WHITE PAPER ServiceNow Protected Platform Singapore (SPP SG) Information security overview and frequently asked questions Release: Yokohama WHITE PAPER 2SPP Singapore v1.2 | March 2025 Release: Yokohama Introduction Government, public sector, finance, and healthcare organizations are subject to stringent data security regulations, which often require strict controls over data residency and other criteria. To meet these customer needs, ServiceNow partnered with Microsoft to create the ServiceNow Protected Platform for Singapore (“SPP SG”) cloud offering. This provides in-country data storage and processing within Singapore. The SPP SG cloud operates from Singapore Microsoft Azure data centers. This document is designed to be read alongside Securing the Now Platform white paper which gives a holistic overview of the physical, administrative, and technical controls ServiceNow has in place to securely protect customer data. In addition, ServiceNow provides the CORE Compliance Portal where customers (and prospects under NDA) can access prefilled vendor risk questionnaires, certifications and attestations, internal standard operating procedures, and results of penetration tests and audits. Video: ServiceNow CORE Compliance Portal Note: Some details provided in this document are specific to SPP Singapore, and supersedes the information found elsewhere about the standard ServiceNow Commercial Cloud. WHITE PAPER Table of contents Introduction 2 Security Shared Responsibility Model 4 Data residency architecture 5 ServiceNow Advanced High Availability architecture 6 Certifications and attestations 6 Customer access 6 ServiceNow access 6 Technical support 7 Data encryption 7 ServiceNow cloud comparison 8 Frequently asked questions 9 Conclusion 12 Resources 12 WHITE PAPER 4SPP Singapore v1.2 | March 2025 Release: Yokohama Using the extensive capabilities of the Now Platform,® customers can configure instances to meet their unique security policies and obligations while also complying with any regional or industry- specific requirements. Security Shared Responsibility Model Security is a partnership between ServiceNow and the customer, both with specific responsibilities. Therefore, it is essential that each party understands their role in this partnership. Using the extensive capabilities of the Now Platform,® customers can configure instances to meet their unique security policies and obligations while also complying with any regional or industry-specific requirements. For more information about security responsibilities concerning customer data, see the ServiceNow Shared Responsibility Model overview. • As the data controller, the customer determines access rights to their instance and the data it contains. Granular security controls within the instance enable customers to implement policies appropriate to their own requirements and make decisions on data classification. • As the data processor, ServiceNow secures the platform infrastructure and provides tools for security management and monitoring according to customer requirements. Area of Responsibility Responsibility Customer ServiceNow Colocation (data center providers) Security contact details  Secure configuration of instance  Authentication and authorization  Data management (classification and retention)  Data encryption at rest  Data encryption in transit   Encryption key management   Security logging and monitoring   Secure SDLC processes   Penetration testing   Vulnerability management   Privacy compliance   Compliance: regulatory and legal    Employee vetting or screening    Physical security/environment controls   Cloud infrastructure security management  Infrastructure management  Media disposal and destruction  Backup and restore  Business continuity and disaster recovery  WHITE PAPER 5SPP Singapore v1.2 | March 2025 Release: Yokohama Data residency architecture The ServiceNow Protected Platform Singapore (SPP SG) is available to all Singapore customers from the public sector, and highly regulated industries. This cloud offering enables our SPP SG customers to meet localized data residency requirements, while retaining the high levels of scalability and resilience they have come to expect from ServiceNow. SPP SG instances and associated services are hosted exclusively in Azure data centers located in Singapore. There is no dependency on the standard ServiceNow Commercial Cloud infrastructure and only minimal, secure connectivity to the ServiceNow backbone network. Hosting in Singapore Azure data centers allows for critical activities such as maintenance, configuration, and technical support provision, all subject to strict controls and procedures, including quarantine. All customer data is stored and processed in-country, including data associated with common services such as email and encryption key management. The ServiceNow software platform is deployed in the form of Virtual Machines (VMs) which (together with the software running within them) are owned and operated by ServiceNow. The hypervisor and supporting infrastructure layers below it are owned and operated by Microsoft Azure. These hypervisors and VMs are not shared with any other Azure customer, further enhancing the security and segregation of customer data. The