Security Framework
Shared responsibility model
Clear boundaries for compliance and risk management. Prefect manages orchestration, you control execution and data. Prefect never accesses your code or customer data.
How responsibility is divided
Prefect's hybrid architecture creates a clean separation: we manage the orchestration control plane, you manage execution environments and data security.
Prefect manages
Security of the orchestration platform
- Control plane infrastructure
- Orchestration metadata storage
- API and authentication services
- Platform security and compliance
- Automatic updates and patches
You manage
Security in your execution environment
- Workflow execution infrastructure
- Code and data security
- Access controls and permissions
- Secrets and credentials
- Network and compliance policies
What Prefect manages
We handle the orchestration platform's security, compliance, and availability. Prefect never accesses your workflow code or the data your workflows process.
Infrastructure security
Control plane hosted on GCP with multi-AZ high availability
- Physical security of data centers
- Network infrastructure protection
- Automatic scaling and failover
Data encryption
All orchestration metadata encrypted in transit and at rest
- TLS 1.2+ for all API connections
- Workspace-unique encryption keys
- Encrypted database storage
Compliance & audits
Independent certification and continuous monitoring
- SOC 2 Type II certification
- GDPR compliance framework
- Annual penetration testing
Authentication & access
Secure access to Prefect Cloud UI and API
- SSO integration (SAML, OIDC)
- Multi-factor authentication
- API key management
Platform maintenance
Continuous updates and security patches
- Automatic security patching
- Feature updates and improvements
- Vulnerability monitoring
Support & documentation
Expert guidance and best practices
- Technical support team
- Comprehensive documentation
- Security best practices
What you manage
You retain full control of your execution environments, workflow code, and data. This ensures your sensitive information never leaves your infrastructure.
Execution infrastructure
Deploy and manage workers in your environment
- Kubernetes, ECS, VM configuration
- Resource scaling and allocation
- Worker deployment and updates
Code & data security
Protect workflow source code and processed data
- Source code security and scanning
- Data encryption in your environment
- Dependency vulnerability management
Access control
Manage team permissions and authentication
- RBAC configuration for workspaces
- SSO provider integration
- API key and service account management
Secrets management
Store and manage credentials securely
- Integration with secrets managers
- AWS Secrets Manager, Vault, etc.
- Environment variable security
Network configuration
Control network access and security
- Firewall and security group rules
- VPN and private network setup
- IP filtering and allowlisting
Compliance & governance
Enforce organizational policies
- Internal security policies
- Data retention and privacy controls
- Audit log review and monitoring
How hybrid architecture enables clear boundaries
The separation between orchestration and execution creates natural accountability boundaries.
Your Infrastructure
Complete control and accountability
Prefect Cloud
Orchestration metadata only
Workers poll for work via outbound-only connections. Prefect Cloud never accesses your infrastructure, code, or data.