If your employer pays for Asana, your employer controls your data — not Asana. You need to ask your employer, not Asana, about your privacy rights.
This analysis describes what Asana's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision clarifies the allocation of data responsibility in business deployments, designating the employing or sponsoring organization—rather than Asana—as the entity responsible for determining how user data is collected, used, and disclosed. This structure establishes the contractual relationship between Asana and the organization as the primary data governance arrangement.
This foundational provision explaining the data controller-processor relationship was removed, though its content appears partially replaced by the new 'Controller-Processor Distinction' provision with less detailed explanation.
View full change record →Employees using Asana through a company account cannot directly request data deletion or access from Asana — those rights must be exercised through the employing organization, which has contractual control over the workspace data.
How other platforms handle this
When our business customers use certain Services, we generally process and store limited personal information on their behalf as a data processor. For certain products such as Docusign's Contract Lifecycle Management (CLM) and Identity products, we may act as a processor and as a controller in certa...
When Gusto provides services to employer-customers, it processes employee personal information on behalf of those employers, who act as the data controllers determining the purposes and means of processing. Gusto acts as a service provider or data processor in this context.
Runway is considered the "data controller" of the "personal data" (as defined under the General Data Protection Regulation) we handle under this Privacy Policy. In other words, Runway is responsible for deciding how to collect, use, and disclose personal data, subject to applicable law. The laws of ...
Monitoring
Asana has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Asana's customers ('Customers') are organizations that use Asana to manage their work. When a Customer provides access to Asana to their users, those users' data ('Customer Data') is controlled by the Customer. Asana processes Customer Data on behalf of the Customer and in accordance with the Customer's instructions. If you are a user of an Asana Customer's workspace, please refer to the privacy policy of the organization that has provided you access to Asana for information about their privacy practices.— Excerpt from Asana's Asana Privacy Statement
REGULATORY FRAMEWORK: This provision implicates GDPR Art. 4(7) (controller definition), Art. 28 (processor obligations), and Art. 26 (joint controllers where applicable); UK GDPR equivalent provisions; and CCPA §1798.140(g) (service provider definition). The employing organization bears primary GDPR controller obligations; Asana's obligations are defined by the executed DPA. Enforcement authority: relevant EU/EEA national DPAs, UK ICO, and California Privacy Protection Agency.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision clarifies the allocation of data responsibility in business deployments, designating the employing or sponsoring organization—rather than Asana—as the entity responsible for determining how user data is collected, used, and disclosed. This structure establishes the contractual relationship between Asana and the organization as the primary data governance arrangement.
Employees using Asana through a company account cannot directly request data deletion or access from Asana — those rights must be exercised through the employing organization, which has contractual control over the workspace data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Asana.