Security has been in mind at Prefect since day one.
From our Cloud infrastructure to the systems and practices in place to protect your data and operations, security has been prioritized from the start. To learn more about these practices, please contact firstname.lastname@example.org for our security white paper.
The Hybrid Model
Prefect’s hybrid model allows us to coordinate our users' dataflows in the comfort of their own environment, relying only on proprietary meta data to complete our job successfully. Data is transferred over an authenticated api, hosted by Prefect Cloud.
Customer Data + Environment
Prefect uses proprietary metadata to coordinate workflows and collects logs specific to the execution. Prefect requires a minimum amount of customer data (name and email address) for user login and admin management, which data is retained for as long as necessary to fulfill the purposes for which it is collected.
At the customer's instruction, Prefect may retain additional subsets of data (e.g., confidential information, login credentials, etc.) in connection with:
Secrets (Cloud 1.0 only)
Prefect provides the ability to store secrets in our Cloud that can be recalled in the workflow steps, using the Prefect native task library. Secrets are stored in a Google Cloud Project separate from our core processing platform with enhanced access limitations.
Customer data can be included in the workflow logging.
Flow and Run Task Parameters
The customer can assign Flow and Task parameters names, which are stored in the database. Flow parameter values are stored by Prefect in the database. Task parameter values are not stored by Prefect in the database.
Blocks (Cloud 2.0 only)
Blocks provide the storage of configuration and interfaces to external systems. Each block document is encrypted by keys unique to each workspace.
Prefect agents are deployed in the customer environment, which poll for scheduled workflow jobs. Prefect does not require ingress access to the customer environment as the connection is opened outbound via the Prefect agent. We do not currently guarantee our endpoint's IP addresses.
Storage + Encryption
All storage systems are encrypted with industry best practice algorithms. Data is encrypted at all times in transit and at rest with a minimum of TLS 1.2 enforced on all of our endpoints.
Server + Data Residency
Prefect does not maintain any physical data centers or servers. Our infrastructure is hosted in Google Cloud Platform (GCP). Prefect has a Data Processing Agreement with GCP and more details can be found here.
Prefect runs on GCP in the following regions.
Backup and DR
Prefect is responsible for ensuring our infrastructure is up-to-date, with the most current security patches. Prefect continuously monitors for known vulnerabilities.
Prefect engages with a third party to conduct annual penetration tests and internally conducts annual disaster recovery simulations.
Enterprise customers can set up a SAML 2.0 connection. All other customers can use Google/Github oauth or username and password. Prefect has further protections within a tenant where only members of your organization can log into your tenant based on domain.
Access to Systems
Prefect grants least privilege access to all systems and conducts (i) quarterly audits on critical systems and (ii) bi-annual audits on non critical systems. Access to Prefect systems is governed by an access request system and any changes to our system follow a change control process.
Where possible, access to Prefect systems is enforced with SSO. In all cases, platform and data systems have minimum password policies and enforce the use of multi factor authentication.
Prefect Employee Laptop Encryption
All Prefect employee laptops are encrypted and enforced using MDM.
Prefect undergoes a SOC 2 Type II compliance audit annually. Contact sales for information about our most recent audit.