GDPR Compliance
GDPR-compliant workflow orchestration
Your data stays in your infrastructure. Prefect Cloud processes only metadata necessary for orchestration—your code and customer data never leave your environment.
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing personal data of individuals in the European Union (EU) and United Kingdom (UK). The regulation establishes strict requirements for how organizations collect, store, process, and transfer personal information.
For teams building data workflows, GDPR creates specific obligations around lawful basis for processing, data minimization, security measures, data subject rights, and cross-border transfers. GDPR applies regardless of where your organization is located—if your workflows process data belonging to EU or UK residents, you must comply.
Key Requirements
- Lawful basis for processing personal data
- Data minimization—collect only what's necessary
- Appropriate technical and organizational safeguards
- Enable data subject rights of access, correction, and deletion
- Meet requirements for cross-border data transfers
For Workflow Orchestration
- Secure processing of customer data in workflows
- Control over where data is stored and processed
- Audit trails and access controls
- Data Processing Agreements with vendors
- Transparent data handling by orchestration platform
Controllers and Processors
GDPR distinguishes between two key roles. Understanding this distinction clarifies compliance responsibilities when using Prefect for workflow orchestration.
You are the Controller
You determine the purposes and means of processing personal data
When you use Prefect to orchestrate workflows that handle customer information, you act as the data controller. You decide what data to collect, how to process it, and why.
Your Responsibilities:
- Ensure lawful basis for data processing
- Implement appropriate security measures
- Enable data subject rights (access, deletion)
- Document processing activities
Prefect is the Processor
We process data on your behalf according to your instructions
Prefect Cloud acts as your data processor when it stores metadata about your workflows. We process only the information necessary to coordinate orchestration—we don't determine what your workflows do with personal data.
Our Responsibilities:
- Process only according to your instructions
- Implement appropriate security measures
- Assist with data subject rights requests
- Maintain transparent subprocessor list
Hybrid architecture
Your data stays in your infrastructure
Prefect's hybrid architecture separates orchestration coordination from workflow execution. Prefect Cloud coordinates workflows without accessing the personal data your workflows process. Your code executes in your infrastructure with direct access to your systems—customer data never flows through Prefect Cloud.
Data Processing Addendum
Our DPA establishes the legal framework for Prefect's role as processor. It incorporates Standard Contractual Clauses (SCCs) for lawful data transfers outside the EU/UK.
Transparent Subprocessors
We maintain a current list of third-party subprocessors who may access limited metadata, with notification of changes.
Configurable Data Retention
Control retention of workflow logs and metadata. You can disable log persistence entirely if compliance requirements demand it.
Your Infrastructure: data stays here. Prefect Cloud: metadata only.
Workers poll for work via outbound-only connections. No inbound network access to your infrastructure required.
Your responsibilities as controller
While Prefect provides GDPR-compliant infrastructure, you remain responsible for your workflows' compliance.
Establish lawful basis
Ensure you have valid legal grounds (consent, contract, legitimate interest, etc.) for processing personal data in your workflows.
Implement appropriate security
Use Prefect's access controls (RBAC, SSO, audit logs) and encryption features. Store sensitive data securely in your infrastructure.
Enable data subject rights
Your workflows should support individuals' rights to access, rectify, erase, or port their data. Prefect's metadata doesn't prevent you from fulfilling these requests.
Document processing activities
Maintain records of what personal data your workflows process, why, and how long you retain it.
Conduct impact assessments
For workflows processing sensitive personal data or using automated decision-making, perform Data Protection Impact Assessments (DPIAs).
Security measures
Implement organizational and technical measures to protect personal data your workflows handle in your infrastructure.
Data storage and retention
Prefect Cloud stores orchestration metadata in Google Cloud Platform (GCP) infrastructure located in the United States. All data is encrypted in transit (TLS 1.2+) and at rest using workspace-unique keys.
You control retention of workflow logs and flow run metadata through Prefect Cloud's retention settings. You can configure automatic deletion of old flow runs and disable log persistence entirely.
Personal data processed by your workflows never reaches Prefect Cloud when using hybrid or push work pool execution—that data stays in your infrastructure under your retention policies.
Cross-border data transfers
Prefect Technologies, Inc. is a U.S.-based company. When you use Prefect Cloud, some orchestration metadata transfers from the EU/UK to the United States.
Our Data Processing Addendum incorporates Standard Contractual Clauses (SCCs) approved by the European Commission and UK Information Commissioner's Office, providing the legal mechanism for these transfers.
These SCCs establish contractual safeguards ensuring transferred data receives protection equivalent to GDPR requirements, even when stored in the U.S.
GDPR resources and documentation
Legal documents and compliance information
Data Processing Addendum
Our DPA with Standard Contractual Clauses for lawful data transfers
Authorized Subprocessors
Complete list of third-party service providers we use
Security Overview
Enterprise security features and compliance certifications
Privacy Policy
How we collect, use, and protect your information
Questions about GDPR compliance?
Our security and legal teams are here to help. Contact us about GDPR compliance, request our Data Processing Addendum, or ask about specific regulatory requirements.