Sign Up

Security & Privacy

Built for enterprise environments. Your data stays with you.

Security Overview

  • Runs entirely client-side in your browser
  • ServiceNow instance data (records, scripts, configuration) never leaves your device
  • Uses only the user's existing permissions — no elevated access
  • Cloud sync for your personal snippets, commands, switches, and settings (on by default, can be disabled)

Local Execution

SN Utils runs entirely in your browser. Your ServiceNow data never leaves your machine.

No Instance Data

Your ServiceNow records, credentials, and business data never leave your environment.

Your Permissions

The extension operates under your logged-in user's rights. No elevated access.

Data Flow Overview

A visual representation of what data goes where

ServiceNowYour instance
Your Data(Scripts, Records)
Your BrowserSN Utils runs here
Metadata(License, Settings*)
SN UtilsLicense & sync services
AIR GAP — No ServiceNow data crosses to SN Utils
Your ServiceNow data stays in your browser
Metadata only: license + optional sync*
Air gap: No ServiceNow instance data crosses

* Optional sync includes snippets, commands, and settings

Where does it run?

Understanding our security architecture in detail

Your Environment (Private)

Your Browser

SN Utils extension runs locally in your browser

ServiceNow Instance

Your data stays in ServiceNow under your credentials

Local Filesystem

ScriptSync writes files locally for VS Code (optional)

SN Utils Servers (Limited)

License Validation API

Validates license keys (frequency depends on licensing method)

Only metadata transmitted — no ServiceNow data

What ServiceNow data is NOT accessed?

  • Instance scripts or records
  • ServiceNow configuration
  • Credentials
  • Business data

License Validation by Plan

How license checks work depends on your licensing method

Self-Service Licensing

For Team plan users via snutils.com

  • User-based license validation
  • Extension checks license at most once per day
  • IP address included at transport layer (standard HTTPS)
  • No ServiceNow instance data transmitted

ServiceNow Store App

For Business and Enterprise plans

  • All license data stored on your ServiceNow instance
  • Extension communicates only with Store App on your instance
  • Store App validates with SN Utils backend
  • No user IP, ServiceNow data, or configuration transmitted
  • Additional sync/integrations are explicitly opt-in

Fully Autonomous Operation

For organizations with strict regulatory or security requirements, a fully disconnected setup is available where no external calls are required at all. SN Utils operates entirely on your ServiceNow instances without any backend communication.

Learn more about autonomous operation →

How Your Data Stays Secure

A detailed breakdown of what stays local vs. what we receive

What Stays in Your ServiceNow Instance

Data TypeWhere It LivesBackend Access
Your scripts & codeYour instance only Never transmitted
ServiceNow recordsYour instance only Never transmitted
Credentials & tokensYour instance only Never transmitted
User preferencesYour instance cache Never transmitted
Usage statisticsLocal + shared by default (Pro/Enterprise) On by default — opt-out

What We Receive (Self-Service Plan)

  • License data Email, device ID, and user identifier for seat tracking
  • IP address Standard HTTPS transport layer (not stored)
  • Snippets, commands & switches Your custom resources — synced by default for Pro/Enterprise, disable via Sync Resources toggle
  • Extension settings Preferences and per-instance configs (may include hostnames) — backed up by default, disable via Auto-Backup toggle
  • Usage statistics Aggregated daily totals shared by default for Pro/Enterprise — change to 'Collect Only' or 'Off' to opt out

Store App plans: The Store App on your instance communicates with our backend — your browser extension only talks to your ServiceNow instance.

What We Never Receive

  • ServiceNow credentials or passwords
  • Session tokens or API keys
  • ServiceNow instance scripts or records
  • Ticket data or business records
  • ServiceNow instance configuration
  • Individual action timestamps

Security Architecture

Authentication

  • HMAC-SHA256 JWT tokens with 60-second expiration
  • Instance-specific API keys stored encrypted in ServiceNow Credentials
  • One-time setup tokens that expire after first use (7-day max)
  • Rate limiting — 5 registrations per hour per license

Encryption

  • TLS 1.3 for all API communications
  • AES-256 encryption at rest in backend database
  • Password2 encryption for API keys in ServiceNow

Access Control

  • Row-Level Security on all backend tables
  • Principle of least privilege for personnel
  • Multi-factor authentication required for admin
  • URL validation (*.service-now.com only)

Works Offline

SN Utils is designed to continue working even if our backend is unreachable:

  • All data cached locally in your instance
  • Extension features work within browser session
  • License validation cached for continued operation
  • Sync happens periodically, not in real-time

Transparency & Compliance

Transparency

  • Source code available for security review
  • Clear data collection documentation
  • Responsive to security inquiries

Compliance

  • GDPR compliant (EU)
  • CCPA compliant (California)
  • ServiceNow Partner compliance

Cloud Sync Features

Cloud sync is enabled by default for Pro and Enterprise users to provide seamless cross-device access. Each feature can be individually disabled in the extension settings.

What is syncedON BY DEFAULT

  • Code Snippets — Your saved code templates
  • Slash Commands — Custom commands you've created
  • Switches — Your custom ServiceNow switches
  • Extension Settings — Preferences and per-instance configs (may include hostnames)

Privacy Considerations

  • Disable “Sync Resources” in Settings > Backup & Sync to keep snippets, commands, and switches local only
  • You can delete synced data at any time
  • ServiceNow records and business data are never included

Browser Extension Permissions

SN Utils requests only the permissions necessary to function. Here's why we need each:

Manifest Permissions

Cookies

Needed and only used for switching Nodes

Storage

Used to store SN Utils settings and cache data like table list to reduce REST calls

activeTab

Interact with ServiceNow browser tabs

Tabs (Firefox only)

Enables live preview and real-time CSS from sn-scriptsync

Content Security Policy

https://*.service-now.com

Access your ServiceNow instance via REST API

ws://127.0.0.1:1978/

Local websocket for interaction between Helper Tab and VS Code sn-scriptsync

Note: SN Utils on-prem for Chrome does not implement a CSP at this point, but it shares the same codebase.

Security Questions?

Have questions about our security practices? Need a security questionnaire completed for your procurement team? We're happy to help.

Contact Security TeamView Privacy Policy

For details on data handling, see the Privacy Policy.

Privacy PolicyEULAFair Use PolicyReport a Vulnerability