Prefect Shared Responsibility Model
Prefect’s shared responsibility model defines the division of security, infrastructure, and operational responsibilities between Prefect and its users. This framework ensures a secure, scalable, and flexible orchestration environment while maintaining user control over execution.
Prefect Responsibilities
✅ Managed Infrastructure & Availability
Prefect Cloud fully manages the control plane, including metadata storage, scheduling, API services, authentication, and user management. Prefect ensures high availability, automated scaling, and service reliability, reducing operational overhead for users.
✅ Security & Compliance
Prefect Cloud is built with security best practices, including SOC 2 Type II compliance, role-based access control (RBAC), Encryption-at-Rest, Encryption-in-Transit, SSO support, and GDPR compliance. Prefect never accesses or stores user data—only metadata required for orchestration.
✅ Authentication
Prefect Cloud allows customers to bring and integrate their own Identity Providers for authentication and authorization. Prefect provides integration capabilities with numerous auth providers and ensures only authenticated users can access the UI and API.
✅ Platform Upgrades & Maintenance
Prefect Cloud continuously delivers automatic updates, security patches, and new features, ensuring users always operate on the latest version without managing upgrades manually.
✅ Support & Documentation
Prefect provides extensive documentation, technical support, and a dedicated team to assist with best practices, troubleshooting, and workflow optimization.
User Responsibilities in Prefect Cloud
🔹 Flow Execution & Data Security
Users own and control their execution environments—whether on Kubernetes, virtual machines, or serverless services. Prefect never pulls user data and only orchestrates execution based on metadata.
🔹 Access Control & Identity Management
Users manage their RBAC settings, workspace permissions, API keys, and SSO integrations to align with internal security policies. Prefect enables fine-grained access controls for different roles. Users are responsible for determining and assigning permissions, access, scope, and revocations, as well as password complexity and rotations, in their environments.
🔹 Infrastructure Configuration & Resource Management
Users determine how workflows are executed within their environment, including worker deployment, resource scaling, and workload distribution across cloud services.
🔹 Secret Management
Prefect integrates with AWS Secrets Manager, HashiCorp Vault, and other cloud secret managers to securely store credentials, keys, and sensitive environment variables. Users are responsible for managing these secrets in accordance with their internal security policies.
🔹 Compliance & Governance
While Prefect ensures compliance at the platform level, organizations must enforce internal policies for governance, auditing, and workflow security within their environments.
🔹 Network and Proxy Configuration
Customers are responsible for configuring their network access, web proxies, and any IP filtering necessary to access Prefect Cloud, either publicly or over PrivateLink.
🔹 Sensitive Data and Logging
Customers are responsible for the information they capture via logging in the Prefect environment. As logging is customer-configured, PII/PHI or information otherwise deemed “sensitive” under applicable law will not be submitted in logs without Prefect’s prior written approval.
Key Takeaways
- Prefect Cloud fully manages the orchestration control plane, allowing users to focus on execution without infrastructure maintenance.
- Users retain complete control over execution environments, data security, and resource scaling.
- Prefect never accesses user data—only metadata related to orchestration.
For more details, refer to the Prefect Documentation.