Vendor security program

Security program for EntryLayer and Formless Logic

Formless Logic maintains a vendor security program for EntryLayer that covers secure development, vulnerability management, release review, access control, incident response, vendor management, and Snowflake Marketplace security evidence.

Program controls

Security controls scaled to the current product scope.

The program is designed around EntryLayer's current operating model as a Snowflake Native App provider. It emphasizes reviewed changes, evidence capture, least-privilege access, dependency and package review, and protection of the zero-access product boundary.

Secure development lifecycle

Product changes are developed through branch-based work, code review, CI checks, automated tests, build validation, and focused security review for changes that affect auth, telemetry, package behavior, or customer data boundaries.

Dependency and vulnerability management

Dependency audit, static analysis, container scan evidence, and package-review evidence are maintained as part of Marketplace readiness and release review.

Container image malware scanning

Submission candidate API and web container images are built from reviewed Dockerfiles, scanned for malware before Marketplace submission, and retained with private scan logs for reviewer evidence.

Access control

Access to the repository, package, provider account, deployments, support tooling, and review evidence is granted on a least-privilege basis and limited to the people who need it for product, support, or Marketplace operations.

Change and release management

Release candidates are tracked by git SHA, CI run, package version, patch, deploy evidence, and Marketplace package review state where applicable.

Incident response

Security and support incidents follow published intake, severity, acknowledgment, communication, containment, and post-incident review practices.

Data boundary review

Security review focuses on maintaining the Snowflake Native App zero-access posture: no provider-hosted customer source-data store and no provider-owned external API egress for normal product behavior.

Review evidence

Security evidence is collected alongside release and Marketplace review work.

Evidence is maintained as internal review material and shared with Snowflake or customers when appropriate for security review, support, or Marketplace approval.

Code and release evidence

Pull requests, CI runs, test results, package version, patch, deploy run, and release directive outputs.

Application package evidence

Manifest, setup SQL, service spec, container image references, source-map review location, and Snowflake package validation results.

Vulnerability and malware evidence

Web/API dependency audit, static analysis, container vulnerability scan output, container malware scan output, and remediation tracking for actionable findings.

Runtime evidence

SPCS service status, endpoint review, application package review status, and customer-account runtime boundary documentation.

Support evidence

Incident response process, support contact, Marketplace case references, and customer notification record when applicable.

Vendor management

Third-party services are reviewed according to their role.

EntryLayer relies on a small set of operational providers. The product trust boundary is anchored in Snowflake, while support and development tooling are managed according to the access and data they handle.

Provider: Snowflake
Role: Native App runtime, Marketplace listing, package review, billing event plane, and customer-account data platform.
Review posture: Core platform dependency reviewed through Snowflake Marketplace and Native App program requirements.

Provider: GitHub
Role: Source repository, pull requests, CI/CD, dependency review, and release evidence.
Review posture: Access is limited to development and release needs; CI results are part of release evidence.

Provider: Stripe
Role: Marketplace paid-listing payout setup where required by the Snowflake paid listing path.
Review posture: Used for payout operations, not for storing customer source data.

Provider: Email and domain providers
Role: Support, security review communication, customer contact, and domain operations.
Review posture: Used for communication and operational administration, not as a product data plane.

Security operations

Program areas linked to reviewer evidence.

  • Security-impacting code changes receive focused review before release.
  • Dependency and container findings are evaluated, tracked, and remediated according to severity and release risk.
  • API and web submission candidate images are malware scanned before Marketplace submission.
  • Release candidates are tied to concrete package, CI, deploy, and validation outputs.
  • Support and security reports follow the published incident response process.

Current limitations

Certification claims are separate from this program overview.

  • EntryLayer does not claim SOC 2, ISO 27001, HITRUST, FedRAMP, or similar certification unless a current certificate is separately provided.
  • This program page describes operational security practices and review evidence for the current EntryLayer product and Marketplace submission scope.
  • Customer source data remains governed by the customer Snowflake account and is not part of a provider-hosted customer-data store for normal product use.

Data boundary

Vendor security is evaluated with the Native App boundary in mind.

Normal product use does not require Formless Logic to operate a provider-hosted customer source-data store. The security program therefore focuses on the reviewed package, code, dependencies, release evidence, support systems, and the limited metadata paths described in the architecture documentation.
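The boundary described in the Data boundary review and Data boundary sections can be checked mechanically before each Marketplace submission. The script below is an added example written for this page, not EntryLayer's or Formless Logic's own tooling. It assumes manifest.yml and the SPCS service spec have already been parsed into Python dicts (for instance with PyYAML), and the two sample documents embedded in it are constructed for illustration. The keys it inspects (manifest `references` entries with an `object_type`, `configuration.telemetry_event_definitions`, and `containers[].image` / `endpoints[].public` in the service spec) follow the Snowflake Native App manifest and service-spec layouts; the split between blocking findings and review items is this example's own policy, not something the page states.

```python
"""Zero-access boundary check for a Snowflake Native App package.

Added example, not EntryLayer's or Formless Logic's tooling. Assumes the
manifest and service specs are already parsed dicts; the SAMPLE_* documents
below are constructed. Blocking/review classification is this example's
assumption about what a package reviewer wants flagged.
"""
from __future__ import annotations

from typing import Any

# Reference object types that give the app a network path out of the consumer account.
EGRESS_OBJECT_TYPES = {"EXTERNAL ACCESS INTEGRATION", "API INTEGRATION"}


def _references(manifest: dict[str, Any]) -> list[tuple[str, dict[str, Any]]]:
    """manifest['references'] is a list of single-key mappings; flatten to (name, spec)."""
    flat: list[tuple[str, dict[str, Any]]] = []
    for item in manifest.get("references") or []:
        for name, spec in item.items():
            flat.append((name, spec or {}))
    return flat


def check_boundary(manifest: dict[str, Any],
                   service_specs: dict[str, dict[str, Any]]) -> dict[str, list[str]]:
    """Return {'blocking': [...], 'review': [...]} for one package.

    blocking: contradicts the zero-access posture (egress integrations, container
              images not served from a Snowflake image repository path).
    review:   expected metadata paths that must match the architecture docs
              (telemetry event sharing, public ingress endpoints).
    """
    blocking: list[str] = []
    review: list[str] = []

    for name, spec in _references(manifest):
        obj_type = str(spec.get("object_type", "")).upper()
        if obj_type in EGRESS_OBJECT_TYPES:
            blocking.append(f"reference '{name}' requests {obj_type}: external egress path")

    events = (manifest.get("configuration") or {}).get("telemetry_event_definitions") or []
    for ev in events:
        review.append(f"telemetry event {ev.get('type')} shared {ev.get('sharing')}: "
                      "confirm it is a documented metadata path")

    for svc_name, svc in service_specs.items():
        body = svc.get("spec") or {}
        for c in body.get("containers") or []:
            image = str(c.get("image", ""))
            # Native App images are referenced by repository path (/db/schema/repo/image:tag);
            # any other form means the service would pull from outside the package.
            if not image.startswith("/"):
                blocking.append(f"service '{svc_name}' container '{c.get('name')}' "
                                f"image '{image}' is not a repository path")
        for ep in body.get("endpoints") or []:
            if ep.get("public"):
                review.append(f"service '{svc_name}' endpoint '{ep.get('name')}' is public "
                              "ingress: confirm it is the reviewed UI/API endpoint only")

    return {"blocking": blocking, "review": review}


# Constructed sample package shaped like a minimal zero-access Native App.
SAMPLE_MANIFEST: dict[str, Any] = {
    "manifest_version": 1,
    "artifacts": {"setup_script": "setup.sql"},
    "configuration": {
        "log_level": "INFO",
        "telemetry_event_definitions": [
            {"type": "ERRORS_AND_WARNINGS", "sharing": "MANDATORY"},
        ],
    },
    "references": [
        {"consumer_warehouse": {"object_type": "WAREHOUSE", "privileges": ["USAGE"]}},
    ],
}

SAMPLE_SERVICES: dict[str, dict[str, Any]] = {
    "api": {
        "spec": {
            "containers": [{"name": "api", "image": "/app_db/app_schema/app_repo/api:1.0.0"}],
            "endpoints": [{"name": "http", "port": 8080, "public": True}],
        }
    }
}


def sample_is_zero_access() -> bool:
    """True when the constructed sample produces no blocking findings."""
    return not check_boundary(SAMPLE_MANIFEST, SAMPLE_SERVICES)["blocking"]


if __name__ == "__main__":
    for kind, items in check_boundary(SAMPLE_MANIFEST, SAMPLE_SERVICES).items():
        for line in items:
            print(f"[{kind}] {line}")
```

Run it against the parsed submission candidate and fail the release job on any blocking item; the review items are the "limited metadata paths" that should already appear in the architecture documentation, so they are printed for the reviewer rather than treated as failures.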

Questionnaire answer

Published vendor security program URL

For security questionnaires, EntryLayer can answer that Formless Logic maintains a vendor security program for EntryLayer appropriate to its current Snowflake Native App scope.

https://entrylayer.ai/security/vendor-security-program