ServiceNow, Inc. (“ServiceNow”) complies with the EU‑U.S. Privacy Shield
Framework set forth by the United States Department of Commerce with
respect to the collection, use and retention of Personal Data
transferred from the European Economic Area (“EEA”)to the
United States as further described in the Scope section below. This
Privacy Shield Policy outlines our commitment to the Privacy Shield
Principles (the “Principles”) and our practices for implementing the
Principles. ServiceNow’s Privacy Shield certification can be found here.
To learn more about the Privacy Shield Framework, please visit the
Department of Commerce’s dedicated Privacy Shield website, located here.
ServiceNow commits to comply with the Principles with respect to the
Personal Data the company receives from its Customers or their Users
in the EEA in connection with the use of (i) applications downloaded
to a User’s mobile device (“Mobile Applications”); and (ii)
ServiceNow’s hosted software applications (the “Subscription
Service”) and related support services (“Support
Services”), as well as expert services (including professional
services, training and certification) (the “Expert Services”)
that we provide to Customers. In this Privacy Shield Policy, the
Subscription Service, Support Services and the Expert Services are
collectively referred to as the “Service.”
“Controller” means a person or organization which, alone or
jointly with others, determines the purposes and means of the
processing of Personal Data.
“Customer” means any entity that purchases the Service.
“Customer Data” means the electronic data uploaded into the
Subscription Service by or for a Customer or its Users.
“Device” means a mobile device.
“Personal Data” means any information, including Sensitive
Data, that is (i) about an identified or identifiable individual and
(ii) received by ServiceNow in the U.S. from the EEA in connection
with the Service.
“Processor” means any natural or legal person, public
authority, agency or other body that processes Personal Data on behalf
of a Controller.
“Sensitive Data” means Personal Data specifying medical or
health conditions, racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union membership, sex life,
the commission or alleged commission of any offense, any proceedings
for any offense committed or alleged to have been committed by the
individual or the disposal of such proceedings, or the sentence of any
court in such proceedings.
“User” means an individual authorized by Customer to access and
use the Subscription Service.
Types of Personal Data Collected
ServiceNow hosts and processes Customer Data, including any Personal
Data contained therein, at the direction of and pursuant to the
instructions of ServiceNow’s Customers. ServiceNow also collects
several types of information from our Customers, including:
Information and correspondence our Customers and Users submit
to us in connection with Expert Services or other requests related
to our Service.
Information we receive from our business
partners in connection with our Customers’ and Users’ use of the
Service or in connection with services provided by our business
partners on their behalf, including configuration of the
Information related to Users’ use of
the Mobile Applications, including geographic location data and
information regarding Users’ Devices and OS identification, login
credentials, language and time zone.
In addition, ServiceNow collects general information about its
Customers, including a Customer’s company name and address, credit
card information, and the Customer representative’s contact
information (“General Information”) for billing and contracting purposes.
Purposes of Collection and Use
ServiceNow may use Personal Data submitted by our Customers and Users
as necessary to provide the Service and Mobile Applications, including
updating, enhancing, securing and maintaining the Subscription Service
and Mobile Applications and to carry out ServiceNow’s contractual
obligations to its Customers. ServiceNow also obtains General
Information in connection with providing the Service and maintaining
ServiceNow’s relationships with its Customers.
Third Party Disclosures
We may disclose Personal Data that our Customers and Users provide to
our Service and Mobile Applications:
To our subsidiaries and affiliates;
business partners and service providers we use to support our
In the event ServiceNow sells or transfers all or a
portion of its business or assets (including in the event of a
merger, acquisition, joint venture, reorganization, dissolution or
liquidation), in which case Personal Data held by us about our
Customers will be among the assets transferred to the buyer or
If required to do so by law or legal process;
In response to lawful requests from public authorities,
including to meet national security, public interest or law
Individuals in the EEA generally have the right to access their
Personal Data. As an agent processing Personal Data on behalf of its
Customers, ServiceNow does not own or control the Personal Data that
it processes on behalf of its Customers or their Users and does not
have a direct relationship with the Users whose Personal Data may be
processed in connection with providing the Service. Since each
Customer is in control of what information, including any Personal
Data, it collects from its Users, how that information is used and
disclosed, and how that information can be changed, Users of the
Subscription Service should contact the applicable Customer
administrator with any inquiries about how to access or correct
Personal Data contained in Customer Data. To the extent a User makes
an access or correction request to ServiceNow, we will refer the
request to the appropriate ServiceNow Customer and will support such
Customer as needed in responding to any request.
