Data Processing Addendum
Data Processing Addendum to the Prefect Cloud Terms and Conditions
Effective Date: December 2, 2023
This Addendum forms part of the Prefect Terms and Conditions between Prefect Technologies, Inc. ("Company") and the customer entity ("Customer").
SECTION 1: DEFINITIONS
- Affiliate - Entity with 50%+ ownership stake or common control
- Authorized Sub-Processor - Third party accessing Customer Personal Data on a need-to-know basis
- Customer Account Data - Personal data related to Customer's account relationship
- Customer Usage Data - Service usage data for performance optimization and abuse prevention
- Data Exporter - Customer
- Data Importer - Company
- Data Protection Laws - Applicable regulations including GDPR, UK GDPR, Swiss FADP, and US state privacy laws
- EU SCCs - Standard contractual clauses per Commission Decision 2021/914
- ex-EEA Transfer - Personal Data transfer outside European Economic Area
- ex-UK Transfer - Personal Data transfer outside United Kingdom
- Services - As defined in the Agreement
- Standard Contractual Clauses - EU SCCs and UK SCCs
- UK SCCs - Standard Contractual Clauses with UK SCCs Addendum
- UK SCCs Addendum - ICO template for international data transfers
- US Data Protection Laws - CPRA, state privacy acts (Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, Virginia)
SECTION 2: RELATIONSHIP OF THE PARTIES; PROCESSING OF DATA
2.1 Parties acknowledge Company acts as processor regarding Personal Data, except where expressly stated. Customer must ensure lawful processing compliant with Data Protection Laws. Customer is solely responsible for accuracy, quality, and legality of provided data.
2.2 Company processes Personal Data only for purposes in the Agreement/Exhibit A, consistent with documented Customer instructions, and compliant with Data Protection Laws.
2.3 Processing details specified in Exhibit A (subject matter, nature, purpose, duration, data types, Data Subject categories).
2.4 Upon Services completion or Customer request, Company returns or deletes Personal Data unless legally required otherwise. If deletion is impracticable, Company blocks data from further processing and maintains appropriate protections.
2.5 Regarding US Data Protection Laws: Company acts as service provider. Company shall not sell, share, disclose, release, transfer, make available or otherwise communicate any such personal information to another business or third party without prior written consent, except to authorized sub-processors for business purposes.
SECTION 3: CONFIDENTIALITY
Company ensures authorized processors maintain confidentiality per the Agreement. Customer consents to Company disclosing Personal Data to advisers, auditors, or other third parties as reasonably required for the performance of its obligations.
SECTION 4: AUTHORIZED SUB-PROCESSORS
4.1 Company may engage affiliates and identified sub-processors to access and process Personal Data. Customer provides general written authorization for necessary sub-processor engagement.
4.2 Sub-processor list available at: https://www.prefect.io/security/sub-processors/. Company provides 30-day advance notice before engaging new sub-processors, allowing objection on data protection grounds.
4.3 If sub-processor changes breach Agreement obligations, Customer may terminate per Sections 7.2-7.3 of the Agreement.
4.4 Company executes written agreements with sub-processors imposing comparable data protection obligations. Company remains liable for sub-processor performance.
4.5 Authorizations constitute prior written consent for subcontracting under the Standard Contractual Clauses. Copies of sub-processor agreements provided to Customer upon request may have commercial information removed before sharing.
SECTION 5: SECURITY OF PERSONAL DATA
Company maintains appropriate technical and organizational measures, taking into account the state of the art, implementation costs, the nature/scope/context/purpose of processing, and the varying likelihood/severity of risk. Exhibit C references additional security details.
SECTION 6: TRANSFERS OF PERSONAL DATA
6.1 Company may transfer Personal Data outside EEA, UK, or Switzerland as necessary for Services. Customer acknowledges that Company's primary processing operations take place in the United States.
6.2 Ex-EEA Transfers: Made pursuant to EU SCCs (Module Two for controller-processor; Module Three for processor-sub-processor relationships).
