Frequently Asked Questions: Prelude's B2B Data Protection Compliance

At Prelude, we highly value our customers' trust and are dedicated to protecting the privacy of their personal data. This Frequently Asked Questions (FAQ) document was created to address the most common questions that our B2B customers may have about Prelude's data protection compliance.


Where Prelude provides its services to a B2B customer, Prelude will process the personal data provided by the customer on its behalf as a data processor (service provider). Prelude’s processing of customer data will be governed by the customer’s instructions in the Data Processing Agreement (DPA). In general, the parties execute the DPA in conjunction with the Master Subscription Agreement (MSA).

Compliance with Data Protection Regulations

Which data protection regulations are covered by Prelude’s compliance program?

Prelude has a comprehensive data privacy compliance program ensuring compliance with the privacy standards in the US, EEA, Canada and UK. Depending on the nature of the provided services, location of the customer and origin of customer data, Prelude can be subject to different data protection regulations. These can include the General Data Protection Regulation (EU) 2016/679 (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), other relevant US state privacy laws, the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA), and others. Prelude adheres to these regulations in its privacy compliance program, which includes concluding a DPA with its customers. Please refer to section 1 a. of the DPA for the full list of the covered privacy laws.


Why do I need to execute the DPA with Prelude?

With respect to customer data that Prelude processes as a data processor, certain data protection regulations, in particular the GDPR and the CCPA, require the parties to enter into a data processing agreement. In general, the DPA will outline your instructions to Prelude on how we can process your customer data, for what purposes, for how long and under which security measures.

Scope of Processed Customer Data

What categories of customer data and data subjects does Prelude process when providing its services?

When you subscribe to our services, we may collect your email address, first name and last name, your company name and job title, and your address, state, province, ZIP/Postal code, and city. We may also collect your personal data when you communicate with us through email communications, chat, our social media and other forms of communication. The personal data we collect in the course of providing our services typically includes data contained in your endpoints accessed within the platform. Please refer to section 2 of the DPA for further details.

How does Prelude use the customer data (for what purposes)?
Prelude primarily uses your personal data to provide its services to you. Prelude may also use your personal data to improve its services or communicate with you about those services.

Does Prelude process any sensitive customer data?
Prelude does not process any sensitive customer data.

Will I retain ownership of my customer data?
Customers will at all times retain ownership of their customer data.

Scope of Processed Customer Data

How does Prelude protect customer data?
Prelude has implemented technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These technical and organizational measures are further described at www.preludesecurity.com/legal/toms.
We use encryption, firewalls, access controls (multi-factor/two-factor authentication), and other industry-standard security measures to safeguard personal data. Database volumes are encrypted when stored at rest and in transit. We apply standard IAM (access controls) that enforces the Least Privilege Principle: only employees who have a job function requiring access to a particular system are granted it, and only for the duration it is required.

Does Prelude have any security certifications in place?
Prelude has obtained SOC2 certification, effective as of July 14, 2023.

Retention and Storage of Customer Data

Where is my customer data stored?
Data is stored by default in AWS, either in a data center in Oregon or Virginia.

How long does Prelude retain customer data?
Prelude retains customer data through the period of the subscription, and then for a period no longer than 360 days following the termination of subscription services.

Can I instruct Prelude to delete my customer data before the end of my subscription period? Customers may instruct Prelude to delete customer data in conjunction with a termination of services, in accordance with the relevant subscription agreement.

Transfer of Customer Data

Does Prelude share my customer data with third parties, and if so, under what circumstances?
Prelude may share your data with third parties upon your request and consent, for example, to your Crowdstrike or other EDR to facilitate the use of our services. Prelude may also engage third-party processors (sub-processors) who help us deliver the services to you. These sub-processors provide in particular infrastructure and administration services and assist us with customer support. The current list of Prelude’s sub-processors can be found at www.preludesecurity.com/legal/sub-processor-list.

Is my customer data transferred internationally?
Where the customer is located outside of the US, Prelude may need to transfer the customer’s data to the US in order to deliver the services. Such data transfers can be subject to appropriate safeguards, namely the Standard Contractual Clauses (SCCs) required under Art. 46 of the GDPR.

What are Standard Contractual Clauses? Where can I find them?
The SCCs are standardized model data protection clauses that allow the data exporter (customer) and the data importer (Prelude) to comply with their obligations under GDPR. Their wording is imposed by the European Commission. Prelude’s SCCs are incorporated into the DPA (please refer to section 3 d. of the DPA) and can be found at www.preludesecurity.com/legal/scc

Does Prelude sell or transfer my customer data under the CCPA?
Prelude does not sell or transfer customer data under the CCPA.