Compliance

Regular audits to verify data security and privacy

ServiceNow conforms to the most stringent compliance frameworks to help you maintain security and compliance on a continuous basis.
“ServiceNow pursues stringent industry certifications and attestations to show that we are dedicated to helping our customers by preserving their trust, reputation, safety and integrity of their data.”

John Castelly, Chief Compliance Officer, ServiceNow
Global and regional compliance

Certifications and attestations

ServiceNow meets the highest security and privacy standards in all our regions. Additionally, our applications allow your organization to meet its sectoral or regional requirements.

Compliance

Compliance certifications and attestations are critical. We make compliance processes easy for you via our technical capabilities, guidance documents, and legal commitments.

Data privacy

By providing the tools to protect your sensitive data, we reduce risk exposure in critical parts of your business.

Secure access control

Prevent unauthorized account access and increase data security through multi-factor authentication (MFA).

Transparency

Transparency earns trust. Our stringent terms and data protection agreements dictate how we process data, including policies for responding to government requests.
We champion security and privacy initiatives

We proactively monitor and adapt our security protocols to rapidly changing regulatory landscapes.

ISO/IEC 27017:2015

The ISO/IEC 27017:2015 standard is concerned with the implementation of the cloud-specific information security controls specified in ISO/IEC 27002.

The certification is gained by an annual independent audit and ServiceNow has been an ISO/IEC 27017:2015 certified organization since 2018.

ISO/IEC 27001:2022

The ISO/IEC 27001:2022 certification specifies security management best practices and controls based on the ISO/IEC 27002 best practice guide. It ensures that our information security management system (ISMS) is fine-tuned to keep pace with changes to security threats, essential in the fast-paced world of IT security.

Re-certification is obtained by audit every three years, with an annual surveillance audit in between, in order to prove that ServiceNow:

  1. Has designed and implemented a comprehensive ISMS.
  2. Has adopted a continuous risk management process to ensure that the appropriate information security controls are in place to meet an evolving threat landscape and risks.
  3. Systematically evaluates information security risks appropriately, taking into account several factors, including the impact of company threats and vulnerabilities.

ServiceNow has been an ISO/IEC 27001 certified organization since 2012 and the certificate is available here.

ISO/IEC 27018:2019

ISO/IEC 27018:2019 is a code of practice based on ISO/IEC 27002 and is concerned with the protection of personally identifiable information (PII) in public clouds in accordance with the privacy principles in ISO/IEC 29100.

The certification is gained by annual independent audit and ServiceNow has been an ISO/IEC 27018:2019 certified organization since 2016.

ISO/IEC 27701:2019

This extension to ISO/IEC 27001 focuses on the establishment and maintenance of a Privacy Information Management System (PIMS). This is relevant to ServiceNow as a processor of customer data which may contain Personally Identifiable Information (PII). ServiceNow received this certification in 2020.

SSAE 18 SOC 1 and SOC 2 Reports

A Service Organization Control (SOC) report is an attestation that ServiceNow meets the required standard of having controls in place to protect the confidentiality, integrity and availability of our customers’ data in the cloud.

- SOC 1 focuses on the effectiveness of internal controls that affect the financial reporting of customers.

- SOC 2 evaluates controls that are relevant to availability, integrity, security, confidentiality, or privacy.

ServiceNow is audited by a third party and has maintained its SSAE 18 SOC 1 Type 2 attestation since 2011 (SSAE 18 superseded SSAE 16 in 2017). SSAE 18 is aligned with the international standard ISAE 3402 and replaced the now-deprecated SAS 70.

ServiceNow’s SOC 1 report covering the period October 1 (of the prior calendar year) to September 30 (current calendar year) is available via ServiceNow CORE by the end of each calendar year (December).

The SOC 1 report covering the period April 1 to March 31 is available via ServiceNow CORE by the end of each calendar Q2 (June).

