Crunchy Bridge Security Addendum
Last Updated: June 27, 2025
This Crunchy Bridge Security Addendum (“Security Addendum”) is incorporated into and made a part of the Crunchy Bridge Terms of Service, made available at https://www.snowflake.com/en/legal/, between Snowflake and Customer (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.
Snowflake utilizes infrastructure-as-a-service cloud providers as further described in the Agreement and/or Documentation (each, a “Cloud Provider”) and provides the Crunchy Bridge Offering to Customer using virtual private clouds (VPCs) and storage hosted by the applicable Cloud Provider (the “Cloud Environment”).
Snowflake maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Crunchy Bridge Offering and Customer Data (the “Security Program”), including, but not limited to, as set forth below. Snowflake may review and update its Security Program as well as this Security Addendum, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.
1. Audits. The information security management system used to provide the Crunchy Bridge Offering shall be assessed by independent third-party auditors in a SOC 2 Type II audit (including HIPAA) (“Audit”), on at least an annual basis. Audit reports may be requested by Customer as described in the Documentation.
2. Encryption and Data Security Controls. Snowflake maintains data security controls which include logical segregation of Customer Data, restricted (e.g. role-based) access and monitoring, and utilization of commercially-available and industry-standard encryption technologies for Customer Data at rest and in transit.
3. System and Network Security.
3.1. Access Controls. All Snowflake personnel access to the Cloud Environment is via a unique user ID, consistent with the principle of least privilege, leveraging multi-factor authentication and passwords that: (a) are at least eight (8) characters in length; (b) are not stored in readable format on Snowflake computer systems; (c) have defined complexity; and (d) if newly-issued, are changed after first use.
3.2. Vulnerability Detection & Management. Snowflake maintains vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
4. Administrative Controls.
4.1. Personnel Security. Snowflake requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law.
4.2. Personnel Training. Snowflake maintains a documented security awareness and training program for its personnel, including, but not limited to, onboarding and on-going training.
4.3. Personnel Agreements. Snowflake personnel are required to sign confidentiality agreements. Snowflake personnel are also required to sign Snowflake’s information security policy, which includes acknowledging responsibility for reporting security incidents involving Customer Data.
4.4. Snowflake Risk Management & Threat Assessment. Snowflake maintains audit and risk assessment procedures for the purposes of periodic review and assessment of risks, monitoring and maintaining compliance with Snowflake policies and procedures, and reporting the condition of information security and compliance to internal senior management.
4.5. Change Management. Snowflake maintains a documented change management program for the Crunchy Bridge Offering.
5. Physical and Environmental Controls. To ensure the Cloud Provider has appropriate physical and environmental controls for its data centers hosting the Cloud Environment, Snowflake regularly reviews those controls as audited under the Cloud Provider’s third-party audits and certifications. Each Cloud Provider shall have a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks. Such controls shall include, but are not limited to, the following:
(a) Physical access to the facilities is controlled at building ingress points;
(b) Visitors are required to present ID and are signed in;
(c) Physical access to servers is managed by access control devices;
(d) Physical access privileges are reviewed regularly;
(e) Facilities utilize monitor and alarm response procedures;
(f) Use of CCTV;
(g) Fire detection and protection systems;
(h) Power back-up and redundancy systems; and
(i) Climate control systems.
6. Incident Detection & Response.
6.1. Security Incident Reporting. If Snowflake becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Snowflake shall provide notice to Customer via email, to the email address associated with Customer’s Account, without undue delay.
6.2. Investigation. In the event of a Security Incident as described above, Snowflake shall take reasonable steps to contain, investigate, and mitigate any Security Incident.
6.3. Communication and Cooperation. Customer acknowledges that because Snowflake personnel may not have visibility to the content of Customer Data, it may be unlikely that Snowflake can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of Snowflake with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Snowflake of any fault or liability with respect to the Security Incident.
7. Deletion of Customer Data.
7.1. By Customer. The Crunchy Bridge Offering provides Customer controls for the deletion of Customer Data, as further described in the Documentation.
7.2. By Snowflake. Subject to applicable provisions of the Agreement, upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement, Snowflake shall promptly delete any remaining Customer Data.
8. Shared Security Responsibilities. Without diminishing Snowflake’s commitments in this Security Addendum, Customer agrees:
8.1. Snowflake has no obligation to assess the content, accuracy or legality of Customer Data, including to identify information subject to any specific legal, regulatory or other requirement and Customer is responsible for making appropriate use of the Crunchy Bridge Offering to ensure a level of security appropriate to the particular content of Customer Data;
8.2. Customer is responsible for managing and protecting its User roles and credentials, including but not limited to (i) ensuring that all Users keep credentials confidential and do not share such information with unauthorized parties, (ii) promptly reporting to Snowflake any suspicious activities related to Customer’s Account (e.g., a user credential has been compromised) by submitting a support ticket in accordance with the Documentation, (iii) appropriately configuring User and role-based access controls, including scope and duration of User access, taking into account the nature of its Customer Data, (iv) implementing all customer configurable User access controls for all User interactive logins (e.g. individuals authenticating to the Crunchy Bridge Offering), (v) appropriately configuring all customer configurable network security controls, including with respect to VPC firewalls, private link connections, and VPC peering and, with respect to User access controls, MFA and network access policies; and (vi) maintaining appropriate password uniqueness, length, complexity, and expiration;
8.3. To appropriately manage and protect any Customer-managed encryption keys to ensure the integrity, availability, and confidentiality of the key and Customer Data encrypted with such key; and
8.4. To promptly update its Client Software whenever Snowflake announces an update.