illustration below is an overview of SPP SG logical architecture. “その他 services” include DNS, monitoring, Support Portal, etc. Azure Singapore Enforced TLS via HTTPS Customer In-country boundary ServiceNow Protected Platform MS Singapore DC (Azure) Email EncryptionKeys Customer Instances Now Log Analytics GenAI その他 Services Encrypted Storage MS Singapore DC (Azure) Customer Instances Encryption Keys Email その他 Services GenAI Now Log Analytics Encrypted Storage Azure VPC Peering AHA Replication WHITE PAPER 6SPP Singapore v1.2 | March 2025 Release: Yokohama ServiceNow Advanced High Availability architecture With SPP SG, customer instances are hosted in data center pairs located within Singapore and benefit from the ServiceNow Advanced High Availability architecture. This architecture provides the same resilience standards as the standard ServiceNow Commercial Cloud. All communication between Azure data centers take place across Azure VNET connections. Certifications and attestations Customers subject to Multi-Tier Cloud Security (MTCS) Level 3 in Singapore and who require in-country data residency can use the ServiceNow in-country offering to adhere to these requirements. Existing ServiceNow certifications and attestations also apply to the ServiceNow Protected Platform (SPP SG). In addition, ServiceNow provides the CORE Compliance Portal where customers (and prospects under NDA) can access prefilled vendor risk questionnaires, certifications and attestations, internal standard operating procedures, and results of penetration tests and audits. Customer access The SPP SG platform is on the Azure SG backbone which is accessible via the internet or via customers’ own existing connections into Azure. The service is accessed via a web interface or the ServiceNow mobile apps using HTTPS with TLS 1.2 (TLS 1.3 may be requested). ServiceNow access Access to ServiceNow infrastructure within the SPP SG environment is only possible by these authorized ServiceNow personnel from a secure, non-persistent Virtual Desktop Environment (VDE) hosted in Singapore and connecting to SPP SG over secure, encrypted connections. Rigorous authentication checks must be passed before access is granted to the VDE. WHITE PAPER 7SPP Singapore v1.2 | March 2025 Release: Yokohama Technical support SPP SG customers can use the dedicated SPP SG Support Portal to manage their instances and any support cases. This portal is hosted within the SPP SG environment. All technical support for SPP SG is provided by the ServiceNow support team. In the case of any issue relating to Azure infrastructure, ServiceNow will liaise with the Microsoft support team directly, without need for customer intervention. Customer Now Support Case Now Support Task Azure Portal Ticket TSE SRE Microsoft AzureTechnical Support The Site Reliability Engineering (SRE) team and some Global Cloud Services teams have access to the Azure environment and a ticketing system to engage with Microsoft Azure Technical Support. Data encryption Most data encryption options remain the same as with the standard ServiceNow Commercial Cloud, including the comprehensive data in transit and data at rest mechanisms. In addition, SPP SG customers benefit from additional data-at-rest protection provided by Azure’s encrypted storage, which employs SSE-PMK (Server Side Encryption, Platform Managed Key). This uses 256-bit AES encryption for the Key Encryption Key (known as Envelope Encryption). The keys are protected and managed by ServiceNow in a dedicated Azure Key Vault hosted within SPP SG data centers. WHITE PAPER 8SPP Singapore v1.2 | March 2025 Release: Yokohama ServiceNow cloud comparison Current ServiceNow security and privacy practices, procedures, certifications, and attestations are applicable to the SPP SG and are described in detail within the Securing the Now Platform white paper. However, there are some notable differences between the standard ServiceNow Commercial Cloud and the SPP SG, as outlined in the table below: Element ServiceNow Commercial Cloud ServiceNow Protected Platform Physical data centers • Colocation facilities leased to and managed by ServiceNow • Microsoft owned and managed Cloud infrastructure • Deployed, managed, and operated by ServiceNow • Deployed, managed, and operated by ServiceNow • Physical network and compute infrastructure owned by Microsoft Operating jurisdictions • Regional, potentially across national or regional borders1 • Singapore only Support locations • Technical support is a global team with support centers • Technical support is a global team with support centers using dedicated in-country support portal Availability • Instance transfers and failovers to colocation facilities in the same regional pair • Instance transfers and failovers occur within the SPP SG Azure data centers only Customer instance isolation • Multi-instance architecture on ServiceNow managed physical infrastructure • Private network infrastructure • Multi-instance architecture on ServiceNow managed virtual infrastructure • Dedicated ServiceNow virtual machines, not shared with other Azure customers • No hypervisors shared with other Azure customers • Private virtual network infrastructure, not shared with other Azure customers Encryption in transit • TLS 1.