Introduction
Privacy and security are important for many reasons. Privacy is a fundamental right that is recognized globally, with regional and national data protection and privacy laws in effect around the world.
ServiceNow provides a highly secure and agile cloud infrastructure, and its services deliver robust protection for our Customers’ data. Our privacy program helps make sure that our business practices operationally conform with applicable global privacy and data protection laws.
ServiceNow is generally a service provider and data processor to our Customers when we provide our services, and process personal data on their behalf in accordance with their instructions. These FAQs provide information about ServiceNow’s approach to privacy and data protection as a service provider and data processor.
ServiceNow may also act as a controller in relation to certain other activities ancillary to our services, and you can find out more about ServiceNow as a controller in our Privacy Statement.
- Is ServiceNow compliant with global privacy and data protection laws?
ServiceNow complies with all global privacy and data protection laws that apply to ServiceNow as part of the provision of our services. We also monitor privacy law developments globally to evaluate the potential impact on our business, and to assist our Customers with their own compliance requirements.
- How does ServiceNow manage its global privacy compliance obligations?
ServiceNow has a dedicated Global Privacy team advising on matters relating to privacy and data protection worldwide. As part of this, a robust, organization‑wide privacy program is maintained. ServiceNow has a Data Protection Officer (“DPO”), registered with the relevant Data Protection Regulators. ServiceNow also has a dedicated Data Security team working alongside the Privacy team.
- Is ServiceNow a controller or a processor under the GDPR when providing services?
As a global Software‑as‑a‑Service provider, ServiceNow acts as a processor under the General Data Protection Regulation (“GDPR”) when providing services to our Customers. Under the terms of our standard Data Processing Addendum with Customers and Partners, ServiceNow will only process personal data as instructed by the Customer or Partner, for the purpose of providing services.
- Is ServiceNow a service provider or business under the CCPA?
Under the California Consumer Privacy Act (“CCPA”) ServiceNow is a service provider when providing services to our Customers. Under the terms of our standard Data Processing Addendum with Customers and Partners, ServiceNow will only process personal data as instructed by the Customer or Partner, for the purpose of providing services.
- When does ServiceNow act as a controller under GDPR and a business under CCPA?
There are limited instances where ServiceNow acts as a controller under GDPR and a business under CCPA relating to our services. For example, ServiceNow will determine the purposes and means of processing personal data when processing account management and billing data, marketing data, and when processing certain data on centralized ServiceNow platforms. Please see the ServiceNow Privacy Statement for more information.
- What personal data does ServiceNow process as part of the services?
Personal data can be uploaded by Customer or Customer’s agents, employees, or contractors to the Customer instance. The categories of personal data processed are therefore determined by the Customer. ServiceNow, as a data-agnostic data processor, does not have visibility or control over what data Customers choose to process within their Customer instance.
- How may ServiceNow access personal data within Customer instances to provide Customer support services?
Some Customer support services may require remote access to the Customer’s instance. Access for ServiceNow to perform routine Customer support is generally determined by each Customer, and ServiceNow offers several access control options. Customers can explore these options in more detail in the relevant product documentation, as well as certain region‑specific services with additional access controls.
- Where does ServiceNow store Customer data?
Customer data storage locations vary depending on the type of service and location of the Customer, as specified in the relevant Order Form.
- Where can I get more information about ServiceNow’s services?
Discover more about specific products through the ServiceNow Product Documentation.
- What sub‑processors does ServiceNow use?
In order to provide our services, ServiceNow may use ServiceNow group entities and third-party sub‑processors. A full list of our appointed sub‑processors for the different ServiceNow services is available here.
- How can I receive updates regarding sub‑processors?
From time to time, ServiceNow may update our sub‑processors as needed to continue to provide the services to Customers. If this happens, ServiceNow will notify Customers of new sub‑processors through the mechanism identified in Clause 6 of the Data Processing Addendum.
- How does ServiceNow address Privacy by Design and Privacy by Default?
ServiceNow has various processes in place to govern Privacy by Design during our product development lifecycle and to complete Privacy Impact Assessments when required. Our services incorporate functionalities to assist Customers in meeting their own privacy requirements. More information is available in ServiceNow CORE.
- What is ServiceNow’s approach to privacy when developing and deploying AI?
Our teams approach the development and deployment of technology incorporating artificial intelligence (AI) with care, keeping the trust and experience of our Customers at the forefront. ServiceNow’s AI products and features have undergone Privacy by Design reviews and may be subject to additional contractual terms that govern how those AI‑powered services are provided, and how data may be processed, such as the AI Product Specific Terms. For further information about generative AI experiences on the ServiceNow platform, please see our generative AI site.
- How does ServiceNow help Customers manage their personal data and meet their own compliance obligations?
Customers are given administrative access to their instances and have control of authentication, authorization, encryption, monitoring, and logging within their instances. These measures assist Customers in configuring security features to meet their compliance obligations.
More information is available to Customers in ServiceNow CORE and in the relevant Product Documentation.
- How do ServiceNow Customer contracts meet privacy and data protection compliance requirements?
ServiceNow operates on the basis of our comprehensive, global Data Processing Addendum and Data Security Addendum. These terms reflect how we operationally provide Customer services and incorporate necessary language for compliance with applicable global privacy and data protection regulations. These terms are entered into with Customers as part of our standard Master Ordering Agreement.
A full list of our Customer Agreements and Terms can be found here.
- Does GDPR stop ServiceNow from storing or processing personal data outside of the EU?
