Snowflake Architecture

Espresso's architecture is designed to maximize availability and to protect the security of your data.

Our system is trained on metadata and we only use metadata in production. All metadata is encrypted in transit and at rest.

Your data passes through our Snowflake proxy for proxy-enabled features (the Scheduling Agent and the Query Agent). Data is encrypted in transit and is never accessed, logged, or stored by our system.

Enterprise customers can self-host the proxy to prevent data from being transmitted outside of their VPC.

Network Connectivity

We support TLS encryption, PrivateLink on AWS and Azure, and Private Service Connect on GCP. (This applies to any connection in blue on our architecture diagram.)

If you use a Snowflake allowlist, please allow the following IPs:


Warehouse Agent

Espresso's warehouse agent connects directly to your Snowflake account using a Snowflake service user.
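Added example, not Espresso's own setup script: Snowflake SQL a customer admin could use to provision the service user described above with key-pair authentication, a user-level network policy restricted to the vendor's published allowlist IPs, and a least-privilege role, plus a check that the policy is attached. All object names, the dedicated warehouse, and the ACCOUNT_USAGE grant are assumptions; the IP placeholders must be replaced with the allowlist values.

```sql
-- Object names (ESPRESSO_*) are placeholders chosen for this example.
USE ROLE SECURITYADMIN;

CREATE ROLE IF NOT EXISTS ESPRESSO_AGENT_ROLE;

-- Network policy: only the vendor's published egress IPs may log in as this user.
-- <VENDOR_IP_1>/32 ... are placeholders for the allowlist entries.
CREATE NETWORK POLICY IF NOT EXISTS ESPRESSO_AGENT_POLICY
  ALLOWED_IP_LIST = ('<VENDOR_IP_1>/32', '<VENDOR_IP_2>/32')
  COMMENT = 'Vendor egress IPs; review whenever the allowlist changes';

-- Service user: TYPE = SERVICE removes interactive password login,
-- so the only credential is the registered RSA public key.
CREATE USER IF NOT EXISTS ESPRESSO_SVC
  TYPE = SERVICE
  RSA_PUBLIC_KEY = '<PEM body of the agent public key, no header/footer>'
  DEFAULT_ROLE = ESPRESSO_AGENT_ROLE
  DEFAULT_WAREHOUSE = ESPRESSO_WH
  COMMENT = 'Espresso warehouse agent service user';

GRANT ROLE ESPRESSO_AGENT_ROLE TO USER ESPRESSO_SVC;

-- Bind the policy at user level so only this identity is constrained,
-- not every login to the account.
ALTER USER ESPRESSO_SVC SET NETWORK_POLICY = ESPRESSO_AGENT_POLICY;

-- Least privilege: a dedicated, auto-suspending warehouse and read access to
-- account metadata (ACCOUNT_USAGE). Adjust to what the agent actually needs.
USE ROLE SYSADMIN;
CREATE WAREHOUSE IF NOT EXISTS ESPRESSO_WH
  WITH WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE;
GRANT USAGE ON WAREHOUSE ESPRESSO_WH TO ROLE ESPRESSO_AGENT_ROLE;

USE ROLE ACCOUNTADMIN;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE ESPRESSO_AGENT_ROLE;

-- Verification: confirm the policy is attached, then audit the service
-- user's recent logins (a failure with an unexpected CLIENT_IP is the signal
-- that something other than the vendor is presenting this identity).
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER ESPRESSO_SVC;

SELECT event_timestamp, client_ip, is_success, error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name = 'ESPRESSO_SVC'
ORDER BY event_timestamp DESC
LIMIT 20;
```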

Snowflake Proxy: Standard Deployment

Our Scheduling Agent and Query Agent run over a proxy. In our standard deployment, users connect directly to the proxy, which forwards requests to Snowflake and returns results to the user.

Customer data passes in transit through the proxy but is never inspected or stored.

Snowflake Proxy: Self-Hosted Proxy

Customers who do not want their data to leave their environment, even in transit, can self-host the proxy.

Snowflake Proxy: Self-Hosted Deployment

Enterprise customers can self-host Espresso's entire architecture.