The following requirements and limitations apply to Customer’s use of the Services where Customer Data contains Protected Health Information (“PHI”), Customer is a Covered Entity or Business Associate as applicable, and Asana is the Business Associate or Customer’s subcontractor as applicable and as defined in the Business Associate Addendum between the parties:

1. Before entering any PHI into the Service, Customer must (i) execute a Business Associate Addendum; and (ii) Customer must implement the HIPAA feature in the administrative console as may be described in further detail in the Documentation or set forth at https://help.asana.com/s/article/hipaa-compliance?language=en_US

2. Access to a HIPAA-compliant workspace is domain-wide, therefore, Customer must upgrade its existing workspace(s) to a single Organization and upgrade existing Division(s) to such Organization as applicable.

3. As between the parties, Customer is solely responsible for managing End Users and access to PHI within Customer’s workspace(s) in the Service.

• a. Unless otherwise stated by Asana in writing, Customer must ensure that each End User has a dedicated email domain; use of a personal email domain is prohibited.

• b. Customer shall limit visibility of projects including PHI to End Users on a need-to-know basis by using Service features such as private tasks and private projects.

• c. Customer must enable or keep enabled two factor authentication, SSO, or Google Authentication for all End Users.

• d. Customer shall not use the Service to communicate directly with or provision accounts to patients, plan members, their families, or employers.

4. Customer may only enter PHI into “Tasks” and “Projects” within the Service (e.g., task and project descriptions, task and project titles, custom fields, comments, and attachments).

• a. Customer shall not provide PHI to the Asana User Operations Team in any support tickets or any part of Asana that is not a Task.

• b. Customer shall not put PHI into Service features not stated above, included but not limited to: profiles, Messages, or Goals.

5. Customer shall not input PHI into any free version of the Service.

6. As between the parties, Customer is solely responsible for using the Asana APIs and audit log to monitor for unusual activity.

7. Customer acknowledges and agrees that some Asana features may not be available to Customer and that some features within Customer’s workspace(s) are turned off by default as they are not HIPAA compliant. Customer may enable these features at its own risk. These include but are not limited to the following features, which may be updated from time to time within Asana’s Documentation: Guests, video messaging and Asana AI.

8. Customer shall not use the Service as its system of record for PHI.

9. Customer acknowledges that Asana does not enter into business associate agreements with Third Party Service providers, including those in Asana’s App Directory. Customer must directly enter into separate business associate agreements with those Third Party Service providers.

10. Customer acknowledges that, notwithstanding anything in Customer’s agreement for access to the Asana Service (“Agreement”), unless Customer has accessed the HIPAA Smiles tier of the Service, Asana will delete all Customer Data (including PHI) in Customer’s instance one hundred and eighty (180) days after termination or expiration of Customer’s Agreement. Data will be retained in a backup for a limited time period after domain deletion. If customer has accessed the HIPAA Smiles tier of the Service, Asana will delete all Customer Data (including PHI) in Customer’s instance after six months of inactivity. Customer may export Customer Data (including PHI) at any time during the term in accordance with the Documentation.