ServiceNow has also undertaken an annual SOC 2 Type 2 attestation since 2013, relevant to security, availability and confidentiality controls listed in the AICPA Trust Services Criteria (TSC).

ServiceNow’s SOC 2 report covers the period October 1 (of the prior calendar year) to September 30 (current calendar year) and is available via ServiceNow CORE by the end of each calendar year (December).

A Bridge Letter is provided between audit periods so that the company is covered for the entire year.

ServiceNow’s SOC 1 bridge letter covering the period October 1 (current calendar year) to December 31 (current calendar year) is available on ServiceNow CORE by the end of each calendar Q1 of the next year.

The SOC 1 bridge letter covering the period April 1 to June 30 is available via ServiceNow CORE by the end of each calendar Q3.

ServiceNow’s SOC 2 bridge letter covers the period October 1 (current calendar year) to December 31 (current calendar year) and is available on ServiceNow CORE by the end of each calendar Q1 of next year.

BSI Cloud Computing Compliance Controls Catalog (C5) Standard

C5 is a cloud-specific compliance controls catalog developed by the German Federal Office for Information Security (BSI) and used in both the public and private sectors. The C5 Attestation Report follows a similar process and schema to AICPA SOC 2 reports and has a high overlap of requirements with the AICPA Trust Services Criteria, with the addition of specific cloud-focused requirements. ServiceNow received its C5 Attestation Report in 2020.

APEC Privacy Recognition for Processors (PRP)

The APEC PRP is a voluntary certification for data processors specific to the Asia-Pacific region, developed by local members in the region. Certifications are renewed annually, but assessors may be brought in more frequently for any change that would have a significant impact on the processor’s privacy processes and/or procedures.

ISMAP Cloud Service

The Information system Security Management and Assessment Program (ISMAP) aims to ensure the level of security in cloud service procurement by the Japanese government by evaluating and registering cloud services that meet the Japanese government’s security requirements. ServiceNow’s Now Platform was independently assessed by a registered ISMAP assessor to meet the ISMAP control criteria and has been registered as an ISMAP Cloud Service since March 2022. The ISMAP Cloud Service List is available here: https://www.ismap.go.jp/csm?id=cloud_service_list

CSA STAR Level 2: STAR Certification

The Cloud Controls Matrix (CCM) is a framework of controls (policies and procedures) that are essential for cloud computing security. It is created and updated by the Cloud Security Alliance (CSA) and aligned to CSA best practices. The CSA STAR Level 2 Certification is a rigorous independent third-party assessment of the security of a cloud service provider against the CSA Cloud Controls Matrix together with ISO/IEC 27001 requirements.
EU Cloud CoC

The EU Cloud Code of Conduct (EU Cloud CoC) is a set of control requirements designed to develop trust and transparency in the European cloud computing market and to simplify the risk assessment process of Cloud Service Providers (CSPs) for cloud customers. To demonstrate this compliance, ServiceNow performed an internal audit of over 80 EU Cloud CoC requirements and was subject to an external assessment of that audit effort. ServiceNow's external validation of adherence to the EU Cloud CoC speaks to our ongoing commitment to maintaining the highest privacy and security standards alongside our existing Security and Privacy certifications.

Services are verified compliant with the EU Cloud CoC, Verification-ID 2022LVL02SCOPE3113. For further information please visit https://eucoc.cloud/en/public-register.

FedRAMP High P-ATO For US Government Entities and Providers

ServiceNow’s Government Community Cloud (GCC) offering currently maintains a Federal Risk and Authorization Management Program (FedRAMP) High Baseline Provisional Authority to Operate (P-ATO). This enables ServiceNow to accelerate the adoption of our secure cloud solutions by US federal agencies and providers, and implement a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA).

GCC received the initial GCC FedRAMP High Provisional Authority to Operate (P-ATO) in August 2019. GCC also meets Department of Defense (DoD) Impact Level 4 (IL4) and CNSSI 1253F Privacy Overlay High PII + PHI control requirements.