6.3 EU SCCs Application:
- Optional docking clause (Clause 7) does not apply
- Clause 9: Option 2 applies; minimum notice period per Section 4.2
- Clause 11: Optional language excluded
- Clause 13: Square brackets removed
- Clause 17: Governed by Irish law
- Clause 18(b): Irish courts for dispute resolution
- Exhibit B contains Annex I information
- Exhibit C contains Annex II information
- Parties deemed to have signed EU SCCs including Annexes
6.4 Ex-UK Transfers: Made pursuant to UK SCCs with amendments:
- Tables 1-3 information provided in Agreement and Exhibits
- EU/member state/GDPR references amended to UK equivalents
- Governed by England and Wales law; London courts have jurisdiction
- UK Data Protection Laws govern if conflict exists
- References to legislation include future changes/consolidation/re-enactment
6.5 Swiss Transfers: EU SCCs apply with modifications:
- GDPR terms interpreted to include Swiss FADP
- EU SCCs protect legal entities until Revised FADP effective date
- Clause 13: FDPIC authority for FADP transfers; EU supervisory authority for GDPR
- "EU Member State" interpreted to include Swiss data subjects
6.6 Supplementary Measures:
- Data Importer has not received Government Agency Requests for Customer data
- If future requests occur, Company redirects agencies to Customer; may share basic contact information
- If compelled disclosure occurs, Company provides reasonable notice (unless legally prohibited) and cooperates for protective orders
- Parties discuss and determine whether transfers should suspend based on Government Agency Requests
- Parties regularly meet to assess protection adequacy, necessity of additional measures, and appropriateness of continued transfers
- If Standard Contractual Clauses require separate execution, Data Importer executes upon request with reasonable amendments
- If the mechanism legitimizing a transfer ceases to be valid, or a supervisory authority requires suspension, Data Importer may amend or implement alternative arrangements by notice
SECTION 7: RIGHTS OF DATA SUBJECTS
7.1 Company notifies Customer upon receiving Data Subject requests regarding access, rectification, erasure, data portability, restriction/cessation, consent withdrawal, or automated decision-making objection. Company will advise the Data Subject to submit their request to Customer. Customer bears responsibility for responses using Services functionality.
7.2 Company provides reasonable cooperation and assistance for Customer compliance with Data Subject requests, considering processing nature and available information, provided Customer cannot respond independently and Company can lawfully do so. Customer bears costs.
SECTION 8: ACTIONS AND ACCESS REQUESTS; AUDITS
8.1 Company provides reasonable cooperation for data protection impact assessments and compliance demonstration, considering processing nature and available information. Customer bears costs.
8.2 Company provides reasonable cooperation with Customer-supervisory authority interactions and prior consultation per GDPR requirements. Customer bears costs.
8.3 Company maintains three-year post-termination compliance records. Customer may review, audit, and copy records at Company offices during business hours with reasonable notice.
8.4 Upon request at reasonable intervals, Company provides SOC 2 certifications/reports or permits independent third-party audits demonstrating compliance with Data Protection Laws, provided: (a) Customer provides reasonable advance notice; (b) audits occur during business hours no more than annually; (c) audits are restricted to Customer-relevant data. Customer bears audit costs including reimbursement of Company time.
8.5 Company immediately notifies Customer if instructions infringe Data Protection Laws or supervisory authority.
8.6 Upon Personal Data Breach, Company informs Customer without undue delay and takes reasonable remediation steps within reasonable control.
8.7 Upon Personal Data Breach, Company provides reasonable cooperation and assistance for Customer's supervisory authority notification and affected Data Subject notification obligations without undue delay.
8.8 Sections 8.6-8.7 obligations do not apply if breach results from Customer actions/omissions. Breach reporting does not constitute fault/liability acknowledgment.
SECTION 9: CONFLICT
Document precedence order: (1) Standard Contractual Clauses applicable terms; (2) Addendum terms; (3) Agreement terms. Addendum claims subject to Agreement terms, exclusions, and limitations.
EXHIBIT A: DETAILS OF PROCESSING
1. Nature and Purpose
Company processes Customer Personal Data to provide Services per Agreement, for Agreement-specified purposes, in accordance with Customer instructions.
