When you use Asana at work, your employer is the one legally responsible for your workspace data, not Asana. Asana only processes that data on your employer's behalf.
This analysis describes what Asana's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction determines where you direct privacy requests. If your employer deployed Asana, you may need to go to your employer first to exercise rights like access or deletion of your workspace content.
Interpretive note: The document functions as a high-level hub page and does not reproduce the full controller-processor framework in verbatim contractual language; the precise scope is established in Asana's separate Data Processing Agreement.
This clarifies Asana's dual role as both processor and controller, establishing distinct legal responsibilities depending on the data category, which is essential for enterprise compliance.
View full change record →Individual employees using Asana through their organization may find that Asana cannot directly fulfill their data access or deletion requests for workspace content, because the employer is the controller of that data. Requests for workspace data typically must be routed through the employing organization.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Asana has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Asana acts as a data processor for customer workspace data and as a data controller for data collected through its marketing and website activities.— Excerpt from Asana's Asana Privacy Statement
(1) REGULATORY LANDSCAPE: The controller-processor distinction is foundational to GDPR compliance, particularly Articles 4, 24, and 28, which define the obligations of controllers and processors and require a binding data processing agreement between them. The relevant enforcement authority for EU users is the applicable national supervisory authority. Under CCPA, a similar service provider framework applies, requiring that the processing be pursuant to a written contract. (2) GOVERNANCE EXPOSURE: High. Misclassification of roles or absence of a valid DPA between Asana and enterprise customers creates direct regulatory exposure under GDPR Article 28 for both parties. Enterprise customers who have not executed Asana's DPA or reviewed its terms may be operating without required contractual safeguards. (3) JURISDICTION FLAGS: EU/EEA customers face the highest exposure given GDPR's explicit processor agreement requirements. California-based organizations must confirm Asana qualifies as a CCPA service provider under their specific agreement terms. UK GDPR mirrors GDPR requirements post-Brexit, creating parallel obligations for UK enterprise customers. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams must confirm a current Data Processing Agreement is in place with Asana and that it satisfies GDPR Article 28 requirements including scope, sub-processor disclosure, and audit rights. The existence of a separate DPA as a distinct instrument means this privacy hub page alone is insufficient for vendor due diligence. (5) COMPLIANCE CONSIDERATIONS: Organizations should map which Asana data flows fall under their own controller obligations and configure internal data subject request workflows accordingly. Employee-facing privacy notices should disclose that Asana is a sub-processor and identify the organization as controller for workspace data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction determines where you direct privacy requests. If your employer deployed Asana, you may need to go to your employer first to exercise rights like access or deletion of your workspace content.
Individual employees using Asana through their organization may find that Asana cannot directly fulfill their data access or deletion requests for workspace content, because the employer is the controller of that data. Requests for workspace data typically must be routed through the employing organization.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Asana.