Snowflake’s Security & Compliance Reports

Snowflake is continuously expanding our portfolio of Security & Compliance Reports as our customers request them. The following is the current list of reports available to all Customers and Prospects under NDA. Please contact Snowflake and fill out the form on the right by selecting ‘Security Information’ as Inquiry type, or reach out to your Account Team for copies of reports as applicable to your organization or to find out if a particular certification will soon be available.

SOC 2 Type II
The SOC2 Type 2 report is an independent auditor’s attestation of the security controls that Snowflake has had in place during the report’s coverage period. This report is provided for customers and prospects to review to ensure No Exceptions to the documented policies and procedures in the policy documentation.

SOC 1 Type II 
The SOC1 Type 2 report, like the SOC2 Type 2 report, is an independent auditor’s attestation of the financial controls that Snowflake has in place during the report’s coverage period.

PCI-DSS
The Payment Card Industry Data Security Standards is a set of prescriptive requirements to which an organization must adhere in order to be considered compliant. Snowflake’s Attestation of Compliance from our selected Qualified Security Assessor provides an independent auditor’s assessment results after testing Snowflake’s security controls.

HITRUST:
The Health Information Trust Alliance Common Security Framework (HITRUST CSF) serves to unify security controls based on aspects of US federal law (such as HIPAA and HITECH), certain state-specific laws and other industry-standard compliance frameworks into a single comprehensive set of baseline security and privacy controls, built specifically for healthcare needs. 

Snowflake participates in the HITRUST Shared Responsibility and Inheritance Program. With the Shared Responsibility Matrix (SRM), customers can now inherit Snowflake’s HITRUST CSF certification provided that customers apply the controls detailed in the HITRUST Alliance website. Customers should download the Snowflake Custom HITRUST Shared Responsibility Matrix to determine HITRUST controls that they can inherit as part of the shared responsibility model. Customers should refer to the HITRUST webpage for guidance on how to initiate an inheritance request.

CSA Star Level 1
Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.” Snowflake  participates in the voluntary CSA Security, Trust & Assurance Registry (STAR) Self-Assessment to document our compliance with CSA-published best practices. The completed CSA Consensus Assessments Initiative Questionnaire (CAIQ) is found on the Cloud Security Alliance website.

ISO/IEC 27001,  ISO 27017:2015 & ISO 27018:2019
The International Organization for Standardization provides requirements for establishing, implementing, maintaining, and continually improving an information security management system. Snowflake’s ISO Certificate is available for download by clicking here. The statement of applicability additionally includes control objectives from the ISO 27017:2015 & ISO 27018:2019 framework.

FedRAMP Moderate
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security. Federal Agencies may download Snowflake’s FedRAMP Package from OMB/MAX.

Department of Defense (DoD) Impact Level 4 (IL4)
The U.S. military creates, stores, and operationalizes massive amounts of sensitive data. Protecting that data is a strategic priority and is the focus of the Department of Defense Impact Levels framework. This framework is used to categorize information systems and data and to indicate the security requirements that data is subject to. Snowflake has received Provisional Authorization (PA) by the Defense Information Systems Agency (DISA) at U.S. Department of Defense (DoD) to operate at Impact Level 4 (IL4) on AWS GovCloud.

StateRAMP
As a 501(c)6 nonprofit, StateRAMP’s mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve.

StateRAMP’s governance committees adopt policies and procedures that standardize security requirements for providers. StateRAMP’s Program Management Office then verifies those cloud offerings utilized by the government that satisfy adopted security requirements through independent audits and continuous monitoring. Products that are working towards or have achieved StateRAMP Authorizations are included on the Authorized Product List.

State and local governments, public education institutions, and special districts are invited to become members of StateRAMP. Government membership provides access to shared services for managing supplier risk. Providers are also eligible for membership. Provider membership benefits include: a public profile on the Authorized Product List, transferrable credentials, committee eligibility, access to the complete membership directory, an opportunity to provide feedback on policies, and documentation, and member education.