ServiceNow’s listing can be viewed on the FedRAMP Marketplace.

DoD IL4 PA For US DoD and IC Entities

ServiceNow’s Government Community Cloud (GCC) offering currently maintains a Department of Defense (DoD) Impact Level 4 (IL4) Provisional Authorization (PA). This facilitates the procurement of ServiceNow products by the US Department of Defense (DoD) and Intelligence Community (IC) and establishes a baseline standard defined by the DoD Cloud Computing (CC) Security Requirements Guide (SRG) developed by the Defense Information Systems Agency (DISA).

ServiceNow received its initial GCC DoD IL4 PA in October 2019. The DoD IL4 PA includes both FedRAMP High and DoD IL4 control requirements. ServiceNow’s GCC offering also meets CNSSI 1253F Privacy Overlay High PII + PHI control requirements.

ServiceNow’s listing can be viewed on the DISA Storefront within the Standard Offering section.

DoD IL5 for the National Security Cloud

ServiceNow has obtained a U.S. Department of Defense (DOD) Impact Level 5 (IL5) Provisional Authorization. This makes the ServiceNow National Security Cloud (NSC) one of the few software-as-a-service and platform-as-a-service (SaaS/PaaS) offerings built and authorized to meet the rigorous Department of Defense Cloud Computing Security Requirements Guide at Impact Level 5.

The IL5 Provisional Authorization will accelerate the DOD’s digital transformation, as it enables the DOD, its mission partners and select federal agencies to move highly sensitive data, including Controlled Unclassified Information and Unclassified National Security Systems, to ServiceNow cloud-based solutions hosted on Microsoft Azure Government.

Multi-Tier Cloud Security Standard for Singapore (MTCS) Level 3

MTCS Level 3 is a certification that ensures that ServiceNow meets standards regarding the confidentiality and integrity of our customers’ data in the cloud for Singapore. It builds upon ISO/IEC 27001 and covers the sovereignty, retention, and availability of data, along with business continuity planning and disaster recovery.

ServiceNow is proud to have achieved MTCS Level 3, the highest level of certification available.

ASD IRAP assessed for OFFICIAL and PROTECTED Cloud Services

ServiceNow's Australian platforms have been independently assessed by an endorsed IRAP assessor to meet the Australian ISM controls for OFFICIAL and PROTECTED data. The IRAP-assessed OFFICIAL and PROTECTED Cloud Services give Australian Government customers trust and confidence in the Now Platform and enable ServiceNow to effectively engage with Australian Government agencies and Critical Infrastructure Providers.

Further details for Australian Regulated customers can be reviewed here: https://your.servicenow.com/microsoftregulatedindustries/australia

Government of Canada GC Cloud Provider

The Canadian Centre for Cyber Security (CCCS) has established a set of both physical and logical requirements which must be met to be a certified GC Cloud Provider. Cloud providers must demonstrate compliance to CCCS personnel prior to approval as a GC Cloud Provider. GC is the government-defined data classification level that is approved to be stored within the cloud.

HITRUST Certification

HITRUST was developed by the healthcare industry to standardize compliance objectives through its CSF framework of controls, originally built on ISO/IEC 27001. The HITRUST CSF Assurance Program establishes trust in information protection through an achievable assessment and reporting path for organizations of all sizes, complexities, and risk profiles. Certification is awarded to organizations that complete a validated assessment and meet the requisite scoring threshold and other certification criteria.

UK Cyber Essentials Plus Certification

Cyber Essentials Plus is a UK government-backed scheme that assists organizations in demonstrating risk mitigation and assessment of cyber security threats to their IT systems. The scheme requires implementation of various technical controls to ensure best practices and the utmost security, verified by an external auditor. Due to the regional focus of the scheme, the certification is scoped to the UK region.

