ServiceNow® Data Privacy Framework Policy

Effective as of July 1, 2024

Purpose

The purpose of this policy is to ensure ServiceNow, Inc. (“ServiceNow”) compliance with the EU‑U.S. Data Privacy Framework (EU‑U.S. DPF), the UK Extension to the EU‑U.S. DPF, and the Swiss‑U.S. Data Privacy Framework (Swiss‑U.S. DPF) set forth by the United States Department of Commerce (DoC) with respect to the collection, use and retention of Personal Data transferred from the European Union, United Kingdom (and Gibraltar), and Switzerland to the United States as further described herein (collectively, the “DPF Policy”). This DPF Policy outlines our commitment to the DPF Principles (the “Principles”) and our practices for implementing the Principles.

ServiceNow participates in the EU‑U.S. Data Privacy Framework (EU‑U.S. DPF), the UK Extension to the EU‑U.S. DPF, and the Swiss‑U.S. Data Privacy Framework (Swiss‑U.S. DPF) as set forth by the DoC. ServiceNow has certified to the DoC that it adheres to the EU‑U.S. Data Privacy Framework Principles (EU‑U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union in reliance on the EU‑U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU‑U.S. DPF. ServiceNow has certified to the DoC that it adheres to the Swiss‑U.S. Data Privacy Framework Principles (Swiss‑U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss‑U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU‑U.S. DPF Principles, the UK Extension to the EU‑U.S. DPF, and/or the Swiss‑U.S. DPF Principles, the Principles shall govern. To learn more about the DoC Data Privacy Framework (DPF) program please visit here. The DoC Data Privacy Framework List (including ServiceNow’s DPF certification) is available here (search for “ServiceNow, Inc.” under active participants). ServiceNow participates in the Principles with respect to the Personal Data it receives from its Customers or their Users in the European Union, United Kingdom (and Gibraltar), and Switzerland in connection with the use of (i) applications downloaded to a User’s mobile device (“Mobile Applications”); and (ii) ServiceNow’s hosted software applications (the “Subscription Service”) and related support services (“Support Services”), as well as expert services (including professional services, training and certification) (the “Expert Services”) that we provide to Customers and Users. In this DPF Policy, the Subscription Se

Roles and Responsibilities

The roles, departments, and teams listed below are responsible for completing activities described within this document as well as for enforcing, distributing, and implementing this DPF Policy.

The Company intends that all ServiceNow controlled documents will be retained in the policy management system and active ServiceNow controlled documents will be made available on the Employee Portal and applicable intranet sites.

Certain ServiceNow controlled documents may require that the parties to whom the policy applies, complete training or acknowledge that they have read, understood, and agree to comply with the policy.

Any such training, attestations, or communications are determined and managed by the Policy Owner and Owning Department.

Role: All Employees
Responsibility: Review when applicable to role
Awareness & Training: Published to KB

Definitions

The following terms are found within this document, including acronyms.

  • Controller: means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • Customer: means any entity that purchases the Service.
  • Customer Data: is defined in our Customer contracts as the data and content uploaded into the Subscription Service by or for a Customer or its agents, employees, or contractors. (Also see ServiceNow Subscription Service/Customer Restricted)
  • Device: means a mobile device.
  • ICDR‑AAA: means International Centre for Dispute Resolution‑American Arbitration Association 
  • Personal Data: means any information, including Sensitive Data, that is (i) about an identified or identifiable individual and (ii) received by ServiceNow in the U.S. from the European Union, United Kingdom, and Switzerland in connection with the Service.
  • Processor: means any natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of a Controller.
  • Sensitive Data: means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.
  • ServiceNow Subscription Service/Customer Restricted: as defined in the Data Classification Standard, SURF POL0020328, “Customer Data” is the term used in contract language to depict data uploaded to the customer subscription service (i.e., customer instance). See also definition above in this Section 1.4 “Customer Data” for additional details.
  • User: means an individual authorized by Customer to access and use the Subscription Service.
  • Policy: A document that records core principles, high‑level intent, and sets overall management direction and organizational goals. The intended purpose is to influence and guide both present and future decision making in line with the philosophy, objectives, and strategic plans established by the enterprise’s management teams (i.e., “why” programs or processes are in place).