No. There is nothing in GDPR that requires personal data to be stored or processed exclusively in the EU. Transfers of personal data outside of the EU may be made by ServiceNow in accordance with our Customer contracts. Any such transfers are subject to an available data transfer mechanism such as adequacy decisions and Standard Contractual Clauses, in addition to the various supplementary technical and organizational safeguards made available by ServiceNow to further protect transferred data.
- What international transfers of Customer data does ServiceNow make?
ServiceNow may transfer Customer data to ServiceNow sub‑processors to provide Customer support and to secure the services. Please see our International Data Transfers FAQ for more information.
- What data transfer mechanisms does ServiceNow rely on?
ServiceNow relies on EU Commission adequacy decisions, EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and Swiss-specific data transfer language to enable transfers of Customer data to sub‑processors based outside of Europe.
ServiceNow has also put in place a variety of legal, technical, and operational safeguards, and has carried out a comprehensive Transfer Impact Assessment (TIA) in line with the requirements of EU law and the EDPB recommendations on data transfers.
For more information on ServiceNow’s data transfers, please see our dedicated data transfer materials: International Data Transfers FAQ.
- Can ServiceNow complete and/or assist with a Customer’s TIA?
ServiceNow cannot complete a TIA for our Customers since ServiceNow is a data-agnostic service provider with no general visibility of the categories of data submitted by Customers to their instances. Customers are in control of the data they submit to their instances. ServiceNow can, however, assist Customers in carrying out their own TIA by providing factual information about the structure of our services, locations from which Customer data is accessed by ServiceNow, and the technical, organizational, and security safeguards we offer. This information is available to Customers in ServiceNow CORE.
- What is the EU‑U.S. Data Privacy Framework (“DPF”) and is ServiceNow certified?
The DPF facilitates transfers of personal data between entities in the European Economic Area (“EEA”) and United States‑based trading partners who self‑certify under the DPF. The DPF introduces strengthened safeguards and procedures and a new redress mechanism for the benefit of EEA‑based data subjects. Companies certifying to the DPF framework agree to apply specific privacy and security protections to personal data when it is transferred from the EEA to the United States.
ServiceNow is certified under the DPF, which further demonstrates our commitment to global privacy standards and requirements. In accordance with this certification, ServiceNow complies with DPF principles and has made necessary updates to its privacy policies, which have been submitted to the U.S. Department of Commerce.
For more information on ServiceNow’s data transfers, please see our International Data Transfers FAQ.
- How does ServiceNow manage data requests or demands issued by public or government authorities?
Due to the nature of our services as a business‑to‑business company, it is unlikely that ServiceNow would receive a request from public or government authorities to access Customer data. However, ServiceNow must comply with its legal obligations, and we have implemented a government data access standard operating procedure to manage any such requests.
ServiceNow’s Data Processing Addendum sets out the process for handling inquiries and requests from public authorities (see Clause 3.3). For more information, Customers can also view the Government Requests Whitepaper on ServiceNow CORE.
- Does ServiceNow provide data hosting/localization services in the EU?
ServiceNow has data center pairs in the EU where Customers can have their data hosted in accordance with the Customer contract. In addition to this local hosting option, Customers can choose the “ServiceNow Protected Platform for the EU” (SPP EU). SPP EU provides Customers with greater control over how their data are processed by ServiceNow. For more information, Customers can also view the SPP EU white paper on ServiceNow CORE.
- Does ServiceNow sell or share data?
In compliance with CCPA requirements, ServiceNow does not “sell” or “share” (for advertising purposes) Customer data submitted by the Customer to its instance with third parties.
- How does ServiceNow secure Customer data?
ServiceNow has implemented organizational, technical, and contractual measures to protect the confidentiality, integrity, and availability of Customer data.
ServiceNow provides several security features and controls that Customers can elect to configure in their instances to meet their own security policies and requirements. These include access controls, authentication, and encryption options.
For further information on our applicable technical and organizational measures, please refer to the Customer contract in place with ServiceNow, which includes the relevant Data Security Addendum/data security clauses. Customers can also find out about ServiceNow’s security processes and procedures via our data security program white papers below and in ServiceNow CORE:
- What security certifications does ServiceNow have in place?
ServiceNow holds many certifications, including the ISO 27001 series (27017, 27018, and 27701), as well as other global, regional, and industry-specific certifications. A full list of ServiceNow’s security‐related certifications is available on the Compliance page of the ServiceNow Trust site.
- Do ServiceNow employees receive data protection training?
ServiceNow has a robust training program in place that includes mandatory general privacy training for all employees on a regular basis. In addition, our global Privacy and Security teams conduct regular bespoke training on a variety of topics necessary for specific functions.
- How can I exercise my privacy rights?
Customers are controllers of the personal data processed in their ServiceNow instances, and ServiceNow is a processor / service provider when providing our services. The relevant Customer should be contacted for any privacy related queries or requests relating to ServiceNow services.
Information on where ServiceNow is a controller of your personal data is detailed in our Privacy Statement, and you can submit a privacy request to ServiceNow using the online form Manage Your Privacy.
- How can I contact ServiceNow if I need more information?
To ask questions about our privacy or data protection practices, please contact us at: privacy@servicenow.com.
The following resources can be used to find more information:
- What do I do if I need ServiceNow’s assistance with a questionnaire?
Please reach out to your Sales Contact for assistance with questionnaires or for general assistance with your Customer contract.
NOTE: The above information is provided by ServiceNow for information purposes only and is not intended to serve as legal advice, or any legally binding commitments by ServiceNow.