Solutions

  • Products
  • Use Cases
  • Industries
HR and IT
  • WHITE PAPER
  • HR and IT better together
  • Boost productivity and attract quality talent with great employee experiences.
Healthcare Security
  • WHITE PAPER
  • Healthcare security 101
  • Drive clinical excellence and improve care outcomes with a connected system.

Platform

Digital Workflows
  • ANALYST REPORT
  • The value of digital workflows
  • Get apps to market in half the time at a third of cost with higher satisfaction.

Customers

Success Navigator
  • SUCCESS NAVIGATOR
  • Your prescription for success
  • Accelerate outcomes with a step-by-step action plan of proven best practices.

Explore

Value Calculator
  • VALUE CALCULATOR
  • Live up to your potential
  • Determine the untapped value across your entire business in just 60 seconds.

FAQ

Thank you for reviewing ServiceNow’s Data Processing Annex (“ DPA”) and Data Security Guide (“ DSG”). Below, you will find information about ServiceNow’s privacy and security programs, which are designed to protect the personal data that you submit to the ServiceNow cloud services.

ServiceNow’s DPA and DSG address our obligations as the data processor and your obligations as the data controller under relevant data protection laws. This FAQ provides answers to commonly asked questions regarding our DPA and DSG and provides explanations regarding the differences that you may see with our forms. Specifically, by virtue of the cloud‑based services we provide, we do not review or analyze the content of the data input by customers in the ordinary course of operating our services. As a result, we will not know whether personal data is uploaded into your instance of the services. Accordingly, as the customer and data controller, you are principally responsible for complying with any obligations under relevant data protection laws that require review or analysis of data.  For these reasons, our DPA and DSG are drafted to assist our customers in meeting their regulatory requirements while simultaneously reflecting the operational reality of the cloud‑based services we provide.

1.     What are ServiceNow’s security obligations with respect to personal data?

ServiceNow is committed to protecting personal data it processes by implementing and maintaining a robust security program. Section 4.3 (Data Security Measures) of the DPA and Section 2 (Physical, Technical and Administrative Security Measures) of the DSG detail the specific technical, physical and organizational security measures ServiceNow takes to protect your data.

As a provider of a standardized cloud‑based service, ServiceNow maintains a data agnostic security program. In other words, we implement the same security measures regardless of the category or sensitivity of data customers process within their ServiceNow environment. Ultimately, because you have exclusive insight into the content of your data, it is your responsibility to review our security program to determine whether it is sufficient for the data you process or plan to process within your environment, as further described in Section 2.2 (Security Risk Assessment) of the DPA.

2.     How does ServiceNow assist customers in complying with data subject rights mandated by data protection laws?

The ServiceNow cloud software provides functionality that facilitates access, correction, rectification, erasure and blocking of personal data, and further allows a customer to transfer or port personal data.

3.     What audit rights do customers have as a data controller?

ServiceNow strongly believes in transparency regarding its data privacy and security programs. In accordance with Section 4.2.1 (Audits) of the DSG, current customers may request access to the ServiceNow CORE, a comprehensive repository of information and documentation, including policies, procedures, as well as our then‑current third‑party audit reports against internationally recognized standards such as ISO 27001 and ISO 27018, and independent third‑party assessments against security standards like SSAE 18 / SOC 1 and SOC 2 Type 2.

ServiceNow does not permit customers to conduct onsite audits or inspections as such audits often do not produce any more insight into our privacy and security programs than the documentation in the ServiceNow CORE. Additionally, onsite audits are costly for both parties and have the potential to create unnecessary security risks.

4.     Does ServiceNow use any sub‑processors? How will I be notified of any future sub‑processors that ServiceNow intends to use?

ServiceNow is committed to providing world class service to its customers, which includes 24x7 live technical support. To deliver and support our service, ServiceNow engages its affiliates located throughout the world, including in the United States, United Kingdom, Australia and India.

ServiceNow may also engage a third party to provide processing services. However, prior to engaging a new sub‑processor, ServiceNow will notify you in accordance with Section 8.1.2 (New Sub‑Processors) of the DPA. You may object to ServiceNow’s proposed use of such sub‑processor in accordance with Section 8.2 (Right to Object).

5.     How does ServiceNow notify customers of data breaches?

In the event of a security incident impacting customer data, ServiceNow will provide an initial report to the designated customer contact in the customer support portal. Customers are responsible for ensuring the appropriate person is listed in the support portal.

6.     What legal mechanism does ServiceNow use to transfer personal data from the European Union?

ServiceNow has self‑certified to the Privacy Shield framework to lawfully transfer personal data from the European Union and Switzerland. Learn more about the details of our certification on the Department of Commerce website here.

Additionally, ServiceNow processing entities executed an intra‑group agreement that incorporates the terms of the DPA and DSG as well as the Standard Contractual Clauses. This allows a customer to enter into a DPA and DSG only with the ServiceNow selling entity without the need to execute Standard Contractual Clauses with each of ServiceNow’s processing entities. For customers that prefer to enter into the Standard Contractual Clauses directly with each of ServiceNow’s processing entities, please review and execute this version of the DPA and DSG.

Please contact privacyreview@servicenow.com should you have any other questions about ServiceNow’s DPA and DSG.

 

 

Thank You

Thank you for submitting your request. A ServiceNow representative will be in contact within 48 hours.

form close button

Contact Us

I would like to hear about upcoming events, products and services from ServiceNow. I understand I can unsubscribe any time.

  • By submitting this form, I confirm that I have read and agree to the Privacy Statement.