ServiceNow has placed Edge Encryption into end-of-renewal status, with full end-of-life planned for December 2028. Organizations that relied on Edge Encryption to protect sensitive data before it reached the ServiceNow platform will need to transition to a new encryption model.
ServiceNow’s recommended path forward is Platform Encryption, which bundles Cloud Encryption and Field Encryption Enterprise, and performs cryptographic operations inside the ServiceNow cloud.
For many organizations, this shift represents a significant architectural change. Moving encryption from a customer-controlled edge proxy to in-cloud encryption affects how organizations manage sensitive data, encryption keys, and security policies across SaaS environments.
If your organization relied on edge-based encryption to maintain control over sensitive data and encryption keys, you may now be evaluating a ServiceNow Edge Encryption replacement that preserves this security model.
What is ServiceNow Edge Encryption – and why is it going away?
ServiceNow Edge Encryption was designed as a SaaS encryption proxy that protected sensitive data before it entered the ServiceNow cloud.
In this architecture, sensitive data fields were encrypted within the customer’s environment before transmission to the SaaS platform. The ServiceNow platform stored only encrypted values for those fields while the customer retained control of the encryption keys.
This model allowed organizations to:
- Maintain customer-managed encryption
- Protect sensitive data before it reaches the SaaS platform
- Enforce internal security policies and data governance controls
- Support compliance requirements such as GDPR encryption compliance or PCI-DSS cloud encryption
ServiceNow has now shifted its strategy toward in-cloud encryption, directing customers to migrate to Platform Encryption instead.
While this approach simplifies encryption within the platform itself, it also changes where encryption occurs and who controls key operations.
Edge Encryption vs. Platform Encryption: What actually changed?
The primary difference between Edge Encryption and Platform Encryption is where encryption takes place.
Edge Encryption
- Encryption performed in the customer environment
- Encryption keys remain customer controlled
- ServiceNow stores only encrypted values
Platform Encryption
- Encryption occurs inside the ServiceNow cloud
- Supports BYOK ServiceNow key management
- Sensitive data arrives over TLS and is then processed in cleartext before it enters the storage platform
Removing the edge proxy eliminates the separation between the customer’s encryption environment and the SaaS platform—a control that many organizations relied on to manage sensitive data.
Four compliance and security risks introduced by ServiceNow’s Platform Encryption transition
Moving encryption from the edge to the cloud raises several considerations that organizations should weigh.
1. Data sovereignty: where does your sensitive data actually live?
When encryption occurs inside the ServiceNow cloud, sensitive data may be processed within infrastructure outside the organization’s direct control.
For organizations concerned with data sovereignty in ServiceNow environments, this can raise questions about where sensitive data is handled and how it is protected.
Edge Encryption ensured sensitive data could be encrypted before leaving the organization’s environment, providing stronger control over how data entered SaaS platforms.
2. Key custody: BYOK isn’t enough if the keys are used inside someone else’s cloud
ServiceNow Platform Encryption supports Bring Your Own Key (BYOK) models.
However, there is a difference between owning encryption keys and controlling where those keys are used. Even with BYOK in ServiceNow, encryption operations still occur within ServiceNow infrastructure.
Organizations that prefer strict customer-managed encryption may want to evaluate whether this model aligns with their internal security policies.
3. Regulatory compliance: does in-cloud encryption satisfy GDPR, PCI-DSS, DORA, and NIS2?
Organizations should review whether in-cloud encryption satisfies their regulatory obligations.
Frameworks such as GDPR, PCI-DSS, DORA, and NIS2 often require strong controls around how sensitive data is encrypted and processed.
For organizations that adopted Edge Encryption to support GDPR encryption compliance or PCI-DSS cloud encryption, reviewing the architectural change is an important step.
4. Single-purpose solution: what about your other SaaS applications?
Platform Encryption protects only the ServiceNow platform.
However, most enterprises operate multi-SaaS environments including platforms such as Salesforce, Workday, and SAP SuccessFactors.
Using separate encryption tools for each application can increase operational complexity and fragment security policies. Many organizations prefer a SaaS encryption proxy that can apply consistent protection across multiple platforms.
Introducing OpenText Data Privacy & Protection Sentry: a direct ServiceNow Edge Encryption replacement
OpenText™ Data Privacy & Protection Sentry (Sentry) provides a modern ServiceNow Edge Encryption replacement that restores edge-based encryption while supporting today’s SaaS environments.
Sentry encrypts or tokenizes sensitive data before it reaches ServiceNow, ensuring the platform stores only protected values while encryption keys remain under customer control.
This architecture preserves a hold-your-own-key (HYOK) model that maintains stronger control over data and encryption operations.
Because Sentry supports format-preserving encryption (FPE) and Secure Stateless Tokenization (SST), protected values retain their structure, so workflows, searches, and integrations continue to function normally.
How Sentry works
Sentry operates as a transparent encryption gateway between users and SaaS applications.
Sensitive fields and files are intercepted and protected before being transmitted to the ServiceNow platform.
Key capabilities include:
- Format-preserving encryption for SaaS data
- Tokenization and encryption for sensitive fields and files
- Customer-managed encryption keys that remain outside SaaS infrastructure
- Centralized policies across multiple SaaS applications
This makes Sentry a practical edge encryption proxy alternative for organizations replacing ServiceNow Edge Encryption.
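The edge model and the format-preserving property described above, as an added example that is not Sentry's or ServiceNow's code. The HMAC-based Feistel construction is a toy stand-in for a standardized FPE mode and is not suitable for production; the key, field names and record are constructed.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves end at their original widths
DIGITS = "0123456789"

def _prf(key: bytes, rnd: int, half: str, mod: int) -> int:
    """Keyed round function: HMAC-SHA256 reduced to the target width."""
    mac = hmac.new(key, f"{rnd}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % mod

def fpe_digits(key: bytes, digits: str, decrypt: bool = False) -> str:
    """Toy Feistel permutation over decimal strings; output length == input length."""
    if len(digits) < 2 or any(ch not in DIGITS for ch in digits):
        raise ValueError("need at least two decimal digits")
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2:]
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if decrypt:  # undo one round: recover the old left half from the right
            mod = 10 ** len(b)
            a, b = str((int(b) - _prf(key, rnd, a, mod)) % mod).zfill(len(b)), a
        else:
            mod = 10 ** len(a)
            a, b = b, str((int(a) + _prf(key, rnd, b, mod)) % mod).zfill(len(a))
    return a + b

def protect_field(key: bytes, value: str, decrypt: bool = False) -> str:
    """Transform only the digits; separators such as '-' keep their positions."""
    out = iter(fpe_digits(key, "".join(c for c in value if c in DIGITS), decrypt))
    return "".join(next(out) if c in DIGITS else c for c in value)

def edge_submit(key, record, sensitive, saas_table):
    """Edge side: protect the listed fields before the record leaves the network."""
    row = {k: protect_field(key, v) if k in sensitive else v for k, v in record.items()}
    saas_table.append(row)  # the SaaS side only ever receives protected values
    return row

def edge_lookup(key, field, clear_value, saas_table):
    """Exact-match search: protect the search term, match, unprotect the hits."""
    token = protect_field(key, clear_value)
    hits = [row for row in saas_table if row[field] == token]
    return [{**row, field: protect_field(key, row[field], decrypt=True)} for row in hits]

EDGE_KEY = b"constructed-demo-key-held-only-at-the-edge"  # constructed sample key
SAAS_TABLE = []  # stands in for the SaaS platform's storage
RECORD = {"caller": "A. Example", "card_number": "4111-1111-1111-1111"}  # constructed
STORED = edge_submit(EDGE_KEY, RECORD, {"card_number"}, SAAS_TABLE)
print(STORED)  # card_number keeps its 4-4-4-4 digit layout; caller is untouched
```

Exact-match search works here only because the protection is deterministic, which also means equal cleartext values produce equal stored values; that trade-off belongs in any review of which fields to protect this way.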
What’s included in the Sentry migration package
OpenText offers a migration package designed specifically for Edge Encryption customers.
This includes:
- Sentry deployment and configuration
- Prebuilt templates supporting field encryption for ServiceNow
- Functional testing and production cutover support
- Migration of historical ServiceNow Edge-encrypted data
- Documentation and operational training
Sentry vs. ServiceNow Platform Encryption: a side-by-side comparison
| Capability | ServiceNow Platform Encryption | Sentry |
| --- | --- | --- |
| Encryption location | ServiceNow cloud | Customer environment |
| Key custody | BYOK used in cloud | Full customer control |
| Data sovereignty | Potential exposure | Maintained at edge |
| Format-preserving encryption | Limited | Full FPE and SST |
| SaaS coverage | ServiceNow only | Multi-SaaS support plus non-SaaS applications, too |
Don’t let a vendor decision become your compliance problem
ServiceNow’s retirement of Edge Encryption reflects a broader shift toward cloud-native encryption models.
For organizations that relied on edge-based encryption to control how sensitive data enters SaaS environments, the change is more than a product migration: it is an architectural and security shift.
OpenText Data Privacy & Protection Sentry restores the customer-managed encryption proxy model that Edge Encryption originally provided while extending protection across modern SaaS environments.
Organizations currently using Edge Encryption should begin evaluating their ServiceNow Edge Encryption replacement strategy early to ensure a smooth transition.
Visit our ServiceNow Edge Encryption replacement strategy page to learn more, or contact us directly.