ServiceNow® Data Privacy Framework Policy
Effective Date: January 6, 2026
Purpose
The purpose of this policy is to document and explain ServiceNow, Inc.’s (“ServiceNow”) compliance with the EU‑U.S. Data Privacy Framework (“EU‑U.S. DPF”), the UK Extension to the EU‑U.S. DPF (“UK Extension”), and the Swiss‑U.S. Data Privacy Framework (“Swiss‑U.S. DPF”) set forth by the United States Department of Commerce (“DoC”) with respect to the collection, use and retention of Personal Data transferred from the European Union, United Kingdom (and Gibraltar), or Switzerland to the United States as further described herein (collectively, the “DPF Policy”). This DPF Policy outlines our commitment to the DPF Principles (defined below) and our practices for implementing the DPF Principles.
ServiceNow complies with the EU‑U.S. DPF, the UK Extension, and the Swiss‑U.S. DPF as set forth by the DoC. ServiceNow has certified to the DoC that it adheres to the EU‑U.S. Data Privacy Framework Principles (“EU‑U.S. DPF Principles”) with regard to the processing of Personal Data received from the European Union under the EU‑U.S. DPF and from the United Kingdom (and Gibraltar) under the UK Extension to the EU‑U.S. DPF. ServiceNow has certified to the DoC that it adheres to the Swiss‑U.S. Data Privacy Framework Principles (“Swiss‑U.S. DPF Principles”, and collectively with the EU‑U.S. DPF Principles: the “DPF Principles”) with regard to the processing of Personal Data received from Switzerland under the Swiss‑U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU‑U.S. DPF Principles and/or the Swiss‑U.S. DPF Principles, the DPF Principles shall govern. To learn more about the DoC Data Privacy Framework (DPF) program, or to view our certification (by searching for “ServiceNow” under active participants), please visit the Data Privacy Framework website.
Roles and Responsibilities
The below roles, departments, and teams are key to the implementation of this policy and include those parties who are responsible for completing activities described within this document, those who must adhere to this policy, and those who govern the implementation of this policy. If your name or team is listed, you have a responsibility to implement.
The Company intends that all ServiceNow Controlled Documents will be retained in the policy management system and active ServiceNow Controlled Documents will be made available on the Employee Portal and applicable intranet sites.
Certain ServiceNow Controlled Documents may require that the parties to whom the policy applies complete training or acknowledge that they have read, understood, and agree to comply with the policy.
Any such training, attestations, or communications are determined and managed by the Policy Owner and Owning Department.
| Role | Responsibility | Awareness & Training |
| --- | --- | --- |
| All Employees | Review when applicable to role | Published to PolicyHub |
Definitions
The following terms are found within this document, including acronyms. Terms without a definition default to the meanings in the Enterprise Business Glossary.
- Data Controller: means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- Customer: means any entity that purchases the
- Customer Data: is defined in our Customer contracts as the data and content uploaded into the Subscription Service by or for a Customer or its agents, employees, or contractors. (Also see ServiceNow Subscription Service/Customer Restricted)
- Device: means a mobile
- ICDR‑AAA: means International Centre for Dispute Resolution‑American Arbitration Association
- KB: Knowledge Base
- Personal Data: means any information, including Sensitive Data, that is (i) about an identified or identifiable individual and (ii) received by ServiceNow in the U.S. from the European Union, United Kingdom, and Switzerland in connection with the Service.
- Data Processor: means any natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of a Controller.
- Policy: A policy describes what is expected of ServiceNow. It sets strategy, management direction and organizational goals, and explains why ServiceNow takes certain actions or strategies. The purpose of a policy is to outline expected behaviors and guide decision‑making in line with the philosophy, objectives and strategic plans by ServiceNow.
- Sensitive Data: means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.
- ServiceNow Subscription Service/Customer Restricted – as defined in the Data Classification Standard, SURF POL0020328, “Customer Data” is the term used in contract language to depict data uploaded to the customer subscription service (i.e., customer instance). See also definition above in this Section 1.4 “Customer Data” for additional details.
