GDPR Compliance

Bug Bounty Program

SOC 2 Type II

Prefect is SOC 2 Type II certified

Get our SOC 2 Type II report

The Hybrid Model

Prefect’s hybrid model enables coordination of users' dataflows in their own execution environment, relying only on proprietary meta data. Data is transferred over an authenticated API, hosted by Prefect Cloud.

Customer Data + Environment

Prefect uses proprietary metadata to coordinate workflows and collects logs specific to the execution. Prefect requires a minimum amount of customer data (name and email address) for user login and admin management.

At the customer's instruction, Prefect may retain additional subsets of data (e.g., confidential information, login credentials, etc.) in connection with:

Secrets (Cloud 1.0 only)

Prefect provides the ability to store secrets in our Cloud that can be recalled in the workflow steps, using the Prefect native task library. Secrets are stored in a Google Cloud Project separate from our core processing platform with enhanced access limitations.

Logs

Customer data can be included in the workflow logging. Logs may be disabled by customer.

Flow and Task Parameters

The customer can assign Flow and Task parameter names, which are stored in the database. Flow parameter values are stored by Prefect in the database. Task parameter values are not stored by Prefect in the database.

Blocks (Cloud 2.0 only)

Blocks provide the storage of configuration and interfaces to external systems. Each block document is encrypted by keys unique to each workspace.

Prefect Workers & Agents

Prefect workers and agents are deployed in the customer environment, which poll for scheduled workflow jobs. Prefect does not require ingress access to the customer environment as the connection is opened outbound via the Prefect worker or agent.

Prefect Infrastructure

Storage + Encryption

All storage systems are encrypted with industry best practice algorithms. Data is encrypted at all times in transit and at rest with a minimum of TLS 1.2 enforced on all of our endpoints.

Server + Data Residency

Prefect does not maintain any physical data centers or servers. Our infrastructure is hosted in Google Cloud Platform (GCP). Prefect has a Data Processing Agreement with GCP and more details can be found here.

Prefect runs on GCP in the us-east1 region, with a high availability configuration across at least two availability zones.

Prefect is responsible for ensuring our infrastructure is up-to-date, with the most current security patches. Prefect continuously monitors for known vulnerabilities.

Prefect engages with a third party to conduct annual penetration tests and internally conducts annual disaster recovery simulations.

Authentication

Enterprise customers can set up a SAML 2.0 connection. All other customers can use Google/Github oauth or username and password. Prefect has further protections within a tenant where only members of your organization can log into your tenant based on domain.

Company Policies

Access to Systems

Prefect grants least privilege access to all systems and conducts (i) quarterly audits on critical systems and (ii) annual audits on non critical systems. Access to Prefect systems is governed by an access request system and any changes to our system follow a change control process.

Where possible, access to Prefect systems is enforced with SSO. In all cases, platform and data systems have minimum password policies and enforce the use of multi-factor authentication.

Prefect Employee Laptop Encryption

All Prefect employee laptops are encrypted and enforced using MDM.