Snowflake Integration

Transcend's Snowflake integration enables comprehensive data privacy automation across your Snowflake data warehouse through Structured Discovery, DSR Automation, and Preference Management.

Connect your Snowflake data warehouse to Transcend to:

  • Discover and classify personal data automatically across your schemas
  • Automate Data Subject Requests (DSRs) by executing SQL queries to fulfill access, erasure, and other privacy requests
  • Sync user preferences to ensure consent choices are consistently honored across your data warehouse

This integration uses the ODBC framework and supports both OAuth and Programmatic Access Token (PAT) authentication methods.

Note: Snowflake deprecated username & password authentication in November 2025. Use OAuth or PAT authentication instead.

Before connecting, ensure you have:

  • Snowflake Account Access: Administrative access to create users and security integrations
  • User Permissions: A user with access to a default warehouse and relevant databases/schemas
  • Network Access: Transcend's IPs whitelisted in your Snowflake account (if using network policies)

Your Snowflake user needs:

  • A default_warehouse assigned with sufficient compute resources
  • A role with permission to access that warehouse
  • For Structured Discovery: USAGE on databases/schemas and SELECT on tables
  • For DSR Automation: Additional DELETE or UPDATE permissions for privacy requests

Important: Snowflake deprecated username & password authentication in November 2025. Use OAuth or Programmatic Access Tokens (PAT) for all new and existing Transcend Snowflake integrations.

  1. In the Transcend Admin Dashboard, go to Infrastructure > Integrations.
  2. Click + Add Integration to open the integration catalog.
  3. Search for Snowflake and click the Snowflake tile.
  4. Click + Add to create a new Snowflake integration.
  5. Provide a descriptive title and assign an owner.
  6. Click Continue to Connection Details.

In the integration, click Connect → Connection Details and select your authentication method:

  • PAT (Programmatic Access Token) – Recommended for automated services.
  • OAuth – Recommended for interactive use.

PATs are ideal for service-style, non-interactive connections.

Note: PATs expire (default 15 days, maximum 365 days). You'll need to refresh them periodically.

Run in Snowflake:

CREATE OR REPLACE USER TRANSCEND_USER 
  DEFAULT_ROLE = BASIC 
  DEFAULT_WAREHOUSE = COMPUTE_WH;

GRANT ROLE BASIC TO USER TRANSCEND_USER;
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO USER TRANSCEND_USER;
ALTER USER TRANSCEND_USER SET TYPE = 'SERVICE';

Ensure the assigned role has USAGE and SELECT (and, if needed, UPDATE/DELETE) on the relevant databases and schemas.

Whitelist Transcend's IPs using a Snowflake network policy:

CREATE OR REPLACE NETWORK POLICY TRANSCEND_ACCESS_POLICY 
  ALLOWED_IP_LIST=(
    '34.252.15.52/32', '99.81.28.239/32', '52.215.231.215/32', 
    '63.34.48.255/32', '34.249.254.13/32', '54.75.178.77/32'
  );

ALTER USER TRANSCEND_USER SET NETWORK_POLICY = TRANSCEND_ACCESS_POLICY;

For self-hosted Sombra, include your Sombra cluster's IP addresses instead of, or in addition to, the above.

Also ensure:

  1. Transcend's backend IPs are whitelisted (see the Sombra networking docs for your region and deployment model).
  2. Sombra IPs are whitelisted, whether you use multi-tenant Transcend-hosted Sombra or self-hosted Sombra.

Generate the PAT:

  1. Confirm no authentication policy blocks PAT generation (see Snowflake's authentication policy requirements).
  2. In Snowflake, go to Admin > Users & Roles > Programmatic Access Tokens.
  3. Click Generate New Token for TRANSCEND_USER (or your chosen service user).
  4. Copy and store the token securely; you will not be able to view it again.

In the Snowflake integration connection form, fill in:

  • Account Identifier – As shown in Snowflake (see Snowflake docs for how to find it).
  • Username – Your service user, e.g. TRANSCEND_USER.
  • Programmatic Access Token – The PAT you generated.
  • Warehouse – The warehouse name, e.g. COMPUTE_WH.

Click Connect to establish the connection.
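
An added example (not from Transcend's or Snowflake's documentation) for checking the PAT setup above: it confirms the network policy is attached, lists tokens nearing expiry, and looks for login attempts from outside the allowlist. The 7-day windows are arbitrary, and the SHOW output column names used in the second query are assumed to match your account's output.

```sql
-- Added example. TRANSCEND_USER and the IP list come from the page above;
-- the 7-day windows are arbitrary choices for illustration.

-- 1. Confirm the network policy is actually attached to the service user.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' FOR USER TRANSCEND_USER;

-- 2. List the user's tokens, then surface those expiring within 7 days.
--    Column names ("name", "status", "expires_at") are assumed from the SHOW output.
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER TRANSCEND_USER;

SELECT "name", "status", "expires_at"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "expires_at" < DATEADD(day, 7, CURRENT_TIMESTAMP());

-- 3. Login attempts for the service user from addresses outside the allowlist,
--    whether they succeeded or were rejected. For self-hosted Sombra, replace
--    the list with your Sombra cluster's IP addresses.
SELECT client_ip,
       first_authentication_factor,
       is_success,
       error_message,
       COUNT(*)             AS attempts,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name = 'TRANSCEND_USER'
  AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND client_ip NOT IN ('34.252.15.52', '99.81.28.239', '52.215.231.215',
                        '63.34.48.255', '34.249.254.13', '54.75.178.77')
GROUP BY client_ip, first_authentication_factor, is_success, error_message
ORDER BY last_seen DESC;
```

Rows from the third query mean the service user's credentials were presented from an address the network policy does not list, which is worth investigating even when the attempt failed. ACCOUNT_USAGE views are populated with a delay, so very recent logins may not appear yet.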

OAuth is best for interactive, user-based access and supports refresh tokens.

Note: OAuth requires periodic re-authentication. Refresh tokens expire based on your configuration (default 90 days).

You will need two Snowflake users:

  • An admin user with the ACCOUNTADMIN role to create the security integration.
  • A non-admin user with database access, but without ACCOUNTADMIN, SECURITYADMIN, GLOBALORGADMIN, or ORGADMIN roles.

1. Create the security integration. Run as an ACCOUNTADMIN user:

CREATE OR REPLACE SECURITY INTEGRATION "TRANSCEND_OAUTH"
  ENABLED = TRUE
  TYPE = OAUTH
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://api.transcend.io/integration/snowflake/cb'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;

For the US region, set OAUTH_REDIRECT_URI to https://api.us.transcend.io/integration/snowflake/cb instead.

2. Retrieve client credentials:

WITH INTEGRATION_SECRETS AS (
  SELECT parse_json(system$show_oauth_client_secrets('TRANSCEND_OAUTH')) AS SECRETS
)
SELECT 
  SECRETS:"OAUTH_CLIENT_ID"::STRING AS CLIENT_ID,
  SECRETS:"OAUTH_CLIENT_SECRET"::STRING AS CLIENT_SECRET
FROM INTEGRATION_SECRETS;

3. Set up a non-admin user:

Ensure this user has:

  • Access to relevant databases/schemas
  • A default warehouse assigned
  • Required permissions (see Prerequisites)
  • No admin roles that block OAuth

Grant permissions for Structured Discovery:

GRANT USAGE ON DATABASE <database_name> TO ROLE <role_name>;
GRANT USAGE ON SCHEMA <schema_name> TO ROLE <role_name>;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema_name> TO ROLE <role_name>;
GRANT SELECT ON FUTURE TABLES IN SCHEMA <schema_name> TO ROLE <role_name>;

4. Create and assign a network policy:

Follow Snowflake's network policy requirements to whitelist these IPs:

CREATE OR REPLACE NETWORK POLICY TRANSCEND_ACCESS_POLICY 
  ALLOWED_IP_LIST=(
    '34.252.15.52/32', '99.81.28.239/32', '52.215.231.215/32', 
    '63.34.48.255/32', '34.249.254.13/32', '54.75.178.77/32'
  );

ALTER USER TRANSCEND_USER SET NETWORK_POLICY = TRANSCEND_ACCESS_POLICY;

For self-hosted Sombra, include your Sombra cluster's IP addresses instead.

Also ensure:

  1. Transcend's backend IPs are whitelisted. Refer to this document (https://docs.transcend.io/docs/articles/sombra/deploying/customizing-sombra/networking#configure-a-load-balancer).
  2. Sombra IPs are whitelisted, whether you use multi-tenant Transcend-hosted Sombra (see here (https://docs.transcend.io/docs/articles/sombra/deploying/customizing-sombra/networking#using-transcend-hosted-sombra)) or self-hosted Sombra.

  1. Fill out the connection form:
    • Account Identifier: Find yours here (https://docs.snowflake.com/en/user-guide/admin-account-identifier#label-account-name)
    • Client ID: From the security integration
    • Client Secret: From the security integration
    • Warehouse: Your warehouse name (e.g., COMPUTE_WH)
  2. Click Connect with OAuth
  3. Log in using your non-admin user (from step 3 above)

Troubleshooting OAuth errors:

  • "Invalid consent request": Check that the user has a proper role assignment and does not hold any of the blocked admin roles.
  • "Unexpected error": Verify that the IP addresses are whitelisted in your network policy.

After connecting your Snowflake integration:

Navigate to the Structured Discovery tab to automatically scan and classify personal data:

  1. Choose a Scan Type:
    • Discovery Scan: Extract schemas for DSR/Preference Management
    • Discovery + Classification Scan: Identify and categorize sensitive data
    • Classification Scan: Re-classify data with stable schemas
  2. Enable Recurring Scans and set frequency
  3. Click Save to start scanning

Learn more about Structured Discovery → (https://docs.transcend.io/docs/articles/structured-discovery)

Set up automatic fulfillment of Data Subject Requests:

  1. Go to Manage Datapoints to review discovered tables
  2. Assign data categories to columns
  3. Configure SQL queries for Access, Erasure, and other request types
  4. Test with a sample request
  5. Enable DSR Automation Live Mode

Learn more about DSR Automation → (https://docs.transcend.io/docs/articles/dsr-automation)
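
The permissions listed earlier separate read access for Structured Discovery from the DELETE or UPDATE rights that DSR Automation needs. The following is an added example, not part of Transcend's documentation, that scopes those write rights to named tables and then audits the role; the angle-bracket placeholders and table names are hypothetical.

```sql
-- Added example: every name in <angle brackets> is a placeholder; substitute
-- the objects your DSR queries actually touch.

-- Read access for discovery and access requests.
GRANT USAGE  ON DATABASE <database_name> TO ROLE <role_name>;
GRANT USAGE  ON SCHEMA   <database_name>.<schema_name> TO ROLE <role_name>;
GRANT SELECT ON ALL TABLES IN SCHEMA <database_name>.<schema_name> TO ROLE <role_name>;

-- Write access only on the tables that erasure or rectification queries modify.
-- No schema-wide or FUTURE write grants, so new tables are not writable by default.
GRANT DELETE ON TABLE <database_name>.<schema_name>.<users_table>  TO ROLE <role_name>;
GRANT UPDATE ON TABLE <database_name>.<schema_name>.<orders_table> TO ROLE <role_name>;

-- Audit: list what the role holds, then flag anything beyond the intended set.
SHOW GRANTS TO ROLE <role_name>;

-- Any row returned is a privilege to review: either a privilege type the
-- integration does not need, or a write privilege on an unexpected object.
SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" NOT IN ('USAGE', 'SELECT', 'DELETE', 'UPDATE')
   OR ("privilege" IN ('DELETE', 'UPDATE')
       AND "name" NOT IN ('<DATABASE_NAME>.<SCHEMA_NAME>.<USERS_TABLE>',
                          '<DATABASE_NAME>.<SCHEMA_NAME>.<ORDERS_TABLE>'));
```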

Sync user consent preferences into Snowflake tables to ensure preferences are honored across your data warehouse.

Learn more about Preference Management → (https://docs.transcend.io/docs/articles/preference-management)

  • Database Integration Guide (https://docs.transcend.io/docs/articles/integrations/custom/database-integration) - General database integration concepts
  • Structured Discovery (https://docs.transcend.io/docs/articles/structured-discovery) - Data discovery and classification
  • DSR Automation Setup (https://docs.transcend.io/docs/articles/dsr-automation) - Configure privacy request workflows
  • Sombra Security (https://docs.transcend.io/docs/articles/sombra) - End-to-end encryption architecture

Need help? Contact your Transcend representative or email support@transcend.io