This page describes the Omnata Connect architecture from a security point of view.
To retrieve data from the customer's data platform, our Apex code makes HTTP Callouts directly to that platform's endpoints.
During connection configuration, Named Credentials are created which grant our Apex code the privilege to call those endpoints. No other endpoints are called by Omnata code, and this is also enforced by the Apex runtime.
Non-sensitive connection parameters (e.g. database names) are stored in Custom Metadata Types.
All sensitive credentials are stored in Named Credentials, and are not retrievable. Per Salesforce best practices, credentials are applied to outbound connections by using Callout Endpoints.
In addition, when Snowflake JWT Authentication is used, a self-signed certificate is generated in Salesforce and used by the Named Credentials. During setup, the certificate's public key is assigned to the Snowflake user.
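A check for the setup step above, as an added example that is not Omnata's or Salesforce's code: it computes the `SHA256:` fingerprint of the public key inside a PEM certificate so that it can be compared with the `RSA_PUBLIC_KEY_FP` value Snowflake reports for the user. It assumes the certificate has been exported from Salesforce as PEM; the function names are hypothetical, and the sample certificate is a constructed placeholder rather than a real key.

```python
import base64, hashlib

def _read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = _read_tlv(der, pos)  # TBSCertificate SEQUENCE
    fields = []
    while pos < tbs_end:                   # walk the top-level TBSCertificate fields
        tag, _, end = _read_tlv(der, pos)
        fields.append((tag, der[pos:end]))
        pos = end
    if fields and fields[0][0] == 0xA0:    # optional [0] version field
        fields.pop(0)
    # Remaining order: serial, signature, issuer, validity, subject, SPKI
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("not an X.509 certificate")
    return fields[5][1]

def pem_to_der(pem):
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def snowflake_fingerprint(cert_pem):
    """'SHA256:' + base64(SHA-256 of the DER-encoded public key)."""
    digest = hashlib.sha256(spki_from_cert(pem_to_der(cert_pem))).digest()
    return "SHA256:" + base64.b64encode(digest).decode()

def key_matches(cert_pem, rsa_public_key_fp):
    """True if the certificate's key is the one registered on the Snowflake user."""
    return snowflake_fingerprint(cert_pem) == rsa_public_key_fp.strip()

# Constructed sample: a certificate-shaped DER blob with placeholder contents.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, b"\x06\x01\x2a") + _tlv(0x03, b"\x00" + b"K" * 16))
SAMPLE_TBS = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + b"\x30\x00" * 4 + SAMPLE_SPKI)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(_tlv(0x30, SAMPLE_TBS + b"\x30\x00\x03\x01\x00")).decode()
              + "\n-----END CERTIFICATE-----\n")
```

A mismatch means the Snowflake user is bound to a different key than the certificate the Named Credentials use.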
Data accessed by External Objects is not cached or stored on the Salesforce platform, and instead is always read on demand.