Trust FAQs
Commonly asked questions about ServiceNow's privacy and security programmes.
Below, you will find information about ServiceNow's privacy and security programmes, which are designed to protect the personal data that you submit to the ServiceNow cloud services.
ServiceNow's standard Data Processing Addendum ("DPA") and Data Security Addendum ("DSA") at https://www.servicenow.com/uk/upgrade-schedules.html address our obligations as the data processor and your obligations as the data controller under relevant data protection laws. This FAQ provides answers to commonly asked questions regarding our DPA and DSA and provides explanations regarding the differences that you may see with our forms. Specifically, by virtue of the cloud‑based services we provide, we do not review or analyse the content of the data input by customers in the ordinary course of operating our services. As a result, we will not know whether personal data is uploaded into your instance of the services. Accordingly, as the customer and data controller, you are principally responsible for complying with any obligations under relevant data protection laws that require the review or analysis of data. For these reasons, our standard DPA and DSA are drafted to assist our customers in meeting their regulatory requirements while simultaneously reflecting the operational reality of the cloud‑based services we provide.
What are ServiceNow's security obligations with respect to personal data?
ServiceNow is committed to protecting the personal data that it processes by implementing and maintaining a robust security programme. The DSA details the specific technical, physical and organisational security measures ServiceNow takes to protect your data.
As a provider of a standardised cloud‑based service, ServiceNow maintains a data-agnostic security programme. In other words, we implement the same security measures regardless of the category or sensitivity of the data that customers process within their ServiceNow environment.
Ultimately, because you have exclusive insight into the content of your data, it is your responsibility to review our security programme to determine whether it is sufficient for the data you process or plan to process within your environment.
How does ServiceNow assist customers in complying with data subject rights mandated by data protection laws?
The ServiceNow cloud software provides functionality that facilitates access, correction, rectification, erasure and blocking of personal data, and further allows a customer to transfer or port personal data.
What audit rights do customers have as a data controller?
ServiceNow strongly believes in transparency regarding its data privacy and security programmes. In accordance with the audit clauses in the DPA and/or DSA, current customers may request access to the ServiceNow CORE, a comprehensive repository of information and documentation, including policies and procedures, as well as our then‑current third‑party audit reports against internationally recognised standards such as ISO 27001 and ISO 27018, and independent third‑party assessments against security standards like SSAE 18 / SOC 1 and SOC 2 Type 2.
Does ServiceNow use any sub‑processors? How will I be notified of any future sub‑processors that ServiceNow intends to use?
ServiceNow is committed to providing world-class service to its customers, which includes 24x7 live technical support. To deliver and support our service, ServiceNow engages its affiliates located throughout the world, including in the United States, Australia and India, and other sub‑processors for various services, as listed in the DPA. In accordance with the terms of the DPA, ServiceNow will notify you of new sub‑processors, and you may object to ServiceNow's proposed use of any such sub‑processor in accordance with the terms of the DPA.
This should be read in the context of ServiceNow's investment in an EU‑centric service delivery offering.
How does ServiceNow notify customers of data breaches?
In the event of a security incident impacting customer data, ServiceNow will provide an initial report to the designated customer contact in the customer support portal or as provided in the DPA and DSA. Customers are responsible for ensuring that the appropriate person is listed in the support portal.
What legal mechanism does ServiceNow use to transfer personal data from the European Union?
ServiceNow relies on EU Commission adequacy decisions and Standard Contractual Clauses (SCCs). For more information, please see the International Data Transfers FAQ, available at https://www.servicenow.com/uk/company/trust.html.