Types of Personal Data Collected

ServiceNow hosts and processes Customer Data, including any Personal Data contained therein, as a Processor at the direction of and pursuant to the instructions of ServiceNow’s Customers.

ServiceNow also collects several other types of information from our Customers, and may process such data as a Controller, including:

  • Information and correspondence our Customers and Users submit to us in connection with Support Services and Expert Services or other requests related to our Service.
  • Information we receive directly from Customers or from our business partners in connection with our Customers’ and Users’ use of the Service or in connection with services provided by our business partners on their behalf, including configuration of the Subscription Service.
  • Information related to Users’ use of the Mobile Applications, including geographic location data and information regarding Users’ Devices and OS identification, login credentials, language, and time zone.
  • General information about Customers, including a Customer’s company name and address, credit card information, and the Customer representative’s contact information for billing, marketing, and contracting purposes (“General Information”).

Purposes of Collection and Use

ServiceNow may use Personal Data submitted by our Customers and Users as necessary to provide the Service and Mobile Applications, including updating, enhancing, securing, and maintaining the Subscription Service and Mobile Applications and to carry out ServiceNow’s contractual obligations to its Customers. ServiceNow also obtains General Information in connection with providing the Service and maintaining ServiceNow’s relationships with its Customers. Data will be retained in accordance with our Record Retention Schedule unless otherwise required by law or contract agreement.

Third Party Disclosures

We may disclose Personal Data that our Customers and Users provide to our Service and Mobile Applications:

  • To our subsidiaries and affiliates;
  • To contractors, business partners and service providers we use to support our Service;
  • In the event ServiceNow sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution, or liquidation), in which case Personal Data held by us about Users or relating to Customers may be among the assets transferred to the buyer or acquirer;
  • If required to do so by law or legal process;
  • In response to lawful requests from public authorities, including to meet national security, public interest, or law enforcement requirements.
  • ServiceNow’s Data Processing Addendum and Data Security Addendum, located here, provide more information regarding data protection and breach notification requirements in the course of providing the Subscription Service.

Access & Correction

Individuals in the European Union, United Kingdom (and Gibraltar), and Switzerland generally have the right to access their Personal Data. As a Processor processing Personal Data on behalf of its Customers in the course of providing the Subscription Service, ServiceNow does not own or control such data and does not have a direct relationship with the Users whose Personal Data may be processed in connection with providing the Subscription Service. Since each Customer is in control of what information, including any Personal Data, it collects from its Users, how that information is used and disclosed, and how that information can be changed, Users of the Subscription Service should contact the applicable Customer administrator with any inquiries about how to access or correct Personal Data contained in Customer Data. To the extent a User makes an access or correction request to ServiceNow, we will refer the request to the appropriate ServiceNow Customer and will support such Customer as needed in responding to any request.

To access or correct any General Information Customer has provided, or other personal data in respect of which ServiceNow acts as a Controller, the relevant individual should contact their ServiceNow account representative directly or contact us at: privacy@servicenow.com.

Choice

Subject to the below paragraph, in accordance with the Principles, ServiceNow will offer Customers and Users the ability to request that ServiceNow limit the use and disclosure of their Personal Data to the extent it: (i) discloses their Personal Data to third party Controllers, or (ii) uses their Personal Data for a purpose that is materially different from the purposes for which the Personal Data was originally collected or subsequently authorized by the Customer or User. To the extent required by the Principles and applicable laws, ServiceNow also will obtain opt‑in consent if it engages in certain uses or disclosures of Sensitive Data. Unless permitted by applicable laws and the Principles, ServiceNow uses Personal Data only for purposes that are materially the same as those indicated in this Policy.

ServiceNow may disclose Personal Data of Customers and Users without offering an opportunity to opt out, and may be required to disclose the Personal Data, (i) to third‑party Processors that ServiceNow has retained to perform services on its behalf and pursuant to its instructions, (ii) if it is permitted or required to do so by law or legal process, or (iii) in response to lawful requests from public authorities, including to meet national security, public interest, or law enforcement requirements. ServiceNow also reserves the right to transfer Personal Data in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution, or liquidation).

