Asana is a cloud-based project management and work collaboration platform developed by Asana Inc. (US). It enables teams to manage tasks, projects, portfolios, goals, and workflows. The platform processes personal data including user profiles, task assignments, comments, and file attachments, and transfers data internationally via US-based infrastructure, which means GDPR compliance has to be secured through Asana's Data Processing Addendum.
Asana is a work management SaaS operated by Asana Inc. since 2008. It provides task management, projects, portfolios, goals, workflows, forms, time tracking, and the generative Asana Intelligence features powered by OpenAI and Anthropic. EU customers typically interact with Asana via the asana.com domain and through API integrations with Slack, Microsoft Teams, Google Drive and others. The Enterprise plan offers SAML SSO, SCIM provisioning, audit logs and the optional EU data residency add-on.
Inside the Asana web application, authenticated users carry the cookies asana_session_id (session), asana_user_id (identifier), __cf_bm (Cloudflare bot management) and several CSRF cookies. On the marketing site asana.com, Asana loads Google Analytics 4, LinkedIn Insight Tag, Marketo and Vidyard, which set their own cookies and require consent. When a publisher embeds a public Asana Form on its own site, the embed is in fact an iframe to asana.com that drops the same cookies before any consent is given, and therefore requires the visitor's opt-in under ePrivacy art. 5(3).
For internal use the lawful basis is the employment relationship and the controller's legitimate interest in running its work management environment. For external guests invited to projects, performance of a contract or pre-contractual measures applies. The Asana Data Processing Addendum is incorporated by reference into the Master Subscription Agreement and includes the EU Standard Contractual Clauses (Module 3, processor to sub-processor). Customers using Asana Intelligence must accept an additional addendum covering generative AI use.
Asana Inc. has been certified under the EU-US Data Privacy Framework since 4 October 2023. By default workspace data is hosted on AWS US East (Virginia) and US West (Oregon). The EU data residency add-on, available on the Enterprise plan since 2023, pins workspace content to AWS Frankfurt. Operational telemetry, abuse detection, billing and Asana Intelligence inference continue to be processed in the United States, even with the EU add-on. The Asana Trust Center publishes the current list of sub-processors (AWS, Google, OpenAI, Anthropic, Twilio, Salesforce).
Sign the Asana DPA and activate the EU data residency add-on for high-risk projects. Disable Asana Intelligence on workspaces handling special categories of data (HR, legal, health). Restrict guest access through SAML SSO and conditional access. Document Asana and its sub-processors in your records of processing (GDPR art. 30) and in the privacy notice. Run a DPIA when Asana Intelligence is used to evaluate employees' performance or to take decisions producing legal effects under GDPR art. 22. Refresh the transfer impact assessment annually.
Direct alternatives include Monday.com (Israel), ClickUp (US), Notion (US), Trello (Atlassian, Australia and US), Wrike (US, Citrix) and Jira (Atlassian). EU sovereign alternatives are Stackfield (Germany), Tem.io (France), Plane (India, with EU hosting) and the open-source Vikunja, OpenProject and Taiga.
Websites using Asana must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Asana deployments when used across an organisation to manage projects involving personal data. Key areas to assess include:
- the scope of personal data stored in tasks, comments, attachments, and forms (which may contain employee, customer, or partner data);
- international data transfers to US-based AWS infrastructure;
- third-party integrations connected via the Asana API (Slack, Google Drive, Microsoft Teams, Salesforce);
- data retention policies and export capabilities;
- access controls and permission settings across workspaces;
- the use of Asana Forms on public-facing pages that may collect personal data from external users.
Sample consent text
Our team uses Asana, a work management platform operated by Asana Inc. in the United States, to plan and track our work. We have signed the Asana Master Subscription Agreement including the Data Processing Addendum. If we are on the Enterprise plan we activate the EU data residency add-on so that the workspace content stays in Frankfurt; otherwise data is processed in the United States under the EU-US Data Privacy Framework and the EU Standard Contractual Clauses. If you contact us through a shared Asana form or project, your data is processed under those safeguards. You can request access, rectification or erasure at any time.
Third-party domains contacted
- app.asana.com
- api.asana.com
- form.asana.com
- cdn.asana.com
- assets.asana.biz
- api.amplitude.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| asana_session | authentication | Session | Maintains the authenticated user session for the Asana web application. |
| xsrf_token | security | Session | CSRF protection token preventing cross-site request forgery attacks on form submissions and API calls. |
| asana_feature_flags | functionality | 1 year | Stores feature flag assignments for A/B testing and gradual feature rollouts. |
| amp_device_id | analytics | 1 year | Amplitude analytics device identifier tracking product usage patterns across sessions. |
| ajs_anonymous_id | analytics | 1 year | Segment analytics anonymous identifier used for tracking user journeys before and after authentication. |
| asana_prefs | functionality | 1 year | Stores user interface preferences including sidebar state, view mode, and notification settings. |
Asana sets session authentication cookies, CSRF protection tokens, feature flag cookies for product testing, and analytics cookies. Third-party services integrated into Asana's platform, such as Amplitude and Segment, may also set analytics cookies. When Asana Forms are embedded on external sites, cookies from app.asana.com and related analytics domains may be placed in visitors' browsers. Asana also uses local storage for caching application state and user preferences.
For internal team use within an organisation, consent is generally not required because contract performance or legitimate interest applies. However, when Asana Forms are embedded on public-facing websites, consent is recommended before collecting personal data from external users, especially if cookies are set. Cookie consent under the ePrivacy Directive is required for non-essential analytics cookies on any page embedding Asana widgets.
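The practical consequence of the two passages above (an embedded Asana Form is an iframe to asana.com that sets cookies the moment it loads, and non-essential cookies need prior consent) is that the publisher must not put the iframe in the DOM until the visitor has opted in. The following is an added example, not Asana's or FlowConsent's code, of a consent-gated form slot. It assumes the form URL lives on form.asana.com (one of the domains listed on this page); the consent object shape `{functional: true|false}`, the `consentSource.read()`/`subscribe()` API and the `sandbox` flag set are hypothetical stand-ins for whatever consent manager and embed settings a site actually uses.

```javascript
// Added example (not Asana's or FlowConsent's code): consent-gated embedding of a
// public Asana Form. The iframe to asana.com must not exist in the DOM until the
// visitor opts in, because the embedded page sets cookies as soon as it loads.
// Assumptions: the form URL is on form.asana.com; the consent object shape
// {functional: bool} and the consentSource API (read/subscribe) are hypothetical.

const ALLOWED_FORM_HOSTS = new Set(["form.asana.com"]);

// Only an https URL on an allowed host is ever embedded, so a misconfigured or
// tampered URL cannot turn the slot into an iframe of an arbitrary site.
function isAllowedFormUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;
  }
  return url.protocol === "https:" && ALLOWED_FORM_HOSTS.has(url.hostname);
}

// Escape a value before placing it inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Pure decision function: returns what the form slot should contain for a given
// consent state. Returning markup as a string keeps it testable without a DOM.
function buildFormSlot(consent, formUrl) {
  if (!isAllowedFormUrl(formUrl)) {
    return { kind: "blocked", html: "<p>This form is not available.</p>" };
  }
  if (consent && consent.functional === true) {
    // The sandbox flags are an assumption: keep only what the form needs to run
    // and submit, and verify the embedded form still works with them.
    const html =
      `<iframe src="${escapeAttr(formUrl)}" title="Asana form" ` +
      `sandbox="allow-scripts allow-forms allow-same-origin" ` +
      `referrerpolicy="strict-origin"></iframe>`;
    return { kind: "iframe", html };
  }
  // No consent yet: nothing from asana.com is requested, only a local placeholder.
  const html =
    "<p>This form is hosted by Asana and sets cookies when loaded. " +
    '<button data-consent="functional">Load form</button></p>';
  return { kind: "placeholder", html };
}

// Wire the decision into a container element and keep it in sync with consent.
// Withdrawing consent swaps the iframe back for the placeholder; cookies that
// asana.com already set in the visitor's browser stay there, because the
// embedding page cannot delete another site's cookies. Returns the render function.
function mountFormSlot(slotEl, formUrl, consentSource) {
  const render = (consent) => {
    const result = buildFormSlot(consent, formUrl);
    slotEl.innerHTML = result.html;
    return result.kind;
  };
  render(consentSource.read());
  consentSource.subscribe(render); // re-render on opt-in or withdrawal
  return render;
}
```

On a real page `slotEl` is the container `<div>` reserved for the form and `consentSource` adapts the site's consent manager; the point of the split between `buildFormSlot` and `mountFormSlot` is that the decision of whether anything from asana.com may be loaded is a pure function that can be reviewed and unit-tested separately from the DOM wiring.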
Internal project management use relies on contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)). Security logging and fraud prevention are covered by legitimate interest. Public-facing Asana Forms collecting external user data should rely on consent (Art. 6(1)(a)). Third-party integration data flows should be assessed individually. Each processing activity should be documented in your Records of Processing Activities.
Yes. Asana Inc. is a US-based company and data is primarily hosted on AWS infrastructure in the United States. International transfers are covered by Asana's DPA incorporating the SCCs and by Asana's certification under the EU-US Data Privacy Framework. Enterprise customers can enable EU data residency, keeping data at rest in AWS Frankfurt data centres. Some processing operations and support activities may still involve US systems.
A DPIA is recommended when Asana is used to manage workflows containing personal data, such as HR processes, recruitment pipelines, customer relationship management, or any project involving sensitive personal data. The assessment should cover data categories stored in tasks and comments, international transfers to US infrastructure, connected third-party integrations, and access control configurations across workspaces.
Execute Asana's DPA from the Trust page. Enable EU data residency if available. Configure workspace permissions and access controls. Establish data retention policies and regularly clean up completed projects. Audit third-party integrations for GDPR compliance. Deploy cookie consent for embedded Asana Forms. Train team members on data minimisation in task descriptions. Include Asana in your DPIA if it processes sensitive data.
Alternatives include OpenProject (open-source, self-hosted project management), Taiga (open-source agile platform), Nextcloud Deck (self-hosted Kanban boards), Vikunja (open-source task management), and CryptPad with Kanban (encrypted collaboration). For EU-hosted SaaS alternatives, consider Hive or Teamwork. Each alternative should be evaluated for GDPR compliance, data processing agreements, and feature parity with your requirements.
If you embed Asana Forms on your website, document the cookies set by app.asana.com and any analytics domains. Specify whether each cookie is essential or requires consent. Describe the personal data collected through embedded forms. Reference Asana's role as data processor, the DPA with SCCs, and the EU-US Data Privacy Framework certification. Provide instructions for managing consent and inform users about their data subject rights regarding form submissions.