When you use Asana at work, your employer is the one legally responsible for your workspace data, not Asana. Asana only processes that data on your employer's behalf.
This analysis describes what Asana's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction determines where you direct privacy requests. If your employer deployed Asana, you may need to go to your employer first to exercise rights like access or deletion of your workspace content.
Interpretive note: The document functions as a high-level hub page and does not reproduce the full controller-processor framework in verbatim contractual language; the precise scope is established in Asana's separate Data Processing Agreement.
Individual employees using Asana through their organization may find that Asana cannot directly fulfill their data access or deletion requests for workspace content, because the employer is the controller of that data. Requests for workspace data typically must be routed through the employing organization.
How other platforms handle this
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
When we provide the Service to our customers, we act as a data processor on behalf of those customers. Our customers are the data controllers, meaning that they determine the purposes and means of the processing of personal data that is submitted into the Service. If you are an end user of a custome...
We collect and receive information as a data controller for our own purposes and as a data processor on behalf of our customers. When our customers use our products to process data about their end users and employees, we act as a data processor on their behalf. Our customers, as data controllers, de...
Monitoring
Asana has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Asana acts as a data processor for customer workspace data and as a data controller for data collected through its marketing and website activities.— Excerpt from Asana's Asana Privacy Statement
(1) REGULATORY LANDSCAPE: The controller-processor distinction is foundational to GDPR compliance, particularly Articles 4, 24, and 28, which define the obligations of controllers and processors and require a binding data processing agreement between them. The relevant enforcement authority for EU users is the applicable national supervisory authority. Under CCPA, a similar service provider framework applies, requiring that the processing be pursuant to a written contract. (2) GOVERNANCE EXPOSURE: High. Misclassification of roles or absence of a valid DPA between Asana and enterprise customers creates direct regulatory exposure under GDPR Article 28 for both parties. Enterprise customers who have not executed Asana's DPA or reviewed its terms may be operating without required contractual safeguards. (3) JURISDICTION FLAGS: EU/EEA customers face the highest exposure given GDPR's explicit processor agreement requirements. California-based organizations must confirm Asana qualifies as a CCPA service provider under their specific agreement terms. UK GDPR mirrors GDPR requirements post-Brexit, creating parallel obligations for UK enterprise customers. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams must confirm a current Data Processing Agreement is in place with Asana and that it satisfies GDPR Article 28 requirements including scope, sub-processor disclosure, and audit rights. The existence of a separate DPA as a distinct instrument means this privacy hub page alone is insufficient for vendor due diligence. (5) COMPLIANCE CONSIDERATIONS: Organizations should map which Asana data flows fall under their own controller obligations and configure internal data subject request workflows accordingly. Employee-facing privacy notices should disclose that Asana is a sub-processor and identify the organization as controller for workspace data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction determines where you direct privacy requests. If your employer deployed Asana, you may need to go to your employer first to exercise rights like access or deletion of your workspace content.
Individual employees using Asana through their organization may find that Asana cannot directly fulfill their data access or deletion requests for workspace content, because the employer is the controller of that data. Requests for workspace data typically must be routed through the employing organization.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Asana.