- Standard: A document that supports ServiceNow policies with prescriptive and clear statements that describe key requirements and objectives (i.e., ‘what’ is required to be compliant).
- Standard Operating Procedure: A Standard Operating Procedure (SOP) supports a policy and documents how the Company meets business, legal, and regulatory requirements, such as “how to be compliant”. SOPs outline who is involved, what happens with the inputs and what the outputs are. An SOP describes the activities that need to be performed to address the expectations outlined in the policy and/or standard. It provides the “how to” of such documents and guides their implementation. Procedures are audience‑specific and provide the process that ensures compliance with a given policy (i.e., “how” the company implements its policies and standards).
- User: means an individual authorized by Customer to access and use the Subscription
Types of Personal Data Collected
ServiceNow participates in the EU‑U.S. DPF, the UK Extension, and the Swiss‑U.S. DPF and complies with the DPF Principles with respect to the Personal Data it (1) collects from its Customers or their Users in the European Union, United Kingdom (and Gibraltar), and Switzerland, and (2) processes in connection with the use of (i) applications downloaded to a User’s mobile device (“Mobile Applications”); and (ii) ServiceNow’s hosted software applications (the “Subscription Service”) and related support services (“Support Services”), as well as expert services (including professional services, training and certification) (the “Expert Services”) that we provide to Customers and Users. In this DPF Policy, the Subscription Service, Support Services and the Expert Services are collectively referred to as the “Services”.
ServiceNow hosts and processes Customer Data, which may include Personal Data, as a Data Processor at the direction of and pursuant to the instructions of ServiceNow’s Customers.
ServiceNow also collects and processes as a Data Controller other types of information from our Customers, including:
- Information and correspondence our Customers and Users submit to us in connection with Support Services and Expert Services or other requests related to the Services.
- Information that we receive directly from Customers or from our business partners in connection with our Customers’ and Users’ use of the Services or in connection with services provided by our business partners, including configuration of the Subscription Service.
- Information related to Users’ use of the Mobile Applications, including geographic location data and information regarding Users’ Devices and OS identification, login credentials, language, and time zone.
- General information about Customers, including a Customer’s company name and address, credit card information, and the Customer representative’s contact information for billing, marketing, and contracting purposes (“General Information”).
To learn more about how ServiceNow processes Personal Data as a Data Controller, see the ServiceNow Services Privacy Statement.
Purposes of Collection and Use
ServiceNow may process Personal Data collected from Customers and Users as necessary to provide the Services, including updating, enhancing, securing, and maintaining the Services, and to carry out ServiceNow’s contractual obligations to our Customers. ServiceNow also processes General Information to provide the Services and maintain ServiceNow’s relationships with our Customers. This Personal Data will be processed in accordance with ServiceNow’s contractual agreements or our Privacy Statements, as applicable, and retained in accordance with ServiceNow’s Record Retention Schedule unless otherwise required by law or contractual agreement.
Third Party Disclosures
We may disclose Personal Data that our Customers and Users provide as follows:
- To our subsidiaries and affiliates;
- To contractors, business partners and service providers that we use to support our Services;
- When required to do so by law or legal process;
- In response to lawful requests from public authorities, including to meet national security, public interest, or law enforcement requirements; or
- As permitted by ServiceNow’s Data Processing Addendum and Data Security Addendum, located here, or as described in ServiceNow’s Services Privacy Statement.
Rights of Access & Correction
Individuals in the European Union, the United Kingdom (and Gibraltar), and Switzerland generally have certain rights regarding their Personal Data, including the rights to access or correct their Personal Data. For Personal Data that ServiceNow processes on behalf of our Customers, ServiceNow redirects data subjects to the appropriate Customer, as the Data Controller, when ServiceNow receives a request or inquiry to access or correct Personal Data. For Personal Data that ServiceNow processes as a Data Processor, data subjects can contact their ServiceNow account representative directly or contact ServiceNow at privacy@servicenow.com.