Snowflake maintains 3 deployments that are currently under review by the StateRAMP PMO for authorization:

• Snowflake Data Cloud on Azure Government – Pending StateRAMP ATO
• Snowflake The Data Cloud on AWS – Pending StateRAMP ATO
• Snowflake The Data Cloud on AWS GovCloud – In-Process for StateRAMP ATO

TxRAMP

In the 87th Legislative Session, the Texas Legislature passed Senate Bill 475, requiring the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.”  To comply, DIR established a framework for collecting information about cloud services security posture and assessing responses for compliance with required controls and documentation. Texas Government Code 2054.0593 mandates that state agencies as defined by Texas Government Code 2054.003(13) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements beginning January 1, 2022.

Snowflake maintains 4 deployments that are TxRAMP Authorized:

• Snowflake The Data Cloud on Azure Commercial – Provisional 18 month ATO
• Snowflake The Data Cloud on AWS GovCloud – Reciprocity ATO
• Snowflake The Data Cloud on AWS US East/West – Reciprocity ATO
• Snowflake The Data Cloud on Azure Government – Reciprocity ATO

Texas Risk and Authorization Management Program (TX-RAMP) maintains an up-to-date inventory of cloud solutions and the authorization status of those solutions at the following location: https://dir.texas.gov/sites/default/files/2022-11/TX-RAMP%20Certified%20Products.11.18.22.xlsx.

GxP
GxP data integrity requirements (e.g.; 21 CFR 11) apply to life sciences organizations that produce regulated medical products including pharmaceuticals, medical devices, and mobile medical applications. Snowflake is GxP compatible, allowing life sciences customers to ensure data integrity and build GxP compliant solutions with the help of a secure, validated cloud data platform.

ITAR
International Traffic in Arms Regulations (ITAR) state that non-US persons are prohibited from physically or logically accessing the ITAR environment. A Third-Party Assessment Organization (3PAO) performed an audit to confirm that Snowflake’s Microsoft Azure Government (MAG) and AWS GovCloud deployments provide an environment compliant with ITAR.

IRAP (Protected)
The Infosec Registered Assessors Program, or IRAP, is a program governed by the Australian Signals Directorate (ASD) of the Australian Government which endorses suitably-qualified cyber security professionals to provide relevant services which aim to secure broader industry and Australian Government systems and data. IRAP provides a security framework and an assessment methodology that enables Australian Government agencies and their customers to validate Snowflake’s security control implementations and compliance against those requirements defined within the Australian Government Information Security Manual (ISM) developed by the Australian Signals Directorate (ASD). Snowflake employs IRAP assessors to validate Snowflake Australian systems effectiveness against the Information Security Manual at the Protected level.

CJIS
Snowflake’s SnowGov Regions are ready and able to support customer compliance with the FBI’s Criminal Justice Information Services (CJIS) Security Policy.  The CJIS Security Policy provides federal and state agencies with a unified set of standards for the protection and safeguarding of Criminal Justice Information (CJI) in the cloud.  Snowflake recognizes the importance of protecting CJI and works collaboratively with customers to satisfy CJIS requirements.  Customers interested in learning more about how they can use Snowflake in connection with CJI can learn more here: Criminal Justice Information at Snowflake 

IRS Publication 1075
Internal Revenue Service (IRS) Publication 1075 (IRS 1075) outlines the policies, practices, controls and safeguards to be employed by federal, state, and local agencies and contractors handling Federal Tax Information (FTI). Snowflake supports customer compliance with IRS 1075 in our FedRAMP-authorized SnowGov Regions. While there is no official certification for IRS 1075, Snowflake follows IRS Publication 1075 standards and works closely with our customers to meet the IRS’s stringent regulatory requirements for the protection and safeguarding of FTI.  For more information, please visit the IRS Safeguards Program webpage on Cloud Computing.