• About
  • Pricing
  • Docs
  • Changelog
  • Security
Install
Sign InSign Up

Security & Privacy

Built for enterprise environments. Your data stays with you.

Security Overview

  • Runs entirely client-side in your browser
  • ServiceNow instance data (records, scripts, configuration) never leaves your device
  • Uses only the user's existing permissions — no elevated access
  • Cloud sync for your personal snippets, commands, switches, and settings (on by default, can be disabled)

Local Execution

SN Utils runs entirely in your browser. Your ServiceNow data never leaves your machine.

No Instance Data

Your ServiceNow records, credentials, and business data never leave your environment.

Your Permissions

The extension operates under your logged-in user's rights. No elevated access.

Data Flow Overview

A visual representation of what data goes where

ServiceNowYour instance
Your Data(Scripts, Records)
Your BrowserSN Utils runs here
Metadata(License, Settings*)
SN UtilsLicense & sync services
AIR GAP — No ServiceNow data crosses to SN Utils
Your ServiceNow data stays in your browser
Metadata only: license + optional sync*
Air gap: No ServiceNow instance data crosses

* Optional sync includes snippets, commands, and settings

Where does it run?

Understanding our security architecture in detail

Your Environment (Private)

Your Browser

SN Utils extension runs locally in your browser

ServiceNow Instance

Your data stays in ServiceNow under your credentials

Local Filesystem

ScriptSync writes files locally for VS Code (optional)

SN Utils Servers (Limited)

License Validation API

Validates license keys (frequency depends on licensing method)

Only metadata transmitted — no ServiceNow data

What ServiceNow data is NOT accessed?

  • Instance scripts or records
  • ServiceNow configuration
  • Credentials
  • Business data

License Validation by Plan

How license checks work depends on your licensing method

Self-Service Licensing

For Pro plan users via snutils.com — our current offering

  • User-based license validation
  • Extension checks license at most once per day
  • IP address included at transport layer (standard HTTPS)
  • No ServiceNow instance data transmitted

ServiceNow Store App

COMING SOON

Planned for the Enterprise plan

  • All license data will be stored on your ServiceNow instance
  • The extension will communicate only with the Store App on your instance
  • The Store App will validate with the SN Utils backend
  • Designed so no user IP, ServiceNow data, or configuration is transmitted
  • Additional sync/integrations will be explicitly opt-in

How Your Data Stays Secure

A detailed breakdown of what stays local vs. what we receive

What Stays in Your ServiceNow Instance

Data TypeWhere It LivesBackend Access
Your scripts & codeYour instance only Never transmitted
ServiceNow recordsYour instance only Never transmitted
Credentials & tokensYour instance only Never transmitted
User preferencesYour instance cache Never transmitted
Usage statisticsLocal + shared by default (Pro) On by default — opt-out

What We Receive (Pro Plan)

  • License data — Email, device ID, and user identifier for seat tracking
  • IP address — Standard HTTPS transport layer (not stored)
  • Snippets, commands & switches — Your custom resources — synced by default for Pro, disable via Sync Resources toggle
  • Extension settings — Preferences and per-instance configs (may include hostnames) — backed up by default, disable via Auto-Backup toggle
  • Usage statistics — Aggregated daily totals shared by default for Pro — change to 'Collect Only' or 'Off' to opt out

Enterprise (planned): The ServiceNow Store App will communicate with our backend from your instance — your browser extension will only talk to your ServiceNow instance.

What We Never Receive

  • ServiceNow credentials or passwords
  • Session tokens or API keys
  • ServiceNow instance scripts or records
  • Ticket data or business records
  • ServiceNow instance configuration
  • Individual action timestamps

AI Features & LLM Integration

SN Utils includes optional AI features (Sidekick AI and the AI Command Builder). They are Pro-only, the AI code is removed entirely from the free Community build, and a request is only ever made when you explicitly click Send or Generate.

