Security and Privacy
Last updated
Last updated
Omnata Sync is delivered as a .
This means that each customer has a dedicated instance of the application, running within the controlled boundary of their Snowflake account. You can read an overview of the security advantages that the Native Applications Framework offers .
The Omnata Sync Engine is installed by user with the Snowflake ACCOUNTADMIN role, from the . This creates a special type of database in your Snowflake account, known as an "application". It contains all of the application code required to configure, schedule and observe data sync tasks.
In addition to this, plugin applications are installed from the Marketplace, which contain the application code that communicates with a particular application. The Sync Engine uses these plugins to read data from and/or write data to the application.
In both cases, these applications start with no privileges to access any tables or other objects within the Snowflake account. These are granted as part of the configuration process, for example if you wanted to sync a Leads table to Salesforce, you would first grant select privileges on it to the Sync Engine application.
Installing an application does not give the application provider (Omnata) any access into your Snowflake account.
After a consumer installs an application in their account, Omnata is made aware via records in the shared table. This provides us with contact details of the person who installed the app, and we will send an automated welcome email. Note that this process does not provide us with any access to your Snowflake account, it is simply a feed of admin contact information.
Omnata Sync includes an administration User Interface built with , and this runs on a warehouse chosen by the end user.
In order to sync data with external systems, three features are used by the Sync Engine:
are used to permit communication with specific domains
are used to securely store credentials within the Snowflake account
are used to tie network rules and secrets together and collectively permit API calls to be made to applications. External Access Integrations require the ACCOUNTADMIN role to configure, and can not be directly created by the application.
All configuration data, sync run history and record data are stored as Snowflake tables inside the native application instance. Omnata do not have access to this information.
These tables are equivalent to any other regular table in the customer's Snowflake account in terms of how data is encrypted and secured.
To grant permission for a Snowflake role to access this data, run the following SQL statement:
Omnata requires error events to be shared upon installation of the app. These events do not contain any customer data, user telemetry or debug data.
Omnata's application code to the local event table (automatically created). The customer can query these logs to see error messages logged by background processes, as well as other debugging information.
In order to diagnose the cause of problems, Omnata may ask the consumer to for debugging. This is optional and can be revoked at any time.
Omnata can deploy new versions of the Sync Engine and plugins, by and assigning them to accounts via release directives. Again, this does not give us any form of access into the consumer's account. The upgrade process is managed by Snowflake, we only have visibility of whether or not the upgrade process succeeded, and any error messages.
