Asana AI / Asana Intelligence

Plain-English risk rating: 2 of 5

Asana's AI features ("Asana Intelligence") sit within Asana's broader workspace product and inherit its security posture. Asana operates a contractual no-training default with its third-party AI subprocessors, holds SOC 2 Type II, ISO 27001, and ISO 27017/27018 certifications, supports HIPAA via the Enterprise+ tier with BAA, and offers EU Data Residency. The Asana Trust Center (powered by SafeBase, verified 2026-05-24) provides documented evidence including a current FY25 penetration test by Praetorian Security.

Notably, Asana's privacy programme is led by Whitney Merrill as Global Privacy & Data Protection Officer — a recognised privacy practitioner who previously led privacy at Electronic Arts and the Federal Trade Commission. The leadership signal matters because the privacy posture of a SaaS vendor often tracks the quality of its DPO.

The risk picture is dominated less by Asana-specific concerns and more by the category-level prompt-injection class that affects any AI assistant with access to workspace content, and by the Atlassian competitive context (Atlassian's August 2026 AI training policy change to opt-out has driven some customers to evaluate alternatives, of which Asana is one).

Recommended for

  • Sole proprietor: Asana Starter at $13.49/user/month includes AI features. Acceptable for general project tracking with light AI usage.
  • Small team (2-10 people): Advanced or Enterprise tier with appropriate admin controls. The Asana Intelligence features (smart fields, smart status updates) provide modest productivity uplift; the AI Studio (agentic workflows) requires more deliberate configuration.
  • Regulated industry: Enterprise+ with BAA for HIPAA, EU Data Residency configured where applicable, FY25 penetration test report reviewed under NDA via SafeBase portal.
  • The honest answer for most 1-10 employee businesses using Asana: AI features are bundled into existing paid tiers and the privacy posture is acceptable. The deliberate decision is whether to enable AI Studio agentic workflows on workspaces containing client-sensitive content — if so, prefer Enterprise tier and scope agent access carefully.

Data retention default

  • Standard Asana data lifecycle applies to AI feature output
  • Third-party AI subprocessors (Anthropic, OpenAI) operate under Asana's contractual no-training default
  • 30-day standard provider retention for non-Enterprise tiers; zero-retention APIs available at Enterprise tier
  • Asana admin retention policies apply to AI-generated content (smart fields, summaries) the same way as user-generated content
  • Per Asana Privacy Statement: chat transcripts of conversations with AI chatbots stored and processed for staff training and quality assurance purposes

Training opt-out

NO TRAINING ON CUSTOMER DATA BY DEFAULT across plan tiers. Asana's subprocessor agreements prohibit training on Asana customer content. This is a contractual commitment rather than a user toggle, consistent with Notion AI's posture and structurally better than Atlassian's August 2026 opt-out default and Slack's general-purpose ML default.

Zero Data Retention availability

  • Available at Enterprise tier via zero-retention API arrangements with model providers
  • EU Data Residency for qualifying Enterprise customers

Plan tiers and pricing (as of early 2026)

Tier            | Price (USD)                 | AI features                             | Suitable for
----------------|-----------------------------|-----------------------------------------|--------------------------------------------------
Personal (Free) | $0                          | Limited AI                              | Personal use; small teams up to 10
Starter         | $13.49/user/month (annual)  | Standard AI features                    | Small teams
Advanced        | $30.49/user/month (annual)  | AI Studio access                        | Growing teams with workflow automation needs
Enterprise      | Custom                      | Full AI features + admin controls       | Larger orgs needing SSO, audit, advanced compliance
Enterprise+     | Custom                      | Full AI + advanced security/compliance  | Regulated industries needing BAA, EU residency

Jurisdiction

  • Primary processor: Asana, Inc., San Francisco, California, USA
  • Cloud infrastructure: AWS primarily
  • Third-party AI: Anthropic and OpenAI under Asana's contractual no-training arrangements
  • SOC 2 Type II, ISO 27001, ISO 27017/27018 certified; HIPAA available with BAA at Enterprise+
  • EU Data Residency available at qualifying tiers
  • Privacy leadership: Whitney Merrill (Global Privacy & DPO); Sean Cassidy (Head of Security)

Breach history (public incidents)

June 2024 — Asana MCP server data exposure (related but separate)

In June 2024, Asana disclosed that a vulnerability in its Model Context Protocol (MCP) server implementation could have allowed cross-tenant data exposure under specific configurations. The exposure was addressed promptly and Asana published guidance for customers. This pre-dates the broader MCP-vulnerability category that affected Cursor, Claude Code, and others during 2025-2026, but is the closest publicly-documented Asana-AI-specific incident.

Source: Asana security advisory (June 2024); subsequent industry coverage

2025-2026 — Drift data breach impact assessment

The Asana Trust Center explicitly addresses the question "Was Asana impacted by the Drift data breach?" as a documented FAQ. The proactive treatment of the question (rather than waiting for customer inquiries) is a useful transparency signal. Drift (a chat/conversation platform) had widely-reported breach issues that affected multiple integrated vendors; Asana's published position is the most useful primary source for the specifics.

Source: Asana Trust Center via SafeBase (verified 2026-05-24)

No publicly-disclosed Asana AI-specific data breach as of May 2026.

Category-level risk: As with Notion AI and Linear AI, Asana Intelligence inherits the breach exposure of its model providers. The OpenAI Mixpanel third-party breach (November 2025) and Anthropic disclosures during 2025-2026 are the threat baseline. The agentic AI Studio features put Asana in the same prompt-injection class as Microsoft 365 Copilot (EchoLeak), Salesforce Agentforce (ForcedLeak), and other agentic-AI products; the underlying class of vulnerability is unsolved across the industry.

What this means in plain English for SMB owners

Three honest takeaways:

  1. Asana Intelligence's no-training default plus current third-party penetration testing make it one of the lower-risk Embedded Productivity AI options. The Whitney Merrill DPO appointment is a meaningful signal about how the privacy programme is led. If you already pay for Asana, the AI features are a reasonable addition.
  2. The AI Studio agentic features are the deliberate decision point. Smart fields and status summaries are low-risk additions. Agentic workflows that take actions on your behalf require the same care as Microsoft 365 Copilot or Salesforce Agentforce — scope access deliberately, especially for workspaces containing client data.
  3. The June 2024 MCP server vulnerability is a useful pre-EchoLeak indicator. It demonstrates that workspace AI products do have novel attack surfaces. The mitigation pattern (prompt response to disclosure, customer guidance, documented in the Trust Center) is the right posture; the underlying class of risk remains a category-level concern.

Sources

  • Asana Trust Center (trustcenter.asana.com via SafeBase, verified 2026-05-24)
  • Asana Privacy Statement (asana.com/terms/privacy-statement, verified 2026-05-24)
  • Asana AI feature documentation (asana.com/product/ai, verified 2026-05-24)
  • Praetorian Security: Asana FY25 security assessment / penetration test (referenced in Trust Center)
  • Industry coverage of June 2024 MCP server advisory
  • General Embedded Productivity AI category analysis (OWASP LLM Top 10, 2025)
