Snowflake
Query production data via scoped roles. Promotion to writes requires an approved boundary, residency enforcement, and certificate verification hooks.
Monthly verification • last run September 2025
Modes & scopes
Modes
- Read-first
- Write-gated (promotion requires Action Certificate)
Scopes
- Warehouse-level read role
- Scoped data shares
- Optional write role for governed automations
Runbook highlights
Connection modes
PrivateLink or AWS/GCP service endpoints; no public ingress. Read-first role maps to ANALYST or FINOPS personas.
Learning Controls
Evaluation contracts compare against golden dashboards. Drift on financial measures auto-rolls back governed canaries.
Evidence
Action Certificates embed warehouse, database, and role IDs plus residency policy hash.
Sample automations & evidence
Sample automations
- List incidents impacting finance warehouses
- Generate board KPI snapshot with certified budget deltas
Action Certificate mapping
Every certificate embeds connector identifiers, residency policy hashes, and Learning Control references so downstream systems can verify scope before allowing writes. Export verification logs to Splunk/Datadog using the trustplane.certificate_id attribute.
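A downstream scope check of the kind described above, as an added example that is not the vendor's code. The certificate field names, the SHA-256-over-canonical-JSON hashing scheme, and the sample identifiers are assumptions; only the trustplane.certificate_id attribute name comes from this page. It also assumes the certificate's signature was validated before this check runs.

```python
import hashlib
import hmac
import json

# Hypothetical field names: the page lists what a certificate embeds, not its schema.
SCOPE_FIELDS = ("warehouse_id", "database_id", "role_id")


def policy_hash(policy: dict) -> str:
    """Assumed hashing scheme: SHA-256 over canonical (sorted-key) JSON."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_write(cert: dict, request: dict, local_policy: dict) -> dict:
    """Return a log event; 'allowed' is True only if every check passes."""
    failures = []
    for field in SCOPE_FIELDS:
        # Fail closed: a missing or empty field never matches.
        if not cert.get(field) or cert.get(field) != request.get(field):
            failures.append(f"scope_mismatch:{field}")
    embedded = str(cert.get("residency_policy_hash", "")).encode()
    # Compare against the policy enforced locally, not one supplied by the caller.
    if not hmac.compare_digest(embedded, policy_hash(local_policy).encode()):
        failures.append("residency_policy_hash_mismatch")
    return {
        "trustplane.certificate_id": cert.get("certificate_id"),
        "allowed": not failures,
        "failures": failures,
    }


# Constructed sample data, not real identifiers.
POLICY = {"region": "eu-west-1", "allow_cross_region": False}
CERT = {
    "certificate_id": "cert-EXAMPLE-0001",
    "warehouse_id": "WH_FINANCE",
    "database_id": "DB_LEDGER",
    "role_id": "ROLE_GOVERNED_WRITER",
    "residency_policy_hash": policy_hash(POLICY),
}
REQUEST = {"warehouse_id": "WH_FINANCE", "database_id": "DB_LEDGER",
           "role_id": "ROLE_GOVERNED_WRITER"}

if __name__ == "__main__":
    print(check_write(CERT, REQUEST, POLICY))
    # The same certificate presented for a different database is refused.
    print(check_write(CERT, {**REQUEST, "database_id": "DB_HR"}, POLICY))
```

The returned event carries the certificate ID under the attribute name used for log export, so allowed and refused writes can be correlated in the log platform.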
Need a signed runbook?
Request a signed copy of this connector runbook, DPIA, or sub-processor alignment via the security contact form. We respond within one business day and can include environment-specific attestations.