Which regulatory agencies enforce this type of clause?

{'agency': 'State_AG', 'reason': 'EU/EEA national Data Protection Authorities and the UK ICO (analogous to state-level AG enforcement in the US context) enforce international transfer compliance; US State AGs may also engage where state privacy laws impose cross-border transfer obligations.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this International Data Transfers via Standard Contractual Clauses clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar International Data Transfers via Standard Contractual Clauses clauses across approximately 11 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

International Data Transfers via Standard Contractual Clauses — Asana

Share 𝕏 Share in Share 🔒 PDF

Recent governance activity Asana recorded 2 documented changes in the last 30 days.

Start monitoring updates

Monitor governance changes for Asana Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Asana moves user data from Europe and the UK to the United States using legal contracts called Standard Contractual Clauses, which are a required safeguard under EU privacy law.

ⓘ

This analysis describes what Asana's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Post-Schrems II, SCCs alone are insufficient without a documented Transfer Impact Assessment; failure to maintain compliant transfer mechanisms exposes both Asana and its enterprise customers to GDPR enforcement.

Consumer impact (what this means for users)

EU, UK, and Swiss users' personal data is transferred to the United States, and the legal adequacy of that transfer depends on Asana maintaining current SCCs and Transfer Impact Assessments — a compliance burden that directly affects whether their GDPR protections travel with their data.

How other platforms handle this

OneLogin Medium

If you are located in the European Economic Area, the United Kingdom, or Switzerland, please be aware that we may transfer your personal information to countries outside of these regions, including to the United States, where data protection laws may not provide the same level of protection as those...

Zendesk Medium

Where Zendesk transfers personal data outside of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses approved by the European Commission, to ensure that your personal data receives an adequate level of pro...

Pinterest Medium

Pinterest, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. When we transfer your personal data from the EEA, Switzerland, or the UK to...

See all platforms with this clause type →

Monitoring

Asana has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
Asana may transfer your personal information to countries other than the one in which you live, including to the United States. To the extent that we transfer personal information of individuals in the European Economic Area, the United Kingdom, or Switzerland to a country that has not been found to provide an adequate level of protection under applicable data protection laws, we rely on appropriate safeguards, such as the Standard Contractual Clauses approved by the European Commission, to transfer such personal information.

— Excerpt from Asana's Asana Privacy Statement

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY FRAMEWORK: Implicates GDPR Chapter V (Arts. 44-49) on international transfers, specifically Art. 46(2)(c) (SCCs), CJEU Schrems II ruling (Case C-311/18), and EDPB Recommendations 01/2020 on supplementary measures. UK GDPR requires UK-specific International Data Transfer Agreements (IDTAs) or UK Addendum to EU SCCs. Swiss revFADP also requires equivalent safeguards. Primary enforcement: EU national DPAs (coordinated by EDPB), UK ICO, Swiss FDPIC.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

State AG

EU/EEA national Data Protection Authorities and the UK ICO (analogous to state-level AG enforcement in the US context) enforce international transfer compliance; US State AGs may also engage where state privacy laws impose cross-border transfer obligations.
File a complaint →

Applicable regulations

Provision details

Document information

Document

Asana Privacy Statement

Entity

Asana

Document last updated

May 5, 2026

Tracking information

First tracked

May 8, 2026

Last verified

May 8, 2026

Record ID

CA-P-006653

Document ID

CA-D-00558

Evidence Provenance

Source URL

https://asana.com/privacy

Wayback Machine

View archived versions →

Content hash (SHA-256)

a1020e9d2ac4ad253f690acce4f06452f86acc441617be1cef5055daa7f41f44

Analysis generated

May 8, 2026 12:27 UTC

Methodology

summarize_document-v7

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Asana
Document: Asana Privacy Statement
Record ID: CA-P-006653
Captured: 2026-05-08 12:27:36 UTC
SHA-256: a1020e9d2ac4ad25…
URL: https://conductatlas.com/platform/asana/asana-privacy-statement/international-data-transfers-via-standard-contractual-clauses/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

High

Other risks in this policy

Employer as Data Controller for Business Accounts high
CCPA Rights for California Residents medium
Data Retention and Deletion medium
Third-Party Sharing and Sub-Processors medium
Cookie and Tracking Technologies medium
Data Subject Rights (Access, Deletion, Portability, Correction) medium

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Asana's International Data Transfers via Standard Contractual Clauses clause do?

How does this clause affect you?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 11 platforms. See the full comparison.

Is ConductAtlas affiliated with Asana?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Asana.