Thank you for reviewing ServiceNow’s Data Processing Annex (“DPA”) and Data Security Guide (“DSG”). Below, you will find information about ServiceNow’s privacy and security programmes, which are designed to protect the personal data that you submit to the ServiceNow cloud services.
ServiceNow’s DPA and DSG address our obligations as the data processor and your obligations as the data controller under relevant data protection laws. This FAQ provides answers to commonly asked questions regarding our DPA and DSG and provides explanations regarding the differences that you may see with our forms. Specifically, by virtue of the cloud‑based services we provide, we do not review or analyse the content of the data input by customers in the ordinary course of operating our services. As a result, we will not know whether personal data is uploaded into your instance of the services. Accordingly, as the customer and data controller, you are principally responsible for complying with any obligations under relevant data protection laws that require the review or analysis of data. For these reasons, our DPA and DSG are drafted to assist our customers in meeting their regulatory requirements whilst simultaneously reflecting the operational reality of the cloud‑based services that we provide.
1. What are ServiceNow’s security obligations with respect to personal data?
ServiceNow is committed to protecting the personal data that it processes by implementing and maintaining a robust security programme. Section 4.3 (Data Security Measures) of the DPA and Section 2 (Physical, Technical and Administrative Security Measures) of the DSG detail the specific technical, physical and organisational security measures ServiceNow takes to protect your data.
As a provider of a standardised cloud‑based service, ServiceNow maintains a data-agnostic security programme. In other words, we implement the same security measures regardless of the category or sensitivity of the data that customers process within their ServiceNow environment. Ultimately, because you have exclusive insight into the content of your data, it is your responsibility to review our security programme to determine whether it is sufficient for the data that you process or plan to process within your environment, as further described in Section 2.2 (Security Risk Assessment) of the DPA.
2. How does ServiceNow assist customers in complying with data subject rights mandated by data protection laws?
The ServiceNow cloud software provides functionality that facilitates access, correction, rectification, erasure and blocking of personal data, and further allows a customer to transfer or port personal data.
3. What audit rights do customers have as a data controller?
ServiceNow strongly believes in transparency regarding its data privacy and security programmes. In accordance with Section 4.2.1 (Audits) of the DSG, current customers may request access to the ServiceNow CORE, a comprehensive repository of information and documentation, including policies and procedures, as well as our then‑current third‑party audit reports against internationally recognised standards such as ISO 27001 and ISO 27018 and independent third‑party assessments against security standards like SSAE 18/SOC 1 and SOC 2 Type 2.
4. Does ServiceNow use any sub‑processors? How will I be notified of any future sub‑processors that ServiceNow intends to use?
ServiceNow is committed to providing world-class service to its customers, which includes 24x7 live technical support. To deliver and support our service, ServiceNow engages its affiliates located throughout the world, including in the United States, Australia and India.
ServiceNow may also engage a third party to provide processing services. However, prior to engaging a new sub‑processor, ServiceNow will notify you in accordance with Section 8.1.2 (New Sub‑Processors) of the DPA. You may object to ServiceNow’s proposed use of such sub‑processor in accordance with Section 8.2 (Right to Object).
This should be read in the context of ServiceNow’s investment in an EU‑centric service delivery offering.
5. How does ServiceNow notify customers of data breaches?
In the event of a security incident impacting customer data, ServiceNow will provide an initial report to the designated customer contact in the customer support portal. Customers are responsible for ensuring that the appropriate person is listed in the support portal.
6. What legal mechanism does ServiceNow use to transfer personal data from the European Union?
ServiceNow relies on EU Commission adequacy decisions and Standard Contractual Clauses (SCCs). For more information, please see our FAQ on International Transfers.
Please contact privacy@servicenow.com should you have any other questions about ServiceNow’s DPA and DSG.