Security & Privacy

Built for enterprise environments. Your data stays with you.

Security Overview

  • Runs entirely client-side in your browser
  • No ServiceNow instance data leaves the browser
  • Uses only the user's existing permissions — no elevated access

Local Execution

SN Utils runs entirely in your browser. Your ServiceNow data never leaves your machine.

No Cloud Storage

We don't store your scripts, records, or credentials on any external servers.

Your Permissions

The extension operates under your logged-in user's rights. No elevated access.

Data Flow Overview

A visual representation of what data goes where

  • Your Browser: SN Utils runs here
  • Your Data (Scripts, Records)
  • ServiceNow: Your instance
  • License Only (Key, Email)
  • SN Utils: License API only

Your data stays between browser & ServiceNow
Only license metadata reaches our server
Air gap: No instance data crosses

Where does it run?

Understanding our security architecture in detail

Your Environment (Private)

Your Browser

SN Utils extension runs locally in your browser

ServiceNow Instance

Your data stays in ServiceNow under your credentials

Local Filesystem

ScriptSync writes files locally for VS Code (optional)

SN Utils Servers (Limited)

License Validation API

Validates license keys (frequency depends on licensing method)

Only metadata transmitted — no ServiceNow data

What data is NOT accessed or stored?

  • Your source code/scripts
  • ServiceNow records or configuration
  • Credentials or tokens
  • Business data

License Validation by Plan

How license checks work depends on your licensing method

Self-Service Licensing

For Team plan users via snutils.com

  • User-based license validation
  • Extension checks license at most once per day
  • IP address included at transport layer (standard HTTPS)
  • No ServiceNow instance data or hostnames transmitted

ServiceNow Store App

For Business and Enterprise plans

  • All license data stored on your ServiceNow instance
  • Extension communicates only with Store App on your instance
  • Store App validates with SN Utils backend
  • No user IP, ServiceNow data, or configuration transmitted
  • Additional sync/integrations are explicitly opt-in

Fully Autonomous Operation

For organizations with strict regulatory or security requirements, a fully disconnected setup is available where no external calls are required at all. SN Utils operates entirely on your ServiceNow instances without any backend communication.


How Your Data Stays Secure

A detailed breakdown of what stays local vs. what we receive

What Stays in Your ServiceNow Instance

Data Type              Where It Lives                          Backend Access
Your scripts & code    Your instance only                      Never transmitted
ServiceNow records     Your instance only                      Never transmitted
Credentials & tokens   Your instance only                      Never transmitted
User preferences       Your instance cache                     Never transmitted
Usage statistics       Your instance only (opt-in to share)    Opt-in only

What We Receive (Self-Service Plan)

  • User identifier: ServiceNow sys_id (not username/password)
  • Email & display name: For license seat tracking
  • IP address: Standard HTTPS transport layer (not stored)
  • Daily usage counts (opt-in): Aggregated totals only if you choose to share

Store App plans: The Store App on your instance communicates with our backend — your browser extension only talks to your ServiceNow instance.

What We Never Receive

  • ServiceNow credentials or passwords
  • Session tokens or API keys
  • Script content or source code
  • Ticket data or business records
  • ServiceNow instance configuration
  • Individual action timestamps

Security Architecture

Authentication

  • HMAC-SHA256 JWT tokens with 60-second expiration
  • Instance-specific API keys stored encrypted in ServiceNow Credentials
  • One-time setup tokens that expire after first use (7-day max)
  • Rate limiting — 5 registrations per hour per license
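
What a 60-second HMAC-SHA256 token check involves on the receiving side, as an added example for security reviewers (not SN Utils code). The function names, the claim layout and the 5-second clock-skew allowance are assumptions.

```javascript
// Added example (not SN Utils code): HS256 JWT capped at a 60-second lifetime.
const nodeCrypto = require('node:crypto');

const MAX_TTL_SECONDS = 60; // lifetime stated on this page
const CLOCK_SKEW_SECONDS = 5; // assumption: tolerated clock drift

const b64url = (input) => Buffer.from(input).toString('base64url');
const hmac = (key, data) => nodeCrypto.createHmac('sha256', key).update(data).digest();

// Hypothetical issuer; claims other than iat/exp are illustrative.
function signToken(claims, key, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ ...claims, iat: now, exp: now + MAX_TTL_SECONDS }));
  const sig = hmac(key, `${header}.${payload}`).toString('base64url');
  return `${header}.${payload}.${sig}`;
}

// Returns the claims, or throws with the reason the token was rejected.
function verifyToken(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed');
  const [header, payload, sig] = parts;

  // Check the MAC, in constant time, before parsing sender-controlled JSON.
  const expected = hmac(key, `${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }

  // Pin the algorithm rather than trusting the header's choice.
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
  if (alg !== 'HS256') throw new Error('unexpected alg');

  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (!Number.isInteger(claims.iat) || !Number.isInteger(claims.exp)) throw new Error('missing iat/exp');
  if (claims.exp - claims.iat > MAX_TTL_SECONDS) throw new Error('lifetime too long');
  if (now >= claims.exp) throw new Error('expired');
  if (claims.iat > now + CLOCK_SKEW_SECONDS) throw new Error('issued in the future');
  return claims;
}
```

The lifetime check on `exp - iat` matters as much as the expiry check: a correctly signed token that claims a one-hour lifetime is rejected even while it is still unexpired.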

Encryption

  • TLS 1.3 for all API communications
  • AES-256 encryption at rest in backend database
  • Password2 encryption for API keys in ServiceNow

Access Control

  • Row-Level Security on all backend tables
  • Principle of least privilege for personnel
  • Multi-factor authentication required for admin
  • URL validation (*.service-now.com only)
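
A strict form of the *.service-now.com check, as an added example (not SN Utils code). It parses the URL and compares the hostname rather than searching the string, so look-alike hosts fail. The function name, the single-label instance rule and the default-port rule are assumptions.

```javascript
// Added example (not SN Utils code): allowlist check for ServiceNow instance URLs.
const ALLOWED_SUFFIX = '.service-now.com'; // pattern from this page: *.service-now.com

// Returns the normalized origin for an HTTPS ServiceNow instance URL, else null.
function validateInstanceUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'https:') return null;

  // Userinfo can make a foreign host look like an instance name at a glance.
  if (url.username || url.password) return null;

  // Assumption: instances are reached on the default HTTPS port only.
  if (url.port) return null;

  // The parser lowercases the host; drop a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, '');

  // The leading dot in the suffix stops "xservice-now.com" from matching.
  if (!host.endsWith(ALLOWED_SUFFIX)) return null;

  // Assumption: the instance name is a single DNS label.
  const label = host.slice(0, -ALLOWED_SUFFIX.length);
  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) return null;

  return `https://${host}`;
}
```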

Works Offline

SN Utils is designed to continue working even if our backend is unreachable:

  • All data cached locally in your instance
  • Extension features work within browser session
  • License validation cached for continued operation
  • Sync happens periodically, not in real-time

Transparency & Compliance

Transparency

  • Source code available for security review
  • Clear data collection documentation
  • Responsive to security inquiries

Compliance

  • GDPR compliant (EU)
  • CCPA compliant (California)
  • ServiceNow Partner compliance

Optional Cloud Sync Features

SN Utils offers optional cloud backup and sync features. These are completely opt-in and disabled by default.

What can be synced (optional)

  • Code Snippets — Your saved code templates
  • Slash Commands — Custom commands you've created
  • Extension Settings — Your SN Utils preferences

Privacy Considerations

  • You can delete synced data at any time
  • ServiceNow instance data is never included in sync

Browser Extension Permissions

SN Utils requests only the permissions necessary to function. Here's why we need each:

Manifest Permissions

Cookies

Needed for, and used only for, switching nodes

Storage

Used to store SN Utils settings and to cache data, such as the table list, to reduce REST calls

activeTab

Interact with ServiceNow browser tabs

Tabs (Firefox only)

Enables live preview and real-time CSS from sn-scriptsync

Content Security Policy

https://*.service-now.com

Access your ServiceNow instance via REST API

ws://127.0.0.1:1978/

Local websocket for interaction between Helper Tab and VS Code sn-scriptsync

Note: SN Utils on-prem for Chrome does not implement a CSP at this point, but it shares the same codebase.

Security Questions?

Have questions about our security practices? Need a security questionnaire completed for your procurement team? We're happy to help.

For details on data handling, see the Privacy Policy.