Asana DPA: GDPR Data Processing Agreement for German Companies
Short answer
Asana automatically includes a Data Processing Agreement on all paid plans (Premium, Business, Enterprise, Enterprise+). German companies do not need to request it separately — but must verify EU data residency and review subprocessors for their use case.
- DPA is auto-included on Premium, Business, Enterprise, and Enterprise+ plans — free plan excluded.
- EU data residency is available on Enterprise and Enterprise+ plans only.
- Subprocessor list is public; German companies have a contractual right to object to additions.
- BetrVG may apply if Asana is used to track task completion or assess employee performance.
Asana includes a Data Processing Agreement (DPA) automatically on all paid plans. German companies do not need to separately request it — but they must be on a paid plan and should verify EU data residency requirements for their specific use case. The free plan is excluded from DPA coverage. EU data residency is only available on Enterprise and Enterprise+ plans. This page explains what the Asana DPA covers, how EU data residency works, what to know about subprocessors, and what BetrVG implications apply for German businesses. For a broader GDPR overview of Asana, see our main Asana GDPR guide.
This page provides general information and is not legal advice for a specific situation.
Does Asana Have a Data Processing Agreement?
Yes. Asana provides a DPA for all paid plan customers (Premium, Business, Enterprise, and Enterprise+). For EU customers, the DPA is automatically incorporated into Asana’s subscription terms — no separate request or negotiation is required.
GDPR Article 28 requires a DPA whenever a company engages a third party to process personal data on its behalf. Asana acts as a data processor when it stores and processes tasks, projects, comments, or attachments that contain personal data — such as names, email addresses, or information about employees or customers.
The Asana DPA obliges Asana to:
- Process personal data only on documented instructions from the customer
- Maintain confidentiality and restrict access to authorised personnel
- Assist with data subject rights requests (access, deletion, correction)
- Notify customers of security incidents without undue delay
- Delete or return personal data at the end of the contract
Free plan users: Asana does not offer a DPA on the free plan. Companies must not use the free plan to process personal data of employees or customers in a GDPR-relevant context.
What Does the Asana DPA Cover?
The Asana DPA addresses the mandatory content under GDPR Article 28 across the following areas:
Data categories and subject matter: The DPA defines the processing scope in terms of the data types a customer stores in Asana: project data, task data, and any personal data uploaded in comments or attachments. Customers are responsible for ensuring that their actual use of Asana matches the stated scope.
Standard Contractual Clauses (SCCs): For EU customers on plans without EU data residency (Premium, Business), data is processed on US-based infrastructure. Asana incorporates Standard Contractual Clauses into its DPA to cover this EU-to-US transfer, as required under GDPR Chapter V. Asana also participates in the EU-US Data Privacy Framework (DPF).
Subprocessors: Asana relies on approved subprocessors to operate its service. The list of these subprocessors is publicly available and updated with at least 30 days’ advance notice of changes. Customers have a contractual right to object to new subprocessor additions, a right that German privacy teams should monitor actively.
Processor obligations and audit rights: The DPA includes provisions for data security (Article 32 GDPR), data breach notification, and customer audit rights.
Asana Data Residency Europe
EU data residency is available on Enterprise and Enterprise+ plans. With this option enabled, Asana stores customer data at rest in EU-based data centres. This addresses the strictest data localisation requirements that some German companies and public-sector organisations face.
Lower-tier plans (Business, Premium, Free): Data is stored on US-based infrastructure. The EU-to-US transfer is covered by Standard Contractual Clauses and DPF participation — sufficient for most German companies under current GDPR guidance, but not equivalent to EU data residency.
What EU data residency does not cover: Even on Enterprise plans with EU data residency enabled, some data — such as account metadata or data processed by specific Asana subprocessors — may still be processed outside the EU. Customers with strict requirements should review Asana’s data residency documentation and verify the scope with their Asana enterprise contact.
Asana Subprocessors — What to Know
Asana maintains a public subprocessor list on its privacy documentation page. Key points for German compliance teams:
- The list includes infrastructure providers (such as AWS) and functional subprocessors for monitoring and support
- Asana provides at least 30 days’ advance notice before adding new subprocessors, via email or a publicly updated changelog
- Customers have a contractual right to object to new subprocessors within the notification window
- A sustained objection may give the customer a right to terminate the contract without penalty
For German companies operating under sectoral requirements (healthcare, financial services, public sector), reviewing the subprocessor list for high-risk processing flows is an important compliance step.
Asana and the Works Council (BetrVG) in Germany
German companies using Asana for internal task management and project coordination must assess whether that use triggers co-determination rights under Section 87(1) No. 6 of the Works Constitution Act (Betriebsverfassungsgesetz, BetrVG). This provision requires works council involvement when a technical system is capable of monitoring employee behaviour or performance.
Asana can trigger BetrVG obligations when used to:
- Assign tasks to named employees and track completion
- Monitor response times or task completion rates
- Generate reports on individual employee workload or productivity
- Track deadlines and overdue tasks per employee
If these features are used and a works council exists, a Betriebsvereinbarung (works council agreement) is required before rollout. This agreement typically defines which data is collected, how long it is retained, and who has access to performance-related reports.
For HR-specific use cases — onboarding workflows, absence tracking, or performance management — the BetrVG assessment is particularly important and may also require a Data Protection Impact Assessment (DPIA) under GDPR Article 35.
Asana DPA Checklist for German Companies
Before processing personal data in Asana, German companies should work through the following checks:
- Confirm paid plan status — verify that the company is on Premium, Business, Enterprise, or Enterprise+, not the free plan.
- Confirm DPA is active — review the Asana subscription terms to confirm the DPA is incorporated; for Enterprise plans, contact the Asana account team.
- Check EU data residency requirement — if data localisation is required, confirm that Enterprise or Enterprise+ is in scope and the feature is activated.
- Review subprocessor list — check the current subprocessor list and set up notifications for changes.
- Assess BetrVG implications — if employees’ task data will be tracked, assess whether a works council agreement is needed before rollout.
- Update Records of Processing Activities — add Asana and its subprocessors to the company’s Article 30 GDPR records.
- Document the DPA review — record the DPA version, the date reviewed, and the outcome of the assessment as part of the internal compliance file.
For a broader GDPR vendor assessment framework, see our GDPR AI vendor assessment checklist. For questions about Asana AI features and GDPR, see the Asana AI GDPR guide.