Security and Privacy
Omnata Sync is delivered as a Snowflake Native Application.
This means that each customer has a dedicated instance of the application, running within the controlled boundary of their Snowflake account. You can read an overview of the security advantages that the Native Applications Framework offers here.
Installation
The Omnata Sync Engine is installed from the Snowflake Marketplace by a user with the Snowflake ACCOUNTADMIN role. This creates a special type of database in your Snowflake account, known as an "application". It contains all of the application code required to configure, schedule and observe data sync tasks.
In addition, plugin applications are installed from the Marketplace. Each plugin contains the code that communicates with a particular external application, and the Sync Engine uses these plugins to read data from and/or write data to that application.
In both cases, these applications start with no privileges to access any tables or other objects within the Snowflake account. Privileges are granted as part of the configuration process. For example, if you wanted to sync a Leads table to Salesforce, you would first grant select privileges on it to the Sync Engine application.
Installing an application does not give the application provider (Omnata) any access into your Snowflake account.
After a consumer installs an application in their account, Omnata is made aware via records in the LISTING_EVENTS_DAILY shared table. This provides us with contact details of the person who installed the app, and we will send an automated welcome email. Note that this process does not provide us with any access to your Snowflake account; it is simply a feed of admin contact information.
Configuration
Omnata Sync includes an administration User Interface built with Streamlit, and this runs on a warehouse chosen by the end user.
Network access
In order to sync data with external systems, three features are used by the Sync Engine:
Network rules are used to permit communication with specific domains
Secrets are used to securely store credentials within the Snowflake account
External access integrations are used to tie network rules and secrets together and collectively permit API calls to be made to applications. External access integrations require the ACCOUNTADMIN role to configure, and cannot be directly created by the application.
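How the three object types described above fit together, shown as an added example (this is not Omnata's own setup script). The database, schema, object names, host and the application name my_sync_engine_app are hypothetical placeholders, and the way the integration and secret are handed to the application is an assumption.

```sql
-- Added illustration; every object name below is a hypothetical placeholder.
USE ROLE ACCOUNTADMIN;  -- required to create external access integrations

-- 1. Network rule: permit egress to one specific host and port only.
CREATE OR REPLACE NETWORK RULE integrations_db.sync_cfg.example_crm_rule
  MODE = EGRESS
  TYPE = HOST_PORT
  VALUE_LIST = ('api.example.com:443');

-- 2. Secret: the credential is stored inside the Snowflake account.
CREATE OR REPLACE SECRET integrations_db.sync_cfg.example_crm_token
  TYPE = GENERIC_STRING
  SECRET_STRING = '<api-token-placeholder>';

-- 3. External access integration: ties the rule and the secret together.
--    Code using this integration can reach only the listed rule's hosts
--    and read only the listed secrets.
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION example_crm_eai
  ALLOWED_NETWORK_RULES = (integrations_db.sync_cfg.example_crm_rule)
  ALLOWED_AUTHENTICATION_SECRETS = (integrations_db.sync_cfg.example_crm_token)
  ENABLED = TRUE;

-- Assumption: the installed application is given access with explicit grants.
GRANT USAGE ON DATABASE integrations_db TO APPLICATION my_sync_engine_app;
GRANT USAGE ON SCHEMA integrations_db.sync_cfg TO APPLICATION my_sync_engine_app;
GRANT READ ON SECRET integrations_db.sync_cfg.example_crm_token
  TO APPLICATION my_sync_engine_app;
GRANT USAGE ON INTEGRATION example_crm_eai TO APPLICATION my_sync_engine_app;

-- Review: confirm the allowed hosts and the full set of privileges
-- the application now holds.
DESCRIBE NETWORK RULE integrations_db.sync_cfg.example_crm_rule;
SHOW GRANTS TO APPLICATION my_sync_engine_app;
```

Running SHOW GRANTS TO APPLICATION periodically gives an auditable list of everything the application can reach, which should match only what was granted during configuration.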
Data Storage
All configuration data, sync run history and record data are stored as Snowflake tables inside the native application instance. Omnata does not have access to this information.
These tables are equivalent to any other regular table in the customer's Snowflake account in terms of how data is encrypted and secured.
To grant permission for a Snowflake role to access this data, run the following SQL statement:
Support
Omnata's application code logs messages and trace events to the local event table (automatically created). The customer can query these logs to see error messages logged by background processes, as well as other debugging information.
Omnata requires error events to be shared upon installation of the app. These events do not contain any customer data, user telemetry or debug data.
In order to diagnose the cause of problems, Omnata may ask the consumer to enable the sharing of lower level events for debugging. This is optional and can be revoked at any time.
Application Upgrades
Omnata can deploy new versions of the Sync Engine and plugins by publishing new versions and assigning them to accounts via release directives. Again, this does not give us any form of access into the consumer's account. The upgrade process is managed by Snowflake; we only have visibility of whether or not the upgrade process succeeded, and any error messages.
Architecture diagram