To access or correct any General Information Customer has provided,
the Customer should contact their ServiceNow account representative
directly or by using the contact information indicated below.
In accordance with the Principles, ServiceNow will offer Customers
and Users choice to the extent it (i) discloses their Personal Data to
third party Controllers, or (ii) uses their Personal Data for a
purpose that is materially different from the purposes for which the
Personal Data was originally collected or subsequently authorized by
the Customer or User. To the extent required by the Principles,
ServiceNow also will obtain opt‑in consent if it engages in certain
uses or disclosures of Sensitive Data. Unless ServiceNow offers
Customers and Users an appropriate choice, ServiceNow uses Personal
Data only for purposes that are materially the same as those indicated
in this Policy.
ServiceNow may disclose Personal Data of Customers and Users without
offering an opportunity to opt out, and may be required to disclose
the Personal Data, (i) to third‑party Processors that ServiceNow has
retained to perform services on its behalf and pursuant to its
instructions, (ii) if it is required to do so by law or legal process,
or (iii) in response to lawful requests from public authorities,
including to meet national security, public interest or law
enforcement requirements. ServiceNow also reserves the right to
transfer Personal Data in the event of an audit or if the company
sells or transfers all or a portion of its business or assets
(including in the event of a merger, acquisition, joint venture,
reorganization, dissolution or liquidation).
Liability for Onward Transfers
ServiceNow complies with the Privacy Shield’s Principle regarding
accountability for onward transfers. ServiceNow remains liable under
the Principles if its onward transfer recipients process Personal Data
in a manner inconsistent with the Principles, unless ServiceNow proves
that it was not responsible for the event giving rise to the damage.
If ServiceNow maintains your Personal Data in one of the Services
within the scope of our Privacy Shield certification, you may direct
any inquiries or complaints concerning our Privacy Shield compliance
to email@example.com, or in
the U.S. or EEA by regular mail as indicated below. ServiceNow shall
respond within 45 days. If your complaint cannot be resolved through
ServiceNow’s internal processes, ServiceNow will cooperate with JAMS
pursuant to the JAMS International Mediation Rules, available on the
JAMS website at www.jamsadr.com/international‑mediation‑rules.
JAMS mediation may be commenced as provided for in the relevant JAMS
rules. The mediator may propose any appropriate remedy, such as
deletion of the relevant Personal Data, publicity for findings of
non‑compliance, payment of compensation for losses incurred as a
result of non‑compliance, or cessation of processing of Personal Data
of the Customer or User who brought the complaint. The mediator, or
the Customer or User, also may refer the matter to the U.S. Federal
Trade Commission, which has Privacy Shield investigatory and
enforcement powers over ServiceNow. Under certain circumstances,
Customers and Users may be able to invoke binding arbitration to
address complaints about ServiceNow’s compliance with the Principles.
How to Contact ServiceNow
To ask questions or comment about this Privacy Shield Policy and our
privacy practices or if you need to update, change or remove your
information, contact us at: firstname.lastname@example.org or by
regular mail addressed to:
ServiceNow, Inc. Attn: Privacy 2225 Lawson Lane
Santa Clara, CA 95054
Alternatively, regular mail may also be directed to our European
Union‑based subsidiary, ServiceNow Nederland B.V., by addressing it to:
ServiceNow Nederland B.V. Attn: Legal Department
Hoekenrode 3 1102 BR Amsterdam The Netherlands