ZettaQuant Architecture & Security FAQ
This document provides responses to common security, compliance, and architecture questions for the ZettaQuant Native App running on Snowflake.
Architecture Diagram
Confidentiality
Does the application store or handle sensitive information?
Answer: The data never leaves the Snowflake account of the user. All the data is processed within user's secure Snowflake environment.
Is sensitive data encrypted in transit and at rest?
Answer: Data is not encrypted by the application itself, because our app ensures zero data movement. Snowflake inherently handles encryption in transit and at rest depending on the policy of your organization.
Are access controls in place to prevent unauthorized access?
Answer: Yes. By default, the app does not get access to any data, warehouse, or compute pool unless explicitly granted by the user.
Integrity
Are input validation mechanisms implemented to prevent data tampering?
Answer: Yes. Input is validated within Snowpark containers and Snowflake SQL runtime, ensuring controlled execution paths.
Are logging and auditing systems in place to detect unauthorized modifications?
Answer: Yes. Snowflake telemetry captures activity in the Observability table, allowing detection of anomalies or unauthorized changes.
Availability
Are disaster recovery and business continuity plans documented?
Answer: Yes. These are provided by Snowflake and its underlying cloud provider.
Are monitoring and alerting systems in place for downtime?
Answer: Yes. Snowflake and the underlying cloud provider provide this.
Authentication & Authorization
Are secure authentication mechanisms used (e.g., MFA)?
Answer: Yes. Snowflake enforces MFA for all user accounts.
Is role-based access control enforced?
Answer: Yes. Role-based authentication and authorization are enforced at the Snowflake level.
Encryption
Is encryption used for data in transit and at rest?
Answer: Snowflake provides encryption. Our application ensures zero data movement, so we do not manage encryption directly.
How are encryption keys managed?
Answer: Keys are managed by Snowflake. Our app requires no separate key management since data never leaves Snowflake.
Backup and Recovery
Are regular backups performed?
Answer: Yes. Backups are managed by Snowflake according to customer account policies.
Is there a documented recovery process?
Answer: Yes. Recovery is supported and documented by Snowflake.
Vulnerability Management
Are regular vulnerability assessments conducted?
Answer: Yes. Snowflake performs continuous assessments. Additionally, ZettaQuant scans Docker images using Trivy and performs pip-audit on containers.
Is there a patch management program?
Answer: Snowflake maintains its own patch cycles. For app dependencies, ZettaQuant updates Python packages and images as new stable versions are released.
Compliance & Documentation
Does the application comply with standards such as SOC 2, ISO 27001, PCI DSS, or HIPAA?
Answer: Snowflake is SOC 2, ISO 27001, PCI DSS, and HIPAA compliant. The ZettaQuant app inherits these guarantees, but we haven't obtained official certificate yet.
Is documentation available (e.g., architecture diagrams)?
Answer: Yes. Documentation and diagrams are available at docs.zettaquant.ai.
Third-Party Dependencies
What external libraries or services are used?
Answer: Open-source Python packages (e.g., transformers, pdfplumber) from the Snowflake Anaconda channel. We do NOT use any package available outside Snowflake Anaconda channel.
Are all dependencies approved for use within Snowflake?
Answer: Yes. All packages are Snowflake-approved via their Anaconda channel.
Data Residency & Processing Boundaries
Does any data leave the Snowflake environment during processing?
Answer: No. All processing occurs entirely within the user’s Snowflake account.
Are all components executed within Snowpark containers?
Answer: Yes. All jobs run inside Snowpark Container Services (SPCS).
Snowflake-Specific Deployment
Is ZettaQuant listed on the Snowflake Marketplace?
Answer: Yes.
Does it run entirely within Snowflake’s secure boundary?
Answer: Yes.
Are any external APIs or services invoked?
Answer: No.
AI Model Transparency & Governance
Data Security
Does the AI process sensitive data?
Answer: Only data explicitly granted access by the user to the app. No data is stored or retained.
Is all processing done within Snowflake’s secure environment?
Answer: Yes.
Model Transparency & Risk Controls
Are AI outputs explainable or traceable?
Answer: Partial explainability is provided via metadata tables and output logs.
Are safeguards in place to prevent overreliance on AI?
Answer: Yes. Users provide inputs at every stage of model training and inference.
Access Control & Output Protection
Are access controls enforced for AI-generated results?
Answer: Yes. Only authorized Snowflake roles can access results.
Can outputs be audited or traced to users?
Answer: Yes. Snowflake telemetry ensures full traceability.
Model Lifecycle & Vulnerability Management
How often are models updated?
Answer: Models are updated on-demand when initiated by the user. Training always occurs inside their Snowflake account.
Are updates tested for security risks?
Answer: Yes. Updates are scanned for vulnerabilities before release.
Logging & Monitoring
Are AI activities logged?
Answer: Yes. They are stored in user's Snowflake telemetry.
Are there alerts for anomalous behavior?
Answer: Snowflake provides anomaly detection and alerting.
Operational & Security Details
- Public Endpoints: None
- External Integrations: None
- Networking: No use of
0.0.0.0or external egress rules - CVE Scans: Performed with Trivy by Aqua Security
- Malware Scans: Conducted via ClamAV; 0 infections detected
- Runtime User: Non-root with minimum privileges
Contact Information
- ZettaQuant Security Contact: support@zettaquant.ai