ServiceNow Edge Encryption is entering end-of-renewal, with full end-of-life scheduled for December 2028. Every organization still running it needs a replacement plan. This article provides what organizations need to know before 2028.
ServiceNow's recommended path is Platform Encryption. It bundles Cloud Encryption and Field Encryption Enterprise, and performs all cryptographic operations inside the ServiceNow cloud. For general commercial use, that may be acceptable. For defense contractors, government agencies, and organizations handling controlled unclassified information (CUI), ITAR-regulated data, or export-controlled technical data, it is not.
Platform Encryption moves the encryption boundary inside the vendor's cloud. You lose the client-side proxy model. Sensitive data enters ServiceNow before it is protected. That is a fundamental architectural shift, and for regulated industries, it creates real compliance exposure.
Edge Encryption worked because data was protected before it left your environment. The ServiceNow platform never saw plain text values. Keys and the encryption system were under your control.
ServiceNow Platform Encryption inverts that. Encryption happens inside ServiceNow's infrastructure.
You are trusting the platform with plain text data, exposing that data to US jurisdictional overlay, and relying on the vendor's key management system.
For organizations subject to strict data sovereignty requirements, NIS2, GDPR, CMMC, NIST SP 800-171, ITAR, or equivalent frameworks, the separation between vendor and the encryption system is what assists with regulatory compliance.
Moving to platform encryption with a US vendor introduces data sovereignty risk that legal and compliance teams in the EU will need to assess carefully.
A genuine Edge Encryption replacement restores the pre-ingress protection model.
It should:
StratoKey's Cloud Data Protection Gateway provides tokenization and encryption at the edge. It sits within your environment and between the user and ServiceNow.
It intercepts data at the edge, applies field-level tokenization or encryption, and passes protected values to the platform. ServiceNow operates normally, and sensitive or regulated data is not exposed to ServiceNow's cloud.
Authorized users can access plain text; unauthorized users, including ServiceNow itself, only have access to the secured/protected data.
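The pre-ingress model described above, sketched as an added example (not StratoKey's code or API): a vault-backed tokenizer swaps protected fields for random tokens before a record leaves the environment and restores them only for authorized readers. The `TokenVault` class, the protected field list and the sample record are constructed assumptions.

```python
import secrets

# Constructed policy: which fields the gateway protects (field names are assumptions).
PROTECTED_FIELDS = {"short_description", "u_part_number"}


class TokenVault:
    """In-memory stand-in for a customer-held vault storing token <-> value mappings."""

    def __init__(self):
        self._by_token = {}   # token -> (field, plaintext)
        self._by_value = {}   # (field, plaintext) -> token

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            # Random token: nothing about the plaintext can be derived from it.
            token = "tok_" + secrets.token_hex(8)
            self._by_value[key] = token
            self._by_token[token] = key
        # Same value -> same token, so equality matching still works downstream.
        return self._by_value[key]

    def detokenize(self, token):
        entry = self._by_token.get(token)
        return entry[1] if entry else None

    def revoke(self, token):
        key = self._by_token.pop(token, None)
        if key is not None:
            del self._by_value[key]


def protect(vault, record):
    """Request path: replace protected fields before the record leaves the environment."""
    return {k: vault.tokenize(k, v) if k in PROTECTED_FIELDS else v
            for k, v in record.items()}


def reveal(vault, record, authorized):
    """Response path: only authorized users get tokens swapped back to plaintext."""
    if not authorized:
        return dict(record)
    out = {}
    for k, v in record.items():
        plain = vault.detokenize(v) if k in PROTECTED_FIELDS else None
        out[k] = v if plain is None else plain
    return out


# Constructed sample record, not real data.
SAMPLE = {"number": "INC0010001", "priority": "2",
          "short_description": "Drawing rev C for actuator housing",
          "u_part_number": "PN-4471-B"}
```

Because the mapping lives only in the vault, revoking a token leaves the platform holding a value that no longer resolves to anything.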
This architecture supports organizations working under CMMC Level 2 and Level 3, NIST SP 800-171 Rev 2, DFARS CUI requirements, ITAR, and EU data protection obligations.
Keys remain customer-controlled. There is no dependency on ServiceNow's key management infrastructure.
StratoKey integrates with ServiceNow's APIs, Discovery, and external system connectors without schema changes or workflow modifications.
For organizations in defense, healthcare, aerospace, or government that relied on Edge Encryption to maintain data sovereignty, StratoKey restores that model under a modern, scalable architecture.
| Industry | Regulatory Requirements | How StratoKey CDP Gateway Maintains It |
|---|---|---|
| Defense / DIB | CMMC Level 2 and 3, NIST SP 800-171 Rev 3, DFARS 252.204-7012 | Pre-ingress tokenization keeps CUI out of ServiceNow and within the Customer tokenization vault. Customer-held keys. Audit trail for assessors. |
| Federal Government | FISMA, NIST SP 800-53, agency-specific key control requirements | Gateway-based encryption ensures federal data is end-to-end encrypted before cloud ingestion. Key management remains agency-controlled. |
| Aerospace | ITAR, EAR | Pre-ingress protection ensures export-controlled technical data never enters ServiceNow unprotected. Supports data residency and access control requirements. |
| Financial Services | DORA (EU), GDPR Article 32 | Tokenization supports scope reduction with full audit trail and individual token revocation. |
| Healthcare | HIPAA, GDPR Article 9 (EU special category data) | Field-level encryption ensures PHI and sensitive personal data never enter ServiceNow in plaintext and helps meet encryption carve-out requirements. |
| Energy / Critical Infrastructure | NERC CIP (US), NIS2 Article 21 (EU) | Pre-ingress encryption keeps operational data outside ServiceNow. Customer key control supports documented security measure requirements under both frameworks. |
| Enterprise (EU) | GDPR Article 32, Schrems II, NIS2 | Securing data pre-ingress means ServiceNow, a US-based vendor, never receives sensitive data in plaintext. Supports data minimization, sovereignty requirements, and continuity of Article 32 measures during migration. |

| | ServiceNow Platform Encryption | StratoKey CDP Platform |
|---|---|---|
| Where encryption and tokenization occur | Inside the ServiceNow cloud | Client-side, in an environment of your choice, prior to ingestion by ServiceNow. |
| Key control | BYOK | Full customer control: CMEK, HYOK & BYOK. |
| Sensitive data enters ServiceNow | Yes | No, data is secured pre-ingress. |
| Data sovereignty | Potential sovereignty issues. Learn more: Why data residency does not equal data sovereignty | Continued sovereignty. |
| Format-preserving encryption | Limited | Yes |
| True tokenization | No | Yes. The CDP Gateway provides true tokenization. Vault-backed with stored mapping. |
| API-payload tokenization and encryption for third-party integrations | No | Yes. The API Gateway can secure bi-directional third-party integrations with ServiceNow. |
| Extensible to other SaaS applications | No | Yes. The Cloud Data Protection Gateway is application-agnostic. It can be used with your custom applications or other SaaS applications such as Jira, Confluence, Salesforce, etc. |

StratoKey can assemble a migration package to assist ServiceNow Edge customers with their migration. The package can be developed in collaboration with the organization to take into account its data security, regulatory, and operational requirements.
This can include:
- CDP Gateway deployment and configuration.
- Documentation and an appointed StratoKey project lead.
Edge's end-of-life in December 2028 sounds distant. In practice, procurement cycles, security assessments, and integration testing in regulated environments take longer than most teams expect.
Organizations that start evaluating replacements now will have time to do it properly.
Get in touch to discuss your ServiceNow environment and what a transition to StratoKey looks like for your compliance requirements.