How AI requests work

  • The extension never calls an LLM provider directly — all traffic is proxied through snutils.com over HTTPS
  • Sidekick AI sends page metadata only (table and field names, page type) — never record values
  • The AI Command Builder sends your prompt and may include a table's field schema (names, labels, types) — never record data
  • Rate limited to 50 requests per hour per user

Never sent to the LLM

  • ServiceNow record values
  • Credentials, session tokens, or cookies
  • Attachments or file contents

Admins can turn AI off for the team

A team owner or admin can disable the AI features for their whole team from the team Settings page — an organization-wide default plus per-user overrides. Enforcement is server-side, so blocked requests are rejected at the API. How to turn AI off →

For the full integration design and exact sample data payloads:

AI Integration & Data Handling →

Security Architecture

Authentication

  • JWT access tokens (7-day expiry) with device-bound refresh tokens (30-day expiry)
  • Device fingerprinting binds tokens to a specific browser/device
  • Activation tokens are single-use and stored only as SHA-256 hashes
  • Rate limiting — 5 device activations per hour per account

Encryption

  • TLS 1.3 for all API communications
  • AES-256 encryption at rest in backend database

Access Control

  • Row-Level Security on all backend tables
  • Principle of least privilege for personnel
  • Multi-factor authentication required for admin
  • URL validation (*.service-now.com only)

Works Offline

SN Utils is designed to continue working even if our backend is unreachable:

  • All data cached locally in your instance
  • Extension features work within browser session
  • License validation cached for continued operation
  • Sync happens periodically, not in real-time

Transparency & Compliance

Transparency

  • Source code available for security review
  • Clear data collection documentation
  • Responsive to security inquiries

Compliance

  • GDPR compliant (EU)
  • CCPA compliant (California)
  • ServiceNow Partner compliance

Cloud Sync Features

Cloud sync is enabled by default for Pro (and trial) users to provide seamless cross-device access. Each feature can be individually disabled in the extension settings.

What is syncedON BY DEFAULT

  • Code Snippets — Your saved code templates
  • Slash Commands— Custom commands you've created
  • Switches — Your custom ServiceNow switches
  • Extension Settings — Preferences and per-instance configs (may include hostnames)

Privacy Considerations

  • Disable “Sync Resources” in Settings > Backup & Sync to keep snippets, commands, and switches local only
  • You can delete synced data at any time
  • ServiceNow records and business data are never included

Browser Extension Permissions

SN Utils requests only the permissions necessary to function. Here's why we need each:

Manifest Permissions

Cookies

Needed and only used for switching Nodes

Storage

Used to store SN Utils settings and cache data like table list to reduce REST calls

activeTab

Interact with ServiceNow browser tabs

Tabs (Firefox only)

Enables live preview and real-time CSS from sn-scriptsync

Content Security Policy

https://*.service-now.com

Access your ServiceNow instance via REST API

ws://127.0.0.1:1978/

Local websocket for interaction between Helper Tab and VS Code sn-scriptsync

Note: SN Utils on-prem for Chrome does not implement a CSP at this point, but it shares the same codebase.

Security Questions?

Have questions about our security practices? Need a security questionnaire completed for your procurement team? We're happy to help.

Contact Security TeamView Privacy & Data Processing Agreement

For details on data handling, see the Privacy & Data Processing Agreement.

Privacy & Data Processing AgreementService TermsFair Use PolicyReport a Vulnerability

Productivity tools for ServiceNow.

© 2026 SN Utils. All Rights Reserved.

SN Utils is an independent product and is not affiliated with, endorsed by, or sponsored by ServiceNow, Inc. ServiceNow is a registered trademark of ServiceNow, Inc.

Product
  • Documentation
  • Pricing
  • Changelog
  • Security
Resources
  • Getting Started
  • About
  • Business Case
  • Procurement & Vendor Info
  • Contact
Legal
  • Service Terms
  • Fair Use Policy
  • Privacy & Data Processing
  • Cookie Policy