Providing trust and security

Secure your workflows from start to finish, creating a trusted foundation for your entire business. Rest easy with dedicated and isolated high-availability cloud instances. Rely on consistent, automated security controls and certified secure integrations, and keep your data safe with multi-layer encryption and data privacy and access controls. And keep your customers, business partners, and internal stakeholders confident by demonstrating compliance with a wide range of applicable regulatory standards.

Data encryption

ServiceNow instances support symmetric AES256 database encryption using a three-level key hierarchy. When enabled, database records and logs on the instance are encrypted using an instance-specific key. A second key is used to protect the first-level key. A third-level instance-specific key protects the second-level key and is stored in a FIPS 140 validated key management appliance in the ServiceNow datacenter. ServiceNow has implemented strict access control for this appliance and has established clear separation of duties. Only four people in ServiceNow security operations have access to the appliance, and these employees do not have access to any ServiceNow customer instances.

All data transfers between ServiceNow mobile apps and the ServiceNow instance are over secure TLS/SSL channels using HTTPS and are encrypted using FIPS 140-2 validated cryptographic components. When ServiceNow mobile apps store data offline, the data is AES 256 encrypted and stored using FIPS 140-2 validated components on the device. Offline data is automatically wiped after 48 hours or when the user logs out of the mobile app.
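
The three-level key hierarchy described under Data encryption, as an added Ruby sketch (not ServiceNow code). It goes one step beyond the page by showing that replacing the level-3 key re-wraps only the level-2 key and leaves the record ciphertext untouched. Assumptions: AES-256-GCM as the mode, the hypothetical names seal, unseal, Store, build_store, read_record and rotate_l3, and a level-3 key passed as a parameter where the page keeps it in a key management appliance.

```ruby
require 'openssl'

# Assumption: AES-256-GCM. The page says only "AES256" and names no mode.
CIPHER = 'aes-256-gcm'

# Encrypt under a 32-byte key. Output: 12-byte nonce || 16-byte tag || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new(CIPHER).encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ''
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext
end

# Reverse of seal. Raises OpenSSL::Cipher::CipherError on a wrong key or tampering.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize <= 28
  c = OpenSSL::Cipher.new(CIPHER).decrypt
  c.key = key
  c.iv = blob.byteslice(0, 12)
  c.auth_tag = blob.byteslice(12, 16)
  c.auth_data = ''
  c.update(blob.byteslice(28..-1)) + c.final
end

# What sits beside the data: ciphertext and wrapped keys, never the level-3 key.
Store = Struct.new(:record, :wrapped_l1, :wrapped_l2)

def build_store(l3_key, record)
  l1, l2 = Array.new(2) { OpenSSL::Random.random_bytes(32) }
  Store.new(seal(l1, record), seal(l2, l1), seal(l3_key, l2))
end

# Walk the hierarchy top down: level 3 opens level 2, level 2 opens level 1.
def read_record(store, l3_key)
  l2 = unseal(l3_key, store.wrapped_l2)
  l1 = unseal(l2, store.wrapped_l1)
  unseal(l1, store.record)
end

# Replacing the level-3 key re-wraps one 32-byte key; the record is not re-encrypted.
def rotate_l3(store, old_l3, new_l3)
  store.wrapped_l2 = seal(new_l3, unseal(old_l3, store.wrapped_l2))
end

l3 = OpenSSL::Random.random_bytes(32) # stand-in for the appliance-held key
store = build_store(l3, 'constructed sample record')
puts read_record(store, l3)
```
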

Regulatory compliance

The Now Platform has the following certifications and attestations:

✓ ISO 27001, 27017, 27018, 27701
✓ DoD IL-4
✓ SOC-1, SOC-2, SOC-2 + HITRUST
✓ AGID
✓ FedRAMP High
✓ UK Cyber Essentials Plus
✓ Health Data Hosting (HDS)
✓ IRAP OFFICIAL, IRAP PROTECTED
✓ C5
✓ MTCS - Level 3

Privacy and access controls

The Now Platform provides robust access control mechanisms, including access control lists and role-based access control. Using access control lists, you can control which employees can log into your ServiceNow instance, including specifying the time window for which access is granted. For each database table, you can also control whether specific users can create, read, update, or delete records. And you can restrict users from viewing specific fields, including preventing them from viewing fields that are derived from a restricted field (for instance, to protect PII data).

In addition to table-level access control, the Now Platform also provides role-based access control. This allows you to create roles that can access specific ServiceNow applications and capabilities. You then assign one or more of these roles to users or user groups. The Now Platform comes with predefined base roles, and many ServiceNow applications also come with predefined roles. You can also define your own roles.

The Now Platform also supports domain separation, allowing you to host multiple tenants on your ServiceNow instance. Domain separation allows you to separate data, processes, and administrative functions into logically defined domains. This is useful for service providers that want to support multiple customers on a single ServiceNow instance, or for organizations that need to enforce segregation across their various business entities.

Note that the Now Platform also logs all user actions, providing an audit trail for investigations and regulatory compliance.

© 2022 ServiceNow, Inc. All Rights Reserved. Confidential.
The Now Platform Reference Guide Page 26