Liability for Onward Transfers

ServiceNow participates in the DPF’s Principle regarding accountability for onward transfers as demonstrated in our customer agreements and agreements with subprocessors and vendors. ServiceNow remains liable under the Principles if its onward transfer recipients process Personal Data in a manner inconsistent with the Principles, unless ServiceNow proves that it was not responsible for the event giving rise to the damage.

Dispute Resolution

If ServiceNow maintains your Personal Data in one of the Services within the scope of our DPF certification, you may direct any inquiries or complaints concerning our DPF compliance to privacy@servicenow.com. ServiceNow shall respond within 45 days.

If your complaint cannot be resolved through ServiceNow’s internal processes, ServiceNow will cooperate with the International Centre for Dispute Resolution‑American Arbitration Association (ICDR‑AAA) pursuant to the applicable ICDR‑AAA procedures, available on the ICDR‑AAA website here. In compliance with the EU‑U.S. DPF and the UK Extension to the EU‑U.S. DPF and the Swiss‑U.S. DPF, ServiceNow commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the EU‑U.S. DPF and the UK Extension to the EU‑U.S. DPF and the Swiss‑U.S. DPF to the International Centre for Dispute Resolution‑American Arbitration Association (ICDR‑AAA), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles‑related complaint from us, or if we have not addressed your DPF Principles‑related complaint to your satisfaction, please visit here for more information or to file a complaint. The services of the ICDR‑AAA are provided at no cost to you.

The ICDR‑AAA alternative dispute resolution process may be commenced as provided for in the relevant ICDR‑AAA rules and procedures. The ICDR‑AAA neutral may propose any appropriate remedy, such as deletion of the relevant Personal Data, publicity for findings of non‑compliance, payment of compensation for losses incurred as a result of noncompliance, or cessation of processing of Personal Data of the Customer or User who brought the complaint. The ICDR‑AAA neutral, or the Customer or User, also may refer the matter to the U.S. Federal Trade Commission (FTC). As the FTC has jurisdiction over ServiceNow’s compliance with the EU‑U.S. Data Privacy Framework (EU‑U.S. DPF) and the UK Extension to the EU‑U.S. DPF, and the Swiss‑U.S. Data Privacy Framework (Swiss‑U.S. DPF), ServiceNow is subject to the investigatory and enforcement powers of the FTC. Under certain circumstances, Customers and Users may be able to invoke binding arbitration to address complaints about ServiceNow’s compliance with the Principles. Please visit here for additional details on when binding arbitration may be invoked under DPF.

How to Contact ServiceNow

In compliance with the EU‑U.S. DPF and the UK Extension to the EU‑U.S. DPF and the Swiss‑U.S. DPF, ServiceNow commits to resolve DPF Principles‑related complaints about our collection and use of your Personal Data. EU and UK and Swiss individuals with inquiries (including if you need to update, change, or remove your information) or complaints regarding our handling of Personal Data received in reliance on the EU‑U.S. DPF and the UK Extension to the EU‑U.S. DPF and the Swiss‑U.S. DPF should first contact ServiceNow at: privacy@servicenow.com.

If it’s not possible to contact ServiceNow at privacy@servicenow.com, you can contact us by regular mail addressed to:

ServiceNow, Inc.
Attn: Privacy
2225 Lawson Lane
Santa Clara, CA 95054

Alternatively, regular mail may also be directed to our European Union‑based subsidiary, ServiceNow Nederland B.V., by addressing it to:

ServiceNow Nederland B.V.
Attn: Legal Department
Hoekenrode 3
1102 BR Amsterdam
The Netherlands

Adherence to Policies and Procedures

All ServiceNow Employees and contractors are required to comply with all established ServiceNow policies, procedures, and standards, as amended from time to time. Failure to do so will be considered just cause for disciplinary action, up to and including termination. ServiceNow and its U.S. entities and/or U.S. subsidiaries listed below adhere to the Principles:

ServiceNow Delaware LLC