Enterprise Key Management (EKM)

EKM at Asana works by encrypting your data in all of our production datastores. At a high level, this is how EKM works:

• You set up AWS KMS keys specific to Asana EKM in your own AWS account. These keys should only be used for EKM at Asana, and not for any other purpose.
• You grant Asana access to these keys.
• For domain data in RDS, Asana uses these keys to encrypt your data and encrypt your database backups.
• For your attachments stored in S3, Asana will create a new AWS account for isolation. We’ll then create an S3 bucket set up with encryption using your keys.
• For your data residing in OpenSearch, Asana will create a new OpenSearch instance, set up with encryption using your keys.
• Your key is solely your responsibility; Asana is not liable if you lose, disable, or delete the key or any data under your encryption management process.

Note that some features and elements of the service are not compatible with EKM will remain unencrypted. Currently, these exceptions are: 

• Email addresses
• Third Party Services and related metadata
• Videos created within the service

The following elements of the service are shared unencrypted with Asana subprocessors to enable provision of the services:

• End users’ names and email addresses 
• Team names