What is GDPR?

The General Data Protection Regulation is a wide-ranging law designed to protect the privacy of individuals in the European Union (EU) and United Kingdom (UK) and give them control over how their personal data is collected, processed, and used. The law applies to any company that collects or processes the data of European consumers. Our compliance program and our Data Processing Addendum (described below) have been designed to comply with both the EU version of GDPR as well as the UK’s post-Brexit version.

Controllers and processors

There are two key relationships defined in the GDPR. As a Prefect Cloud customer, you operate as the controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed in a lawful manner as described above and that you are using processors, such as Prefect Cloud, that are committed to handling the data in a compliant manner.

Prefect Cloud is considered a data processor. We act on the instructions of the controller (our customer). Similar to controllers, processors are expected to enumerate how they handle personal data, which we have outlined in this document and the legal documents listed below. As a processor, we rely on our customers to ensure that there is a lawful basis for processing.

Processors may leverage other third-parties in the processing of personal data. These entities are commonly referred to as subprocessors. See below for additional information regarding Prefect’s subprocessors.

How does Prefect support GDPR compliance?

Prefect is committed to the GDPR compliance of our company, our customers, and certain other applicable third parties.

To deliver the Prefect Cloud services, Prefect acts as a compliant data processor, with each of our customers acting as the data controller. Prefect receives certain personal data from our customers in the context of providing our Prefect Cloud to the customer. See [here] for an explanation of the data that Prefect Cloud may have access to.

Prefect’s SaaS agreements incorporate a comprehensive Data Processing Addendum (”DPA”) that governs the relationship between the customer (acting as a data controller) and Prefect (acting as a data processor). The DPA facilitates Prefect’s customers’ compliance with their obligations under EU/UK data protection law. Our DPA contains strong privacy commitments focused around data replication that has been updated to confirm our compliance with the GDPR. Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to warehouses outside of the European Union or UK in accordance with GDPR requirements.

Prefect's subprocessors

To support delivery of our Services, Prefect may engage and use data processors with access to certain Customer Data (each, a "Subprocessor"). This section provides important information about the identity, location and role of each Subprocessor.

Prefect currently uses third party Subprocessors to provide infrastructure-related services, user authentication and email automations. Prior to engaging any third party Subprocessor, Prefect performs diligence to evaluate the privacy, security and confidentiality practices of any potential Subprocessor.

A list of Prefect’s authorized Subprocessors is available here.