Security
Meet even the strictest compliance standards and scale securely with Prefect’s enterprise-grade access features and security model
Access Control
- Personalize every user’s permissions with granular role and object-based access control
- Manage groups of users with teams
- Provision users with your preferred auth provider via SCIM
Secure Infrastructure
Loved by platform teams:
- Configure and restrict infrastructure with workers and work pools
- Dynamically define where each of your flows and tasks are executed
- Separation of orchestration and execution means Prefect never sees your code or data
Get our SOC 2 Type II report
We send watermarked SOC 2 reports, just get in touch and we can send you a copy.
Customer Data + Environment
Prefect uses proprietary metadata to coordinate workflows and collects logs specific to the execution. Prefect requires a minimum amount of customer data (name and email address) for user login and admin management.
At the customer's instruction, Prefect may retain additional subsets of data (e.g., confidential information, login credentials, etc.) in connection with:
Prefect provides the ability to store secrets in our Cloud that can be recalled in the workflow steps, using the Prefect native task library. Secrets are stored in a Google Cloud Project separate from our core processing platform with enhanced access limitations.
Customer data can be included in the workflow logging. Logs may be disabled by customer.
The customer can assign Flow and Task parameter names, which are stored in the database. Flow parameter values are stored by Prefect in the database. Task parameter values are not stored by Prefect in the database.
Blocks provide the storage of configuration and interfaces to external systems. Each Block document is encrypted by keys unique to each Workspace. Prefect encrypts the data before storing it in the database. Keys are stored in Cloud KMS and each Workspace has a different encryption key for Block document data.
Prefect Workers & Agents
Prefect workers and agents are deployed in the customer environment, which poll for scheduled workflow jobs. Prefect does not require ingress access to the customer environment as the connection is opened outbound via the Prefect worker or agent.
Prefect Infrastructure
Storage + Encryption
All storage systems are encrypted with industry best practice algorithms. Data is encrypted at all times in transit and at rest with a minimum of TLS 1.2 enforced on all of our endpoints.
Server + Data Residency
Prefect does not maintain any physical data centers or servers. Our infrastructure is hosted in Google Cloud Platform (GCP). Prefect has a Data Processing Agreement with GCP and more details can be found here.
Prefect runs on GCP in the us-east1 region, with a high availability configuration across at least two availability zones.
Prefect is responsible for ensuring our infrastructure is up-to-date, with the most current security patches. Prefect continuously monitors for known vulnerabilities.
Prefect engages with a third party to conduct annual penetration tests and internally conducts annual disaster recovery simulations.
Authentication
Enterprise customers can set up a SAML 2.0 connection. All other customers can use Google/Github oauth or username and password. Prefect has further protections within a tenant where only members of your organization can log into your tenant based on domain.
Company Policies
Access to Systems
Prefect grants least privilege access to all systems and conducts (i) quarterly audits on critical systems and (ii) annual audits on non critical systems. Access to Prefect systems is governed by an access request system and any changes to our system follow a change control process.
Where possible, access to Prefect systems is enforced with SSO. In all cases, platform and data systems have minimum password policies and enforce the use of multi-factor authentication.
Prefect Employee Laptop Encryption
All Prefect employee laptops are encrypted and enforced using MDM.