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance requirements were created to secure credit and debit card transactions against data theft and fraud. This is relevant to ServiceNow as a processor of customer data which may contain credit card data. ServiceNow became compliant in 2023.
EU DSA Compliance

ServiceNow and the EU Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC):

Please direct any communications in accordance with the EU Digital Services Act to DSACompliance@ServiceNow.com.

Data Privacy Framework

ServiceNow is a Data Privacy Framework (DPF) Program participant. The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

More information about the Data Privacy Framework Program can be found here (https://www.dataprivacyframework.gov/s/). ServiceNow's DPF Policy is available here (https://www.servicenow.com/data-privacy-framework.html).

ISO 9001:2015

The ISO 9001:2015 certification specifies quality management system (QMS) best practices and controls, ensuring that an organization consistently delivers products and services that meet customer and regulatory requirements. It demonstrates our commitment to maintaining high-quality standards while fostering continuous improvement in every aspect of our operations.

Re-certification is achieved through audit every three years, with an annual surveillance audit to confirm that our organization:

  • Has designed and implemented a robust QMS, ensuring that all processes are aligned with industry best practices.
  • Focuses on a customer-centered approach to ensure consistent satisfaction and engagement.
  • Maintains a culture of continuous improvement, utilizing data-driven insights and feedback to refine processes and drive performance.
  • Actively assesses risks and opportunities to improve the effectiveness of the QMS and adapt to changing market and operational conditions.

ISO/IEC 20000-1:2018

The ISO/IEC 20000-1:2018 certification specifies the best practices for IT service management (ITSM), ensuring that organizations deliver high-quality IT services that meet customer needs and regulatory requirements. It demonstrates our commitment to managing and improving the quality of our IT service delivery while maintaining a focus on efficiency and customer satisfaction.

Re-certification is achieved through audit every three years, with an annual surveillance audit to confirm that our organization:

  • Has designed and implemented a comprehensive IT service management system (SMS) that aligns with ISO/IEC 20000-1 standards.
  • Continuously monitors and improves the performance and delivery of IT services, ensuring that they meet customer expectations and industry benchmarks.
  • Ensures a systematic approach to managing service-related risks and opportunities, maintaining alignment with evolving customer requirements and technology trends.
  • Promotes a culture of continual service improvement (CSI), using feedback and metrics to optimize IT service processes and ensure consistent, reliable service delivery.

ISO 22301:2019

The ISO 22301:2019 certification outlines best practices for business continuity management systems (BCMS), ensuring that organizations are prepared to effectively respond to disruptions and maintain critical business operations. It demonstrates our commitment to safeguarding the resilience and continuity of operations in the face of potential crises or emergencies.

Re-certification is achieved through audit every three years, with an annual surveillance audit to confirm that our organization:

  • Has designed and implemented a robust BCMS that aligns with ISO 22301 standards.
  • Maintains a proactive approach to identifying and mitigating potential threats to business continuity, ensuring the continued availability of essential services.
  • Systematically evaluates and tests recovery plans to ensure they are effective in minimizing the impact of disruptions and maintaining critical business functions.
  • Promotes continuous improve

Esquema Nacional de Seguridad (ENS) Certification

The National Security Scheme (ENS) is a Spanish certification framework that establishes the criteria and requirements to ensure the adequate protection of electronic information within the scope of electronic administration. Governed by a royal decree, the ENS establishes standards for public administrations and entities, as well as for private companies that process public data. Classifying data based on its confidentiality and the operations performed with it, the ENS defines different levels of security measures, from basic to the highest, to ensure robust data protection, effective incident management and periodic compliance checks through audits. This certification is essential to foster trust in the electronic services provided by and within the Spanish administration.

ServiceNow has met the requirements to comply with ENS at the "High" level.

GDPR compliance

We help organizations achieve GDPR compliance with solutions that make meeting requirements like greater data access and privacy by design a seamless part of daily operations.
Explore more

ServiceNow helps you defend against security threats, protect your data, and comply with evolving global mandates.