Client: Series A SaaS Company
Engagement Duration: 3 weeks
Focus Areas: Data access, sensitive field exposure, ownership, documentation
Governance Overview
| Dimension | Score (1–5) | Notes |
| --- | --- | --- |
| Access Controls | 2 | Wide access to Snowflake across teams. No role-based policies defined. |
| PII Classification | 1 | No tagging in warehouse or modeling layers. Sensitive fields exposed. |
| Metric Ownership | 2 | No documented owners; conflicting logic across reports. |
| Consent Flow Audit | 3 | CMP (consent management platform) in place, but not reflected across all tools (e.g., Amplitude). |
| Documentation | 2 | Limited Notion tracking; no lineage or refresh frequency defined. |
Scoring Key:
1 = Nonexistent / unmanaged
3 = Partially implemented, inconsistent
5 = Mature, monitored, and enforced
High-Risk Findings
- Sensitive Fields Unprotected: Customer name, email, and usage data exposed to marketing via dashboards with no masking.
- No PII Tags or Lineage: GDPR risk due to inability to trace or restrict personal data usage.
- Unclear KPI Ownership: “Active User” metric defined 3 different ways across reports, with no documented source of truth.
Quick Wins Implemented
- Role-based access template introduced in Snowflake (3 tiers)
- Sensitive field inventory completed and flagged in dbt
- Notion doc created to assign metric ownership across teams
Next Step Recommendations
- Enable Column-Level Access Policies: begin with marketing-facing dashboards containing PII.
- Document 10 Core Metrics: assign owners and link to logic in dbt/Looker.
- Centralize Consent Metadata: sync CMP flags to product and analytics layers for compliance traceability.
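As an added illustration (not part of the audit deliverable or the client's configuration), the column-level policies recommended above can be expressed as Snowflake masking policies keyed to the three-tier role template; the role, schema, table and column names are assumed placeholders.

```sql
-- Added example, not from the audit: Snowflake column-level masking for the
-- PII fields the audit found exposed (name, email). Role, schema, table and
-- column names below are assumed placeholders, not the client's real objects.

-- Three-tier role template (assumed names). Privileges flow upward, so FULL
-- inherits everything PARTIAL and RESTRICTED can do.
CREATE ROLE IF NOT EXISTS ANALYTICS_RESTRICTED;   -- marketing dashboards: no raw PII
CREATE ROLE IF NOT EXISTS ANALYTICS_PARTIAL;      -- partially masked PII
CREATE ROLE IF NOT EXISTS ANALYTICS_FULL;         -- data owners, privacy review
GRANT ROLE ANALYTICS_RESTRICTED TO ROLE ANALYTICS_PARTIAL;
GRANT ROLE ANALYTICS_PARTIAL    TO ROLE ANALYTICS_FULL;

-- Email: full value only for FULL; PARTIAL keeps the domain for segmentation;
-- everyone else (including RESTRICTED) gets a fixed token.
CREATE OR REPLACE MASKING POLICY governance.mask_email AS (val STRING) RETURNS STRING ->
  CASE
    WHEN IS_ROLE_IN_SESSION('ANALYTICS_FULL')    THEN val
    WHEN IS_ROLE_IN_SESSION('ANALYTICS_PARTIAL') THEN REGEXP_REPLACE(val, '^[^@]+', '*****')
    ELSE '***MASKED***'
  END;

-- Name: a deterministic hash below FULL, so distinct counts and joins across
-- tables still line up without revealing who the customer is.
CREATE OR REPLACE MASKING POLICY governance.mask_name AS (val STRING) RETURNS STRING ->
  CASE
    WHEN IS_ROLE_IN_SESSION('ANALYTICS_FULL') THEN val
    ELSE SHA2(val, 256)
  END;

-- Bind the policies to the columns flagged in the dbt inventory. The mask is
-- applied at query time, so dashboards reading this table inherit it.
ALTER TABLE analytics.customers MODIFY COLUMN email     SET MASKING POLICY governance.mask_email;
ALTER TABLE analytics.customers MODIFY COLUMN full_name SET MASKING POLICY governance.mask_name;

-- Verification: list every policy attached to the table. A PII column missing
-- from this output is still exposed.
SELECT ref_column_name, policy_name, policy_kind
FROM TABLE(INFORMATION_SCHEMA.POLICY_REFERENCES(
       REF_ENTITY_NAME   => 'analytics.customers',
       REF_ENTITY_DOMAIN => 'TABLE'));
```

A plain hash of a low-entropy field such as a name can be reversed by dictionary lookup, so in production pair it with a secret salt or a tokenization service rather than relying on the hash alone.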
Governance Risk Score (Summary)
Current Maturity: 2.0 / 5
Projected Post-Implementation: 4.0+ (in 90 days with adoption)