GDPR Compliance
Your data stays in your infrastructure. Prefect Cloud processes only metadata necessary for orchestration—your code and customer data never leave your environment.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing personal data of individuals in the European Union (EU) and United Kingdom (UK). The regulation establishes strict requirements for how organizations collect, store, process, and transfer personal information.
For teams building data workflows, GDPR creates specific obligations around lawful basis for processing, data minimization, security measures, data subject rights, and cross-border transfers. GDPR applies regardless of where your organization is located—if your workflows process data belonging to EU or UK residents, you must comply.
GDPR distinguishes between two key roles. Understanding this distinction clarifies compliance responsibilities when using Prefect for workflow orchestration.
Data controller: you determine the purposes and means of processing personal data.
When you use Prefect to orchestrate workflows that handle customer information, you act as the data controller. You decide what data to collect, how to process it, and why.
Your Responsibilities:
Data processor: we process data on your behalf according to your instructions.
Prefect Cloud acts as your data processor when it stores metadata about your workflows. We process only the information necessary to coordinate orchestration; we don't determine what your workflows do with personal data.
Our Responsibilities:
Hybrid architecture
Prefect's hybrid architecture separates orchestration coordination from workflow execution. Prefect Cloud coordinates workflows without accessing the personal data your workflows process. Your code executes in your infrastructure with direct access to your systems—customer data never flows through Prefect Cloud.
Our Data Processing Addendum (DPA) establishes the legal framework for Prefect's role as processor. It incorporates Standard Contractual Clauses (SCCs) for lawful data transfers outside the EU/UK.
We maintain a current list of third-party subprocessors who may access limited metadata, with notification of changes.
Control retention of workflow logs and metadata. You can disable log persistence entirely if compliance requirements demand it.
Diagram: your infrastructure (data stays here) alongside Prefect Cloud (metadata only).
Workers poll for work via outbound-only connections. No inbound network access to your infrastructure is required.
While Prefect provides GDPR-compliant infrastructure, you remain responsible for your workflows' compliance.
Ensure you have valid legal grounds (consent, contract, legitimate interest, etc.) for processing personal data in your workflows.
Use Prefect's access controls (RBAC, SSO, audit logs) and encryption features. Store sensitive data securely in your infrastructure.
Your workflows should support individuals' rights to access, rectify, erase, or port their data. Prefect's metadata doesn't prevent you from fulfilling these requests.
Maintain records of what personal data your workflows process, why, and how long you retain it.
For workflows processing sensitive personal data or using automated decision-making, perform Data Protection Impact Assessments (DPIAs).
Implement organizational and technical measures to protect personal data your workflows handle in your infrastructure.
Prefect Cloud stores orchestration metadata in Google Cloud Platform (GCP) infrastructure located in the United States. All data is encrypted in transit (TLS 1.2+) and at rest using workspace-unique keys.
You control retention of workflow logs and flow run metadata through Prefect Cloud's retention settings. You can configure automatic deletion of old flow runs and disable log persistence entirely.
Personal data processed by your workflows never reaches Prefect Cloud when using hybrid or push work pool execution—that data stays in your infrastructure under your retention policies.
Prefect Technologies, Inc. is a U.S.-based company. When you use Prefect Cloud, some orchestration metadata transfers from the EU/UK to the United States.
Our Data Processing Addendum incorporates Standard Contractual Clauses (SCCs) approved by the European Commission and UK Information Commissioner's Office, providing the legal mechanism for these transfers.
These SCCs establish contractual safeguards ensuring transferred data receives protection equivalent to GDPR requirements, even when stored in the U.S.
Legal documents and compliance information
Our DPA with Standard Contractual Clauses for lawful data transfers
Complete list of third-party service providers we use
Enterprise security features and compliance certifications
How we collect, use, and protect your information
Our security and legal teams are here to help. Contact us about GDPR compliance, request our Data Processing Addendum, or ask about specific regulatory requirements.