This page describes the Omnata Connect architecture from a security point of view.
During connection configuration, Named Credentials are created which grant our Apex code the privilege to call those endpoints. No other endpoints are called by Omnata code, and this is also enforced by the Apex runtime.
Non-sensitive connection parameters (e.g. database names), are stored in Custom Metadata Types.
In addition to this, when Snowflake JWT Authentication is used, a Self-Signed certificate is generated in Salesforce and used by the Named Credentials. During setup, the certificate's public key is assigned to the Snowflake user.
Data accessed by External Objects is not cached or stored on the Salesforce platform, and instead is always read on demand.