited by law). The level of verification shall be appropriate according to the role of the employee, the sensitivity of the information to be accessed in the course of that person’s role, the risks that may arise from misuse of the information, and the accepted local practices in non-US jurisdictions. The following checks shall be performed for each individual at least upon initial hire, unless prohibited by law or inconsistent with accepted local practices for non-US jurisdictions: (i) identity verification and (ii) criminal history.

5. Updates to Data Security Standards

Customer acknowledges that Asana may update or modify the Data Security Standards from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Service.