Developers setup with offshore resources - data handling outside EU

Lasse Korsgaar1
Tera Contributor

Hi,

Does anyone have experience with handling instances and data in a setup with an external partner working out of India or another country outside the EU?

Our concern is in relation to data. According to EU legislation we are not allowed to handle specific data elements outside the EU, so we are looking into options on how to handle this, so that we can have developers working out of e.g. India.

Options discussed so far:

  1. Data masking. So e.g. emails are anonymized, but we still have data available for testing, e.g. users with certain roles, but without being able to identify the individual
  2. “Offshore instance” with synthetic data. Besides the DEV, TEST and PROD setup we have today, we can have a fourth instance for offshore development. This or these instances would live in parallel with our DEV, TEST and PROD, and instead of cloning with data we would only clone the setup setup, and then create synthetic data on the instance(s). Then we would need to have a setup where we can merge developments on the instances for testing before committing updates to PROD
  3. Current setup with DEV, TEST and PROD but with synthetic data on DEV and TEST. Which means that both nearshore and offshore resources will be working with synthetic data

If you have any experience with this, I would like to know how you have approached it.

9 REPLIES 9

vasaravanan
Kilo Contributor

Dear Lasse,

 

We can certainly help! We have implemented several projects in this space.

You may send your query to ServiceNow Team | AGM <servicenow_team@agminfra.com> so that we can provide an update to your query! 

Michael Bay1
Tera Contributor

As I recall in my previous company with a sourcing partner in India we had a DPA(Data Processing Document) that stated who and what data was in scope for the sourcing provider

Dear Michael,

Thanks for you reply.

When your DPA had decided what data was in scope then how did you handle that in the ServiceNow?

Did you scope it in the saem instance as was used by everyone else, or did you have separate instances?

 

Hey Lasse,

 

We were om the same instance. 

Since they provide Servicedesk ,  2. and 3. level support and Process support they had same access as people in EU.