Snowflake is continuously expanding our portfolio of Security & Compliance Reports as our customers request them. The following is the current list of reports available to all Customers and Prospects under NDA. Please contact Snowflake and fill out the form on the right by selecting ‚Security Information‘ as Inquiry type, or reach out to your Account Team for copies of reports as applicable to your organization or to find out if a particular certification will soon be available.

SOC 2 Type II
The SOC2 Type 2 report is an independent auditor’s attestation of the security controls that Snowflake has had in place during the report’s coverage period. This report is provided for customers and prospects to review to ensure No Exceptions to the documented policies and procedures in the policy documentation.

SOC 1 Type II 
The SOC1 Type 2 report, like the SOC2 Type 2 report, is an independent auditor’s attestation of the financial controls that Snowflake has in place during the report’s coverage period.

The Payment Card Industry Data Security Standards is a set of prescriptive requirements to which an organization must adhere in order to be considered compliant. Snowflake’s Attestation of Compliance from our selected Qualified Security Assessor provides an independent auditor’s assessment results after testing Snowflake’s security controls.

The Health Information Trust Alliance Common Security Framework (HITRUST CSF) serves to unify security controls based on aspects of US federal law (such as HIPAA and HITECH), certain state-specific laws and other industry-standard compliance frameworks into a single comprehensive set of baseline security and privacy controls, built specifically for healthcare needs.

ISO/IEC 27001
The International Organization for Standardization provides requirements for establishing, implementing, maintaining, and continually improving an information security management system. Snowflake’s ISO Certificate is available for download by clicking here. The statement of applicability additionally includes control objectives from the ISO 27017:2015 & ISO 27018:2019 framework.

FedRAMP Moderate
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security. Federal Agencies may download Snowflake’s FedRAMP Package from OMB/MAX.

GxP data integrity requirements (e.g.; 21 CFR 11) apply to life sciences organizations that produce regulated medical products including pharmaceuticals, medical devices, and mobile medical applications. Snowflake is GxP compatible, allowing life sciences customers to ensure data integrity and build GxP compliant solutions with the help of a secure, validated cloud data platform.

International Traffic in Arms Regulations (ITAR) state that non-US persons are prohibited from physically or logically accessing the ITAR environment. A Third-Party Assessment Organization (3PAO) performed an audit to confirm that Snowflake’s Microsoft Azure Government (MAG) and AWS GovCloud deployments provide an environment compliant with ITAR.

IRAP (Protected)
The Infosec Registered Assessors Program, or IRAP, is a program governed by the Australian Signals Directorate (ASD) of the Australian Government which endorses suitably-qualified cyber security professionals to provide relevant services which aim to secure broader industry and Australian Government systems and data. IRAP provides a security framework and an assessment methodology that enables Australian Government agencies and their customers to validate Snowflake’s security control implementations and compliance against those requirements defined within the Australian Government Information Security Manual (ISM) developed by the Australian Signals Directorate (ASD). Snowflake employs IRAP assessors to validate Snowflake Australian systems effectiveness against the Information Security Manual at the Protected level.