# CloudLink Overview

> What CloudLink is, how it differs from your data warehouse, supported connection types, and the security model behind it.

CloudLink is Elementum's secure connection mechanism. It's how Elementum reaches data and services that live outside the platform—your data warehouse (such as Snowflake) or an external REST API—so that workflows, apps, and automations can use that data where it already lives.

## CloudLink vs. Snowflake

These are two different things that work together:

| Term          | What it is                                                                      | Who owns it                  |
| ------------- | ------------------------------------------------------------------------------- | ---------------------------- |
| **Snowflake** | Your data warehouse. The system where your business data is stored.             | Your organization            |
| **CloudLink** | The connection Elementum uses to reach Snowflake (or another supported system). | Elementum, configured by you |

A CloudLink does **not** copy or move your data. Your data stays in Snowflake; CloudLink gives Elementum a governed, in-place way to read from and write to it.

<Info>
  CloudLink uses **patented technology** for direct, in-place access to your warehouse data. That approach supports faster implementations and workflows that run against current data in your environment.
</Info>

## What CloudLink provides

* **Secure access** — Direct, encrypted connections with IP whitelisting and role-based access control.
* **In-place data** — Your data stays in its source system. No data is copied or moved into Elementum.
* **Centralized management** — One place in Elementum to configure, monitor, and rotate connections.
* **Scalable architecture** — Supports small teams through enterprise-scale deployments.

## Common use cases

A CloudLink to your warehouse is the foundation for processes that run on data you already own. Examples:

* **Sales** — Opportunity routing, approvals, and pipeline monitoring from CRM or warehouse tables.
* **Customer support** — Priority routing and response tracking from ticket and interaction history.
* **Finance** — Reconciliation, spend monitoring, and reporting from ledger or transaction data.
* **Supply chain** — Inventory, reorder, and supplier metrics from operational and logistics tables.

## Supported connection types

A CloudLink connects to one of two kinds of systems. The setup steps differ for each, so pick the one that matches what you're connecting to.

<CardGroup cols={2}>
  <Card title="Snowflake" icon="snowflake" href="/administration/connect-snowflake-to-elementum">
    Connect Elementum to your Snowflake account using key-pair authentication. Required for Cortex AI features, change-tracking automations, and Snowflake stage workflows.
  </Card>

  <Card title="REST API" icon="plug" href="/administration/connect-rest-api-cloudlink">
    Connect Elementum to an external REST API. Used primarily to power [API-powered dropdowns](/workflows/api-powered-dropdowns) and API Elements.
  </Card>
</CardGroup>

<Note>
  Elementum also supports CloudLinks to [Google BigQuery](/guides/connect-bigquery-to-elementum) and [Databricks](/guides/connect-databricks-to-elementum). The concepts on this page apply to those platforms as well.
</Note>

<Warning>
  **AI services require a data-warehouse CloudLink.** [AI Services](/ai-agents/ai-services) (LLMs, embeddings, Snowflake Cortex, etc.) cannot run on an API CloudLink. If you need AI services, choose a Snowflake (or other supported warehouse) CloudLink.
</Warning>

## Authentication

CloudLink supports two authentication methods. Where the platform supports it, key-pair authentication is required for full feature access.

**Key-pair authentication (recommended)**

Key-pair authentication uses an RSA key pair to secure the connection. Elementum holds the private key and gives you the public key to assign to your service account. Because the private key never leaves Elementum's infrastructure, there's no shared secret to leak or rotate manually.

For Snowflake, key-pair authentication is **required** for change tracking, Cortex AI integration, and Cortex Agents. See [Connect Snowflake to Elementum](/administration/connect-snowflake-to-elementum#key-pair-authentication) for the full setup.
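A check you can run after assigning the key, as an added example that is not part of Elementum's documentation: it computes the fingerprint of the public key Elementum gave you in the form Snowflake reports it (`RSA_PUBLIC_KEY_FP` and `RSA_PUBLIC_KEY_2_FP` in `DESCRIBE USER`) and classifies the service account's two key slots. The function names, status strings, and sample key bytes are constructed for illustration.

```python
import base64
import hashlib

def snowflake_fingerprint(public_key_pem: str) -> str:
    """Return "SHA256:<base64>" for a PEM public key: SHA-256 over the DER
    bytes, the form Snowflake reports in RSA_PUBLIC_KEY_FP."""
    body = "".join(
        s for s in (line.strip() for line in public_key_pem.splitlines())
        if s and not s.startswith("-----")
    )
    der = base64.b64decode(body, validate=True)
    digest = hashlib.sha256(der).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii")

def _unset(value) -> bool:
    # Assumption: an unset property arrives as None, "" or the string "null".
    return value is None or value.strip().lower() in ("", "null")

def key_slot_status(expected_fp: str, slot1_fp, slot2_fp) -> str:
    """Classify the two key slots (RSA_PUBLIC_KEY_FP, RSA_PUBLIC_KEY_2_FP)
    against the fingerprint of the key Elementum issued."""
    slots = [None if _unset(v) else v.strip() for v in (slot1_fp, slot2_fp)]
    if expected_fp not in slots:
        return "mismatch"              # Elementum's key is not assigned
    others = [v for v in slots if v is not None and v != expected_fp]
    if others:
        return "rotation-in-progress"  # a second key is still accepted
    return "ok"

# Constructed stand-in bytes, NOT a real RSA key; enough to exercise the hashing.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    fp = snowflake_fingerprint(SAMPLE_PEM)
    print(fp)
    print(key_slot_status(fp, fp, "null"))
```

A `rotation-in-progress` result that persists after a rotation has finished means an old key is still accepted and should be unset.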

**Password authentication**

Password authentication is simpler to set up but is not recommended. If you use password authentication today, plan to migrate to key-pair using the Snowflake setup guide.

## The platform schema (critical concept)

Every CloudLink to a data warehouse needs a small, dedicated schema (or dataset) that **Elementum uses for its own platform operations**. This is separate from your business data.

<Warning>
  **Do NOT enter your data schema in the CloudLink "Schema" field.** That field is for Elementum's internal platform operations only.

  **You must create a new, empty schema** (for example `ELEMENTUM_PLATFORM`) and enter that. Your actual data tables are selected separately after the connection is established.

  **If you enter your data schema here, it will be hidden from workflow building and you won't be able to access your data.**
</Warning>

| What you enter                                             | What happens                                                         |
| ---------------------------------------------------------- | -------------------------------------------------------------------- |
| ❌ Your data schema (for example `PUBLIC`, `SALES`)         | Your data becomes inaccessible in Elementum                          |
| ✅ Empty platform schema (for example `ELEMENTUM_PLATFORM`) | Elementum stores operational data here; your data remains accessible |

<Error>
  **Critical:** The schema you choose for Elementum platform use is where Elementum creates and manages its own tables. That schema must be **used only by Elementum**. Do not store your own business tables in it or modify Elementum-managed objects there. External changes to those tables can cause Elementum to malfunction.
</Error>

## Security model

CloudLink is designed so that data access is secure, auditable, and revocable.

<CardGroup cols={2}>
  <Card title="Key-pair authentication" icon="key">
    RSA key-pair instead of passwords. Snowflake's dual-key support enables zero-downtime key rotation.
  </Card>

  <Card title="Network security" icon="shield">
    IP whitelisting restricts inbound access to known Elementum IPs. All traffic uses TLS encryption. VPC/private network configurations are supported.
  </Card>

  <Card title="Access control" icon="lock">
    Dedicated service account with minimal permissions. Each organization has separate access controls. Complete logging of all access and modifications.
  </Card>

  <Card title="Compliance" icon="certificate">
    Contact your Elementum representative to discuss SOC 2, GDPR, HIPAA, and other compliance requirements.
  </Card>
</CardGroup>

### Security architecture

<Tabs>
  <Tab title="Data encryption">
    **At rest**

    * Account data is encrypted using industry-standard algorithms.
    * Credentials are encrypted and never returned outside Elementum's internal systems.

    **In transit**

    * All traffic is encrypted using TLS.
    * Connections are supported over the public Internet or a VPN.
  </Tab>

  <Tab title="Network security">
    * An application firewall protects ingress traffic.
    * IP whitelisting restricts inbound access to known Elementum addresses.
    * VPN is supported with least-privilege network controls.
  </Tab>

  <Tab title="Authentication">
    * RSA key-pair authentication (recommended; required for full Snowflake feature support).
    * Role-based access control on the warehouse side.
    * Dedicated service account with minimal permissions per environment.
  </Tab>

  <Tab title="Audit and access">
    * Each organization has separate access controls.
    * Complete logging of all data access and modifications.
    * All warehouse-side access is auditable through your warehouse's native audit logs (for Snowflake, query history and access history).
  </Tab>
</Tabs>

### Elementum IP addresses

Whitelist these Elementum IPs in your data platform's network policy or firewall before attempting a connection.

| Region      | IP Addresses                                        |
| ----------- | --------------------------------------------------- |
| **US East** | `44.210.166.136`, `44.209.114.114`, `52.72.254.246` |
| **Europe**  | `18.185.13.42`, `63.182.157.140`, `3.65.106.188`    |

The Snowflake setup guide includes copy-paste SQL for [creating a network policy](/administration/connect-snowflake-to-elementum#whitelist-elementum-ip-addresses) with these addresses.
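To confirm that an allow-list matches the table above and nothing wider, the following added example (not part of Elementum's setup guide) audits a comma-separated list of IPs and CIDR ranges against the Elementum addresses for one region. It assumes the list belongs to a network policy dedicated to the Elementum service account; the function name, result keys, and sample allow-list are constructed for illustration.

```python
import ipaddress

# Elementum addresses copied from the table on this page.
ELEMENTUM_IPS = {
    "US East": ["44.210.166.136", "44.209.114.114", "52.72.254.246"],
    "Europe": ["18.185.13.42", "63.182.157.140", "3.65.106.188"],
}

def audit_allow_list(allowed_ip_list: str, region: str) -> dict:
    """Compare a comma-separated allow-list with Elementum's IPs for a region.

    missing    - Elementum IPs no entry covers (connections would be blocked)
    too_broad  - entries wider than a single host that cover an Elementum IP
    unexpected - entries that cover no Elementum IP for this region
    """
    expected = sorted(ipaddress.ip_address(ip) for ip in ELEMENTUM_IPS[region])
    entries = [e.strip() for e in allowed_ip_list.split(",") if e.strip()]
    nets = [(e, ipaddress.ip_network(e, strict=False)) for e in entries]

    missing = [str(ip) for ip in expected
               if not any(ip in net for _, net in nets)]
    too_broad, unexpected = [], []
    for entry, net in nets:
        if not any(ip in net for ip in expected):
            unexpected.append(entry)
        elif net.num_addresses > 1:
            too_broad.append(entry)
    return {
        "missing": missing,
        "too_broad": too_broad,
        "unexpected": unexpected,
        "ok": not (missing or too_broad or unexpected),
    }

# Constructed allow-list: two exact hosts, one over-wide CIDR, one unrelated host.
SAMPLE_ALLOW_LIST = "44.210.166.136, 44.209.114.114/32, 52.72.0.0/16, 203.0.113.7"

if __name__ == "__main__":
    for key, value in audit_allow_list(SAMPLE_ALLOW_LIST, "US East").items():
        print(f"{key}: {value}")
```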

## Keeping data fresh: real-time vs scheduled

CloudLink supports two complementary mechanisms for keeping Elementum's view of your warehouse data current. You can use both, depending on the table.

| Mechanism                               | What it does                                                                                                                         | Best for                                                                             |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------ |
| **Real-time updates (change tracking)** | Elementum reacts to inserts and updates in your warehouse as they happen. Requires enabling change tracking on each Snowflake table. | Transactional data where workflows need to fire immediately on a new or changed row. |
| **Scheduled updates**                   | Elementum re-reads the table on a configurable interval (default 20 minutes; adjustable from minutes to days).                       | Analytical or slower-changing data, and resource-efficient batch processing.         |

For Snowflake, change tracking is enabled with an optional grant in the [setup script](/administration/connect-snowflake-to-elementum#step-4-grant-permissions-and-set-the-network-policy); the schedule is set during the [Elementum-side connection step](/administration/connect-snowflake-to-elementum#step-5-add-credentials-in-elementum).

## What you can do once connected

After a CloudLink is set up, the same connection powers everything Elementum does with that warehouse:

| Capability                                     | Where to go next                                                                                   |
| ---------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| Bring warehouse tables into Elementum          | [Tables](/data/tables)                                                                             |
| Build apps and workflows on warehouse data     | [Build an app](/getting-started/build-an-app), [Flow](/getting-started/fundamentals/core-concepts) |
| Detect new and changed data                    | [Data Mining](/data/data-mining)                                                                   |
| Trigger and run workflows on warehouse changes | [Automations](/workflows/automation-system)                                                        |
| Process files stored in Snowflake stages       | [Snowflake stages](/administration/snowflake-stages)                                               |
| Use Snowflake Cortex as your AI provider       | [Snowflake Cortex setup](/ai-agents/snowflake-cortex-setup)                                        |
| Connect Snowflake Cortex Agents to apps        | [Snowflake Cortex Agents](/ai-agents/snowflake-cortex-agents-setup)                                |
| Run AI OCR on documents in Snowflake           | [Snowflake AI OCR](/ai-agents/snowflake-ai-ocr)                                                    |

## Best practices

1. **Authentication** — Prefer key-pair authentication where supported; rotate credentials on your security schedule; limit who can change CloudLink settings.
2. **Platform schema** — Keep the Elementum platform schema dedicated and documented; never hand-edit Elementum-managed objects there.
3. **Data quality** — Use clear column names and consistent formats in source tables; keep data current for reliable workflows.
4. **Scope** — Connect only the tables you need; grant the minimum warehouse permissions required.
5. **Performance** — Plan refresh frequency for table size and cost; treat performance warnings seriously before production workflows depend on a table.
6. **External BI tools** — If you need warehouse data in BI tools such as Power BI or Tableau, **do not** point those tools at Elementum's platform schema. Use Elementum [Tables](/data/tables) to define views and exports that external tools can consume safely.

## Choose your connection type

<CardGroup cols={2}>
  <Card title="Connect Snowflake" icon="snowflake" href="/administration/connect-snowflake-to-elementum">
    Step-by-step Snowflake setup: prerequisites, IP whitelisting, key-pair authentication, setup script, and Elementum-side credentials.
  </Card>

  <Card title="Connect a REST API" icon="plug" href="/administration/connect-rest-api-cloudlink">
    Set up a CloudLink to an external REST API for use in API-powered dropdowns and API Elements.
  </Card>
</CardGroup>