2. Duration
Processing continues while necessary for: (i) Services provision; (ii) Company legitimate business needs; (iii) applicable law requirements. Customer Account Data and Customer Usage Data processing/storage per Company Privacy Policy: https://www.prefect.io/legal/privacy-policy/
3. Data Subject Categories
Customer end-users/customers.
4. Personal Data Categories
Company processes Personal Data contained in Customer Account Data, Customer Usage Data, and any Personal Data provided by Customer. Categories of Personal Data include full name, email address, company name, and some basic digital information surrounding usage such as last login time.
5. Sensitive/Special Categories Data
None.
EXHIBIT B: PARTY INFORMATION AND TRANSFER DETAILS
1. Parties
Data Exporter: Customer
- Contact: As designated in Agreement notice section
- Signature/Date: Execution upon Agreement entry, Effective Date
- Role: Per Section 2, Addendum
Data Importer: Prefect Technologies, Inc.
- Address: 1200 18th Street NW Suite 700, Washington, DC 20036
- Contact: Brian Russell, Head of Legal, legal@prefect.io
- Signature/Date: Execution upon Agreement entry, Effective Date
- Role: Per Section 2, Addendum
2. Transfer Description
Data Subjects: Per Exhibit A
Personal Data Categories: Per Exhibit A
Special Category Data: Per Exhibit A
Processing Nature: Per Exhibit A
Processing Purposes: Internal processing includes: (i) user interface access (email address); (ii) limited customer analytics; (iii) user interface data display. Additional processing occurs via Data Controller-written program flows for remote workflow monitoring/execution.
Duration/Retention: Per Exhibit A
Transfer Frequency: As necessary for Services provision
Data Recipients: Sub-processor list at https://www.prefect.io/sub-processors
3. Supervisory Authority
Data Exporter's supervisory authority per Clause 13.
4. Authorized Sub-Processors List
https://www.prefect.io/sub-processors/
EXHIBIT C: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
On Customer request, Prefect provides SOC 2 audit report copies and applicable certifications.
Security Measures
Pseudonymization/Encryption: Processing on Google Cloud Platform secure servers; industry-standard encryption for storage; transit encryption; least-privilege access; MDM-enforced laptop encryption.
Confidentiality/Integrity/Availability/Resilience: Google Cloud Platform highly available services; annual third-party penetration tests; annual disaster recovery/business continuity simulations; quarterly access audits of critical systems; biannual audits of other systems.
Incident Recovery Ability: Multi-regional Google Cloud Platform database; annual disaster recovery testing.
Effectiveness Testing/Assessment: SOC 2 Type II certification (February 2022); outlines security controls and service availability assurances.
User Identification/Authorization: Strong passwords and multi-factor authentication for critical systems/production environments; SSO where possible.
Transmission Protection: Always-encrypted traffic; minimum TLS 1.2 enforcement on Prefect endpoints.
Storage Protection: Industry-standard algorithm encryption.
Physical Security: No physical servers maintained; employees restricted from downloading sensitive data.
Event Logging: Application event logging with tracing/monitoring tools; security event logging with intrusion detection/prevention; configured thresholds, alerting policies, machine learning; notifications to Company Slack, paging systems, ticketing systems.
System Configuration: Infrastructure-as-code implementation; PR approval standard process; change control procedures managing out-of-code changes.
Internal IT/IT Security Governance: Chris White, Chief Information Security Officer, oversees day-to-day security operations and sets standards.
Certification/Assurance: SOC 2 Type II certification (February 2022); outlines data security controls and service availability assurances.
Data Minimization: Hybrid approach to customer workflow management/orchestration; minimal user details collected for account management/login access; workflow metadata only; customer code/data executed/stored in customer environment, not Prefect servers.
Data Quality: Formal non-automated production data change process; strongly-typed API ensuring correct payload structure.
Limited Retention: Sensitive/confidential data retained only as necessary for collection/processing purposes; full account/data deletion process available to customers.
Accountability: Annual employee security awareness and incident response training; handbook and information security policy signature required.
Data Portability/Erasure: Full account/data deletion request process available.
Sub-Processor Measures: Data Processing Agreements with Authorized Sub-Processors containing substantially similar data protection obligations.
Additional Information: https://www.prefect.io/security#overview (subject to amendment).