Choice
Except as otherwise explained in this section, ServiceNow offers Customers and Users the ability to request that ServiceNow limit the use and disclosure of their Personal Data to the extent that ServiceNow: (i) discloses their Personal Data to third‑party Controllers, or (ii) uses their Personal Data for a purpose that is materially different from the purposes for which the Personal Data was originally collected or subsequently authorized by the Customer or User. Customers and Users can exercise this choice to limit the use and disclosure of their Personal Data by submitting an online form through the ServiceNow Privacy Request Center or by contacting ServiceNow at privacy@servicenow.com. In addition, ServiceNow obtains opt‑in consent to process Personal Data, including Sensitive Data, where required by the DPF Principles or applicable law.
ServiceNow may disclose Personal Data of Customers and Users without offering an opportunity to limit or opt out of that disclosure, and may be required to disclose the Personal Data, (i) to third‑party vendors or sub‑processors that ServiceNow has retained to perform services on our behalf and pursuant to our instructions, (ii) where permitted or required by law or legal process, or (iii) in response to lawful requests from public authorities, including to meet national security, public interest, or law enforcement requirements. ServiceNow reserves the right to transfer Personal Data in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution, or liquidation).
To learn more about how ServiceNow processes the Personal Data of Customers and Users or individual rights related to Personal Data, visit ServiceNow’s Services Privacy Statement.
Liability for Onward Transfers
ServiceNow complies with the DPF Principle regarding accountability for onward transfers. ServiceNow is responsible under the EU‑U.S. DPF, the UK Extension, and the Swiss‑U.S. DPF for ensuring that our onward transfer recipients process Personal Data subject to this DPF policy only in a manner consistent with the DPF Principles.
Dispute Resolution
If ServiceNow processes your Personal Data in connection with the Services described in this DPF Policy, you may direct any inquiries or complaints concerning this DPF Policy or ServiceNow’s DPF compliance to privacy@servicenow.com. ServiceNow will respond within 45 days.
If you do not receive timely acknowledgment of your DPF Principles‑related complaint from us, or if we have not addressed your DPF Principles‑related complaint to your satisfaction, you can file your complaint with the International Centre for Dispute Resolution‑American Arbitration Association (ICDR‑AAA), an alternative dispute resolution provider based in the United States. To learn more about how to file a complaint with ICDR‑AAA or the applicable ICDR‑AAA procedures, visit the ICDR‑AAA website here. In compliance with the EU‑U.S. DPF, the UK Extension, and the Swiss‑U.S. DPF, ServiceNow is committed to the referral of unresolved complaints concerning our handling of Personal Data to the ICDR‑AAA. The services of the ICDR‑AAA are provided at no cost to you.
You may also refer your complaint to the U.S. Federal Trade Commission (FTC). ServiceNow is subject to the investigatory and enforcement powers of the FTC with regard to our compliance with the EU‑U.S. DPF, the UK Extension, and the Swiss‑U.S. DPF.
Under certain circumstances, you may have the right to invoke binding arbitration to address complaints related to Personal Data covered by the DPF that have not been resolved through other channels. Visit the DPF Website, here, to learn more.
How to Contact ServiceNow
ServiceNow has a dedicated Privacy Team that is responsible for our compliance with the EU‑U.S. DPF, the UK Extension, and the Swiss‑U.S. DPF, and with the DPF Principles. For questions about this DPF Policy or ServiceNow’s compliance with the DPF Principles, or to file a complaint as described in section 2.7 of this Policy, please contact privacy@servicenow.com.
If it’s not possible to contact privacy@servicenow.com, you can contact the ServiceNow Privacy Team by regular mail addressed to:
ServiceNow, Inc.
Attn: Privacy
2225 Lawson Lane
Santa Clara, CA 95054
Alternatively, regular mail may also be directed to our European Union‑based subsidiary, ServiceNow Nederland B.V., by addressing it to:
ServiceNow Nederland B.V.
Attn: Legal Department
Hoekenrode 3
1102 BR Amsterdam
The Netherlands
Adherence to Policies and Procedures
All ServiceNow personnel are required to comply with all ServiceNow policies, procedures, and standards, as amended from time to time. Failure to do so will be considered just cause for disciplinary action, up to and including termination. ServiceNow and its U.S. entities and/or U.S. subsidiaries listed below adhere to the DPF Principles:
ServiceNow Delaware LLC